Summary
UPCX is a blockchain payment protocol that suffered a $70 million exploit on April 1, 2025, when an attacker compromised an administrative private key and used it to push a malicious smart contract upgrade, draining 18.4 million UPC tokens from management accounts. The attack was enabled by the absence of multisig controls on privileged protocol functions. The protocol had undergone CertiK and Cyberscope audits, but these did not catch the operational key management risk. UPCX had listed on a Japanese FSA-licensed exchange just 11 days prior. No recovery of stolen funds was reported.
Connected Entities
1 entity
Timeline (5 events)
2025-03-17
UPCX announces listing on BitTrade, a Japanese FSA-licensed exchange.
2025-03-27
UPCX UPC token goes live on BitTrade exchange in Japan.
2025-04-01
Attacker compromises admin private key, pushes malicious ProxyAdmin upgrade, drains ~18.4M UPC (~$70M) from three management accounts.
2025-04-01
Cyvers detects the exploit; UPCX halts all transactions and announces investigation.
2025-07-15
UPCX press release reports staking activity resuming, surpassing 975,000 tokens. Stolen funds unrecovered.
Decision Log
- hash: 9jxz8Togm5LV9MDYXTWBQJR9njrgR4WCEaQnSH2mSw6C
This investigation is cryptographically anchored to the Solana blockchain and source URLs are archived via the Internet Archive.
model: claude-sonnet-4-5
generated: 5/4/2026, 2:54:24 AM
last updated: 5/28/2026, 8:25:00 PM
avoid.net — verified advice for a post-truth world