On February 26, 2026 – The Vietnam-based DeFAI Holdstation smart wallet project (built on Worldcoin and BNB Chain) confirmed it was a victim of a serious supply chain attack in the early morning of February 25, 2026. The total loss recorded is 462,000 USDT.
This is the project’s second security incident in 2026, after losing approximately $100,000 in January.
Supply Chain Attack: Not Targeting Smart Contracts but Infrastructure
According to official statements, the hacker did not directly breach user wallets or smart contracts. Holdstation and the auditing firm Verichains confirmed that the smart contracts remain secure.
Instead, the attacker targeted the application distribution infrastructure – the platform that provides updates to users.
Specifically, the hacker:
After gaining control of the infrastructure, the attacker modified the JavaScript files in the official app version, inserting malicious code as a backdoor. Users updating the app inadvertently installed the infected version.
“Silent” Withdrawal Mechanism
The malicious code is designed to activate immediately after installation:
As a result, many wallets were drained within the first few minutes after the malicious update was released.
Holdstation’s Emergency Response Within 30 Minutes
According to the timeline released (UTC+7):
Subsequently, Holdstation coordinated with Verichains to analyze on-chain data and gather evidence for the investigation.
The current confirmed total loss is 462,000 USDT.
100% Refund Commitment to Users
Holdstation commits to fully reimburse affected assets. Users are required to fill out the official form at:
https://forms.gle/9FriUzFWHx6ZPXCS7
The team will verify on-chain ownership and authenticate wallets before issuing refunds. The project emphasizes that no seed phrase, private key, or any fees are required during the reimbursement process.
Security Lessons for the Industry
The incident shows that even if smart contracts are secure, vulnerabilities in the software distribution infrastructure can cause significant losses. This type of attack is a supply chain attack – where hackers infiltrate the “entry point” of the product rather than attacking users directly.
Holdstation stated it is upgrading its entire release process, including:
This incident has attracted significant attention from the Vietnamese crypto community, as Holdstation is one of the DeFi wallet projects based in Ho Chi Minh City.
The project promises to continue updating the investigation progress in the coming days.
Vương Tiễn
Disclaimer: The information on this page may come from third parties and does not represent the views or opinions of Gate. The content displayed on this page is for reference only and does not constitute any financial, investment, or legal advice. Gate does not guarantee the accuracy or completeness of the information and shall not be liable for any losses arising from the use of this information. Virtual asset investments carry high risks and are subject to significant price volatility. You may lose all of your invested principal. Please fully understand the relevant risks and make prudent decisions based on your own financial situation and risk tolerance. For details, please refer to
Disclaimer.
Related Articles
When even I cannot prove that I'm not an AI, forensic experts recommend: set up a secret code with family and friends.
BBC reporter Thomas Germain's experiment shows that AI deepfake technology is now difficult to distinguish, with digital forensics expert Hany Farid claiming it's "finished." Even when experts verify a video's authenticity, people may still doubt it. As AI fraud cases surge, especially in crypto markets, the cost of verifying authenticity is high, while creating doubt has become low-cost. Ultimately, the recommendation is to return to old methods: using cryptographic signatures to enhance trust.
動區BlockTempo35m ago
Distributed Shenbo: Set Bounty to Recover Approximately $42 Million Stolen Three Years Ago
Shen Bo, founder of Distributed Capital, had his personal wallet compromised in November 2022, resulting in losses of approximately $42 million. After three years of tracking, the team has obtained key leads and is publicly soliciting information from those who can provide clues, offering rewards of 10%-20% based on contributions. Approximately $1.2 million in assets has been frozen so far, and the team has expressed gratitude to individuals and teams who have continuously provided assistance.
BlockBeatNews2h ago
Distributed Capital Founder Bo Shen: Lost $42 Million from Personal Wallet Theft in 2022, Now Offering 10%-20% Bounty for Information
Distributed Capital founder Bo Shen recently publicly solicited leads regarding the theft of his personal wallet and established a bounty mechanism. His wallet was compromised in November 2022, resulting in losses of approximately $42 million. The bounty program is open to all individuals and institutions, with reward ratios of 10%-20% of recovered funds.
GateNews2h ago
Google Sets 2029 Target for Post-Quantum Cryptography Migration, Six Years Ahead of Government Goal, Crypto Industry Must Keep Pace
Google announced 2029 as the deadline for completing post-quantum cryptography migration across all products, six years ahead of the U.S. government's 2035 target. Quantum computing poses a threat to current cryptographic methods, with major blockchains adopting different response strategies. The Bitcoin community holds divided views on the risks, while Ethereum plans to provide corresponding protections by 2029. Time is tight, and industry action needs to accelerate.
動區BlockTempo2h ago
Polymarket Suspected Insider Trading: 6 "Mystery Wallets" Bet on US-Iran Ceasefire
Recently, six wallets on Polymarket precisely built positions before the U.S. attack on Iran and profited $1.2 million, then continued betting on Iranian nuclear facilities, and later coordinated a $100,000 bet predicting a U.S.-Iran ceasefire. This series of transactions has raised market concerns about information advantages and highlighted a trust crisis in prediction markets. Changes in market participant behavior reflect worries about insider trading, and the conflict between transparency and anonymity makes it difficult to trace responsibility.
MarketWhisper3h ago
Resolv Foundation suspends Season 4 airdrop claims and RESOLV token staking functions
Gate News: On March 25, Resolv Foundation announced that due to recent security incidents involving Resolv Labs' stablecoin USR, both the protocol and applications have been suspended. Season 4 airdrop claiming functionality is temporarily unavailable, and staking and unstaking functions for RESOLV tokens are also temporarily unavailable. Once the protocol recovery plan is finalized and the application can be safely used again, the relevant functions will be restored.
GateNews14h ago
