A major security flaw in the ALEX Protocol, a Bitcoin-based DeFi platform, resulted in a massive $8.3 million heist. This is the second major attack on the platform in just over a year.
How the Hack Happened
The hackers exploited a vulnerability in the protocol’s self-listing verification system. This system is designed to prevent fake or malicious assets from being added to the platform. However, the hackers bypassed this security measure, allowing them to drain several asset pools.
The stolen loot included:
- 8,403,867.57 Stacks (STX) – ~$5,691,255.93
- 21.85 sBTC – ~$2,244,751.87
- 149,850 USDC/USDT – ~$149,850
- 2.80 WBTC – ~$287,369.33
Total stolen: ~$8,373,227.13
Making Amends: Compensation Plan
ALEX Protocol developers have promised to reimburse all affected users using funds from the ALEX Lab Foundation Treasury. Compensation will be paid in USDC, based on the average value of the stolen assets at the time of the hack (June 6th, 2025, between 10:00 UTC and 14:00 UTC).
Affected users received private on-chain notifications and a claim form by June 8th, 23:59 UTC. They had until June 10th, 23:59 UTC, to submit the completed form with their receiving wallet address. Full compensation is expected within seven days of form verification. Users with questions or who haven’t received a notification should contact the team via the email address provided in their announcement.
A History of Hacks
This isn’t the first time ALEX Protocol has been targeted. In May 2024, the notorious Lazarus Group stole $4.5 million through the platform’s bridge on the BNB Smart Chain. This latest incident highlights the ongoing challenges in securing DeFi platforms.
