The DeFi protocol said it had identified the attacker.
The stolen funds have been frozen by major exchanges.
Bitcoin DeFi application ALEX Lab was drained of over $4.3 million in various tokens early Wednesday after a suspected private key compromise attacked its bridging service.
Security researchers CertiK said the attackers likely caught hold of a private key that controlled ALEX’s XLink bridge, a service that lets users transfer tokens between different blockchains. The hacker transferred over $300,000 worth of bitcoin (BTC), $3.3 million worth of stablecoins and $75,000 worth of Sugar Kingdom (SKO) tokens.
ALEX developers confirmed the hack in an X post in early European hours, claiming they knew the identity of the attacker. The team offered them a 10% bounty for the return of 90% of the stolen funds.
“ALEX Lab Foundation has identified the individual responsible for the recent security breach and is offering a resolution through a bounty arrangement,” the developers said. “ALEX assures that upon compliance, there will be no further pursuit or law enforcement involvement. This offer stands until May 18 at 0800 UTC.”
Funds associated with the hacker have been frozen by major exchanges to prevent further misuse, the team said.
Private key compromises are among hackers’ most common attack vectors. Some of the biggest crypto hacks, such as Ronin’s $650 million drain in 2022 and Harmony’s $100 million hack in the same year, were the result of poor private key security.