A version of this article appeared in our The Decentralised newsletter on September 9. Sign up here.
GM, Tim here.
DeFi is reeling from a supply chain attack that targeted crypto wallets.
On Monday it was revealed that hackers have poisoned JavaScript packages with crypto-stealing malware. Those packages were collectively downloaded more than 2.6 billion times last week, potentially threatening millions of users worldwide.
Now, DeFi protocols and wallet providers are scrambling to reassure users that they’re not at risk.
The incident highlights how much of DeFi’s $204 billion ecosystem is vulnerable to an unexpected point of failure — an Achilles heel, if you will.
It comes as cybercriminals have stolen $2.2 billion from crypto protocols this year, a 77% uptick from the total amount stolen throughout 2024, according to DefiLlama.
Blockchain developers go to great lengths to ensure their networks are truly decentralised and distributed. After all, much of the value of blockchain technology comes from its resilience to single points of failure that are the bane of more centralised systems.
Yet the years of honing decentralised systems were made largely irrelevant when the developer who maintains over a dozen popular JavaScript packages, which most of DeFi relies on, fell victim to a phishing hack.
To be sure, the compromises didn’t cause any critical failures. But it certainly gave users a scare and slowed things down temporarily.
The hackers updated the JavaScript packages after taking control, injecting malicious code able to hijack network traffic. The goal was to wait for users to send crypto transactions and then use the code to redirect funds to the hacker’s wallet, according to an analysis by Aikido Security.
It’s similar to how North Korean hackers targeted Bybit in February, stealing $1.4 billion from the crypto exchange.
Like the Bybit hack, the malicious code only impacts individuals accessing the compromised applications over the web. So as long as users don’t send any transactions until they get the all clear from DeFi protocols and wallet providers, they’re not at risk.
Despite the hack being potentially the largest supply chain attack in history, the attackers have only stolen a minimal amount so far.
An Ethereum address believed to belong to the hackers has only received around $500 worth of crypto so far, according to Arkham Intelligence.
“The biggest financial impact of this entire incident will be the collective thousands of hours spent by engineering and security teams around the world working to clean compromised environments,” Security Alliance, a crypto security nonprofit, said in a blog post.
