SwissBorg Hit by $41M Solana Theft in Kiln API Compromise

The company clarified that only 1% of users were affected and pledged full reimbursement. Meanwhile, a massive supply chain hack targeting JavaScript libraries downloaded over a billion times, but surprisingly only netted attackers less than $50 in stolen crypto. However, experts warned that the potential risks are still significant.

Hackers Steal $41M in SOL from SwissBorg

SwissBorg, a Switzerland-based crypto wealth management platform, confirmed that it suffered a security breach involving its staking partner Kiln that resulted in the theft of about 193,000 Solana tokens. The exploit targeted Kiln’s API, and drained funds from SwissBorg’s Solana Earn program which amounted to roughly $41 million at the time of the incident. Despite the scale of the hack, SwissBorg explained that its app and other Earn products were unaffected, with the vulnerability traced back to Kiln’s infrastructure rather than its own systems.

API attacks like this one exploit the software bridge that enables communication between different systems. In this case, Kiln’s API was compromised, which allowed hackers to manipulate requests and siphon tokens meant for staking on the Solana network. 

SwissBorg stated that the breach only impacted users who deposited Solana into its Earn program, which makes up about 1% of its customer base and 2% of total assets under management. CEO Cyrus Fazel addressed the issue in an X Space, and admitted that the loss was big but it did not threaten the company’s overall financial stability.

Cyrus Fazel during an X Space addressing the hack

The Solana Earn program, powered by Kiln, was designed to make staking simple for retail investors who might not want to deal with the complexities of running validator nodes or engaging directly with DeFi protocols. While the attack was a setback, SwissBorg reassured its customers that affected users will be reimbursed. The company also pointed out that its treasury reserves were strong enough to cover losses immediately and pledged to move forward with reimbursements while continuing to work with international agencies, exchanges, and white-hat hackers to trace and block stolen funds.

Blockchain data shows that the stolen assets were routed to a Solana wallet now flagged on Solscan as belonging to the “SwissBorg Exploiter.” The company advised users to avoid interacting with this address during their investigations. 

Fazel described the incident as “a bad day for SwissBorg,” but one that will ultimately serve as a learning experience. Despite the disruption, SwissBorg said daily operations remain unaffected, and its broader suite of crypto yield products is still intact.

$50 Lost in Supply Chain Hack

Meanwhile, hackers have managed to steal less than $50 worth of crypto in what researchers are calling a massive supply chain attack targeting JavaScript software libraries. According to security intelligence platform Security Alliance, attackers broke into the node package manager (NPM) account of a well-known developer and inserted malware into popular libraries downloaded more than a billion times. The breach specifically targeted Ethereum and Solana wallets, but so far the actual damage has been minimal.

Security Alliance revealed that the only malicious address it has identified, an Ethereum wallet labeled “0xFc4a48,” received just a handful of tokens including ETH and several meme coins like Brett, Andy, Dork Lord, Ethervista, and Gondola. Initially, the value of the compromised funds was reported at just five cents, before climbing to around $50 as more small transfers were detected. The relatively tiny haul prompted Security Alliance to say that hackers squandered what could have been one of the most damaging supply chain exploits in the industry’s history.

The attack involved packages like chalk, strip-ansi, and color-convert, which are deeply embedded in the dependency chains of countless projects. This means even developers who never installed the compromised packages directly may still be exposed if their projects depend on them indirectly. The malware that was planted appears to be a crypto-clipper, which is designed to silently swap out wallet addresses during transactions to siphon funds.

Despite the low dollar impact so far, experts are urging caution. Ledger’s chief technology officer Charles Guillemet advised users to carefully verify on-chain transactions, but Ledger confirmed its hardware devices were not directly affected. 

Meanwhile, 0xngmi, founder of DeFiLlama, mentioned that only crypto projects that updated after the malicious NPM code was pushed are at risk, and even then, users would need to approve the compromised transactions for funds to be taken. Still, he thinks that users may want to avoid interacting with crypto websites until developers confirm that their platforms are no longer relying on infected libraries.

Although the outcome so far seems like a missed opportunity for attackers, the sheer scale of the breach shed some light on the fragility of supply chain security in open-source software and how deeply even small libraries are integrated into critical crypto infrastructure.