$41 500 000 USD

SEPTEMBER 2025

GLOBAL

SWISSBORG

DESCRIPTION OF EVENTS

SwissBorg is a European-based crypto investment platform designed to make buying, selling, and managing digital assets easy and cost-effective. Operating in 47 countries and supporting 16 currencies, the application leverages a Smart Engine that scans top exchanges to offer users the best execution price for trades with no hidden fees. Key features include Auto-Invest for dollar-cost averaging, Limit Orders, and the ability to purchase crypto using various payment methods like credit card, Apple Pay, and bank transfers. The platform has amassed over 895,000 verified users and manages more than $2.28 billion in user crypto assets, reinforcing its growing reputation in the digital finance space.

 

Beyond trading, SwissBorg offers tools for wealth generation, including “Earn” products with up to 15% annual returns, and exclusive pre-sale investment opportunities through “Alpha Early Deals.” Users can diversify through Crypto Bundles—automated portfolios grouped by trending sectors, rebalanced monthly based on market dynamics. The native BORG token powers the ecosystem by providing benefits like reduced fees, boosted yields, and governance rights. By locking BORG, users also unlock exclusive access to investment deals and earn loyalty-based rewards.

 

SwissBorg stands out for its compliance and security focus, holding licenses in Estonia and France while adhering to European regulations. It’s been featured in top publications like Forbes and Cointelegraph, and continues to expand its offerings through integrations and innovations like Cashback Loyalty Ranks and support for stablecoins like VEUR and VCHF. The platform emphasizes community, promoting decentralization and transparency, and offers access to over 50,000 trading pairs. SwissBorg combines Swiss engineering with user-centric design to empower both new and seasoned crypto investors.

 

Unfortunately, the SwissBorg system appears to be vulnerable.

 

The breach was traced back to the compromise of a GitHub access token belonging to a Kiln infrastructure engineer. The attacker used this token to trigger GitHub Actions CI workflows within Kiln's infrastructure code repository, a process designed to automate deployment tasks. The threat actor’s method was sophisticated and stealthy—creating and then deleting branches to alter a large number of files in order to remain hidden from detection. This allowed them to extract stored secrets and cloud credentials, granting access to Kiln's Amazon Web Services (AWS), Google Cloud Platform (GCP), and bare-metal systems.

 

With access to these credentials, the attacker injected a malicious payload into a running Kubernetes pod, specifically altering the Kiln Connect API backend. The modification resulted in a malicious transaction being returned alongside legitimate ones. This malicious transaction changed the withdrawal authority of a Solana (SOL) staking account, but only under certain conditions—if the stake account held a balance above 150,000 SOL. The exploit impacted one Kiln customer, who unknowingly signed and approved the malicious transaction when using Kiln’s dashboard to unstake SOL on August 31st. Kiln had previously recommended that customers decode transactions before signing to verify their integrity, a practice that could have prevented this incident. The company provides a decoding tool as part of its user guidelines to mitigate such risks.
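The pre-signing check recommended above can be automated. The Python below is an added example, not Kiln's decoding tool and not code from the original write-up. It assumes the transactions returned for an unstake request have already been decoded into (program id, instruction data) pairs, and it flags everything except a Stake program Deactivate. The names `describe` and `review_batch`, the deny-by-default policy and the sample batch are assumptions of this example.

```python
import struct

# Example code added for illustration; not Kiln's decoding tool.
STAKE_PROGRAM = "Stake11111111111111111111111111111111111111"
# Stake program instruction indices (u32 little-endian prefix of the data).
NAMES = {1: "Authorize", 4: "Withdraw", 5: "Deactivate", 10: "AuthorizeChecked"}
ROLES = {0: "Staker", 1: "Withdrawer"}
DEACTIVATE = 5


def describe(data):
    """Decode the instruction index and, for authority changes, the role."""
    if len(data) < 4:
        return None, "truncated instruction data"
    (kind,) = struct.unpack_from("<I", data, 0)
    text = NAMES.get(kind, f"stake instruction {kind}")
    # Authorize: index, 32-byte new authority, u32 role.
    if kind == 1 and len(data) >= 40:
        role = struct.unpack_from("<I", data, 36)[0]
        text += f" {ROLES.get(role, role)} -> {data[4:36].hex()}"
    # AuthorizeChecked: index, u32 role (new authority is passed as an account).
    elif kind == 10 and len(data) >= 8:
        role = struct.unpack_from("<I", data, 4)[0]
        text += f" {ROLES.get(role, role)}"
    return kind, text


def review_batch(transactions, allowed=frozenset({DEACTIVATE})):
    """Return (tx index, instruction index, reason) for everything outside policy."""
    findings = []
    for t, instructions in enumerate(transactions):
        for i, (program_id, data) in enumerate(instructions):
            if program_id != STAKE_PROGRAM:
                findings.append((t, i, f"unexpected program {program_id}"))
                continue
            kind, text = describe(data)
            if kind not in allowed:
                findings.append((t, i, text))
    return findings


# Constructed sample: one expected Deactivate plus an extra transaction that
# reassigns the withdraw authority to a placeholder key (0x11 repeated).
SAMPLE = [
    [(STAKE_PROGRAM, struct.pack("<I", 5))],
    [(STAKE_PROGRAM, struct.pack("<I", 1) + b"\x11" * 32 + struct.pack("<I", 1))],
]

if __name__ == "__main__":
    for finding in review_batch(SAMPLE):
        print(finding)
```

A signer would refuse the whole batch whenever `review_batch` returns a non-empty list, rather than signing only the transactions that passed.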

 

The attack was notable for its stealth and precision, evading multiple audits and penetration tests. The threat actor used methods typically associated with state-sponsored actors, including the avoidance of persistent files, code repository alterations, and database modifications. Instead, the attacker focused on executing commands within short-lived cloud workloads, utilizing a large number of different IP addresses to further obscure their tracks. Despite the complexity and stealth of the attack, no further malicious transactions or system modifications were detected beyond the initial breach. Kiln has not been able to determine the exact method by which the GitHub token was compromised, though they are continuing their investigation. The company is working to contain and remediate the situation, and no other customers' funds or assets appear to have been affected.

 

At this time, there is no conclusive evidence of how the compromise of the employee’s GitHub access token occurred.

 

SlowMist reported the loss total as $41.5m USD.

 

Upon detecting a compromise in a partner API impacting their SOL Earn Program, SwissBorg quickly addressed the situation by reassuring users about the security of the platform. They confirmed that the breach, which affected about 193,000 SOL (less than 1% of users), did not jeopardize other funds or programs. To mitigate the damage, SwissBorg immediately allocated a portion of its SOL Treasury to recover a significant part of the affected user balances, with the final figures still being determined. The company also initiated ongoing efforts to recover the compromised funds by engaging white-hat hackers and security partners. SwissBorg emphasized that no other Earn Programs or funds within the app were affected, and the platform's day-to-day operations and financial health remained intact. As part of their communication strategy, SwissBorg assured users that they would reach out directly via email and provide further updates. The CEO, Cyrus, also planned to address the community live on YouTube to offer more transparency and clarity.

 

Kiln Finance responded swiftly to the unauthorized activity detected on September 8, 2025, by activating their incident response plan. They contained the breach and took precautionary measures, such as disabling possibly affected services and rotating the keys for any impacted validators. Kiln immediately engaged their security partners, including Sygnia, to conduct an in-depth security review and implement a hardening process. Within a short period, Kiln was able to restore all of its services, including the Kiln Enterprise Dashboard, dApp, Widget, DeFi, and Kiln Connect API, as well as resume the deployment of new Ethereum validators. Kiln emphasized the thoroughness of the security review and reassured users that all affected services were safely re-enabled. The company also made it clear that the incident involved unauthorized access to a wallet used for staking operations, and Solana funds had been improperly removed. As a precaution, SwissBorg paused all Solana staking transactions on its platform to prevent further user impact.

 

Kiln Finance has taken a series of precautionary measures, including the orderly exit of all Ethereum (ETH) validators to ensure the integrity of staked assets. This decision, based on advice from security experts and collaboration with key stakeholders, aims to reinforce the security of Kiln’s platform and provide further protection to clients. The validator exit process, expected to take between 10 and 42 days depending on the specific validator, does not affect the security of client assets, and rewards will continue to be earned during the exit. After the exit, withdrawals will proceed as scheduled by the network, though the protocol enforces delays that are beyond Kiln's control.

 

Kiln’s leadership, including Co-founder and CEO Laszlo Szabo, emphasized the swift action taken to mitigate potential risks and safeguard the platform. While some services have been temporarily paused for hardening, Kiln reassured customers that there has been no evidence of additional fund losses beyond the SwissBorg incident. Kiln’s leadership also affirmed that the safety of client assets remains their top priority and assured that transparent communication will continue throughout the exit process. A detailed post-mortem will be shared once the security review is complete. In parallel, Kiln's efforts to strengthen security measures across various layers, including identity management, network security, workflows, and key management, have made the platform more resilient than before.

 

SwissBorg clarified that the exploit occurred on an external DeFi wallet held with a counterparty and was not a breach of the SwissBorg platform itself. SwissBorg assured its community that no other strategies were affected, and the funds in other programs remained fully secure. Additionally, any shortfall in the recovery of funds from the incident will be covered by SwissBorg, ensuring that no users suffer a loss.

 

SwissBorg has assured all users that they are financially healthy and will fully cover any potential losses on behalf of users.

 

Kiln has bolstered its security measures, incorporating key improvements across six strategic areas: zero-trust access, trusted CI/CD pipelines, blast-radius isolation, application/container hardening, continuous monitoring, and validator key protection. These upgrades, which were informed by the recent incident, ensure a more resilient security posture that not only prevents future exploitation of the same techniques but also strengthens defenses to protect against evolving threats in the crypto industry. It remains to be seen if this defense will be sufficient for the future.

An attacker compromised a GitHub access token from Kiln Finance, using it to manipulate the infrastructure and insert a malicious transaction in Kiln's Solana staking API. This altered the withdrawal authority of Solana stakes, which was unknowingly approved by SwissBorg when it processed the transaction through its Earn program. The result was the improper withdrawal of approximately 193,000 SOL from SwissBorg's platform. Both companies acted swiftly to mitigate the damage, with SwissBorg allocating part of its SOL Treasury to recover user funds and engaging security experts to recover the compromised assets. Kiln Finance contained the breach, rotated keys, and began the precautionary exit of Ethereum validators. Both platforms emphasized their ongoing commitment to security and user protection. SwissBorg has assured users that they will cover all losses.



© 2019 - 2025 Quadriga Initiative. Your use of this site/service accepts the Terms of Use and Privacy Policy. This site is not associated with Ernst & Young, Miller Thompson, or the Official Committee of Affected Users. Hosted in Canada by HosterBox.