
Yet another cryptocurrency theft has underscored the fact that cybercriminals are not above targeting even the smallest of projects when a quick profit is within reach. This time, the victim was UPCX, a blockchain-based payment platform that fell prey to a vulnerability within its smart contracts.
The first signs of suspicious transactions were reported by analysts at Cyvers. Almost immediately thereafter, the UPCX team confirmed unauthorized activity, specifying that the incident involved their administrative account. However, the developers withheld further details regarding the breach.
According to Cyvers, unknown actors gained access to one of the project’s cryptocurrency wallets and altered the ProxyAdmin contract. The attackers then executed the withdrawByAdmin
function, enabling them to siphon off 18.4 million UPC tokens—equivalent to approximately $74 million. The stolen funds were withdrawn from three separate administrative accounts.
In response, the platform temporarily suspended all deposits and withdrawals, while assuring users that customer assets allegedly remained secure and unaffected. The team promised to release additional information in due course, though no follow-up statements have been issued since the initial announcement.
The UPC token is a low-cap asset, currently holding a market capitalization of just $16.7 million. According to CoinGecko, it ranks 1,153rd among cryptocurrencies, with a daily trading volume slightly exceeding $1 million. This means that any attempt to rapidly liquidate the stolen funds would cause the token’s price to plummet almost instantaneously.
Strikingly, only about 0.5% of UPC tokens are in public circulation. Thus, the value of the stolen assets is roughly four times greater than the project’s entire market capitalization, rendering the incident particularly absurd.
Despite the scale of the exploit, the market reacted with surprising composure. Following a brief price dip, UPC not only recouped its losses but even posted a 2% gain within 24 hours. It remains unclear who is driving this trading activity—some speculate that the UPCX team may be purchasing the token themselves in an effort to stabilize its value.
The lack of transparency and the developers’ half-hearted response cast serious doubt on the project’s resilience. Moreover, the incident serves as yet another stark reminder of the inherent fragility of smaller crypto systems—especially those that allow administrative functions to be executed without adequate safeguards.