Pay attention to what you sign! Vercel hacked and extorted for $2 million; front-end security raises a red flag for crypto protocols


Cloud development platform Vercel was hacked on April 19. The attackers gained access through a third-party AI tool used by employees and are apparently offering the stolen data for sale on a forum, with an asking price as high as 2 million USD. Because many crypto projects deploy their wallet interfaces and dApp front ends on Vercel, the incident has also raised concerns across the crypto community.

Attack source: OAuth app of an employee's third-party AI tool compromised

In an official security bulletin, Vercel said that a Google Workspace OAuth application under Context.ai—the third-party AI tool used by an employee—was compromised. The attackers used it to hijack that employee’s Google Workspace account and then infiltrate Vercel’s internal data.

Vercel CEO Guillermo Rauch revealed in a post on X that the attack may affect hundreds of organizations that use the same tool, not just Vercel.

Rauch described the attack as “highly sophisticated” and suspects the attackers used AI to significantly enhance their intrusion efforts, which showed a deep understanding of Vercel’s internal architecture. At present, Google-owned cybersecurity firm Mandiant is assisting with the investigation, and Vercel has also notified relevant law enforcement agencies.

Self-described hacking group member posts $2 million extortion demand

Vercel said that sensitive data is stored in an encrypted form and was not accessed; however, other data not labeled as “sensitive” may have been read and used by the attackers.

A screenshot of a forum post circulating on Telegram

A person claiming to be associated with the hacking organization ShinyHunters posted on the cybercrime forum BreachForums, saying they had obtained Vercel’s API keys, NPM tokens, GitHub tokens, source code, and internal database contents, and released about 580 employees’ data as “proof” of a breach, including employees’ names, company email addresses, account statuses, and activity times.

ShinyHunters denies involvement; the truth behind the extortion negotiations is unclear

Puzzlingly, although the poster claimed to be from ShinyHunters, the organization has publicly denied participating in this incident, leaving the attackers’ true identity unclear.

The attackers also claimed they had contacted Vercel through Telegram about the $2 million ransom and demanded that 500k USD in Bitcoin be paid first to retrieve some of the data, but Vercel has not confirmed this.

Crypto protocols flash red: front-end supply chain becomes a new attack surface

The impact of the Vercel incident on the crypto space should not be underestimated. A large number of decentralized exchange (DEX) and wallet front-end interfaces, as well as dApp dashboards, are deployed on Vercel. If a relevant crypto project’s private RPC endpoints, third-party API keys, or wallet-related sensitive secrets are stored in data not labeled as “sensitive,” then this information could be leaked.

For context, a lot of DeFi is hosted on Vercel and crypto users are a prime target for such attack.

If you need to use DeFi in this time of crisis, verifying what you sign is of utmost importance! You can also use .eth.limo (just hacked but back up and running) or IPFS frontend…

— Pybast (@Pybast) April 19, 2026

In simple terms, attackers could in theory tamper directly with a project’s website and interface and lure users into clicking and signing malicious contracts. This goes beyond redirecting a domain to a phishing website, and it fully bypasses monitoring and protection at the DNS layer. So far, no incident involving any protocol has been reported, but security teams across the industry have already listed it as a potentially severe risk.
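To make "verify what you sign" concrete, the following added example (not code from the article or from any project it names) decodes the calldata a front end asks a wallet to sign and flags approvals to addresses outside a user-maintained allowlist. The helper names `decodeCall` and `reviewRequest`, the allowlist, and all addresses and calldata are hypothetical and constructed for illustration.

```javascript
// Added example. Addresses and calldata below are constructed placeholders.
const SELECTORS = {                       // first 4 bytes of keccak256(signature)
  "095ea7b3": { name: "approve", args: ["address", "uint256"] },
  "a9059cbb": { name: "transfer", args: ["address", "uint256"] },
  "a22cb465": { name: "setApprovalForAll", args: ["address", "bool"] },
};
const MAX_UINT256 = (1n << 256n) - 1n;

// Decode the selector and the fixed-size ABI words that follow it.
function decodeCall(data) {
  const hex = String(data).toLowerCase().replace(/^0x/, "");
  if (!/^[0-9a-f]{8,}$/.test(hex)) throw new Error("malformed calldata");
  const selector = hex.slice(0, 8), sig = SELECTORS[selector];
  if (!sig) return { name: "unknown", selector, args: [] };
  const body = hex.slice(8);
  if (body.length !== sig.args.length * 64) throw new Error("unexpected argument length");
  const args = sig.args.map((type, i) => {
    const word = body.slice(i * 64, (i + 1) * 64);
    if (type !== "address") return type === "bool" ? BigInt("0x" + word) !== 0n : BigInt("0x" + word);
    if (!word.startsWith("0".repeat(24))) throw new Error("non-zero address padding");
    return "0x" + word.slice(24);
  });
  return { name: sig.name, selector, args };
}

// Compare what the front end asks the wallet to sign against the user's own allowlist.
function reviewRequest(tx, trustedAddresses) {
  const trusted = new Set(trustedAddresses.map((a) => a.toLowerCase()));
  const call = decodeCall(tx.data);
  const [party, value] = call.args;
  const warnings = [];
  if (call.name === "unknown") warnings.push(`unrecognised selector 0x${call.selector}: inspect before signing`);
  else if (!trusted.has(party)) warnings.push(`${call.name} names ${party}, which is not on the allowlist`);
  if (call.name === "approve" && value === MAX_UINT256) warnings.push("unlimited token allowance");
  if (call.name === "setApprovalForAll" && value === true) warnings.push("operator rights over the whole collection");
  return { call, warnings };
}

// Constructed requests: one to a known router, one a tampered front end might present.
const ROUTER = "0x" + "11".repeat(20), UNKNOWN = "0x" + "ee".repeat(20);
const pad = (addr) => "0".repeat(24) + addr.slice(2);
const expected = { data: "0x095ea7b3" + pad(ROUTER) + (1000n).toString(16).padStart(64, "0") };
const suspicious = { data: "0x095ea7b3" + pad(UNKNOWN) + "f".repeat(64) };
console.log(reviewRequest(expected, [ROUTER]).warnings);
console.log(reviewRequest(suspicious, [ROUTER]).warnings);
```

The check covers only three common token calls; any other selector is reported as unrecognised rather than assumed safe.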

In fact, front-end security issues in the crypto space have long been a persistent problem for the industry. Last week, DEX CoW Swap suspended trading due to a domain hijacking incident. Aerodrome and Velodrome were also hit by DNS hijacking attacks in November last year.

Vercel rolls out data updates, urging users to immediately replace their keys

Vercel said the company’s services are currently operating normally and the investigation is still ongoing, while also updating its data management dashboard. The company strongly recommends that all users immediately conduct a comprehensive review of existing data, replace keys for all data not labeled as “sensitive,” and enable the platform’s sensitive variables feature to ensure that related credentials are stored in an encrypted form.

This article, “Pay attention to the signed content! Vercel hacked and extorted 2 million USD; front-end security warning lights up for crypto protocols,” first appeared on Chain News ABMedia.
