A security breach in the open-source payment network UPCX has resulted in the loss of approximately $70 million in digital assets.
The incident was flagged by blockchain security firm, Cyvers, on 1 April, revealing that an attacker exploited a vulnerability within UPCX’s smart contract system.
According to Cyvers, the unauthorised individual gained access to a critical UPCX address and modified the platform’s ProxyAdmin contract.
This allowed the attacker to execute a function typically reserved for administrators, enabling them to withdraw large amounts of funds.
The attack specifically targeted UPCX’s management accounts, from which the hacker successfully withdrew 18.4 million $UPC tokens, valued at around $70 million.
The compromised tokens were transferred from three separate management accounts, indicating that the breach was carefully executed with knowledge of the platform’s internal systems.
At the time of writing, the stolen tokens remain in the attacker’s wallet, with no recorded attempts to exchange them for other cryptocurrencies.
This lack of immediate token movement suggests the hacker may be waiting for market conditions to stabilise or looking for ways to launder the stolen assets.
UPCX responds as token price takes a hit
Following the breach, UPCX publicly acknowledged the unauthorised access in a statement on X. The platform assured users that personal funds were unaffected and stated that immediate action had been taken to secure the network.
In its official statement, UPCX explained that they were actively investigating the matter and implementing additional security measures.
“UPCX has identified unauthorised activity involving our management account. As a precautionary measure, we are taking immediate action to ensure platform security”, the company stated.
In response to the attack, UPCX temporarily suspended deposits and withdrawals to prevent further losses and reassess the platform’s security. Despite these assurances, the incident had an immediate impact on the value of the $UPC token.
According to data from CoinGecko, $UPC’s price fell 7%, dropping from a high of $4.06 to a low of $3.77following the news of the breach. The price decline reflects investor concerns over the security of the platform, as similar incidents in the past have often led to extended downturns in affected tokens.
The co-founder and Chief Technology Officer of Cyvers, Meir Dolev, commented on the nature of the attack, explaining that breaches like this usually result from compromised credentials or flawed access control mechanisms.
He stated that these vulnerabilities have been among the leading causes of financial losses in Web3 this year. “This incident mirrors attack patterns we’ve documented in prior exploits, where access to critical administrative roles enabled malicious upgrades and fund drainage”, Dolev explained.
The executive further emphasised the importance of strengthening wallet security and ensuring that platforms have robust multisignature implementations to prevent unauthorised access.
The nature of this attack once again highlights the persistent weaknesses in decentralised platforms, particularly when it comes to administrative controls and security practices.
Cryptocurrency hacks continue to surge in 2025
The recent UPCX exploit is just one of many crypto-related hacks that have taken place in 2025. Blockchain security firm, PeckShield, reported that in the first quarter of the year alone, hackers stole over $1.63 billion in cryptocurrency.
This staggering figure represents a 131% increase compared to the same period in 2024, when losses stood at $706 million.
The largest portion of these losses occurred in February, when the Bybit exchange suffered a massive hack, resulting in $1.53 billion being stolen. The Bybit incident remains one of the biggest crypto thefts in history.
In addition to that, other hacks in February accounted for another $126 million in losses, including a $50-million exploit targeting Infini, a $9.5-million hack on zkLend, and an $8.5-million attack on Ionic.
While February was the most damaging month, the situation improved slightly in March. PeckShield reported that total crypto losses due to hacking incidents dropped by 97% from February, with only $33 million stolen in March.
This decline offered a brief reprieve, but the UPCX exploit has now reversed the trend, bringing the issue of crypto security back into focus.
Among the biggest incidents in March was a $13 million exploit on the decentralised finance (DeFi) protocol Abracadabra.Money. According to PeckShield, the attacker drained 6,260 Ethereum ($ETH) from the protocol on 25 March, taking advantage of a smart contract vulnerability.
The second-largest hack that month targeted the real-world asset (RWA) restaking protocol Zoth, where an attacker stole $8.4 million by exploiting a weakness in the platform’s wallets. The stolen assets were quickly converted into stablecoins and moved to a different address.
Despite the losses, some hackers in March chose to return stolen assets. On 7 March, a hacker who exploited a vulnerability in the decentralised exchange (DEX), 1inch, returned 90% of the stolen funds, equivalent to $4.5 million.
The DEX had offered the attacker a 10% bounty worth $500,000 in exchange for returning the rest of the funds, a strategy that has become increasingly common in crypto security incidents.
The UPCX exploit further underscores the ongoing security challenges facing blockchain-based platforms. While the company has taken immediate action to contain the damage, the incident raises broader concerns about the security of smart contracts and the risks associated with DeFi.
As the investigation into the UPCX breach continues, it remains unclear whether any of the stolen funds will be recovered. For now, $70 million worth of $UPC tokens remain in the attacker’s address, leaving investors and the broader crypto community on edge.
The incident serves as another reminder that despite the promise of decentralised finance, the industry remains highly vulnerable to sophisticated cyberattacks.
