September 12, 2025
Detections

Learning From the SwissBorg $41M Exploit: How Hypernative Protects Staking Ecosystems

Why both staking operators and yield platforms need to adopt real-time controls and embed transaction-level safeguards into every flow.

Hypernative

Update Sept. 13, 2025: This transaction had already set the withdrawer authority on Aug. 31, which would have limited the actions available to secure the funds.

On Sept. 8, SwissBorg suffered a major exploit that resulted in the theft of 192,600 SOL tokens worth $41.3M across 8 malicious transactions.

SwissBorg, a leading European wealth app, offers customers an Earn product, a way to deposit funds and earn yield via staking. To power this, they rely on Kiln, a professional staking operator managing deposits and withdrawals of staked funds.

Kiln’s infrastructure was compromised several days prior, allowing the attacker to manipulate stake account authorities and prepare for theft without triggering immediate alarms.


The Attack Timeline

Sept. 4, 2025: First Signs of Intrusion

The attacker experimented with both authorize and authorizeChecked instructions on a SwissBorg/Kiln stake account (example). This suggests the attacker was testing ways to escalate control and was still uncertain how best to exploit the accounts.

Sept. 6, 2025: Coordinated Authority Changes

Two days later, the attacker executed eight authorizeChecked calls, one per victim stake account. Importantly, in every call the attacker changed the Staker authority, not the Withdrawer authority.


  • The withdrawer authority remained under victim control, meaning SwissBorg/Kiln could still have deactivated the stakes and withdrawn funds during this window.

  • This created a multi-day opportunity for defenders to detect the anomaly and preemptively secure funds, even manually.


Sept. 8, 2025: Exploit Executed

At 12:22:03 UTC, withdrawals began (first transaction). Over the next 3 minutes, the attacker drained 192,600 SOL across 8 withdrawals. Even a reaction after the first withdrawal would have saved over 80% of the funds.

How Hypernative Could Have Helped

For Staking Operators (like Kiln)

Operators, who construct and submit transactions, are the first line of defense:

  • Guardian: Would have simulated each unstaking transaction, validating full parameters against policy. The substituted recipient addresses would have been flagged, with an automatic deny recommendation before execution.
  • Platform: Real-time monitoring would have caught the anomalous authorizeChecked instructions as soon as they appeared on Sept. 4 and 6. Automated Response could have deactivated or withdrawn funds before the attacker executed the exploit.

For Staking Services (like SwissBorg)

Services act as custodians of customer funds and depend on operators. To stay secure, they should:

  • Require their staking operators to enforce Guardian simulation checks and Platform monitoring.
  • Deploy Guardian for their own operational fund transfers.
  • Use the Hypernative Platform directly to continuously monitor their stake accounts.
    • In this case, they would have been alerted to the unauthorized Staker authority changes days in advance.
    • Even without automation, a manual emergency withdrawal was possible to secure customer assets before the exploit.
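As an added example (not Hypernative's, Kiln's or SwissBorg's code), the Python below implements the two controls discussed in this section in one place: a pre-execution review of an operator's own unstaking transactions that denies withdrawals to any destination outside an allow-list, and a monitoring rule over confirmed transactions that alerts on authorize/authorizeChecked instructions moving a stake account's Staker or Withdrawer authority away from the expected keys. The instruction shape is modeled on the Solana Stake program's jsonParsed format (an assumption about the feed you would consume); every address, signature and amount is a constructed placeholder, not a value from the incident.

```python
"""Policy checks for Solana stake accounts: flag authority changes and
withdrawal destinations that deviate from what the operator expects.
Input shape is modeled on the Stake program's jsonParsed instructions
(assumption); all addresses, signatures and amounts are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

STAKE_PROGRAM_ID = "Stake11111111111111111111111111111111111111"
AUTHORITY_CHANGE_TYPES = {"authorize", "authorizeChecked"}


@dataclass
class StakePolicy:
    """Authorities and withdrawal destinations expected for one stake account."""
    staker: str
    withdrawer: str
    allowed_destinations: Set[str] = field(default_factory=set)


@dataclass
class Alert:
    severity: str            # "HIGH" or "CRITICAL"
    stake_account: str
    signature: str
    reason: str
    recommended_action: str


def check_instruction(ix: dict, policies: Dict[str, StakePolicy],
                      signature: str) -> Optional[Alert]:
    """Return an Alert when one parsed instruction violates policy, else None."""
    if ix.get("programId") != STAKE_PROGRAM_ID:
        return None
    parsed = ix.get("parsed", {})
    kind, info = parsed.get("type"), parsed.get("info", {})
    account = info.get("stakeAccount")
    policy = policies.get(account)
    if policy is None:
        return None  # not an account we custody; other rules may apply
    if kind in AUTHORITY_CHANGE_TYPES:
        new_auth, auth_type = info.get("newAuthority"), info.get("authorityType")
        if auth_type == "Staker" and new_auth != policy.staker:
            # Withdrawer is still ours, so funds can still be secured.
            return Alert("HIGH", account, signature,
                         f"{kind}: staker authority moved to {new_auth}",
                         "Reset the staker authority or deactivate and withdraw")
        if auth_type == "Withdrawer" and new_auth != policy.withdrawer:
            return Alert("CRITICAL", account, signature,
                         f"{kind}: withdrawer authority moved to {new_auth}",
                         "Control of this account is lost; rotate operator keys")
    elif kind == "withdraw":
        dest = info.get("destination")
        if dest not in policy.allowed_destinations:
            return Alert("CRITICAL", account, signature,
                         f"withdraw of {info.get('lamports')} lamports to {dest}",
                         "Deny before signing; if already onchain, secure remaining accounts")
    return None


def review_transaction(tx: dict, policies: Dict[str, StakePolicy]) -> Tuple[str, List[Alert]]:
    """Usable both pre-execution (simulated tx) and on confirmed txs."""
    sig = tx.get("signature", "<unsigned>")
    alerts = [a for ix in tx["instructions"] if (a := check_instruction(ix, policies, sig))]
    return ("deny" if alerts else "allow"), alerts


# Constructed policy and transactions (placeholders, not incident data).
POLICIES = {
    "StakeAcctA_placeholder": StakePolicy(
        staker="OperatorStaker_placeholder",
        withdrawer="ServiceWithdrawer_placeholder",
        allowed_destinations={"ServiceTreasury_placeholder"}),
}
SAMPLE_TXS = [
    {"signature": "sigAuthorizeChecked_placeholder", "instructions": [  # early warning
        {"programId": STAKE_PROGRAM_ID, "parsed": {"type": "authorizeChecked", "info": {
            "stakeAccount": "StakeAcctA_placeholder", "authority": "OperatorStaker_placeholder",
            "newAuthority": "AttackerKey_placeholder", "authorityType": "Staker"}}}]},
    {"signature": "sigWithdraw_placeholder", "instructions": [  # substituted recipient
        {"programId": STAKE_PROGRAM_ID, "parsed": {"type": "withdraw", "info": {
            "stakeAccount": "StakeAcctA_placeholder", "destination": "AttackerWallet_placeholder",
            "withdrawAuthority": "ServiceWithdrawer_placeholder", "lamports": 1_000_000_000_000}}}]},
    {"signature": "sigRoutine_placeholder", "instructions": [  # legitimate withdrawal
        {"programId": STAKE_PROGRAM_ID, "parsed": {"type": "withdraw", "info": {
            "stakeAccount": "StakeAcctA_placeholder", "destination": "ServiceTreasury_placeholder",
            "withdrawAuthority": "ServiceWithdrawer_placeholder", "lamports": 1_000_000_000}}}]},
]


def run_sample() -> List[Tuple[str, str, List[str]]]:
    """Review each constructed transaction: (signature, decision, alert severities)."""
    return [(tx["signature"], *(lambda d, a: (d, [x.severity for x in a]))(*review_transaction(tx, POLICIES)))
            for tx in SAMPLE_TXS]


if __name__ == "__main__":
    for sig, decision, severities in run_sample():
        print(f"{sig}: {decision} {severities}")
```

Run against the constructed feed, the Staker-only change is reported as HIGH with the note that the withdrawer authority is still intact, the withdrawal to the substituted recipient is denied as CRITICAL, and the routine withdrawal to the approved treasury is allowed; the same `review_transaction` call serves as the gate before an operator signs and as the rule applied to confirmed transactions.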


Broader Lessons

This incident highlights two key truths for staking ecosystems:

  1. Attackers often reveal themselves early. In this case, the exploiter spent four days preparing the theft, leaving clear signals onchain.
  2. Defense in depth is critical. Pre-execution checks (Guardian) combined with continuous monitoring and rapid mitigation (Platform) provide multiple chances to block or contain an attack.


Closing Thought

The SwissBorg exploit wasn’t inevitable. The early authorizeChecked activity gave more than enough time for defenders to intervene. With Hypernative Guardian and Platform, both operators and services can detect these anomalies, deny malicious transactions, and respond in time to save customer funds.

Hypernative turns attacker “signal” into defender action, protecting staking ecosystems from supply-chain compromises.

If your team is reassessing its security posture, we’re here to answer questions and show how real-time protection can prevent the next incident. Reach out for a demo of Hypernative’s solutions, and tune into Hypernative’s blog and our social channels to keep up with the latest on cybersecurity in Web3.

Secure everything you build, run and own in Web3 with Hypernative.