Security information about the Sep. 8th 2025 Kiln breach and its impact on SwissBorg


On September 8th, 2025, a cohort of SwissBorg users was affected by a breach of the Kiln platform, a third-party staking service provider contracted by SwissBorg. Since then we have worked to establish the facts and circumstances of the incident, and we can now share how events unfolded and the exact nature of the attack.

On September 8th, Kiln's sales team contacted SwissBorg to discuss the unstaking of a significant share of the SOL delegated through their platform. SwissBorg analysed the situation immediately and, within a few minutes, identified a fraudulent transaction that had triggered the unstaking of over 192,000 SOL.

SwissBorg opened a case with Seal 911, an emergency hotline for security incidents that acts as a community lifeline, and was assisted in the forensic analysis by its custody partners. Forensics concluded within hours that the incident was not the result of a breach of, or intrusion into, SwissBorg's infrastructure: the transaction was tampered with inside Kiln's infrastructure.

As Kiln explained on their website, their investigation determined that the entry point of the attack was the compromise of a GitHub access token belonging to a Kiln infrastructure engineer. With this token, the attackers were able to inject a malicious payload into the Kiln Connect API. SwissBorg could not have detected the payload itself, as it was injected into, and ran inside, Kiln's infrastructure.

The malicious code targeted organisations using Kiln's API (directly or via the Kiln Dashboard) whose wallets held more than 150,000 SOL. During what should have been a routine "deactivate" transaction, the code silently appended extra instructions that reassigned the authority over the stake accounts, transferring control of the staked tokens from SwissBorg to the attackers' wallet.

To put it simply, imagine SwissBorg had placed assets with a trusted partner. Without any notice, that partner's internal records were altered so that SwissBorg was no longer recognised as the owner of the assets.

On the blockchain itself, the resulting change of ownership is publicly visible and auditable once the transaction executes. The tampering, however, happened earlier, inside Kiln's closed transaction-crafting infrastructure, where no external monitoring is possible. This is why the attack remained undetected until the transaction had been signed, and why it occurred entirely outside SwissBorg's control.

The malicious actor did not breach SwissBorg’s wallet infrastructure or compromise our security in any way. The incident occurred entirely within Kiln’s systems and was completely independent from SwissBorg’s custody environment. Our wallets remain fully secure and protected by state-of-the-art multi-party computation technology.

Following the breach, Kiln took precautionary measures, including an emergency exit of all their ETH validators, the rotation of private keys across the various networks they operate (such as ATOM, INJ and TIA), and a temporary shutdown of their transaction-crafting capabilities.

SwissBorg was affected because we were the first of Kiln's clients to sign an unstaking transaction from a wallet holding more than 150,000 SOL. This incident is one of the first major breaches directly targeting staking service providers and highlights a previously unseen attack vector for the industry.

At the time of the incident, no decoding tool suitable for day-to-day Solana operations was available. Solana transactions expire in under two minutes, because the recent blockhash they reference is only accepted for a limited number of slots, which makes any external, manual decoding workflow impractical. The tool Kiln recommended was not integrated into their dashboard, was not open source or otherwise verifiable, and did not meet basic security standards. For this reason, SwissBorg chose not to rely on it. We had expressly asked Kiln to integrate a native decoding function into their interface so that transactions could be verified safely and practically, but this request was not implemented, leaving no safe or practical way to verify transactions at the time of the breach.
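The check that the two passages above call for, decoding a Solana transaction locally before signing it and refusing anything beyond a plain Stake Program `Deactivate`, as an added example; this is not SwissBorg's or Kiln's code. It assumes a legacy (non-versioned) message and uses the real Stake Program and Clock sysvar IDs; the authority, stake-account and attacker keys are constructed placeholders, and the two sample messages (a clean deactivate, and the same message with an `Authorize` appended that hands the withdrawer authority to the attacker) are built by the block itself.

```python
"""Pre-signing check for a Solana legacy transaction message (stdlib only).

Added example, not SwissBorg's or Kiln's code: decodes the wire format of an
unsigned legacy Message and refuses to sign unless every instruction is a
Stake Program `Deactivate`. An injected `Authorize`, which reassigns the
stake account's staker or withdrawer authority, is reported by name.
"""

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def b58decode(s: str) -> bytes:
    """Decode a base58 public key into its 32 raw bytes."""
    n = 0
    for ch in s:
        n = n * 58 + B58.index(ch)
    return n.to_bytes(32, "big")

STAKE_PROGRAM = b58decode("Stake11111111111111111111111111111111111111")
CLOCK_SYSVAR = b58decode("SysvarC1ock11111111111111111111111111111111")

# Stake Program instruction discriminants (bincode u32, little-endian).
STAKE_IX = {0: "Initialize", 1: "Authorize", 2: "DelegateStake", 3: "Split",
            4: "Withdraw", 5: "Deactivate", 6: "SetLockup", 7: "Merge",
            8: "AuthorizeWithSeed", 10: "AuthorizeChecked"}
DEACTIVATE = 5
AUTHORITY_KIND = {0: "Staker", 1: "Withdrawer"}

def _read_compact_u16(buf: bytes, pos: int) -> tuple[int, int]:
    """Solana compact-u16: base-128 varint, low bits first, at most 3 bytes."""
    value, shift = 0, 0
    while True:
        b, pos = buf[pos], pos + 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
        shift += 7
        if shift > 14:
            raise ValueError("compact-u16 too long")

def _write_compact_u16(n: int) -> bytes:
    out = bytearray()
    while True:
        b, n = n & 0x7F, n >> 7
        if n == 0:
            out.append(b)
            return bytes(out)
        out.append(b | 0x80)

def decode_message(raw: bytes) -> dict:
    """Parse a legacy Message: header, account keys, blockhash, instructions."""
    if raw[0] & 0x80:
        raise ValueError("versioned (v0) message: resolve address lookup tables first")
    pos = 3  # num_required_signatures, num_readonly_signed, num_readonly_unsigned
    n_accounts, pos = _read_compact_u16(raw, pos)
    accounts = [raw[pos + 32 * i:pos + 32 * (i + 1)] for i in range(n_accounts)]
    pos += 32 * n_accounts
    blockhash, pos = raw[pos:pos + 32], pos + 32
    n_ix, pos = _read_compact_u16(raw, pos)
    instructions = []
    for _ in range(n_ix):
        program, pos = accounts[raw[pos]], pos + 1
        n_acc, pos = _read_compact_u16(raw, pos)
        acc_idx, pos = raw[pos:pos + n_acc], pos + n_acc
        n_data, pos = _read_compact_u16(raw, pos)
        data, pos = raw[pos:pos + n_data], pos + n_data
        instructions.append({"program": program, "accounts": [accounts[i] for i in acc_idx], "data": data})
    if pos != len(raw):
        raise ValueError("trailing bytes after last instruction")
    return {"signers": raw[0], "accounts": accounts, "blockhash": blockhash, "instructions": instructions}

def findings_for(raw: bytes) -> list[str]:
    """One finding per instruction that is not a bare Stake Program `Deactivate`."""
    out = []
    for i, ix in enumerate(decode_message(raw)["instructions"]):
        if ix["program"] != STAKE_PROGRAM:
            out.append(f"ix {i}: program is not the Stake Program")
            continue
        disc = int.from_bytes(ix["data"][:4], "little") if len(ix["data"]) >= 4 else -1
        if disc == DEACTIVATE:
            continue
        detail = ""
        if disc == 1 and len(ix["data"]) == 40:  # Authorize { new_authorized, stake_authorize }
            kind = AUTHORITY_KIND.get(int.from_bytes(ix["data"][36:40], "little"), "?")
            detail = f" -> sets {kind} authority to {ix['data'][4:36].hex()}"
        out.append(f"ix {i}: unexpected Stake instruction {STAKE_IX.get(disc, f'unknown({disc})')}{detail}")
    return out

def safe_to_sign(raw: bytes) -> bool:
    return not findings_for(raw)

def encode_message(accounts, n_signers, n_readonly, blockhash, instructions) -> bytes:
    """Serialise a legacy Message; used here only to build the constructed samples."""
    out = bytearray([n_signers, 0, n_readonly]) + _write_compact_u16(len(accounts))
    out += b"".join(accounts) + blockhash + _write_compact_u16(len(instructions))
    for program, accs, data in instructions:
        out.append(accounts.index(program))
        out += _write_compact_u16(len(accs)) + bytes(accounts.index(a) for a in accs)
        out += _write_compact_u16(len(data)) + data
    return bytes(out)

# Constructed placeholder keys, not real accounts.
AUTHORITY, STAKE_ACCT, ATTACKER = bytes([0x11]) * 32, bytes([0x22]) * 32, bytes([0x33]) * 32

def build_samples() -> tuple[bytes, bytes]:
    """A clean Deactivate, and the same message with an Authorize appended."""
    accounts = [AUTHORITY, STAKE_ACCT, CLOCK_SYSVAR, STAKE_PROGRAM]  # signer, writable, readonly x2
    deactivate = (STAKE_PROGRAM, [STAKE_ACCT, CLOCK_SYSVAR, AUTHORITY], DEACTIVATE.to_bytes(4, "little"))
    # Authorize { new_authorized: ATTACKER, stake_authorize: Withdrawer (1) }, signed by the current authority
    authorize = (STAKE_PROGRAM, [STAKE_ACCT, CLOCK_SYSVAR, AUTHORITY],
                 (1).to_bytes(4, "little") + ATTACKER + (1).to_bytes(4, "little"))
    blockhash = bytes(range(32))
    return (encode_message(accounts, 1, 2, blockhash, [deactivate]),
            encode_message(accounts, 1, 2, blockhash, [deactivate, authorize]))

if __name__ == "__main__":
    for label, msg in zip(("clean", "tampered"), build_samples()):
        print(label, "safe to sign" if safe_to_sign(msg) else findings_for(msg))
```

Because the check runs on the serialised message bytes immediately before the signer is invoked, it fits inside the blockhash validity window without any external round trip. A production version of this allow-list would additionally pin the expected stake account and authority keys, reject any instruction account the policy does not expect, and resolve address lookup tables for versioned (v0) messages, which this example deliberately refuses rather than guesses at.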

Where are we now?

After a comprehensive review of all our systems, logs, and security layers, we have concluded that no breach occurred within SwissBorg’s infrastructure. Our custody environment remains fully secure and has not been compromised in any way.

This incident nevertheless highlighted a new and sophisticated attack vector, one that targets trusted service providers rather than end users, and reinforced the need for the entire industry to strengthen its security standards.

In response, we have further strengthened our operational and security framework. SwissBorg has long operated with industry-leading safeguards, continuous monitoring, and rigorous expectations for all third-party providers. We are now going beyond these standards by deepening our oversight, enhancing our monitoring and tightening our risk-management and outsourcing frameworks to ensure that every partner meets the same level of operational and security excellence that we uphold internally.

This breach underscores the importance of transparency and shared responsibility in crypto infrastructure. By learning from such events and adapting collectively, we believe the entire industry can become stronger and more resilient.