Blockchain Breaches

An archive of cryptocurrency security incidents — hacks, exploits, bridge failures and rug pulls, documented with on-chain evidence.

Dossier № 247 · Private Key Compromise

SwissBorg Kiln-API SOL Earn Drain

SwissBorg's SOL Earn lost $41.5M (193,000 SOL) via a compromised API at staking vendor Kiln. SwissBorg itself wasn't breached; the third-party infra was.

Date: September 8, 2025
Victim: SwissBorg
Chain(s): Solana
Status:
Funds Stolen: approximately 193,000 SOL (about $41.5 million)

On September 8, 2025, the Swiss crypto-wealth-management platform SwissBorg lost approximately 193,000 SOL — about $41.5 million — from its SOL Earn staking strategy. The compromise was not at SwissBorg itself: the API at SwissBorg's staking vendor Kiln was breached, and the attackers manipulated requests to siphon SOL out of the SwissBorg-Earn deposits Kiln managed.

What happened

SwissBorg offered users a SOL Earn product where deposits were staked on Solana through Kiln, a major staking-infrastructure vendor. Kiln operated the validator infrastructure and signing keys; SwissBorg's app handled the user-facing layer.

The attackers compromised Kiln's API — likely through credential theft or backend exploitation; the exact vector was not publicly disclosed in full detail. With API access, they could issue staking-related transactions on behalf of SwissBorg's deposits in ways that ultimately routed funds to attacker-controlled addresses on Solana.

The drain hit a wallet labeled "SwissBorg Exploiter" on Solscan and affected less than 1% of SwissBorg's overall user base — only those who had opted into the SOL Earn product through the Kiln-backed strategy.

Aftermath

  • SwissBorg paused Solana staking immediately.
  • SwissBorg CEO Cyrus Fazel publicly committed to covering any shortfall from the company treasury so that no user would absorb a loss — even if recovery efforts failed.
  • The platform partnered with Fireblocks, the Solana Foundation, and white-hat investigators to trace stolen funds. Several attacker-linked transactions were blocked at major exchange chokepoints.
  • Kiln issued its own post-mortem and tightened API-side controls.

Why it matters

SwissBorg is the canonical 2025 case for vendor-API risk in retail crypto products. The user-visible product was SwissBorg's, the trust relationship was with SwissBorg, but the actual security boundary ran through Kiln's API surface. When that surface was compromised, the loss was real and the burden of customer reimbursement fell on SwissBorg — even though the breach happened at the vendor.

The structural lesson, increasingly relevant as the staking-infrastructure ecosystem matures:

  • Front-facing platforms are responsible for the security posture of every vendor in their staking stack — operationally, reputationally, and (per SwissBorg's response) financially.
  • API-based vendor relationships need the same scrutiny as direct-key custody relationships, including penetration testing, third-party audits of the vendor's controls, and contractual provisions about breach disclosure.
  • Cyrus Fazel's "no user will lose" response is increasingly the expected playbook for established consumer platforms — and one that has meaningful capital implications for newer entrants who don't have treasury depth to absorb $40M+ losses out of pocket.

Sources & on-chain evidence

  1. swissborg.com: https://swissborg.com/blog/sol-earn-incident-swissborg-recovery
  2. unchainedcrypto.com: https://unchainedcrypto.com/hackers-drain-41-million-from-swissborgs-solana-earn/
  3. quillaudits.com: https://www.quillaudits.com/blog/hack-analysis/swissborg-exploit
