Alex Protocol, a Bitcoin-based DeFi project built on the Stacks blockchain, suffered a major security breach on June 6, resulting in a loss of approximately $8.3 million across multiple token pools. The attack targeted a vulnerability in the platform’s self-listing logic, allowing the perpetrators to bypass verification mechanisms and withdraw funds undetected.
According to an official statement on X, the stolen assets include roughly 8.4 million STX tokens, 21.85 sBTC, $149,850 in USDC and USDT, and 2.8 WBTC. The incident stands as one of the most severe exploits within the emerging Stacks ecosystem.
In response, the Alex Lab Foundation—the team behind the protocol—has pledged full compensation to affected users. A structured reimbursement plan has been announced, with refunds to be issued in USDC and disbursed through a claims process beginning June 8.
Alex Lab Details Reimbursement Plan After $8.3M Exploit
To address the fallout from the exploit, Alex Protocol has introduced a clear compensation roadmap. Refunds will be calculated using a time-weighted average price of affected assets based on on-chain exchange rates between 10:00 a.m. and 2:00 p.m. UTC on June 6, the day of the incident.
Impacted wallet addresses will receive on-chain notifications by June 8, including a customized claim form and instructions for submission. Users must complete the form and provide a preferred wallet address by June 10. Verified claims will be processed within seven days, with reimbursements delivered in USDC.
While technical details of the exploit remain undisclosed, the team has committed to releasing a full post-mortem once internal investigations conclude.
May Hack Tied to Lazarus Adds to Alex Protocol Woes
This is not the first time Alex Protocol has been targeted. In May 2024, the platform experienced a separate exploit involving its cross-chain bridge infrastructure, resulting in the loss of approximately $4.3 million in crypto assets.
According to the development team, the earlier breach may be linked to the North Korea-backed Lazarus Group. The suspicion stems from wallet behaviors resembling those used in previous Lazarus-related cyberattacks. To aid the investigation, Alex Protocol enlisted the help of blockchain investigator ZachXBT to trace the stolen funds.
The recurrence of major breaches in back-to-back months has raised serious concerns about the platform’s security architecture and, more broadly, the vulnerabilities facing DeFi protocols built on Bitcoin layers.
Quick Facts
- Losses: $8.3M lost in STX, sBTC, WBTC, USDC, and USDT
- Exploit Cause: Vulnerability in self-listing logic on June 6
- Compensation Plan: Refunds in USDC; claim process opens June 8
- Previous Breach: $4.3M lost in May 2024 bridge exploit
- Suspected Attacker: May hack potentially linked to Lazarus Group
- Post-Mortem: Full incident report to be published after investigation
