Verify a decision
Every moderation decision on AVOID.NET is anchored to the Solana blockchain. You don't have to trust us — you can verify cryptographically that we committed to a verdict at a specific moment and have not rewritten it.
How verification works
- We commit. When a moderator accepts/rejects a submission, we serialize the decision into deterministic UTF-8 bytes (payload_canonical_string), hash it with SHA-256, encode the digest as base58, and write it to Solana inside an SPL Memo v2 transaction.
- We store the bytes. The exact bytes we hashed are stored alongside the decision in our database. Anyone can read them and recompute the hash in any language.
- You compare three values. Database hash, your independently-recomputed hash, and the hash inside the on-chain memo. If all three match, the decision is authentic and timestamped.
The on-chain memo format is
AVOID.NET|v1|h:<b58-sha256>|d:<id>|t:<iso>
Find a signature on any investigation page's decision log, or run python -m src.verify_decision --signature <sig> for a CLI check.
Decision
publish · ALEX Lab
- Sequence: #1
- Score: →
- Cluster: mainnet-beta
- Slot: 423640090
- Off-chain at: 2026-06-01T17:46:53.741Z
- Anchored at: —
- Block time: —
Independent verification
- 1. Database (off-chain): Bv8jipZKqkXE4iTVGgZ5eKWzh3LUUc4BY6FMNpPTW48X
- 2. Recomputed (your browser): computing…
- 3. On-chain (Solana memo): fetching…
Canonical bytes hashed (19313 chars)
{"actor":"system:backfill","investigation_id":"25658d19-cb95-40ef-a7c2-05be94678fa1","kind":"publish","page_slug":"alexlab","published_at":"2026-06-01T17:46:53.650Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"ALEX Lab","sections":[{"content":"On May 14, 2024, ALEX Lab's cross-chain bridge infrastructure, XLink, was exploited on the BNB Smart Chain, resulting in losses of approximately $4.3 million across multiple tokens. The root cause was a compromise of the private key controlling the XLink bridge's deployer wallet, alleged to have been obtained via a phishing attack. Following the key compromise, the attacker executed five malicious proxy contract upgrades to the Bridge Endpoint contract, replacing it with unverified bytecode under their control. Within roughly one hour of the final upgrade, two mass withdrawal transactions drained 13.7 million STX tokens, plus approximately $300,000 in Bitcoin, $3.3 million in stablecoins (including sUSDT), and $75,000 in Sugar Kingdom (SKO) tokens. Approximately 3 million of the stolen STX were sent to centralized exchanges including Binance, Kraken, OKX, Bybit, and KuCoin. 
ALEX Lab confirmed it became aware of the exploit using compromised private keys on May 16, 2024.","heading":"May 2024 XLink Bridge Exploit","severity":"critical","sources":[{"credibility":1,"name":"Bitcoin DeFi Tool Alex Lab Loses $4.3M in Hack, Offers 10% Bounty for Stolen Funds","type":"news","url":"https://www.coindesk.com/business/2024/05/15/bitcoin-defi-tool-alex-lab-loses-43m-in-hack-offers-10-bounty-for-stolen-funds"},{"credibility":2,"name":"Rekt News — AlexLab","type":"news","url":"https://rekt.news/alexlab-rekt"},{"credibility":2,"name":"Taking a Closer Look at Alex Lab Exploit — Neptune Mutual","type":"news","url":"https://neptunemutual.com/blog/taking-a-closer-look-at-alex-lab-exploit/"}]},{"content":"In June 2024, ALEX Lab publicly attributed the May 2024 exploit to North Korea-backed Lazarus Group, stating there was 'substantial transaction evidence' linking the attack to the group. The investigation was facilitated by blockchain analyst ZachXBT, who traced the fund flow through three wallet addresses identified as critical to the operation. Stolen assets were ultimately routed to a Tron wallet address previously associated with Lazarus Group activity. Specifically, one address (0x418e...0c4e) was directly tied to the exploit; funds moved to a second address (0x63...BeA3), which then forwarded them to the Lazarus-linked Tron wallet. The attacker also broadcast over 11,800 STX transactions using DeFi protocols including Arkadiko, Bitflow, and Allbridge to off-ramp the stolen STX. ALEX Lab collaborated with the Singapore Police Force and international cybersecurity specialists in connection with the investigation. 
Attribution to Lazarus Group is assessed as alleged, as no formal government indictment has been publicly confirmed specifically naming this incident.","heading":"Lazarus Group Attribution","severity":"critical","sources":[{"credibility":2,"name":"Bitcoin DeFi app ALEX Lab links $4 million exploit to Lazarus Group — CryptoSlate","type":"news","url":"https://cryptoslate.com/bitcoin-defi-app-alex-lab-links-4-million-exploit-to-lazarus-group/"},{"credibility":1,"name":"Bitcoin DeFi application Alex Lab attributes $4 million exploit to North Korea's Lazarus Group — The Block","type":"news","url":"https://www.theblock.co/post/301722/bitcoin-defi-alex-lab-lazarus"},{"credibility":2,"name":"Alex Lab Blames North Korea's Lazarus Group for $4M Exploit — Coinspeaker","type":"news","url":"https://www.coinspeaker.com/bitcoin-protocol-alex-lab-lazarus-4-3-million-exploit/"},{"credibility":1,"name":"Alex Lab points to Lazarus Group after last month's $4M exploit — CoinTelegraph","type":"news","url":"https://cointelegraph.com/news/bitcoin-layer-2-alex-lab-may-exploit-lazrus-group-north-korea"}]},{"content":"Following the exploit, ALEX Lab offered the attacker a 10% bounty on the total stolen funds (approximately $430,000) in exchange for the return of 90% of assets, with a deadline of May 18, 2024 at 0800 UTC. The team stated it knew the identity of the attacker but declined to publicly disclose it. The bounty deadline passed without response from the attacker. In parallel, ALEX Lab cooperated with major centralized exchanges to freeze funds that had been deposited by the exploiter. As of May 16, 2024, Alex Labs reported freezing more than $3.9 million worth of crypto through exchange cooperation — representing a partial recovery of the total losses. 
The team simultaneously filed reports with Singapore Police Force and engaged international cybersecurity specialists.","heading":"Fund Recovery and Bounty Response","severity":"high","sources":[{"credibility":1,"name":"Alex Labs freezes $3.9M of exploited funds sent to CEXs after hack — CoinTelegraph","type":"news","url":"https://cointelegraph.com/news/alex-labs-freezes-3-9-million-exploited-funds-cexs-after-hack"},{"credibility":2,"name":"ALEX Lab Offers 10% Bounty for Return of $4.3M in Stolen Assets — CoinEdition","type":"news","url":"https://coinedition.com/alex-lab-offers-10-bounty-for-return-of-4-3m-in-stolen-assets-will-the-hacker-bite/"},{"credibility":2,"name":"Alex Labs Recovers $3.9 Million in Crypto from BNB Smart Chain Bridge Exploit — Crypto Daily","type":"news","url":"https://cryptodaily.co.uk/news-in-crypto/crypto-intelligence:alex-labs-recovers-3-9-million-in-crypto-from-bnb-smart-chain-bridge-exploit"}]},{"content":"Following the May 2024 exploit, XLink — ALEX's cross-chain bridge product — announced partnerships with Fireblocks and Ancilia to overhaul its security architecture. The new model implements a two-of-three multiparty computation (MPC) wallet arrangement for holding user assets: one key held by ALEX's Bitcoin Oracle validator network, a second by Fireblocks, and a third by Coincover as disaster recovery. XLink additionally partnered with Cobo, a digital asset custody provider, to further integrate MPC technology. Real-time threat detection and monitoring was contracted to Ancilia, a Web3 security firm, providing continuous alerts and proactive breach prevention. 
These measures were intended to prevent a repeat private-key compromise by eliminating single points of failure in key custody.","heading":"Post-Exploit Security Upgrades","severity":"medium","sources":[{"credibility":1,"name":"XLink onboards Fireblocks, Ancilia to prevent another $10M hack — CoinTelegraph","type":"news","url":"https://cointelegraph.com/news/xlink-fireblocks-ancilia-partner-10-m-hack"}]},{"content":"On June 6, 2025, ALEX Lab suffered a second major security breach, this time involving a smart contract vulnerability in the protocol's vault system rather than a bridge key compromise. According to security firm Halborn, the attacker exploited failed access controls by deploying a malicious token (ssl-labubi-672d3) containing a deceptive transfer function. The attacker called set-approved-token on the vault, which granted the malicious contract vault-level permissions. When swap-x-for-y executed, the vault called the fake transfer using as-contract, making itself appear as the token contract — bypassing access controls and enabling mass token drainage. The official loss figure reported by ALEX Lab was approximately $8.3 million, comprising 8.4 million STX, 21.85 sBTC, and several hundred thousand dollars in USDT, USDC, and wBTC; however, community estimates placed total losses as high as $16.18 million when accounting for alleged under-reported aBTC and ALEX token losses. ALEX Lab pledged full reimbursement of affected users from its own treasury. 
Reports from Chinese outlet ChainCatcher indicated customers of Shanghai Pudong Development Bank (SPD Bank) were among affected parties, and a Japanese Ministry of Foreign Affairs sanctions-evasion dossier reportedly listed both ALEX Lab and SPD Bank as entities targeted by North Korea-linked advanced persistent threat groups including Kimsuky and TraderTraitor.","heading":"June 2025 Smart Contract Vault Exploit","severity":"critical","sources":[{"credibility":2,"name":"Explained: The ALEX Protocol Hack (June 2025) — Halborn","type":"news","url":"https://www.halborn.com/blog/post/explained-the-alex-protocol-hack-june-2025"},{"credibility":1,"name":"Stacks-based Alex Lab to reimburse users after $8.3 million exploit as token drops 45% — The Block","type":"news","url":"https://www.theblock.co/post/357368/stacks-based-alex-lab-to-reimburse-users-after-8-3-million-exploit-as-token-drops-45"},{"credibility":2,"name":"Alex Lab hack reportedly hits SPD Bank clients after earlier $8.3M exploit — crypto.news","type":"news","url":"https://crypto.news/alex-lab-hack-reportedly-hits-spd-bank-clients-after-earlier-8-3m-exploit/"}]},{"content":"ALEX Lab launched on mainnet in January 2022 and positioned itself as the leading DeFi protocol in the Bitcoin ecosystem via the Stacks blockchain. Its product suite includes a decentralized exchange (DEX), liquidity pools, yield farming, a token launchpad, a Bitcoin Oracle, and the XLink cross-chain bridge. The protocol raised $5.8 million in an early funding round and received a $10 million strategic investment in March 2024. Co-founders Dr. Chiente Hsu (CEO) and Rachel Yu (COO) bring backgrounds in institutional quantitative finance from Morgan Stanley and Goldman Sachs respectively; CTO is Chan Ahn. 
Prior to the 2024 exploit, ALEX reported TVL exceeding $80 million; as of data available to DeFiLlama in mid-2025, TVL had declined substantially to approximately $822,000, reflecting the impact of successive security incidents on user confidence.","heading":"Protocol Overview and Ecosystem Position","severity":"medium","sources":[{"credibility":2,"name":"ALEX the Super App for Bitcoin is using Stacks and sBTC — Stacks.org","type":"official","url":"https://stacks.org/alex-the-bitcoin-finance-layer"},{"credibility":2,"name":"Dr. Chiente Hsu profile — IQ.wiki","type":"news","url":"https://iq.wiki/wiki/dr-chiente-hsu"},{"credibility":2,"name":"ALEX TVL and Volume — DefiLlama","type":"onchain","url":"https://defillama.com/protocol/alex"},{"credibility":3,"name":"Decoding the Stacks ecosystem leader Alex Lab — AICoin","type":"news","url":"https://www.aicoin.com/en/article/381719"}]},{"content":"XLink is ALEX Lab's cross-chain bridge product enabling asset transfers between Bitcoin, Stacks, BNB Smart Chain, and other networks. At the time of the May 2024 exploit, the bridge relied on a single deployer wallet private key with administrative authority over the Bridge Endpoint proxy contract, representing a critical single point of failure. The attacker's ability to upgrade the proxy contract to arbitrary malicious bytecode and drain funds within a single transaction session highlights the absence of multi-signature controls or time-locked upgrade mechanisms. Post-exploit, XLink adopted a two-of-three MPC key model with Fireblocks and Coincover as key custodians alongside the Bitcoin Oracle validator network. 
The bridge had accumulated over $28 million in TVL and processed more than 33,000 transactions before the exploit.","heading":"XLink Bridge Architecture and Risk Profile","severity":"high","sources":[{"credibility":1,"name":"XLink onboards Fireblocks, Ancilia to prevent another $10M hack — CoinTelegraph","type":"news","url":"https://cointelegraph.com/news/xlink-fireblocks-ancilia-partner-10-m-hack"},{"credibility":2,"name":"Rekt News — AlexLab","type":"news","url":"https://rekt.news/alexlab-rekt"}]}],"sources_used":[{"name":"Bitcoin DeFi Tool Alex Lab Loses $4.3M in Hack, Offers 10% Bounty for Stolen Funds — CoinDesk","type":"news","url":"https://www.coindesk.com/business/2024/05/15/bitcoin-defi-tool-alex-lab-loses-43m-in-hack-offers-10-bounty-for-stolen-funds"},{"name":"AlexLab — Rekt News","type":"news","url":"https://rekt.news/alexlab-rekt"},{"name":"Taking a Closer Look at Alex Lab Exploit — Neptune Mutual","type":"news","url":"https://neptunemutual.com/blog/taking-a-closer-look-at-alex-lab-exploit/"},{"name":"Bitcoin DeFi app ALEX Lab links $4 million exploit to Lazarus Group — CryptoSlate","type":"news","url":"https://cryptoslate.com/bitcoin-defi-app-alex-lab-links-4-million-exploit-to-lazarus-group/"},{"name":"Bitcoin DeFi application Alex Lab attributes $4 million exploit to North Korea's Lazarus Group — The Block","type":"news","url":"https://www.theblock.co/post/301722/bitcoin-defi-alex-lab-lazarus"},{"name":"Alex Lab Blames North Korea's Lazarus Group for $4.3 Million Exploit — Coinspeaker","type":"news","url":"https://www.coinspeaker.com/bitcoin-protocol-alex-lab-lazarus-4-3-million-exploit/"},{"name":"Alex Lab points to Lazarus Group after last month's $4M exploit — CoinTelegraph","type":"news","url":"https://cointelegraph.com/news/bitcoin-layer-2-alex-lab-may-exploit-lazrus-group-north-korea"},{"name":"Alex Labs freezes $3.9M of exploited funds sent to CEXs after hack — 
CoinTelegraph","type":"news","url":"https://cointelegraph.com/news/alex-labs-freezes-3-9-million-exploited-funds-cexs-after-hack"},{"name":"ALEX Lab Offers 10% Bounty for Return of $4.3M in Stolen Assets — CoinEdition","type":"news","url":"https://coinedition.com/alex-lab-offers-10-bounty-for-return-of-4-3m-in-stolen-assets-will-the-hacker-bite/"},{"name":"Alex Labs Recovers $3.9 Million in Crypto from BNB Smart Chain Bridge Exploit — Crypto Daily","type":"news","url":"https://cryptodaily.co.uk/news-in-crypto/crypto-intelligence:alex-labs-recovers-3-9-million-in-crypto-from-bnb-smart-chain-bridge-exploit"},{"name":"XLink onboards Fireblocks, Ancilia to prevent another $10M hack — CoinTelegraph","type":"news","url":"https://cointelegraph.com/news/xlink-fireblocks-ancilia-partner-10-m-hack"},{"name":"Explained: The ALEX Protocol Hack (June 2025) — Halborn","type":"news","url":"https://www.halborn.com/blog/post/explained-the-alex-protocol-hack-june-2025"},{"name":"Stacks-based Alex Lab to reimburse users after $8.3 million exploit as token drops 45% — The Block","type":"news","url":"https://www.theblock.co/post/357368/stacks-based-alex-lab-to-reimburse-users-after-8-3-million-exploit-as-token-drops-45"},{"name":"Alex Lab hack reportedly hits SPD Bank clients after earlier $8.3M exploit — crypto.news","type":"news","url":"https://crypto.news/alex-lab-hack-reportedly-hits-spd-bank-clients-after-earlier-8-3m-exploit/"},{"name":"ALEX the Super App for Bitcoin is using Stacks and sBTC — Stacks.org","type":"official","url":"https://stacks.org/alex-the-bitcoin-finance-layer"},{"name":"Dr. 
Chiente Hsu — IQ.wiki","type":"news","url":"https://iq.wiki/wiki/dr-chiente-hsu"},{"name":"ALEX TVL and Volume — DefiLlama","type":"onchain","url":"https://defillama.com/protocol/alex"},{"name":"Official Links — ALEX Lab Docs","type":"official","url":"https://docs.alexlab.co/resources/official-links"}],"summary":"ALEX Lab is a Bitcoin DeFi protocol built on the Stacks blockchain, offering a decentralized exchange, yield farming, cross-chain bridging via XLink, and a token launchpad. The protocol suffered two significant security incidents: a May 2024 exploit of its XLink bridge via a compromised private key (alleged to be linked to North Korea's Lazarus Group) that drained approximately $4.3 million, and a second smart contract vault exploit in June 2025 that resulted in roughly $8.3 million in losses. Despite user reimbursement pledges and post-exploit security upgrades, the repeated nature of major incidents materially reduces trust.","timeline":[{"date":"2022-01-17","event":"ALEX Lab launches on mainnet on the Stacks blockchain.","source":"AICoin — Decoding the Stacks ecosystem leader Alex Lab","source_url":"https://www.aicoin.com/en/article/381719"},{"date":"2024-03-01","event":"ALEX Lab receives $10 million strategic funding round; TVL reported above $80 million.","source":"Decoding the Stacks ecosystem leader Alex Lab — AICoin","source_url":"https://www.aicoin.com/en/article/381719"},{"date":"2024-05-14","event":"XLink bridge exploited on BNB Smart Chain via compromised private key; approximately $4.3 million drained in STX, aBTC, sUSDT, and SKO tokens.","source":"CoinDesk — Bitcoin DeFi Tool Alex Lab Loses $4.3M in Hack","source_url":"https://www.coindesk.com/business/2024/05/15/bitcoin-defi-tool-alex-lab-loses-43m-in-hack-offers-10-bounty-for-stolen-funds"},{"date":"2024-05-15","event":"ALEX Lab offers attacker a 10% bounty on stolen funds (approximately $430,000) in exchange for return of 90% of assets; deadline set for May 18.","source":"CoinDesk — 
Bitcoin DeFi Tool Alex Lab Loses $4.3M in Hack","source_url":"https://www.coindesk.com/business/2024/05/15/bitcoin-defi-tool-alex-lab-loses-43m-in-hack-offers-10-bounty-for-stolen-funds"},{"date":"2024-05-16","event":"ALEX Lab reports freezing more than $3.9 million in stolen funds via cooperation with centralized exchanges; Singapore Police Force engaged.","source":"Alex Labs freezes $3.9M of exploited funds sent to CEXs — CoinTelegraph","source_url":"https://cointelegraph.com/news/alex-labs-freezes-3-9-million-exploited-funds-cexs-after-hack"},{"date":"2024-05-18","event":"Bounty deadline passes without response from the attacker.","source":"ALEX Lab Offers 10% Bounty — CoinEdition","source_url":"https://coinedition.com/alex-lab-offers-10-bounty-for-return-of-4-3m-in-stolen-assets-will-the-hacker-bite/"},{"date":"2024-06-20","event":"ALEX Lab reveals attacker broadcast over 11,800 STX transactions to off-ramp stolen funds via Arkadiko, Bitflow, and Allbridge.","source":"Alex Lab points to Lazarus Group — CoinTelegraph","source_url":"https://cointelegraph.com/news/bitcoin-layer-2-alex-lab-may-exploit-lazrus-group-north-korea"},{"date":"2024-06-25","event":"ALEX Lab publicly attributes May 2024 exploit to Lazarus Group based on forensic analysis facilitated by ZachXBT, citing fund flows to a Tron address historically associated with the group.","source":"Bitcoin DeFi app ALEX Lab links $4 million exploit to Lazarus Group — CryptoSlate","source_url":"https://cryptoslate.com/bitcoin-defi-app-alex-lab-links-4-million-exploit-to-lazarus-group/"},{"date":"2024-07-01","event":"XLink announces security partnerships with Fireblocks and Ancilia implementing two-of-three MPC wallet custody and real-time threat monitoring.","source":"XLink onboards Fireblocks, Ancilia — CoinTelegraph","source_url":"https://cointelegraph.com/news/xlink-fireblocks-ancilia-partner-10-m-hack"},{"date":"2025-06-06","event":"ALEX Lab suffers second major exploit: smart contract vault access control 
vulnerability drained approximately $8.3 million (official figure) in STX, sBTC, USDT, USDC, and wBTC; community estimates place losses as high as $16.18 million.","source":"Explained: The ALEX Protocol Hack (June 2025) — Halborn","source_url":"https://www.halborn.com/blog/post/explained-the-alex-protocol-hack-june-2025"},{"date":"2025-06-10","event":"ALEX Lab pledges full reimbursement of affected users from its treasury; reports emerge that customers of Shanghai Pudong Development Bank (SPD Bank) were among those affected.","source":"Alex Lab hack reportedly hits SPD Bank clients — crypto.news","source_url":"https://crypto.news/alex-lab-hack-reportedly-hits-spd-bank-clients-after-earlier-8-3m-exploit/"}]},"v":1}