Cloud hosting platform Vercel hacked! Hackers demand 2 million dollars in ransom, encryption projects may have security risks

Vercel Cloud Platform Hacked Due to Third-Party AI Tool Hijacking, Hacker Demands $2 Million Ransom for Confidential Data.
Since most cryptocurrency projects rely on its deployment front-end, this incident could pose a significant security risk of tampering for projects.

Vercel Cloud Hosting Platform Hacked, Crypto Projects Also Use It

Vercel, a cloud hosting and deployment infrastructure platform, has confirmed that some internal systems were accessed without authorization, affecting a small number of customers.

Vercel offers serverless functions, edge computing, and continuous integration and deployment pipelines, and is well-known for the widely used React framework Next.js. Many blockchain and cryptocurrency projects also depend on Vercel to deploy their front-end interfaces.

Vercel CEO Guillermo Rauch explained on social platform X that the cause of this hacker incident was an issue with a third-party AI tool, Context.ai. A Google Workspace account of a Vercel employee was hijacked during a data leak incident involving that AI platform, and the attacker subsequently used that account’s permissions to access Vercel’s internal environment.

All customer environment variables on Vercel are encrypted at rest, and there is also an option to designate variables as non-sensitive. The hacker was able to enumerate and obtain unencrypted, non-sensitive environment variables.

Image source: Vercel official website
Vercel is a cloud hosting and deployment infrastructure, and many blockchain and crypto projects also rely on Vercel to deploy front-end interfaces.

Hacker Demands $2 Million Ransom for Stolen Data

Security media outlet Bleepingcomputer reported that a member claiming to be from the hacker group ShinyHunters posted on the hacking forum BreachForums, claiming to have obtained internal Vercel data and demanding $2 million in ransom.

The data shown by the hacker includes access keys, source code, database records, and internal deployment API keys for NPM and GitHub, even containing 580 names, emails, account statuses, and activity timestamps of Vercel employees.

Image source: BreachForums
Hacker Demands $2 Million for Selling Stolen Data

However, members of the core ShinyHunters organization have denied involvement in this Vercel attack, though the group previously attacked Rockstar, the developer of the GTA game series.

• Related report: GTA6 Developer Hacked! Hacker: Leak Player Data if Not Paid by 4/14, How Did R Respond?*

Vercel Officially Advises Customers to Conduct a Full Review

In response to this incident, Vercel has hired external cybersecurity experts, reported to law enforcement, and released updates to strengthen security management.

Vercel strongly recommends administrators review activity logs for suspicious behavior and urges Google Workspace admins to immediately check for the installation of any compromised OAuth applications.

The company also advises customers to conduct a comprehensive review and replace environment variables, enabling the sensitive variables feature to ensure data is protected with static encryption.

Impact of Vercel Hack on Crypto Projects

This incident poses a significant risk to the cryptocurrency industry. According to The Block, blockchain projects often deploy wallet interfaces, decentralized exchange (DEX) front-ends, and dApp dashboards on Vercel.

If blockchain projects store private RPC endpoints, third-party API keys, or wallet-related secrets in non-sensitive environment variables, these secrets are now very likely to have been leaked.

Notable community figure Theo Browne also posted that sources indicate the most severe impact was on Vercel’s internal integrations with Linear and GitHub.

Image source: X / Theo Browne

Past front-end security issues in the crypto space have been frequent, with projects like CoW Swap, Aerodrome, and Velodrome experiencing domain hijacking. These attacks typically redirect visitors to phishing sites to steal assets.

The Block pointed out that this attack occurred at the hosting and deployment layer, opening a new attack surface that bypasses domain system monitoring. In the worst case, attackers could directly tamper with the actual built front-end output of projects.

Further reading:
CoW Swap suffers DNS hijacking attack! Estimated user losses in the millions of dollars, official: do not use the front-end webpage