Vercel Hacked: DeFi Frontends Threatened by a $2 Million Ransom

📋 En bref (TL;DR)

  • Vercel, the platform hosting the majority of DeFi interfaces (Uniswap, Aave, SushiSwap…), was hacked via a supply chain attack through Context.ai, an AI tool used by an employee. The attackers demand $2 million and threaten to sell source code, API keys, and data from 580 employees. No DeFi fund theft has been confirmed so far, but crypto projects are scrambling to rotate their credentials.

The attack: 22 months of infiltration via a compromised AI tool

On April 19, 2026, Vercel publicly disclosed that unauthorized actors had accessed its internal systems. But the story starts much earlier — roughly 22 months before discovery.

The attack followed a four-stage compromise chain:

  1. February 2026: a Context.ai employee (an AI productivity tool) gets infected with Lumma Stealer malware after downloading Roblox cheat scripts. The malware harvests their Google Workspace credentials, Supabase and Datadog keys.
  2. Malicious Chrome extension: the attacker installs a Chrome extension requesting full read access to the victim’s Google Drive files.
  3. Pivot to Vercel: a Vercel employee had connected their professional Google account to Context.ai with “Allow All” permissions. The attacker uses the compromised OAuth token to access their account — without needing their password (OAuth tokens survive password resets).
  4. Lateral movement: from the employee’s account, attackers access Vercel’s internal systems and enumerate customer environment variables.

What was stolen: API keys, source code, employee data

According to data posted on BreachForums by an actor claiming affiliation with the ShinyHunters group (attribution disputed — the actual group denies involvement), the haul includes:

  • Customer environment variables (API keys, GitHub tokens, database URLs) — only those not flagged as “sensitive”
  • Portions of Vercel’s source code
  • 580 employee records
  • Screenshots of internal tools (Linear, enterprise dashboard)
  • Database access credentials

Asking price: $2 million in Bitcoin.

A critical point: Vercel confirms that npm packages were not compromised. Next.js, Turbopack, and all open-source projects were audited and declared safe. Variables explicitly marked as “sensitive” (encrypted at rest) were also not accessed.

The design flaw: “non-sensitive” variables by default

The core issue is a Vercel design choice: by default, environment variables are stored in plaintext. Developers must manually toggle a “sensitive” option to enable encryption.

In practice, most developers add their DATABASE_URL, API_KEY, STRIPE_SECRET_KEY without thinking about it. Result: thousands of secrets were exposed. One customer reported that an OpenAI API key stored exclusively on Vercel triggered a leaked-credential alert on April 10 — nine days before the official disclosure.

Vercel has since reversed the default behavior: new variables are now automatically flagged as “sensitive.”

Why DeFi is particularly exposed

Vercel is the dominant hosting platform for Web3 frontends. Uniswap, SushiSwap, Compound, Aave, and most major DeFi protocols deploy their frontends on Vercel using Next.js.

These interfaces typically store critical credentials in environment variables:

  • Blockchain RPC endpoint keys (Alchemy, Infura, QuickNode)
  • Authentication secrets (NEXTAUTH_SECRET, JWT signing keys)
  • Database connection strings
  • Third-party API keys

The nightmare scenario, described by Protos: if an attacker obtains GitHub tokens or deployment credentials for a DeFi project, they could push malicious code to the frontend, trigger automatic redeployment, and inject a wallet drainer. Every user connecting their wallet would unknowingly sign fraudulent transactions.

Vercel and the ecosystem respond

Vercel CEO Guillermo Rauch posted a detailed thread confirming the attack chain and naming Context.ai as the compromised third party. He notably stated:

“We believe the attacking group to be highly sophisticated and, I strongly suspect, significantly accelerated by AI. The attacker moved with surprising velocity and in-depth understanding of Vercel’s systems.”

Vercel has engaged Mandiant (Google’s cybersecurity subsidiary) and is collaborating with GitHub, Microsoft, npm, and law enforcement.

Crypto project responses:

  • Orca (Solana DEX): confirmed Vercel hosting, rotated all deployment credentials
  • Jupiter (Solana aggregator): log audit completed, precautionary key rotation
  • Cork Protocol: CTO publicly called on users to “stop interacting with any DeFi application” hosted on Vercel

AI as an attack accelerator: a troubling precedent

Rauch’s statement about likely AI-assisted attackers marks a turning point. It’s the first time a major tech platform CEO has publicly raised AI acceleration of a cyberattack during an active breach disclosure.

The irony is twofold: an AI tool (Context.ai) created the initial attack surface, and AI likely helped the attackers navigate Vercel’s systems with unusual efficiency. The entry vector — an employee granting OAuth permissions to an AI productivity tool — illustrates the paradox of enterprise AI adoption: every connected tool is a potential entry point.

Timeline: supply chain attacks against DeFi

The Vercel incident joins a series of attacks targeting user interfaces rather than smart contracts:

  • December 2021 — BadgerDAO: attacker obtains Cloudflare API key, replaces frontend → $120M stolen
  • August 2022 — Curve Finance: DNS hijacked, users redirected to clone site with wallet drainer
  • December 2023 — Ledger Connect Kit: ex-employee phished, malicious npm versions published → $600K+ stolen
  • December 2024 — @solana/web3.js: versions 1.95.6-1.95.7 compromised, private keys exposed
  • April 2026 — Vercel/Context.ai: OAuth supply chain attack → environment variable exfiltration

The trend is clear: smart contracts are becoming more robust, but the frontend remains the weak link. Protocols are decentralized, but the interfaces users actually interact with rely on centralized cloud infrastructure.

How to protect yourself as a DeFi user

While the investigation continues, here are essential precautions:

  • Verify transactions before signing: read transaction details carefully in your wallet, not just on the website interface
  • Revoke unnecessary approvals: use Revoke.cash to remove old or unused spending authorizations
  • Use non-custodial wallets with local transaction validation — even if the frontend is compromised, your wallet will show the real transaction details
  • Use a hardware wallet for significant amounts: physical signing adds a verification layer
  • Monitor security announcements from the protocols you use
Glossary
Supply chain attack
An attack targeting a third-party vendor or component to reach the final target. Here, Context.ai was compromised to access Vercel, which hosts hundreds of DeFi projects.
Environment variables
Configuration parameters (API keys, passwords, database URLs) stored on the server and used by applications. Their leak can give full access to connected services.
OAuth
An authorization protocol allowing a third-party app to access an account without sharing the password. OAuth tokens persist even after password changes.
Wallet drainer
Malicious code injected into a web interface that tricks users into signing transactions that empty their crypto wallet to the attacker’s address.
Frontend
The user interface of a web application — the visible, interactive part. In DeFi, the frontend is often centralized (hosted on Vercel, Cloudflare) even when the underlying protocol is decentralized.
Mandiant
Google’s cybersecurity subsidiary, specialized in incident response and investigation of major cyberattacks.

Frequently Asked Questions

Are my DeFi funds at risk after the Vercel hack?

No DeFi fund theft has been directly linked to the Vercel breach so far. The main threat is theoretical: if attackers obtained GitHub tokens or deployment credentials from DeFi projects, they could potentially inject malicious code into interfaces. Major projects (Orca, Jupiter) have completed precautionary key rotations.

How did the Vercel hack start?

The attack began when a Context.ai employee (AI tool) was infected with Lumma Stealer malware, downloaded via Roblox cheat scripts. The attacker then used a compromised OAuth token to access the Google account of a Vercel employee who had connected Context.ai with full permissions.

Which crypto projects are hosted on Vercel?

The majority of major DeFi interfaces use Vercel: Uniswap, SushiSwap, Compound, Aave, Orca, Jupiter, and hundreds more. Vercel is the dominant hosting platform for Next.js applications, the most popular framework for Web3 interfaces.

What should I do if I use DeFi protocols hosted on Vercel?

Carefully verify every transaction before signing in your wallet. Revoke unused spending approvals via Revoke.cash. Use a hardware wallet for significant amounts. Monitor security announcements from the protocols you use. If a project announces a key rotation, that’s a good sign.

Why are DeFi frontends the weak link?

Smart contracts (on-chain protocols) are decentralized and audited, but user interfaces are hosted on centralized cloud infrastructure (Vercel, Cloudflare, AWS). A hosting server hack can allow injection of malicious code that users execute believing they’re interacting with the real protocol.

The simplest way to buy, swap and manage your crypto

Join the first users and get priority access. No seed phrase, fees 3.5x lower, built-in DeFi yield.

Get early access →