Open-source payment platform UPCX has suffered a major security breach, with an estimated $70 million worth of UPC tokens stolen in a targeted attack on its core management infrastructure.
In a security alert issued on April 1, blockchain security firm Cyvers flagged the suspicious transfer of approximately 18.4 million UPC tokens, attributing the breach to unauthorized access and contract manipulation.
According to Cyvers, the attacker managed to access a UPCX-controlled address and upgrade its ProxyAdmin contract, a powerful admin-level component. Using this control, the hacker executed a withdrawal function, draining funds from three separate management accounts.
At the time of writing, the stolen UPC tokens had not yet been swapped for other crypto assets.
In response to the incident, UPCX confirmed the unauthorized activity and announced the immediate suspension of deposits and withdrawals on the platform. The team emphasized that user funds were not impacted and that a full investigation is underway.
Despite the assurance, market reaction was swift. UPC’s token price dropped 7%, falling from a high of $4.06 to $3.77, according to data from CoinGecko, amid uncertainty surrounding the breach.
Security Firm: Exploit Mirrors Prior Admin-Level Attacks
Cyvers co-founder and CTO Meir Dolev noted that while the specific origin of the vulnerability is still under review, the exploit is part of a broader trend of admin privilege abuse in Web3 platforms.
“This incident mirrors attack patterns we’ve documented in prior exploits, where access to critical administrative roles enabled malicious upgrades and fund drainage,” Dolev told Cointelegraph.
He added that compromised credentials and inadequate access control mechanisms continue to be the leading causes of crypto losses in 2024, accounting for over 80% of stolen funds this year.
Dolev emphasized the importance of strengthening on-chain defenses, including wallet permission management, multisignature protections, and runtime transaction validation.
A Costly Start to April for Crypto Security
The $70 million theft at UPCX marks one of the largest crypto hacks so far in 2025 and doubles the amount stolen in all of March, which totaled $33 million, according to Cyvers and blockchain security firm CertiK.
With administrative-level exploits continuing to dominate the risk landscape, the UPCX incident adds renewed urgency for platforms to reassess smart contract governance, elevate security standards, and implement more robust response mechanisms.
