1inch Hit by Major Hack in Supply Chain Attack
A supply chain attack has compromised 1inch and other platforms through malicious code in a popular animation library, risking users' funds and data.
A recent supply chain attack has compromised the frontend of decentralized exchange aggregator 1inch, along with TEN Finance and other platforms, due to malicious code injected into the Lottie Player animation library. This breach, affecting Lottie Player versions 2.0.5 and above, allows unauthorized transactions, endangering users' funds and personal data. Users are strongly advised to avoid interacting with these affected platforms until the security issues are completely resolved.
The attack started with malicious code introduced into the Lottie Player library’s JSON files, making it possible for compromised websites to execute unauthorized actions. Blockaid, a security firm, reported that this breach was caused by a corrupted npm package on Lottie Player’s content server. Blockaid and other security firms confirmed that the attackers managed to insert unauthorized scripts, including code to bypass debugging measures. Legitimate websites outside the crypto space may also be serving malicious content because of this exploit. Although 1inch has not officially addressed the breach, the Lottie Player team has identified the source of the problem and is actively working to remove the compromised versions.
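For teams that bundle the library from npm, a lockfile check for the version range named above is the first thing to run. The following is an added example, not code from the article, Blockaid or the Lottie Player project; the package name @lottiefiles/lottie-player does not appear in the article and is assumed here, and the sample lockfile is constructed.

```javascript
// Assumption: the npm package name is not given in the article.
const PACKAGE = "@lottiefiles/lottie-player";
const FIRST_AFFECTED = [2, 0, 5]; // "versions 2.0.5 and above" per the article

// True when a "major.minor.patch" string is at or above FIRST_AFFECTED.
function isAffected(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(version));
  if (!m) return false; // git URL, tag or missing version: not comparable
  const v = m.slice(1).map(Number);
  for (let i = 0; i < 3; i++) {
    if (v[i] !== FIRST_AFFECTED[i]) return v[i] > FIRST_AFFECTED[i];
  }
  return true; // exactly 2.0.5
}

// Walk a parsed package-lock.json: lockfileVersion 2/3 lists every install
// path under "packages"; lockfileVersion 1 nests them under "dependencies".
function findAffected(lock) {
  const hits = [];
  const check = (path, meta) => {
    if (path.endsWith("node_modules/" + PACKAGE) && isAffected(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  };
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = prefix + "node_modules/" + name;
      check(path, meta);
      walk(meta.dependencies, path + "/");
    }
  };
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) check(path, meta);
  } else {
    walk(lock.dependencies, "");
  }
  return hits;
}

// Constructed sample: direct install below the range, transitive copy inside it.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-frontend", version: "1.0.0" },
    "node_modules/@lottiefiles/lottie-player": { version: "2.0.4" },
    "node_modules/widget/node_modules/@lottiefiles/lottie-player": { version: "2.0.6" },
  },
};
console.log(findAffected(SAMPLE_LOCK));
```

Pass it the parsed contents of a project's package-lock.json. Sites that load the player from a script tag pointing at a content server rather than from npm do not show up in a lockfile and need their script URLs checked separately.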
This incident is part of a broader trend of increasing crypto hacks. Security breaches remain a pressing issue in the crypto industry, with cyber attacks growing more sophisticated each year. Recently, hackers stole $20 million in crypto from the U.S. government, linked to funds seized from the Bitfinex hackers. Blockchain lender Radiant Capital also experienced a significant loss, with over $50 million drained due to a hack that gained access to its private keys.
Federal investigations and prosecutions for crypto crimes have intensified as well. The FBI recently arrested a man named Eric Council Jr. for allegedly hacking the SEC’s X (formerly Twitter) account and spreading false news about Bitcoin ETF approvals, which caused market disruption. While Council is in custody, authorities believe he was not the mastermind behind the hack and are negotiating a plea deal with him.
In 2024, crypto-related thefts have already surpassed $2.1 billion, with centralized finance (CeFi) platforms bearing the most significant losses.