Full Report
Nearly 200,000 Solana coins were stolen from SwissBorg, or about 2% of its assets, according to the platform's CEO. The company pledged to pay users back.
Analysis Summary
# Incident Report: SwissBorg $41 Million Cryptocurrency Theft via Partner API Breach
## Executive Summary
The European crypto platform SwissBorg lost approximately $41 million in Solana (SOL) after an attacker compromised infrastructure at its staking partner, Kiln. The attacker gained unauthorized access to an external decentralized finance (DeFi) wallet that Kiln managed for SwissBorg's Solana staking, by way of a compromised Application Programming Interface (API) that Kiln operated for those staking transactions. SwissBorg has committed to reimbursing all affected customers (about 1% of its user base) and is working with law enforcement and blockchain-analysis firms to trace and, where possible, recover the stolen assets.
## Incident Details
- Discovery Date: Monday (implied by the report's reference to "this week" and to Kiln's confirmation of the breach; exact date not stated)
- Incident Date: Monday (when the partner-held wallet was drained)
- Affected Organization: SwissBorg (Primary customer-facing platform); Kiln (Third-party partner infrastructure provider)
- Sector: Cryptocurrency/Decentralized Finance (DeFi)
- Geography: Switzerland-based (SwissBorg), Global impact on users.
## Timeline of Events
### Initial Access
- Date/Time: Monday (Exact time not specified)
- Vector: Compromise of a cryptocurrency infrastructure partner (Kiln).
- Details: Attackers gained unauthorized access to an external DeFi wallet held by Kiln and used for Solana staking on SwissBorg's behalf. The reported root cause is a breach of the Kiln API that submitted the wallet's transactions to the Solana blockchain.
### Lateral Movement
- *Not applicable in the usual network sense: the attack went straight from API access to wallet theft.* The attacker used the compromised API's transaction privileges to issue unauthorized transfers out of the staking wallet.
### Data Exfiltration/Impact
- **Impact:** Theft of approximately 192,600 SOL, valued at over $41 million at the time of reporting, or about 2% of SwissBorg's total assets.
### Detection & Response
- **Detection:** The detection mechanism is not described; the report implies the theft was recognised once the unauthorized transfers occurred, with Kiln confirming the breach to SwissBorg.
- **Response Actions:** SwissBorg and Kiln immediately activated their incident response plan. SwissBorg paused all Solana staking transactions to prevent further impact. They engaged security partners (including Chainalysis and ZachXBT) and notified law enforcement globally.
## Attack Methodology
- **Initial Access:** Breach of the trusted third-party infrastructure provider (Kiln) and exploitation of their associated Application Programming Interface (API) used for interacting with the Solana network.
- **Persistence:** *(Not specified)*
- **Privilege Escalation:** *(Not evidenced. The compromised API pathway already carried the authority to move funds from the staking wallet, so no separate escalation step was needed.)*
- **Defense Evasion:** *(Not specified)*
- **Credential Access:** *(Not specified, the primary vector appears to be unauthorized API access leading directly to fund movement.)*
- **Discovery:** *(Not specified)*
- **Lateral Movement:** *(Not specified)*
- **Collection:** Targeted extraction of Solana funds from the compromised staking wallet.
- **Exfiltration:** Unauthorized transfer of 192,600 SOL from the partner-held wallet.
- **Impact:** Direct financial loss exceeding $41 million for pooled customer assets.
## Impact Assessment
- **Financial:** $41 million stolen (192,600 SOL). SwissBorg promised full reimbursement, leveraging internal funds.
- **Data Breach:** The report gives no indication that customer personal data was exposed; the compromise was confined to custodial/staking assets.
- **Operational:** Solana staking transactions were paused on the SwissBorg platform.
- **Reputational:** Negative public attention; required CEO communication and high-profile security partner engagement to manage customer trust.
## Indicators of Compromise
- **Network indicators:** On-chain transfers totalling approximately 192,600 SOL out of the compromised staking wallet (the source does not give the wallet or transaction addresses). SwissBorg is cooperating with exchanges globally to block onward movement of the funds.
- **File indicators:** *(None provided)*
- **Behavioral indicators:** Unauthorized withdrawal/transaction activity originating from the Kiln-managed staking wallet interface/API pathway.
## Response Actions
- **Containment measures:** SwissBorg immediately paused Solana staking transactions on its platform; the movement of the stolen funds is being tracked with the help of security partners.
- **Eradication steps:** The root cause at Kiln (the compromised API access) has reportedly been identified and addressed.
- **Recovery actions:** Working with law enforcement and exchanges worldwide to trace the stolen funds through transaction analysis and attempt recovery. Commitment to fully reimburse the affected users (about 1% of the user base) from company funds.
## Lessons Learned
- Reliance on a single third-party API for critical staking infrastructure was a single point of failure: SwissBorg's own platform was not breached, yet customer funds were lost.
- The incident response plan was activated promptly, leading to containment and a public commitment to compensate users.
- Previous exposure to cyberattacks had prepared leadership for rapid, transparent communication.
## Recommendations
- Audit every third-party API integration, especially those tied to custodial or staking operations, and enforce strong authentication and least-privilege access on each.
- Diversify staking and infrastructure partners where feasible, and require multi-signature approval so that no bulk withdrawal can be authorized by API credentials alone.
- Monitor transactions initiated through operational API keys separately from ordinary user activity, with alerting on destinations, amounts and velocity that depart from the key's normal pattern.
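The three recommendations above describe one control: an operational API key should only be able to move funds to known destinations, in bounded amounts, with anything large or unusual requiring a second signer. The following Python is an added illustration of such a policy gate, written for this page; it is not code from SwissBorg, Kiln or the report, and the key identifier, destination labels, limits and sample transfers are all constructed. The final request batch is shaped like the incident (a single very large transfer to an address the key never used) to show which check stops it.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ApiKeyPolicy:
    """Least-privilege envelope for one operational API key (hypothetical)."""
    key_id: str
    allowed_destinations: frozenset   # allow-listed destinations for this key
    per_tx_limit: float               # largest single transfer the key may move
    daily_limit: float                # per-key volume cap per day
    cosign_above: float               # amounts above this need a second signer


@dataclass
class Transfer:
    key_id: str
    destination: str
    amount_sol: float
    day: int            # simplified timestamp (day index) for the daily cap
    cosigned: bool = False


class WithdrawalGuard:
    """Evaluates transfers requested via an operational API key against its
    policy. Checks are ordered so the most decisive rejections come first;
    volume is only recorded for transfers that pass every check."""

    def __init__(self, policies):
        self.policies = {p.key_id: p for p in policies}
        self.volume = defaultdict(float)   # (key_id, day) -> SOL already approved

    def evaluate(self, tx):
        p = self.policies.get(tx.key_id)
        if p is None:
            return False, "unknown api key"
        if tx.destination not in p.allowed_destinations:
            return False, "destination not allow-listed"
        if tx.amount_sol > p.per_tx_limit:
            return False, "exceeds per-transaction limit"
        if tx.amount_sol > p.cosign_above and not tx.cosigned:
            return False, "co-signature required"
        spent = self.volume[(tx.key_id, tx.day)]
        if spent + tx.amount_sol > p.daily_limit:
            return False, "daily volume cap reached"
        self.volume[(tx.key_id, tx.day)] = spent + tx.amount_sol
        return True, "ok"


def run_sample():
    """Constructed scenario: a staking-ops key whose normal job is small,
    routine movements, followed by requests shaped like a bulk drain.
    Returns the (allowed, reason) verdict for each request in order."""
    policy = ApiKeyPolicy(
        key_id="staking-ops-key",                                # constructed
        allowed_destinations=frozenset({"POOL_A", "TREASURY"}),  # constructed labels
        per_tx_limit=5_000,
        daily_limit=20_000,
        cosign_above=1_000,
    )
    guard = WithdrawalGuard([policy])
    requests = [
        Transfer("staking-ops-key", "POOL_A", 500, day=1),                         # routine
        Transfer("staking-ops-key", "POOL_A", 2_000, day=1),                       # needs cosign
        Transfer("staking-ops-key", "POOL_A", 2_000, day=1, cosigned=True),        # cosigned
        Transfer("staking-ops-key", "ATTACKER_WALLET", 192_600, day=1, cosigned=True),
        Transfer("staking-ops-key", "TREASURY", 192_600, day=1, cosigned=True),
        Transfer("unknown-key", "POOL_A", 10, day=1),
    ]
    # "Salami" drain: five cosigned hops each under the per-tx limit; with
    # 2,500 SOL already approved today, the fifth crosses the daily cap.
    requests += [Transfer("staking-ops-key", "TREASURY", 4_000, day=1, cosigned=True)
                 for _ in range(5)]
    return [guard.evaluate(t) for t in requests]


if __name__ == "__main__":
    for verdict in run_sample():
        print(verdict)
```

The ordering matters in practice: the destination allow-list rejects the incident-shaped request before any amount or signer logic runs, so a leaked key cannot reach an attacker-controlled address at all, and the daily cap catches the attacker who instead splits a drain into many policy-sized pieces. On Solana specifically, a stake account's stake authority (delegate, deactivate) is separate from its withdraw authority; holding only the former on the operational key and the latter under multi-signature control is one concrete way to make "no bulk withdrawal on API credentials alone" a property of the chain rather than only of the guard.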