Alphapo, a crypto payment gateway operator, had millions of dollars worth of crypto drained from its hot wallets over the weekend. 

On-chain sleuth ZachXBT alerted users to the exploit on July 22, noting that the stolen funds were swapped for Ethereum and then bridged to the Avalanche and Bitcoin blockchains.

According to Web3 security company DeDotFi, more than $31 million was confirmed stolen and some reports suggest that up to $100 million worth of funds may have been compromised.

“A potential cause is a private keys leakage. As of now, the exact amount of stolen BTC remains unconfirmed,” wrote DeDotFi on Twitter.

An analysis by blockchain security firm PeckShield found that the stolen funds were made up of USDT, USDC, FTN, TFL, TRX, ETH and DAI, which were then swapped and bridged to multiple different wallets. A separate analysis of the flow of funds from the team of blockchain security experts at SlowMist suggested that the attacker’s actions resembled previous exploits associated with the North Korean cybercrime group Lazarus.

Alphapo offers instant payments for more than 30 digital currencies and is particularly known for being a payment gateway for platforms like HypeDrop, Bovada and Ignition which offer gambling services.

Shortly after the incident, HypeDrop halted crypto processing deposits and withdrawals, citing an issue with its payment provider in an update on Sunday. 

The HypeDrop team said that pending deposits would be credited after the payment processor resumes operations, but any pending withdrawals would be canceled and the user would need to put in a new request to have them processed.

“Rest assured, we are actively working to resolve this matter with them, even though it is beyond our control,” stated the HypeDrop team.