SwissBorg Signs Exploit Transaction From Kiln Finance Breach
An attacker compromised a GitHub access token from Kiln Finance, using it to manipulate the infrastructure and insert a malicious transaction in Kiln's Solana staking API. This altered the withdrawal authority of Solana stakes, which was unknowingly approved by SwissBorg when it processed the transaction through its Earn program. The result was the improper withdrawal of approximately 193,000 SOL from SwissBorg's platform. Both companies acted swiftly to mitigate the damage, with SwissBorg allocating part of its SOL Treasury to recover user funds and engaging security experts to recover the compromised assets. Kiln Finance contained the breach, rotated keys, and began the precautionary exit of Ethereum validators. Both platforms emphasized their ongoing commitment to security and user protection. SwissBorg has assured users that they will cover all losses.[1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16][17][18][19][20][21][22][23][24][25][26][27]
About SwissBorg
SwissBorg is a European-based crypto investment platform designed to make buying, selling, and managing digital assets easy and cost-effective. Operating in 47 countries and supporting 16 currencies, the application leverages a Smart Engine that scans top exchanges to offer users the best execution price for trades with no hidden fees. Key features include Auto-Invest for dollar-cost averaging, Limit Orders, and the ability to purchase crypto using various payment methods like credit card, Apple Pay, and bank transfers. The platform has amassed over 895,000 verified users and manages more than $2.28 billion in user crypto assets, reinforcing its growing reputation in the digital finance space.
Beyond trading, SwissBorg offers tools for wealth generation, including “Earn” products with up to 15% annual returns, and exclusive pre-sale investment opportunities through “Alpha Early Deals.” Users can diversify through Crypto Bundles—automated portfolios grouped by trending sectors, rebalanced monthly based on market dynamics. The native BORG token powers the ecosystem by providing benefits like reduced fees, boosted yields, and governance rights. By locking BORG, users also unlock exclusive access to investment deals and earn loyalty-based rewards.
SwissBorg stands out for its compliance and security focus, holding licenses in Estonia and France while adhering to European regulations. It’s been featured in top publications like Forbes and Cointelegraph, and continues to expand its offerings through integrations and innovations like Cashback Loyalty Ranks and support for stablecoins like VEUR and VCHF. The platform emphasizes community, promoting decentralization and transparency, and offers access to over 50,000 trading pairs. SwissBorg combines Swiss engineering with user-centric design to empower both new and seasoned crypto investors.
About Kiln Finance
Kiln is an institutional-grade platform that enables hundreds of companies—including custodians, exchanges, ETP issuers, wallets, and data providers—to generate yield from digital assets through staking and DeFi integration. With over $16 billion in assets staked and 6% of Ethereum’s network secured through Kiln, it plays a leading role in democratizing staking. The platform supports more than 50 proof-of-stake (PoS) networks and over 10 DeFi protocols, allowing partners to seamlessly integrate yield functionalities into their own products via Kiln’s white-labeled, unified API solutions.
Kiln's core offering revolves around a full-stack infrastructure that includes enterprise-grade validators, real-time data, reporting, and compliance tools. Products like the Kiln Dashboard, Onchain staking, DeFi integration, and the no-code Kiln Widget simplify the launch of customized “Earn” experiences. Treasury managers can stake assets with one click, and institutions benefit from built-in performance monitoring, 24/7 infrastructure uptime, and industry-standard security, including SOC 2 Type II compliance. Through services like restaking and BTC staking, Kiln remains on the cutting edge of innovation in digital asset yield generation.
Designed for scalability and simplicity, Kiln helps partners launch and manage staking offerings within a day, monetizing their platforms while maintaining regulatory and technical excellence. Its broad protocol coverage—from Ethereum, Solana, and Polygon to newer networks like EigenLayer and Ton—ensures compatibility with a wide range of digital assets. Backed by leading investors and trusted by major players in the industry, Kiln is setting the benchmark for secure, compliant, and user-friendly staking infrastructure tailored to institutional needs.
The Reality
Unfortunately, SwissBorg's SOL Earn program was exposed to a compromise of its staking partner's API.
What Happened
An exploit of a GitHub access token from Kiln allowed an attacker to inject a malicious transaction into Kiln's Solana staking API, which was unknowingly signed by SwissBorg, ultimately enabling the unauthorized withdrawal of 193,000 SOL.
| Date | Event | Description |
|---|---|---|
| August 31st, 2025 3:55:37 AM MDT | Withdrawal Authority Switched Over | SwissBorg signs a malicious transaction which unstakes their funds and transfers the withdrawal authority for all of their stake accounts. |
| September 6th, 2025 4:02:59 AM MDT | Unstaking Transaction Occurs | A set of transactions starts unstaking SwissBorg funds from the earn program of Kiln Finance. |
| September 8th, 2025 6:22:03 AM MDT | Withdrawal Transactions Occur | A set of transactions starts withdrawing the SwissBorg funds from stake accounts to the exploiter wallet. |
| September 8th, 2025 12:25:00 PM MDT | SwissBorg Announcement Posted | SwissBorg posts an announcement for their community to acknowledge the incident. |
| September 8th, 2025 12:42:00 PM MDT | SwissBorg Update Posted | SwissBorg updates their announcement to remove the name of the API which was compromised. All references to KILN are removed from the original tweet. |
| September 11th, 2025 10:22:16 AM MDT | SwissBorg Reaches Out To Hacker | SwissBorg reaches out to the hacker on the Solana blockchain "to see whether [they] would be open to speaking ... about any potential next steps". |
| October 7th, 2025 4:14:00 AM MDT | Kiln Finance Update Posted | Kiln Finance posts an update to their Twitter/X account reporting that the compromise is limited to a single customer (SwissBorg) and that they have now safely re-enabled all services. |
Technical Details
The breach was traced back to the compromise of a GitHub access token belonging to a Kiln infrastructure engineer. The attacker used this token to trigger GitHub Actions CI workflows within Kiln's infrastructure code repository, a process designed to automate deployment tasks. The threat actor’s method was sophisticated and stealthy—creating and then deleting branches to alter a large number of files in order to remain hidden from detection. This allowed them to extract stored secrets and cloud credentials, granting access to Kiln's Amazon Web Services (AWS), Google Cloud Platform (GCP), and bare-metal systems.
With access to these credentials, the attacker injected a malicious payload into a running Kubernetes pod, specifically altering the Kiln Connect API backend. The modification resulted in a malicious transaction being returned alongside legitimate ones. This malicious transaction changed the withdrawal authority of a Solana (SOL) staking account, but only under certain conditions—if the stake account held a balance above 150,000 SOL. The exploit impacted one Kiln customer, who unknowingly signed and approved the malicious transaction when using Kiln’s dashboard to unstake SOL on August 31st. Kiln had previously recommended that customers decode transactions before signing to verify their integrity, a practice that could have prevented this incident. The company provides a decoding tool as part of its user guidelines to mitigate such risks.
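The decode-before-signing check recommended above can be automated. The following is an added example, not Kiln's decoding tool and not code from either company: it parses an unsigned legacy Solana transaction and reports every instruction that is not a Stake-program Deactivate, including a change of withdraw authority. The function names, the Deactivate-only allowlist, the modelling of the authority change as `StakeInstruction::Authorize`, and the sample transactions are assumptions constructed for illustration.

```python
from functools import reduce

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
STAKE_PROGRAM = reduce(lambda n, c: n * 58 + B58.index(c),   # base58 -> raw 32 bytes
                       "Stake11111111111111111111111111111111111111", 0).to_bytes(32, "big")
DEACTIVATE = bytes([5, 0, 0, 0])   # StakeInstruction::Deactivate tag (u32 LE), no payload
AUTHORIZE = bytes([1, 0, 0, 0])    # StakeInstruction::Authorize tag
WITHDRAWER = bytes([1, 0, 0, 0])   # StakeAuthorize::Withdrawer

def shortvec(buf, i):
    """Read a compact-u16 at offset i; return (value, next offset)."""
    val = shift = 0
    while True:
        val |= (buf[i] & 0x7F) << shift
        i, shift = i + 1, shift + 7
        if buf[i - 1] < 0x80:
            return val, i

def instructions(tx):
    """Yield (program_id, data) for each instruction of a legacy transaction."""
    nsig, i = shortvec(tx, 0)
    i += 64 * nsig                               # signature slots, zeroed while unsigned
    if tx[i] & 0x80:                             # versioned message: fail closed
        raise ValueError("versioned transaction not decoded, do not sign")
    nkeys, i = shortvec(tx, i + 3)               # skip the 3-byte message header
    keys = [tx[i + 32 * k:i + 32 * (k + 1)] for k in range(nkeys)]
    nix, i = shortvec(tx, i + 32 * nkeys + 32)   # skip account keys and recent blockhash
    for _ in range(nix):
        prog = keys[tx[i]]
        nacc, i = shortvec(tx, i + 1)
        dlen, i = shortvec(tx, i + nacc)         # skip the account index list
        yield prog, tx[i:i + dlen]
        i += dlen

def violations(tx):
    """Yield each reason this transaction must not be signed as a plain unstake."""
    for prog, data in instructions(tx):
        if prog != STAKE_PROGRAM:
            yield "instruction for unexpected program " + prog.hex()
        elif data[:4] == AUTHORIZE and data[36:40] == WITHDRAWER:
            yield "withdraw authority -> " + data[4:36].hex()
        elif data != DEACTIVATE:                 # assumed policy: Deactivate and nothing else
            yield "stake instruction not allowed: " + data[:4].hex()

def build(*datas):
    """Constructed sample: unsigned legacy tx whose instructions all target the Stake program."""
    msg = bytes([1, 0, 1, 3]) + bytes([1]) * 32 + bytes([2]) * 32 + STAKE_PROGRAM
    msg += bytes(32) + bytes([len(datas)])             # blockhash, instruction count
    for data in datas:
        msg += bytes([2, 2, 1, 0, len(data)]) + data   # program index 2, accounts [1, 0]
    return b"\x01" + bytes(64) + msg

CLEAN = build(DEACTIVATE)
TAMPERED = build(DEACTIVATE, AUTHORIZE + bytes([9]) * 32 + WITHDRAWER)
```

Run `violations` over every transaction an API returns for a single request and refuse to sign the batch if any result is non-empty. Unstake flows that legitimately include other programs need those programs added to the allowlist explicitly.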
The attack was notable for its stealth and precision, evading multiple audits and penetration tests. The threat actor used methods typically associated with state-sponsored actors, including the avoidance of persistent files, code repository alterations, and database modifications. Instead, the attacker focused on executing commands within short-lived cloud workloads, utilizing a large number of different IP addresses to further obscure their tracks. Despite the complexity and stealth of the attack, no further malicious transactions or system modifications were detected beyond the initial breach. Kiln has not been able to determine the exact method by which the GitHub token was compromised, though they are continuing their investigation. The company is working to contain and remediate the situation, and no other customers' funds or assets appear to have been affected.
At this time, there is no conclusive evidence of how the compromise of the employee’s GitHub access token occurred.
Total Amount Lost
SlowMist reported the loss total as $41.5m USD.
The total amount lost has been estimated at $41,500,000 USD.
Immediate Reactions
Upon detecting a compromise in a partner API impacting their SOL Earn Program, SwissBorg quickly addressed the situation by reassuring users about the security of the platform. They confirmed that the breach, which affected about 193,000 SOL (less than 1% of users), did not jeopardize other funds or programs. To mitigate the damage, SwissBorg immediately allocated a portion of its SOL Treasury to recover a significant part of the affected user balances, with the final figures still being determined. The company also initiated ongoing efforts to recover the compromised funds by engaging white-hat hackers and security partners. SwissBorg emphasized that no other Earn Programs or funds within the app were affected, and the platform's day-to-day operations and financial health remained intact. As part of their communication strategy, SwissBorg assured users that they would reach out directly via email and provide further updates. The CEO, Cyrus, also planned to address the community live on YouTube to offer more transparency and clarity.
Kiln Finance responded swiftly to the unauthorized activity detected on September 8, 2025, by activating their incident response plan. They contained the breach and took precautionary measures, such as disabling possibly affected services and rotating the keys for any impacted validators. Kiln immediately engaged their security partners, including Sygnia, to conduct an in-depth security review and implement a hardening process. Within a short period, Kiln was able to restore all of its services, including the Kiln Enterprise Dashboard, dApp, Widget, DeFi, and Kiln Connect API, as well as resume the deployment of new Ethereum validators. Kiln emphasized the thoroughness of the security review and reassured users that all affected services were safely re-enabled. The company also made it clear that the incident involved unauthorized access to a wallet used for staking operations, and Solana funds had been improperly removed. As a precaution, SwissBorg paused all Solana staking transactions on its platform to prevent further user impact.
Ultimate Outcome
Kiln Finance has taken a series of precautionary measures, including the orderly exit of all Ethereum (ETH) validators to ensure the integrity of staked assets. This decision, based on advice from security experts and collaboration with key stakeholders, aims to reinforce the security of Kiln’s platform and provide further protection to clients. The validator exit process, expected to take between 10 and 42 days depending on the specific validator, does not affect the security of client assets, and rewards will continue to be earned during the exit. After the exit, withdrawals will proceed as scheduled by the network, though the protocol enforces delays that are beyond Kiln's control.
Kiln’s leadership, including Co-founder and CEO Laszlo Szabo, emphasized the swift action taken to mitigate potential risks and safeguard the platform. While some services have been temporarily paused for hardening, Kiln reassured customers that there has been no evidence of additional fund losses beyond the SwissBorg incident. Kiln’s leadership also affirmed that the safety of client assets remains their top priority and assured that transparent communication will continue throughout the exit process. A detailed post-mortem will be shared once the security review is complete. In parallel, Kiln's efforts to strengthen security measures across various layers, including identity management, network security, workflows, and key management, have made the platform more resilient than before.
SwissBorg clarified that the exploit occurred on an external DeFi wallet held with a counterparty and was not a breach of the SwissBorg platform itself. SwissBorg assured its community that no other strategies were affected and that the funds in other programs remained fully secure. Additionally, any shortfall in the recovery of funds from the incident will be covered by SwissBorg, ensuring that no users suffer a loss.
Total Amount Recovered
SwissBorg has assured all users that they are financially healthy and will fully cover any potential losses on behalf of users.
The total amount recovered is unknown.
Ongoing Developments
Kiln has bolstered its security measures, incorporating key improvements across six strategic areas: zero-trust access, trusted CI/CD pipelines, blast-radius isolation, application/container hardening, continuous monitoring, and validator key protection. These upgrades, which were informed by the recent incident, ensure a more resilient security posture that not only prevents future exploitation of the same techniques but also strengthens defenses to protect against evolving threats in the crypto industry. It remains to be seen if this defense will be sufficient for the future.
Individual Prevention Policies
No specific policies for individual prevention have yet been identified in this case.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Policies for platforms to take to prevent this situation have not yet been selected in this case.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
No specific regulatory policies have yet been identified in this case.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
- SwissBorg - "SOL Earn Incident & SwissBorg Recovery Plan A partner API was compromised, impacting our SOL Earn Program (~193k SOL, <1% of users). Rest assured, the SwissBorg app remains fully secure and all other funds in Earn programs are 100% safe." - Twitter/X (Accessed Oct 9, 2025)
- Kiln Finance - "On Sept. 8, 2025, unauthorized activity by a threat actor was detected on the Kiln platform, caused by a compromised GitHub token. After a full review with our security partners, we’ve confirmed no other customers were impacted. All Kiln services have been safely re-enabled." - Twitter/X (Accessed Oct 9, 2025)
- Re-enablement of Kiln services and security incident information - Kiln Finance (Accessed Oct 9, 2025)
- SOL Incident & SwissBorg - Announcement - Kiln Finance (Accessed Oct 9, 2025)
- SwissBorg - "" - Twitter/X (Accessed Oct 9, 2025)
- The First Unstaking Transaction - SolScan (Accessed Oct 9, 2025)
- The First Withdrawal Transaction - SolScan (Accessed Oct 9, 2025)
- Swissborg Exploiter Address - SolScan (Accessed Oct 9, 2025)
- @CeramicToken Twitter (Accessed Oct 9, 2025)
- Officer CIA - "SwissBorg experienced an incident a few hours ago and 192.6K SOL ($41.5M) was stolen on Solana - @zachxbt" - Twitter/X (Accessed Oct 9, 2025)
- @QwackerSol Twitter (Accessed Oct 9, 2025)
- Kiln Responds to Infrastructure Issue With Validator Exit, Funds Remain Protected - Kiln Finance (Accessed Oct 9, 2025)
- @0xGumshoe Twitter (Accessed Oct 9, 2025)
- @norbertbodziony Twitter (Accessed Oct 9, 2025)
- @swissborg Twitter (Accessed Oct 9, 2025)
- @Cyrus_Fazel Twitter (Accessed Oct 9, 2025)
- @swissborg Twitter (Accessed Oct 9, 2025)
- @Cyrus_Fazel Twitter (Accessed Oct 9, 2025)
- @swissborg Twitter (Accessed Oct 9, 2025)
- @swissborg Twitter (Accessed Oct 9, 2025)
- SwissBorg CEO and Executives speak live to the community about yesterday's events - SwissBorg (Accessed Oct 9, 2025)
- SwissBorg Twitter/X Account (Accessed Oct 9, 2025)
- SwissBorg Homepage (Accessed Oct 9, 2025)
- Kiln Finance Twitter/X Account (Accessed Oct 9, 2025)
- Kiln Finance Homepage (Accessed Oct 9, 2025)
- @swissborg Twitter (Accessed Oct 9, 2025)