La plateforme d'hébergement cloud Vercel a été piratée ! Les hackers demandent 2 millions de dollars en rançon, ce qui pourrait mettre en danger la sécurité des projets cryptographiques.

Vercel cloud platform hacked due to third-party AI tool hijacking, hackers demand 2 million USD ransom for confidential data.
Since most cryptocurrency projects rely on its frontend deployment, this incident could pose a significant security risk of tampering.

Vercel cloud hosting platform compromised, crypto projects also rely on it

Vercel, a cloud hosting and deployment infrastructure platform, has confirmed that some internal systems were accessed without authorization, affecting a small number of customers.

Vercel offers serverless functions, edge computing, and continuous integration and deployment pipelines, and is well-known for the widely used React framework Next.js.
Many blockchain and cryptocurrency projects also depend on Vercel to deploy their front-end interfaces.

Vercel CEO Guillermo Rauch explained on social platform X that the cause of this hacking incident was an issue with a third-party AI tool, Context.ai. A Google Workspace account of a Vercel employee was hijacked during a data leak incident on that AI platform, and the attacker subsequently used the account’s permissions to access Vercel’s internal environment.

All customer environment variables on Vercel are encrypted when static, and there is also a feature to designate variables as non-sensitive.
The hackers obtained unencrypted, non-sensitive environment variables through enumeration.

Image source: Vercel official website
Vercel is a cloud hosting and deployment infrastructure, and many blockchain and crypto projects also rely on it to deploy front-end interfaces.

Hackers demand 2 million USD ransom for stolen data

Security media “Bleepingcomputer” reported that a member claiming to be from the hacker group ShinyHunters posted on the hacking forum BreachForums, claiming to have obtained internal Vercel data and offering a ransom of 2 million USD.

The stolen data displayed by the hackers includes access keys, source code, database records, and internal deployment API keys for NPM and GitHub, as well as 580 names, emails, account statuses, and activity timestamps of Vercel employees.

Image source: BreachForums
Hackers demand 2 million USD to sell the stolen data

However, members of the core ShinyHunters organization have denied involvement in this Vercel attack, though the group previously attacked Rockstar, the developer of the GTA game series.

• Related report: GTA6 developer hacked! Hackers: Leak player data if not paid by 4/14, how did R star respond?

Vercel recommends comprehensive review for customers

In response to this hacking incident, Vercel has hired external cybersecurity experts and reported to law enforcement, while also releasing updates to strengthen security management.

Vercel strongly advises administrators to check activity logs for suspicious behavior, and urges Google Workspace admins to immediately verify if any compromised OAuth applications are installed.

The company also recommends customers to review and replace environment variables, and enable sensitive variable features to ensure data is protected with static encryption.

Impacts of Vercel hack on crypto projects

This incident poses a major risk to the cryptocurrency industry.
According to “The Block,” blockchain projects often deploy wallet interfaces, decentralized exchange (DEX) front-ends, and dApp dashboards on Vercel.

If blockchain projects store private RPC endpoints, third-party API keys, or wallet-related secrets in non-sensitive environment variables, these secrets are now very likely to have been leaked.

Notable figures in the developer community, such as Theo Browne, also posted that sources indicate the most severe impact was on Vercel’s internal integrations with Linear and GitHub.

Image source: X / Theo Browne

Past security issues in the crypto front-end space have been frequent, including incidents involving CoW Swap, Aerodrome, and Velodrome projects, which have experienced domain hijacking.
These attacks typically redirect visitors to phishing sites to steal assets.

“The Block” pointed out that this hacking incident occurred at the hosting and deployment layer, opening a new attack surface and bypassing domain system monitoring.
In the worst case, attackers could directly tamper with the actual built front-end output of projects.

Further reading:
CoW Swap DNS hijacking attack! Estimated user losses in the millions of USD, official advice: avoid using the front-end webpage