3 crypto attacks in 24 hours – From fake apps to a $14.2M SOL theft

ambcryptoPublished on 2026-07-12Last updated on 2026-07-12

Abstract

The cryptocurrency space witnessed a high volume of attacks within 24 hours, highlighting several major security threats. First, fraudsters targeted SecondFi by creating fake browser extensions and apps to steal crypto; the company clarified its official channels and warned against unsolicited links. In a separate incident, a compromised early Solana whale wallet led to the theft of 180,900 SOL (worth $14.2 million), with the stolen funds being bridged to Ethereum and laundered via Tornado Cash. Finally, the jscrambler npm package suffered a supply chain attack where stolen credentials were used to publish malicious versions containing an information-stealing payload. These events underscore the prevalence of phishing, wallet exploits, and software supply chain vulnerabilities, emphasizing the need for vigilance, verifying official sources, and prompt software updates.

Crypto scams are becoming increasingly prevalent, drawing widespread attention. In fact, more than three breaches occurred in the past 24 hours, with a few notable cases highlighted below.

SecondFi falls victim to a scam

Fraudsters impersonated SecondFi by developing phony browser extensions and applications that were intended to steal cryptocurrency or access users’ wallets.

To address the confusion, SecondFi clarified,

There is no new application or link, it is the same.

The team asserted that it will never ask users to download software, click links, sign transactions, or transfer assets through direct messages or emails.

Therefore, to prevent phishing scams and money theft, the team advised users to only install the official Chrome extension that has the blue verified checkmark and to access SecondFi via its official website.

Source: SecondFi/X

How did a theft result in a loss of 180,900 SOL?

In the second case, blockchain investigator ZachXBT claims that an early Solana [SOL] whale wallet was compromised. This resulted in the purported theft of 180,900 SOL, worth $14.2 million.

According to on-chain data, the wallet initially displayed unusual unstaking activity, indicating that the attacker took over the staked assets before transferring them to newly made Solana addresses to combine and exchange the money.

Later, the stolen assets were bridged from Solana to Ethereum [ETH] to obscure transaction trails and access greater liquidity. Moreover, the investigation asserted that some money had already been transferred using Tornado Cash, making them far harder to trace.

A sophisticated supply chain attack

Finally, jscrambler npm package became the target of a software supply chain attack after an attacker allegedly stole the login credentials needed to release new versions. For context, an information-stealing (infostealer) payload was included in malicious releases 8.14.0, 8.16.0, 8.17.0, 8.18.0, and 8.20.

Source: Socket/X

These releases were made to run malicious code on Linux, macOS, or Windows systems. Initially, a preinstall script that executes automatically during npm install was used to distribute the malware.

But in versions 8.18.0 and 8.20.0, the attacker incorporated the malicious code straight into the package, evading security measures such as npm install –ignore-scripts, which typically stops preinstall scripts from executing.

According to jscrambler, the attack was made possible by compromised npm publishing credentials, which allowed for unapproved releases. Following that, developers were urged to update immediately to version 8.22.0, which contains the fix.


Final Summary

  • Different hacking techniques like phishing scams, wallet compromises, and software supply chains are raising alarms.
  • By avoiding unsolicited links, updating compromised software, and confirming official sources, users, and developers can stay safe.

Trending Cryptos

Related Questions

QWhat type of attack did SecondFi warn its users about, and what specific advice was given to avoid it?

ASecondFi warned users about a phishing scam involving fake browser extensions and apps designed to steal cryptocurrency or access wallets. The team advised users to only install the official Chrome extension with a blue verified checkmark and to access the platform via its official website to prevent theft.

QAccording to the article, how did the attacker try to obscure the trail of the stolen 180,900 SOL tokens?

AThe attacker bridged the stolen SOL tokens from the Solana blockchain to the Ethereum blockchain. Additionally, some of the funds were transferred using the privacy mixer Tornado Cash, making them far harder to trace.

QWhat was the malicious component in the compromised jscrambler npm package versions, and how did it evolve?

AThe malicious component was an information-stealing (infostealer) payload. Initially, it was distributed via a 'preinstall' script that runs automatically during 'npm install'. In later versions (8.18.0, 8.20.0), the attacker embedded the malicious code directly into the package to evade security measures that block preinstall scripts.

QWhat common root cause enabled the unauthorized releases in the jscrambler supply chain attack?

AThe attack was made possible by compromised npm publishing credentials, which allowed the attacker to make unauthorized releases of the package.

QWhat are the three general categories of crypto attacks highlighted in the article's final summary?

AThe final summary highlights three categories of attacks: phishing scams, wallet compromises, and software supply chain attacks.

Related Reads

Trading

Spot

Hot Articles

Discussions

Welcome to the HTX Community. Here, you can stay informed about the latest platform developments and gain access to professional market insights. Users' opinions on the price of SOL (SOL) are presented below.

活动图片