Cloud hosting platform Vercel has been hacked! The hacker is demanding a 2 million dollar ransom, which could endanger the security of crypto projects.


Vercel cloud platform hacked due to third-party AI tool hijacking, hackers demand 2 million USD ransom for confidential data.
Since most cryptocurrency projects rely on its frontend deployment, this incident could pose a significant security risk of tampering.

Vercel cloud hosting platform compromised, crypto projects also rely on it

Vercel, a cloud hosting and deployment infrastructure platform, has confirmed that some internal systems were accessed without authorization, affecting a small number of customers.

Vercel offers serverless functions, edge computing, and continuous integration and deployment pipelines, and is well-known for the widely used React framework Next.js.
Many blockchain and cryptocurrency projects also depend on Vercel to deploy their front-end interfaces.

Vercel CEO Guillermo Rauch explained on social platform X that the cause of this hacking incident was an issue with a third-party AI tool, Context.ai.
A Vercel employee’s Google Workspace account was hijacked during a data leak incident on that AI platform, and the attacker subsequently used the account’s permissions to access Vercel’s internal environment.

All customer environment variables on Vercel are fully encrypted at rest, but there is also a feature to designate variables as non-sensitive.
The hackers used enumeration to obtain the unencrypted, non-sensitive environment variables.

Image source: Vercel official website
Vercel is a cloud hosting and deployment infrastructure, and many blockchain and crypto projects also rely on Vercel to deploy front-end interfaces.

Hackers demand 2 million USD ransom for stolen data

Security media outlet BleepingComputer reported that someone claiming to be a member of the hacker group ShinyHunters posted on the hacking forum BreachForums, claiming to have obtained internal Vercel data and demanding a ransom of 2 million USD.

The stolen data displayed by the hackers includes access keys, source code, database records, and internal deployment API keys for NPM and GitHub,
and even 580 records of Vercel employees’ names, emails, account statuses, and activity timestamps.

Image source: BreachForums
Hacker group ShinyHunters members deny involvement in the Vercel attack
However, members of the core ShinyHunters organization have denied participating in this Vercel incident,
though they previously attacked Rockstar, the developer of the GTA game series.


Vercel recommends comprehensive review for customers

In response to this hacking incident, Vercel has hired external cybersecurity experts, reported to law enforcement, and launched updates to strengthen security management.

Vercel strongly advises administrators to check activity logs for suspicious behavior, and urges Google Workspace admins to immediately verify if any compromised OAuth applications are installed.

The company also recommends that customers thoroughly review and replace environment variables, and enable the sensitive variables feature so that data is protected with encryption at rest.

Impact of Vercel hack on crypto projects

This incident poses a significant risk to the cryptocurrency industry. According to The Block, blockchain projects often deploy wallet interfaces, decentralized exchange (DEX) front-ends, and dApp dashboards on Vercel.

If blockchain projects store private RPC endpoints, third-party API keys, or wallet-related secrets in non-sensitive environment variables, these secrets are now highly likely to have been leaked.
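The review recommended above can start with a triage of which variables to replace first. The following is an added example, not code from Vercel or from this article: it scans a constructed export of environment variables and flags those not stored as sensitive whose name or value looks like a credential. The `{key, sensitive, value}` record shape, the name patterns and the entropy threshold are assumptions of this sketch.

```javascript
// Added example. The {key, sensitive, value} record shape is a constructed
// export format assumed for this sketch, not Vercel's API schema.
const SECRET_NAME = /(SECRET|TOKEN|PASSWORD|PRIVATE|MNEMONIC|API_?KEY|RPC|DATABASE_URL)/i;
const PUBLIC_PREFIX = /^NEXT_PUBLIC_/; // Next.js inlines these into the browser bundle
const URL_CREDS = /^[a-z][a-z0-9+.-]*:\/\/[^\/\s:@]+:[^\/\s@]+@/i; // scheme://user:pass@host

// Shannon entropy in bits per character.
function entropy(s) {
  const counts = {};
  for (const ch of s) counts[ch] = (counts[ch] || 0) + 1;
  return Object.values(counts).reduce((h, n) => h - (n / s.length) * Math.log2(n / s.length), 0);
}

// Reasons a variable looks like a credential; empty array if none.
function secretSignals(key, value) {
  const reasons = [];
  if (SECRET_NAME.test(key)) reasons.push("name");
  if (URL_CREDS.test(value)) reasons.push("url-credentials");
  // A long random-looking path or query component is likely an embedded key.
  const parts = value.split(/[\/?&=:@]/);
  if (parts.some((p) => p.length >= 24 && entropy(p) >= 3.5)) reasons.push("high-entropy");
  return reasons;
}

// Variables not stored as sensitive that carry credential signals.
function auditEnv(vars) {
  return vars
    .filter((v) => !v.sensitive)
    .map((v) => ({ key: v.key, reasons: secretSignals(v.key, v.value || "") }))
    .filter((f) => f.reasons.length > 0)
    .map((f) => ({
      ...f,
      action: PUBLIC_PREFIX.test(f.key)
        ? "rotate; value is public by design, so scope the key down"
        : "rotate, then re-create as a sensitive variable",
    }));
}

// Constructed sample data (hosts, keys and passwords are made up).
const SAMPLE = [
  { key: "NEXT_PUBLIC_CHAIN_ID", sensitive: false, value: "1" },
  { key: "RPC_URL", sensitive: false, value: "https://rpc.example.invalid/v2/k3J9xQ7mZp2LwT8vBn4RfY6cHd1SgA5e" },
  { key: "DATABASE_URL", sensitive: false, value: "postgres://app:constructed-pw@db.example.invalid:5432/app" },
  { key: "NEXT_PUBLIC_MAPS_API_KEY", sensitive: false, value: "constructed-maps-key" },
  { key: "SIGNER_PRIVATE_KEY", sensitive: true, value: "" },
  { key: "SITE_NAME", sensitive: false, value: "Example DEX" },
];

for (const f of auditEnv(SAMPLE)) console.log(f.key, f.reasons.join("+"), "->", f.action);
```

Name and entropy heuristics miss short or oddly named secrets, so the output is a priority list for replacement, not proof that the remaining variables are safe.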

Notable figures in the developer community, such as Theo Browne, also posted that sources indicate the most affected systems are Vercel’s internal Linear and GitHub integrations.

Image source: X / Theo Browne
Security incidents in the crypto front-end space have been frequent in the past, with projects like CoW Swap, Aerodrome, and Velodrome experiencing domain hijacking attacks,
which typically redirect visitors to phishing sites to steal assets.

The Block pointed out that this attack occurred at the hosting and deployment layer, opening a new attack surface and bypassing domain name system (DNS) monitoring entirely.
In the worst case, attackers could directly tamper with the actual built front-end output of projects.
