UPCX Suffers $70M Hack, UPC Price Drops 7%
On April 1, 2025, UPCX, an open-source payment platform, faced a significant security breach that resulted in the unauthorized transfer of 18.4 million UPC tokens, valued at approximately $70 million. The incident was first detected by Cyvers, a blockchain security firm, which identified multiple suspicious transactions involving UPCX's management accounts. The attacker exploited an administrative function within the ProxyAdmin contract, initiating fund withdrawals from three separate management accounts.
UPCX swiftly acknowledged the breach and took immediate action to suspend deposits and withdrawals as a precautionary measure. The company reassured users that their assets remained secure and unaffected, emphasizing that the unauthorized activity was confined to the management accounts. Despite these assurances, the incident raised concerns about the platform's security measures and the potential impact on its credibility and future operations.
Cyvers' findings revealed that the hacker gained access to a UPCX address and modified its ProxyAdmin contract. The attacker then executed the 'withdrawByAdmin' function, resulting in the transfer of 18.4 million UPC tokens to a newly created wallet. The hacker's wallet became the seventh-largest holder of UPC, with no prior activity aside from a small test transaction of 10 UPC just minutes before the main attack. Notably, the hacker did not deposit ETH for gas fees but instead directly interacted with the token contract, executing the transfer with minimal costs and no intermediary steps.
The stolen UPC tokens were consolidated into a single address, and as of the time of the report, the tokens had not been swapped for other cryptocurrencies. The hacker's strategy for converting the stolen funds remained unclear, and the limited liquidity and trading options for UPC on Gate.IO and MEXC may restrict the hacker's ability to offload assets. The incident triggered a price drop, with UPC falling 7% from a high of $4.06 to a low of $3.77 before recovering slightly to $4.01.
Cyvers co-founder and CTO Meir Dolev stated that while the root cause of the attack is still under investigation, similar breaches typically result from compromised credentials or weak access controls—factors responsible for over 80% of Web3 losses in 2024. Dolev noted that the attack followed patterns seen in previous exploits, emphasizing the urgent need for stronger wallet permissions, multisignature security, and real-time transaction validation.
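The sequence Cyvers describes (a ProxyAdmin change, a small test transfer, then large withdrawals from management accounts to a brand-new wallet) is the kind of pattern real-time transaction validation can flag. The following Python rule is an added example, not code from Cyvers or UPCX; the event fields, thresholds, account names and amounts are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Assumed tuning values, not taken from the article.
WINDOW_SECS = 3600        # transfers this soon after an upgrade are suspect
LARGE_AMOUNT = 1_000_000  # whole tokens
NEW_WALLET_SECS = 1800    # recipient first seen this recently counts as "new"

@dataclass
class Event:
    ts: int          # unix seconds
    kind: str        # "upgrade" (proxy/admin change on src) or "transfer"
    src: str         # upgraded account, or token sender
    dst: str = ""    # token recipient (transfers only)
    amount: int = 0  # whole tokens (transfers only)

def detect(events, managed):
    """Flag large transfers out of a managed account that follow an upgrade
    of that account and go to a recipient with almost no history."""
    last_upgrade, first_seen, alerts = {}, {}, []
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.kind == "upgrade":
            if e.src in managed:
                last_upgrade[e.src] = e.ts
            continue
        seen = first_seen.setdefault(e.dst, e.ts)  # first time dst received tokens
        upgraded = last_upgrade.get(e.src)
        if (upgraded is not None
                and e.ts - upgraded <= WINDOW_SECS
                and e.amount >= LARGE_AMOUNT
                and e.ts - seen <= NEW_WALLET_SECS):
            alerts.append((e.ts, e.src, e.dst, e.amount))
    return alerts

# Constructed sample data: names, times and amounts are invented.
MANAGED = {"mgmt-1", "mgmt-2", "mgmt-3"}
SAMPLE = [
    Event(0, "transfer", "mgmt-1", "exchange-hot", 2_000_000),  # routine, no upgrade
    Event(90_000, "upgrade", "mgmt-1"),
    Event(90_000, "upgrade", "mgmt-2"),
    Event(90_000, "upgrade", "mgmt-3"),
    Event(90_060, "transfer", "mgmt-1", "fresh-wallet", 10),    # small test transfer
    Event(90_300, "transfer", "mgmt-1", "fresh-wallet", 5_000_000),
    Event(90_310, "transfer", "mgmt-2", "fresh-wallet", 7_000_000),
    Event(90_320, "transfer", "mgmt-3", "fresh-wallet", 3_000_000),
    Event(90_400, "transfer", "mgmt-1", "exchange-hot", 2_000_000),  # known recipient
]

if __name__ == "__main__":
    for alert in detect(SAMPLE, MANAGED):
        print("ALERT", alert)
```

In production the same rule would sit in front of signing or in a pause-guardian path, so that a match suspends withdrawals instead of only raising an alert.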
The $70 million theft more than doubles the $33 million lost to crypto hacks in March, highlighting the growing scale of such threats. Although development on UPCX began in late 2023, significant activity only picked up in early 2025. Yet, the project remains relatively obscure compared to other Web3 payment platforms. While the $70 million breach is a severe blow to UPCX, its broader market impact remains uncertain. The largest crypto hack in history occurred just over a month ago, and its repercussions are still unfolding. By contrast, UPCX is a minor player—its admission of the breach on X received barely over 12,000 views at the time of writing.
Notably, the hacker’s wallet has yet to move the stolen UPC tokens, raising questions about how they intend to cash out. Given that the stolen amount is nearly five times the circulating supply, any liquidation attempt could trigger a sharp price collapse. The UPCX breach stands out for its scale yet relative lack of market disruption. If investigators can track the attackers and freeze the assets, the damage may be contained. Otherwise, the looming threat of liquidation could weigh on UPC’s recovery for the foreseeable future.
