Kiln: 1 decision on this page

Audit log

Every state-changing event for Kiln: moderation decisions on community submissions, plus corrections and updates from the news pipeline. URL-based decisions carry three independent witnesses — the original source, an Internet Archive snapshot taken at submission time, and a Solana memo signed by our publicly disclosed publisher key.

  1. #1 publish by system:backfill
    2026-05-19 19:14:07Z
    Score: ?? (no score change)
    anchor: anchored
    chain: mainnet-beta, slot 420,830,398
    sig: 5bFxptZw4FiJ…JCCau2oi
    hash: DGF45e5i735v…rnSbrAvj (sha256 → base58)
    canonical bytes (22576 B):
    {"actor":"system:backfill","investigation_id":"d741f743-f792-4294-b5ae-234eb7336353","kind":"publish","page_slug":"kiln","published_at":"2026-05-19T19:14:07.021Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Kiln","sections":[{"content":"Kiln is a Paris-based enterprise staking infrastructure provider founded by Laszlo Szabo (co-founder and CEO). The platform is non-custodial and enables institutional clients — including exchanges, custodians, and wealth management platforms — to stake assets across 50+ proof-of-stake blockchain networks without transferring custody. As of mid-2025, Kiln reported managing over $14–18 billion in staked assets, operating more than 50,000 Ethereum validators representing approximately 6% of the Ethereum validator set, and 2.5% of the Solana network. Key enterprise customers include Crypto.com, Fireblocks, Ledger, Coinbase, and Binance.US. Kiln renewed its SOC 2 Type II audit in March 2025 with zero reported exceptions. Kiln operates the 'Kiln Connect' API product, which allows enterprise customers to interact with their staked assets through a unified API layer.","heading":"Entity Overview","severity":"low","sources":[{"credibility":1,"name":"Kiln Official Website — The Institutional Layer for Onchain Assets","type":"official","url":"https://www.kiln.fi/"},{"credibility":2,"name":"Kiln Staking — AuM, Validators & Rewards (Staking Rewards)","type":"research","url":"https://www.stakingrewards.com/provider/kiln"},{"credibility":2,"name":"OSL Partners with Kiln to Offer Enterprise-Grade ETH Staking","type":"news_article","url":"https://www.prnewswire.com/apac/news-releases/osl-partners-with-kiln-to-offer-enterprise-grade-eth-staking-302425770.html"}]},{"content":"On September 8, 2025, Kiln disclosed that a threat actor had conducted a supply chain attack against its API infrastructure. The initial intrusion vector was the compromise of a GitHub access token belonging to a Kiln infrastructure engineer. 
Using this token, the attacker created and immediately deleted branches in an infrastructure-as-code (IaC) repository to trigger CI/CD (Continuous Integration/Deployment) GitHub Actions workflows. These workflows had stored secrets and cloud credentials embedded in them; the attacker harvested these credentials, gaining access to cloud service accounts and production systems across Amazon Web Services (AWS), Google Cloud Platform (GCP), and bare-metal infrastructure. With access to Kiln's production Kubernetes environment, the attacker injected malicious code into a running pod hosting the Kiln Connect API backend controller. The payload modified a specific API endpoint to return a malicious transaction alongside a legitimate one during Solana unstaking operations ('deactivate' transactions). The injected instructions specifically targeted staking accounts holding balances exceeding 150,000 SOL. The malicious transaction embedded eight separate authorization instructions that transferred withdrawal authority for multiple SwissBorg-managed Solana stake accounts to an attacker-controlled wallet. The operation was designed to appear as a routine unstaking operation; external detection was described as impossible without internal visibility into Kiln's infrastructure. The initial seeding phase began on August 31, 2025, when the attacker embedded authorization instructions during what appeared to be a standard unstaking transaction. The main execution phase occurred on September 8, 2025, when the attacker exercised the now-transferred withdrawal authority to drain the accounts. 
Forensic analysis was conducted by Sygnia, engaged by Kiln.","heading":"Supply Chain Attack — September 2025","severity":"critical","sources":[{"credibility":1,"name":"Kiln — Re-enablement of Services and Security Incident Information (Official Post-Incident Report)","type":"official","url":"https://www.kiln.fi/post/re-enablement-of-kiln-services-and-security-incident-information"},{"credibility":1,"name":"SwissBorg — Security Information About the Kiln Breach","type":"official","url":"https://swissborg.com/blog/swissborg-security-update-kiln-breach"},{"credibility":2,"name":"Halborn — Explained: The SwissBorg Hack (September 2025)","type":"research","url":"https://www.halborn.com/blog/post/explained-the-swissborg-hack-september-2025"},{"credibility":2,"name":"Fireblocks — The Case for Native Staking: What the Kiln Incident Reveals","type":"research","url":"https://www.fireblocks.com/blog/case-for-native-staking-kiln-incident"},{"credibility":2,"name":"QuillAudits — SwissBorg's $41M Exploit: Key Insights","type":"research","url":"https://quillaudits.medium.com/swissborgs-41m-exploit-d80eafcf0b74"}]},{"content":"The sole confirmed victim of the Kiln API compromise was SwissBorg, a Switzerland-based cryptocurrency wealth management platform. SwissBorg's SOL Earn staking program had delegated Solana staking operations through Kiln's Connect API infrastructure. On September 8, 2025, approximately 192,600 SOL (valued at approximately $41–41.5 million at the time) was drained from SwissBorg's staking accounts via the attacker's previously established withdrawal authority. SwissBorg CEO Cyrus Fazel publicly stated that 'SwissBorg wasn't hacked,' attributing the exploit entirely to the compromise of Kiln's external infrastructure. SwissBorg confirmed no breach occurred within its own systems; forensic analysis determined the breach originated in Kiln's environment. 
Approximately $40.7 million (189,524 SOL) was moved in a single transaction to a dormant attacker-controlled wallet, where funds remained as of reporting. Approximately 3,000 SOL (~$0.6 million) was moved through multiple intermediate hops and tested on exchange liquidity channels, including a 100 SOL probe sent to Bitget. Security researcher Chaofan Shou compared the operational methodology to the 2025 Bybit hack. SwissBorg pledged to cover any gap in recovered funds from its corporate SOL treasury, stating that the SwissBorg community would not take a loss. The impacted cohort represented approximately 1% of SwissBorg users. Kiln confirmed there was 'no evidence of any other malicious transaction, modification to Kiln systems, or assets stolen from any other Kiln customer.'","heading":"Impact on SwissBorg — $41 Million SOL Theft","severity":"critical","sources":[{"credibility":2,"name":"Protos — SwissBorg CEO Blames $41M Loss on Staking Partner Kiln","type":"news_article","url":"https://protos.com/swissborg-ceo-blames-41m-loss-on-staking-partner-kiln/"},{"credibility":1,"name":"The Record (Recorded Future) — European Crypto Platform SwissBorg to Reimburse Users After $41 Million Theft","type":"news_article","url":"https://therecord.media/swissborg-platform-solana-cryptocurrency-stolen"},{"credibility":1,"name":"CoinDesk — Kiln Exits Ethereum Validators in 'Orderly' Move Following SwissBorg Exploit","type":"news_article","url":"https://www.coindesk.com/tech/2025/09/10/kiln-exits-ethereum-validators-in-orderly-move-following-swissborg-exploit"},{"credibility":1,"name":"Kiln — SOL Incident & SwissBorg Announcement","type":"official","url":"https://www.kiln.fi/post/sol-incident-swissborg---announcement"},{"credibility":2,"name":"CoinCentral — SwissBorg Hit by $41M Solana Crypto Theft Due to Kiln API Breach","type":"news_article","url":"https://coincentral.com/swissborg-hit-by-41m-solana-crypto-theft-due-to-kiln-api-breach/"}]},{"content":"On-chain investigator 
ZachXBT was among the first to publicly report the theft on the day of the attack, September 8, 2025, raising broader awareness of the incident across the crypto community. SwissBorg CEO Cyrus Fazel thanked ZachXBT, alongside multiple security firms, for 'immediate collaboration, vigilance, and support' during the incident response. ZachXBT's early flagging of the on-chain activity contributed to the identification of attacker wallet activity and assisted investigators and exchanges in blocking or flagging associated transactions. The specific details of ZachXBT's on-chain tracing methodology in this case have not been separately published in a standalone report as of available sources.","heading":"ZachXBT's Role and Public Disclosure","severity":"high","sources":[{"credibility":2,"name":"Protos — SwissBorg CEO Blames $41M Loss on Staking Partner Kiln","type":"news_article","url":"https://protos.com/swissborg-ceo-blames-41m-loss-on-staking-partner-kiln/"},{"credibility":1,"name":"The Record — European Crypto Platform SwissBorg to Reimburse Users After $41 Million Theft","type":"news_article","url":"https://therecord.media/swissborg-platform-solana-cryptocurrency-stolen"}]},{"content":"On September 9–10, 2025, Kiln initiated an orderly exit from all of its Ethereum validator nodes as a precautionary measure during the ongoing security investigation. This represented approximately 1.6 million ETH worth of validators — among the largest single-entity validator exits in Ethereum's history. CEO Laszlo Szabo stated the company acted immediately after identifying a potential compromise, and that exiting validators was 'the responsible step to protect stakers.' Kiln emphasized that the Ethereum validators themselves were not directly compromised and that no ETH was at risk of theft, but that the exit was prudent given the infrastructure-wide nature of the investigation. 
The exit triggered an immediate spike in the Ethereum validator exit queue: the queue jumped approximately 150%, from around 1 million ETH to 2.5–2.65 million ETH awaiting exit, pushing estimated wait times to over 46 days — the longest exit queue backlog in Ethereum staking history at that time. As of mid-September 2025, approximately $11.3 billion in ETH was in the exit queue. Kiln and industry observers expected the ETH to be restaked under new validator keys once the investigation concluded, rather than sold into markets. Preston Van Loon, a known Ethereum core contributor, publicly described Kiln's decision as 'the most responsible decision to be made after a suspected leak of validator keys.'","heading":"Ethereum Validator Mass Exit and Network Impact","severity":"high","sources":[{"credibility":2,"name":"Mitrade — Ethereum Network Set to Reabsorb 1.6M Tokens After Kiln Validator Security Incident","type":"news_article","url":"https://www.mitrade.com/insights/news/live-news/article-3-1111426-20250910"},{"credibility":1,"name":"CoinDesk — Ethereum Faces Validator Bottleneck With 2.5M ETH Awaiting Exit","type":"news_article","url":"https://www.coindesk.com/tech/2025/09/16/ethereum-faces-validator-bottleneck-with-2-5m-eth-awaiting-exit"},{"credibility":2,"name":"Cryptopolitan — 1.6M Ethereum Tokens Set for Restake After Kiln Validator Exit","type":"news_article","url":"https://www.cryptopolitan.com/ethereum-restake-after-kiln-validator-exit/"},{"credibility":1,"name":"Kiln — Infrastructure Issue With Validator Exit, Funds Remain Protected","type":"official","url":"https://www.kiln.fi/kiln-responds-tot-infrastructure-issue-with-validator-exit-funds-remain-protected"},{"credibility":3,"name":"Preston Van Loon on X — Kiln exiting all validators is the most responsible decision","type":"social_media","url":"https://x.com/preston_vanloon/status/1965754574485987774"}]},{"content":"Following discovery of the breach on September 8, 2025, Kiln took the following 
documented response actions: engaged Sygnia for 24/7 forensic analysis and monitoring; shut down the Kiln Dashboard, Widget, and all APIs; rotated all validator keys; suspended all service accounts; rotated all cloud credentials across AWS, GCP, and bare-metal environments; and reviewed all GitHub repositories for signs of additional compromise. Kiln subsequently implemented six categories of security enhancements: zero-trust access controls, hardened CI/CD pipelines, isolation protocols, container hardening, continuous monitoring, and validator key protection measures. Kiln indicated plans to publish a full post-mortem once the investigation was complete. Services were re-enabled in a phased manner following the investigation. Kiln's SOC 2 Type II certification (renewed March 2025 with zero exceptions) was noted to have proven insufficient against what Fireblocks characterized as 'state-actor-level techniques' in its independent analysis of the incident.","heading":"Kiln's Incident Response and Security Remediation","severity":"high","sources":[{"credibility":1,"name":"Kiln — Re-enablement of Services and Security Incident Information","type":"official","url":"https://www.kiln.fi/post/re-enablement-of-kiln-services-and-security-incident-information"},{"credibility":2,"name":"Fireblocks — The Case for Native Staking: What the Kiln Incident Reveals","type":"research","url":"https://www.fireblocks.com/blog/case-for-native-staking-kiln-incident"},{"credibility":3,"name":"OneSafe — Kiln's Response to Security Breaches: A Lesson in Trust and Transparency","type":"other","url":"https://www.onesafe.io/blog/enhancing-crypto-security-lessons-from-kilns-response"}]},{"content":"The Kiln incident exposed a systemic risk in institutional crypto staking: when enterprises delegate staking to third-party API providers, they may unknowingly engage in 'blind-signing' of transactions they cannot fully parse or verify. 
Fireblocks, itself a Kiln partner, published an independent analysis highlighting that institutional signatories approved a malicious transaction because the Solana serialized transaction format is difficult to decode even for experienced blockchain engineers, despite the existence of open-source decoder tools. The attack exploited the trusted relationship between Kiln and its enterprise customers, inserting malicious logic at the API layer where it would be invisible to downstream signing parties reviewing transaction summaries. The incident was compared by multiple security researchers to the 2025 Bybit hack in terms of operational methodology — embedding malicious authorization logic within what appeared to be routine transactions. The CISA separately issued an advisory on September 23, 2025 regarding a widespread npm supply chain compromise affecting 2.6 billion weekly downloads, though this was a distinct event from the Kiln infrastructure compromise which was GitHub CI/CD-based rather than npm-package-based.","heading":"Systemic Risk — Third-Party Staking Infrastructure","severity":"high","sources":[{"credibility":2,"name":"Fireblocks — The Case for Native Staking: What the Kiln Incident Reveals","type":"research","url":"https://www.fireblocks.com/blog/case-for-native-staking-kiln-incident"},{"credibility":1,"name":"CISA — Widespread Supply Chain Compromise Impacting npm Ecosystem","type":"regulatory","url":"https://www.cisa.gov/news-events/alerts/2025/09/23/widespread-supply-chain-compromise-impacting-npm-ecosystem"},{"credibility":2,"name":"Halborn — Explained: The SwissBorg Hack (September 2025)","type":"research","url":"https://www.halborn.com/blog/post/explained-the-swissborg-hack-september-2025"}]}],"sources_used":[{"credibility":1,"name":"Kiln — Re-enablement of Services and Security Incident Information","type":"official","url":"https://www.kiln.fi/post/re-enablement-of-kiln-services-and-security-incident-information"},{"credibility":1,"name":"Kiln — 
SOL Incident & SwissBorg Announcement","type":"official","url":"https://www.kiln.fi/post/sol-incident-swissborg---announcement"},{"credibility":1,"name":"Kiln — Infrastructure Issue With Validator Exit, Funds Remain Protected","type":"official","url":"https://www.kiln.fi/kiln-responds-tot-infrastructure-issue-with-validator-exit-funds-remain-protected"},{"credibility":1,"name":"SwissBorg — Security Information About the Kiln Breach","type":"official","url":"https://swissborg.com/blog/swissborg-security-update-kiln-breach"},{"credibility":1,"name":"The Record (Recorded Future) — European Crypto Platform SwissBorg to Reimburse Users After $41 Million Theft","type":"news_article","url":"https://therecord.media/swissborg-platform-solana-cryptocurrency-stolen"},{"credibility":1,"name":"CoinDesk — Kiln Exits Ethereum Validators in 'Orderly' Move Following SwissBorg Exploit","type":"news_article","url":"https://www.coindesk.com/tech/2025/09/10/kiln-exits-ethereum-validators-in-orderly-move-following-swissborg-exploit"},{"credibility":1,"name":"CoinDesk — Ethereum Faces Validator Bottleneck With 2.5M ETH Awaiting Exit","type":"news_article","url":"https://www.coindesk.com/tech/2025/09/16/ethereum-faces-validator-bottleneck-with-2-5m-eth-awaiting-exit"},{"credibility":2,"name":"Protos — SwissBorg CEO Blames $41M Loss on Staking Partner Kiln","type":"news_article","url":"https://protos.com/swissborg-ceo-blames-41m-loss-on-staking-partner-kiln/"},{"credibility":2,"name":"Halborn — Explained: The SwissBorg Hack (September 2025)","type":"research","url":"https://www.halborn.com/blog/post/explained-the-swissborg-hack-september-2025"},{"credibility":2,"name":"Fireblocks — The Case for Native Staking: What the Kiln Incident Reveals","type":"research","url":"https://www.fireblocks.com/blog/case-for-native-staking-kiln-incident"},{"credibility":2,"name":"QuillAudits — SwissBorg's $41M Exploit: Key 
Insights","type":"research","url":"https://quillaudits.medium.com/swissborgs-41m-exploit-d80eafcf0b74"},{"credibility":2,"name":"CoinCentral — SwissBorg Hit by $41M Solana Crypto Theft Due to Kiln API Breach","type":"news_article","url":"https://coincentral.com/swissborg-hit-by-41m-solana-crypto-theft-due-to-kiln-api-breach/"},{"credibility":2,"name":"Mitrade — Ethereum Network Set to Reabsorb 1.6M Tokens After Kiln Validator Security Incident","type":"news_article","url":"https://www.mitrade.com/insights/news/live-news/article-3-1111426-20250910"},{"credibility":2,"name":"Cryptopolitan — 1.6M Ethereum Tokens Set for Restake After Kiln Validator Exit","type":"news_article","url":"https://www.cryptopolitan.com/ethereum-restake-after-kiln-validator-exit/"},{"credibility":2,"name":"Kiln Staking — AuM, Validators & Rewards (Staking Rewards)","type":"research","url":"https://www.stakingrewards.com/provider/kiln"},{"credibility":1,"name":"CISA — Widespread Supply Chain Compromise Impacting npm Ecosystem","type":"regulatory","url":"https://www.cisa.gov/news-events/alerts/2025/09/23/widespread-supply-chain-compromise-impacting-npm-ecosystem"}],"summary":"Kiln is an institutional-grade, non-custodial staking infrastructure provider that manages over $14 billion in staked assets across 50+ proof-of-stake networks, including approximately 6% of the entire Ethereum validator set. In September 2025, Kiln suffered a sophisticated supply chain attack in which a threat actor compromised a GitHub access token belonging to a Kiln infrastructure engineer, injected malicious code into the Kiln Connect API, and caused the theft of approximately 192,600 SOL (~$41 million) from enterprise customer SwissBorg. 
The incident prompted Kiln to exit all 1.6 million ETH worth of its Ethereum validators as a precautionary measure, triggering the longest Ethereum exit queue backlog in the network's history.","timeline":[{"date":"2025-03-01","event":"Kiln renews SOC 2 Type II audit with zero exceptions, demonstrating security controls prior to the incident.","source":"Kiln Official Website","source_url":"https://www.kiln.fi/"},{"date":"2025-08-31","event":"Attacker begins seeding phase: embeds eight hidden authorization instructions in an apparently routine SOL unstaking transaction through the Kiln Connect API, transferring withdrawal authority for multiple SwissBorg stake accounts to an attacker-controlled wallet.","source":"QuillAudits — SwissBorg's $41M Exploit: Key Insights","source_url":"https://quillaudits.medium.com/swissborgs-41m-exploit-d80eafcf0b74"},{"date":"2025-09-08","event":"Attacker executes main phase: exercises the previously transferred withdrawal authority to drain approximately 192,600 SOL (~$41 million) from SwissBorg's Kiln-managed staking accounts. ZachXBT is among the first to publicly report the theft on-chain. SwissBorg and Kiln activate incident response protocols. Kiln suspends Kiln Dashboard, Widget, and all APIs.","source":"Protos — SwissBorg CEO Blames $41M Loss on Staking Partner Kiln","source_url":"https://protos.com/swissborg-ceo-blames-41m-loss-on-staking-partner-kiln/"},{"date":"2025-09-09","event":"Kiln initiates exit from all Ethereum validators as a precautionary measure. Approximately 1.6 million ETH worth of validators enter the Ethereum exit queue.","source":"Mitrade — Ethereum Network Set to Reabsorb 1.6M Tokens After Kiln Validator Security Incident","source_url":"https://www.mitrade.com/insights/news/live-news/article-3-1111426-20250910"},{"date":"2025-09-09","event":"Approximately $40.7M (189,524 SOL) moved in a single transaction to a dormant attacker-controlled wallet. 
Approximately 3,000 SOL begins moving through multiple intermediate hops and tested against exchange liquidity channels.","source":"QuillAudits — SwissBorg's $41M Exploit: Key Insights","source_url":"https://quillaudits.medium.com/swissborgs-41m-exploit-d80eafcf0b74"},{"date":"2025-09-10","event":"Kiln CEO Laszlo Szabo makes public statement confirming orderly validator exit as precautionary security measure. Ethereum validator exit queue spikes approximately 150% to 2.5–2.65 million ETH, with exit wait times exceeding 46 days — the longest in Ethereum staking history.","source":"CoinDesk — Kiln Exits Ethereum Validators in 'Orderly' Move Following SwissBorg Exploit","source_url":"https://www.coindesk.com/tech/2025/09/10/kiln-exits-ethereum-validators-in-orderly-move-following-swissborg-exploit"},{"date":"2025-09-16","event":"CoinDesk reports approximately 2.5 million ETH (~$11.25 billion) waiting in the Ethereum exit queue, with wait times above 46 days. Kiln publishes post-incident service re-enablement and security remediation details.","source":"CoinDesk — Ethereum Faces Validator Bottleneck With 2.5M ETH Awaiting Exit","source_url":"https://www.coindesk.com/tech/2025/09/16/ethereum-faces-validator-bottleneck-with-2-5m-eth-awaiting-exit"},{"date":"2025-09-23","event":"CISA issues a separate advisory on a widespread npm supply chain compromise affecting 2.6 billion weekly downloads — a distinct event from the Kiln GitHub CI/CD-based attack occurring in the same month.","source":"CISA Advisory — Widespread Supply Chain Compromise Impacting npm Ecosystem","source_url":"https://www.cisa.gov/news-events/alerts/2025/09/23/widespread-supply-chain-compromise-impacting-npm-ecosystem"}]},"v":1}
    Verify offline (run on your own machine)
    python -m src.verify_decision 457aee5f-6d2c-4906-9498-31efb1bca690
How verification works. The “Row integrity” check above is computed in your browser — your machine recomputes the SHA-256 of the canonical bytes and compares against the stored hash. No avoid.net server can fake that check. The “full verify” link goes one level deeper: your browser fetches the on-chain transaction from a Solana RPC node and confirms the same hash is in the memo. If you don’t want to trust either avoid.net or the public RPC, run the CLI verifier on your own machine — python -m src.verify_decision <event_id>.
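
The row-integrity and memo checks described above, as an added example (not avoid.net's verifier and not code from this page): it hashes the stored bytes with SHA-256, base58-encodes the digest, and compares the result with the stored hash and the memo text. The function names, the sorted-key compact JSON canonical form, and the memo layout are assumptions; the sample event is constructed.

```python
import hashlib
import json
from typing import Optional

# Base58 alphabet used by Bitcoin and Solana (no 0, O, I, l).
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58encode(data: bytes) -> str:
    """Base58-encode bytes; each leading zero byte becomes a leading '1'."""
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = B58_ALPHABET[rem] + out
    zeros = len(data) - len(data.lstrip(b"\x00"))
    return "1" * zeros + out


def canonical_bytes(event: dict) -> bytes:
    """ASSUMED canonical form: sorted keys, no whitespace, raw UTF-8."""
    return json.dumps(event, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def row_hash(raw: bytes) -> str:
    """SHA-256 of the exact stored bytes, rendered as base58."""
    return b58encode(hashlib.sha256(raw).digest())


def verify_row(raw: bytes, stored_hash: str, memo: Optional[str] = None) -> dict:
    """Row integrity check, plus the memo check when memo text is supplied."""
    computed = row_hash(raw)
    result = {"computed": computed, "row_ok": computed == stored_hash}
    if memo is not None:
        # ASSUMPTION: the memo carries the full base58 hash somewhere in its text.
        result["memo_ok"] = computed in memo
    return result


# Constructed sample event (not the Kiln row shown on this page).
SAMPLE_EVENT = {"v": 1, "kind": "publish", "actor": "system:backfill",
                "sequence_num": 1, "snapshot": {"summary": "Zürich sample"}}

if __name__ == "__main__":
    raw = canonical_bytes(SAMPLE_EVENT)
    stored = row_hash(raw)
    print(verify_row(raw, stored, memo="audit:" + stored))
    # One changed byte fails the row check.
    print(verify_row(raw.replace(b"publish", b"Publish"), stored)["row_ok"])
    # Re-serialising with default spacing and escaping also changes the hash,
    # so always hash the bytes as served, never a re-parsed copy.
    print(row_hash(json.dumps(SAMPLE_EVENT).encode()) == stored)
```

The comparison needs the full stored hash: a truncated display value such as the one in the row above can only be eyeballed against the computed one, not verified.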