Pay attention to the signed content! Vercel hacked and hit with a $2 million extortion demand, and front-end security raises a red flag for crypto protocols


Cloud development platform Vercel was hacked on April 19. The attackers gained access through a third-party AI tool used by employees and are apparently offering the stolen data for sale publicly on a forum, with an asking price as high as 2 million USD. Because many crypto projects deploy their wallet interfaces and dApp front ends on Vercel, the incident has also raised concerns across the crypto community.

Attack source: OAuth application of an employee's third-party AI tool compromised

In an official security bulletin, Vercel said that a Google Workspace OAuth application belonging to Context.ai, the third-party AI tool used by an employee, was compromised. The attackers used it to hijack that employee’s Google Workspace account and then reach Vercel’s internal data.

Vercel CEO Guillermo Rauch revealed in a post on X that the attack may affect hundreds of organizations that use the same tool, not just Vercel.

Rauch described the hackers’ attack plan as “highly sophisticated,” and suspects they used AI to significantly enhance the intrusion efforts, showing a deep understanding of Vercel’s internal architecture. At present, Google-owned cybersecurity firm Mandiant is assisting with the investigation, and Vercel has also notified relevant law enforcement agencies.

Purported members of hacking organization post $2 million extortion demand

Vercel said that sensitive data is stored in an encrypted form and was not accessed; however, other data not labeled as “sensitive” may have been read and used by the attackers.

A screenshot of a forum post circulating on Telegram

A person claiming to be associated with the hacking organization ShinyHunters posted on the cybercrime forum BreachForums, saying they had obtained Vercel’s API keys, NPM tokens, GitHub tokens, source code, and internal database contents, and released about 580 employees’ data as “proof” of a breach, including employees’ names, company email addresses, account statuses, and activity times.

ShinyHunters denies involvement; the truth behind the extortion negotiations is unclear

Oddly, although the poster claimed to be from ShinyHunters, the organization has already publicly denied participating in this incident, leaving the attackers’ true identity unclear.

The attackers also claimed they had contacted Vercel through Telegram about the $2 million ransom and demanded that 500k USD in Bitcoin be paid first to retrieve some of the data, but Vercel has not confirmed this.

Crypto protocols flash red: front-end supply chain becomes a new attack surface

The impact of the Vercel incident on the crypto space should not be underestimated. A large number of decentralized exchange (DEX) and wallet front-end interfaces, as well as dApp dashboards, are deployed on Vercel. If a relevant crypto project’s private RPC endpoints, third-party API keys, or wallet-related sensitive secrets are stored in data not labeled as “sensitive,” then this information could be leaked.

For context, a lot of DeFi is hosted on Vercel and crypto users are a prime target for such an attack.

If you need to use DeFi in this time of crisis, verifying what you sign is of utmost importance! You can also use .eth.limo (just hacked but back up and running) or IPFS frontend…

— Pybast (@Pybast) April 19, 2026

In simple terms, attackers could in theory tamper directly with a project’s website and interface and lure users into clicking and signing malicious contracts. Unlike redirecting a domain to a phishing website, this would fully bypass monitoring and protection at the DNS layer. So far, there has been no reported incident involving any protocol, but security teams across the industry have already listed it as a potential severe risk.

In fact, front-end security issues in the crypto space have long been a persistent problem for the industry. Last week, DEX CoW Swap suspended trading due to a domain hijacking incident. Aerodrome and Velodrome were also hit by DNS hijacking attacks in November last year.

Vercel rolls out data updates, urging users to immediately replace their keys

Vercel said the company’s services are currently operating normally and the investigation is still ongoing, while also updating its data management dashboard. The company strongly recommends that all users immediately conduct a comprehensive review of existing data, replace keys for all data not labeled as “sensitive,” and enable the platform’s sensitive variables feature to ensure that related credentials are stored in an encrypted form.
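
A triage sketch for the review recommended above, as an added example that is not from Vercel or the original article: it takes an inventory of environment variables and lists the ones that look like credentials but are not marked sensitive, so they can be rotated first. The record layout (`project`, `key`, `type`), the `type` values, the name patterns and the sample inventory are assumptions constructed for illustration.

```python
import re

# Name fragments that usually indicate a credential. The list is an assumption
# built from the secret types the article mentions (API keys, NPM/GitHub tokens,
# private RPC endpoints, wallet-related secrets); extend it for your projects.
CREDENTIAL_HINTS = re.compile(
    r"(SECRET|TOKEN|API_?KEY|PASSWORD|PRIVATE|MNEMONIC|RPC_URL|DATABASE_URL|WEBHOOK)",
    re.IGNORECASE,
)
# Prefixes that front-end frameworks inline into the browser bundle. Values
# under these names are public by design, so the sensitive flag cannot help.
PUBLIC_PREFIXES = ("NEXT_PUBLIC_", "VITE_", "REACT_APP_")


def triage(env_vars):
    """Return (rotate_now, exposed_in_bundle, review) lists of 'project/key'."""
    rotate_now, exposed, review = [], [], []
    for var in env_vars:
        label = f"{var['project']}/{var['key']}"
        looks_secret = bool(CREDENTIAL_HINTS.search(var["key"]))
        if var["key"].startswith(PUBLIC_PREFIXES):
            if looks_secret:
                exposed.append(label)  # credential-like name shipped to visitors
            continue
        if var.get("type") == "sensitive":
            continue  # already stored under the sensitive flag
        # Everything else was readable as ordinary data: rotate the
        # credential-like ones first, then review the remainder by hand.
        (rotate_now if looks_secret else review).append(label)
    return rotate_now, exposed, review


# Constructed inventory (hypothetical projects and variable names).
SAMPLE = [
    {"project": "dex-frontend", "key": "MAINNET_RPC_URL", "type": "encrypted"},
    {"project": "dex-frontend", "key": "GITHUB_TOKEN", "type": "sensitive"},
    {"project": "dex-frontend", "key": "NEXT_PUBLIC_CHAIN_ID", "type": "plain"},
    {"project": "dex-frontend", "key": "NEXT_PUBLIC_MAPS_API_KEY", "type": "plain"},
    {"project": "wallet-ui", "key": "NPM_TOKEN", "type": "plain"},
    {"project": "wallet-ui", "key": "FEATURE_FLAGS", "type": "plain"},
]

if __name__ == "__main__":
    rotate, exposed, review = triage(SAMPLE)
    print("rotate first:", rotate)
    print("credential-like name in public bundle:", exposed)
    print("review manually:", review)
```

Name matching only sets the rotation order; the recommendation above covers every value not marked sensitive, so the `review` list still has to be worked through.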

This article, “Pay attention to the signed content! Vercel hacked and extorted 2 million USD; front-end security warning lights up for crypto protocols,” first appeared on Chain News ABMedia.
