Vercel, a cloud hosting platform, was hacked! The hacker demanded a ransom of 2 million dollars, and encrypted projects may have security risks.

Vercel Cloud Platform Hacked Due to Third-Party AI Tool Hijacking, Hackers Demand $2 Million Ransom for Confidential Data.
Since most cryptocurrency projects rely on its deployment of front-end interfaces, this incident could pose a significant security risk of tampering for these projects.

Vercel Cloud Hosting Platform Hacked, Crypto Projects Also Use It

Vercel, a cloud hosting and deployment infrastructure platform, has confirmed that some internal systems were accessed without authorization, affecting a small number of customers.

Vercel offers serverless functions, edge computing, and continuous integration and deployment pipelines, and is well-known for its popular React framework Next.js. Many blockchain and cryptocurrency projects also depend on Vercel to deploy their front-end interfaces.

Vercel CEO Guillermo Rauch explained on social platform X that the cause of this hacker incident was an issue with a third-party AI tool, Context.ai. A Vercel employee’s Google Workspace account was hijacked during a data leak incident on that AI platform, and the attacker subsequently used the account’s permissions to access Vercel’s internal environment.

All customer environment variables on Vercel are fully encrypted when static, and there is also an option to designate variables as non-sensitive. The hackers obtained unencrypted, non-sensitive environment variables through enumeration.

Image source: Vercel official website
Vercel is a cloud hosting and deployment infrastructure platform, and many blockchain and crypto projects rely on Vercel to deploy front-end interfaces.

Hackers Demand $2 Million Ransom for Stolen Data

Security media outlet Bleepingcomputer reported that a member claiming to be from the hacker group ShinyHunters posted on the hacking forum BreachForums, claiming to have obtained internal Vercel data and offering a $2 million ransom to the official team.

The data shown by the hackers includes access keys, source code, database records, and internal deployment API keys for NPM and GitHub, even containing 580 names, emails, account statuses, and activity timestamps of Vercel employees.

Image source: BreachForums
Hackers Demand $2 Million for Stolen Data

However, members of the core ShinyHunters organization have denied involvement in this Vercel attack, though they previously attacked Rockstar, the developer of the GTA game series.

• Related report: GTA6 Developer Hacked! Hacker: Leak Player Data if Not Paid by 4/14, How Will R Respond?*

Vercel Official Advises Customers to Conduct a Full Review

In response to this hacking incident, Vercel has hired external cybersecurity experts, reported to law enforcement, and launched updates to strengthen security management.

Vercel strongly recommends administrators review activity logs for suspicious behavior and urges Google Workspace admins to immediately check for the installation of any compromised OAuth applications.

The company also advises customers to conduct a comprehensive review and replace environment variables, enabling the sensitive variables feature to ensure data is protected with static encryption.

Impact of Vercel Hack on Crypto Projects

This incident poses a significant risk to the cryptocurrency industry. According to The Block, blockchain projects often deploy wallet interfaces, decentralized exchange (DEX) front-ends, and dApp dashboards on Vercel.

If blockchain projects store private RPC endpoints, third-party API keys, or wallet-related secrets in non-sensitive environment variables, these secrets are now very likely to have been leaked.

Community figure Theo Browne also posted that sources indicate the most severe impact was on Vercel’s internal integrations with Linear and GitHub.

Image source: X / Theo Browne

Past security issues in the crypto front-end space have been frequent, with projects like CoW Swap, Aerodrome, and Velodrome experiencing domain hijacking attacks, which typically redirect visitors to phishing sites to steal assets.

The Block pointed out that this attack occurred at the hosting and deployment layer, opening a new attack surface that bypasses domain system monitoring. In the worst case, attackers could directly tamper with the actual built front-end output of projects.

Further reading:
CoW Swap DNS Hijacking Attack! Estimated User Losses in the Millions of Dollars, Official: Do Not Use Front-End Webpages