A hacker gained unauthorized access to the UPCX payment platform’s smart contract, stealing 18.4 million UPC tokens valued at $70 million.
A hacker gained unauthorized access to the UPCX payment platform’s smart contract, stealing 18.4 million UPC tokens valued at $70 million. The theft was flagged by blockchain security firm Cyvers, which traced the suspicious activity to a contract upgrade by the attacker. This upgrade allowed them to withdraw funds from three management accounts. In response to the breach, UPCX halted deposits and withdrawals and assured users that their personal funds were safe.
The incident caused a significant dip in the UPC token price, dropping 7% initially and continuing to fall after the attack. From a high of $4.06, the price dropped to $3.52. The token’s recent surge in value, driven by a rally earlier in the year, likely made it an attractive target for the hacker. However, the stolen tokens remained in a single Ethereum wallet and had not been swapped for other assets at the time of reporting.
This attack follows patterns seen in previous exploits, according to Cyvers’ co-founder Meir Dolev. He pointed out that compromised credentials and flawed access control mechanisms were often to blame for such breaches. He noted that these issues accounted for over 80% of Web3-related losses in 2024. Dolev also stressed the importance of improving security measures, particularly for wallet permissions and multisignature implementations, to prevent future incidents.
The hack caused significant disruption to UPCX, a relatively new project that had been expanding its presence in niche markets, especially Southeast Asia. Despite launching its mainnet and introducing a native wallet, UPCX’s reliance on the Ethereum network for most of its operations and smart contracts left it vulnerable to attacks like this one. Although the protocol offers limited trading on exchanges like Gate.io and MEXC, the breach triggered an outflow of users, with hundreds of wallets emptying their UPCX balance.
In addition to the stolen funds, the hack raised concerns about UPCX’s token circulation. At the time of the attack, only 4.14 million UPC tokens were in circulation, with more than 50% of the total supply held by a few large wallets, including those controlled by the project’s team. Most of the remaining tokens are locked under a long-term vesting schedule. The hacker’s wallet now holds the largest portion of the stolen UPC, and the limited liquidity options for the token may make it difficult to offload these funds.
As UPCX works to investigate the breach, the loss of $70 million marks one of the largest crypto hacks of 2025, surpassing the total stolen in March, which was only $33 million. The platform is under scrutiny to determine how the breach occurred and to implement stronger security protocols moving forward.
This article contains links to third-party websites or other content for information purposes only (“Third-Party Sites”). The Third-Party Sites are not under the control of CoinMarketCap, and CoinMarketCap is not responsible for the content of any Third-Party Site, including without limitation any link contained in a Third-Party Site, or any changes or updates to a Third-Party Site. CoinMarketCap is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement, approval or recommendation by CoinMarketCap of the site or any association with its operators.
This article is intended to be used and must be used for informational purposes only. It is important to do your own research and analysis before making any material decisions related to any of the products or services described. This article is not intended as, and shall not be construed as, financial advice.
The views and opinions expressed in this article are the author’s [company’s] own and do not necessarily reflect those of CoinMarketCap.
