Verify a decision

{"actor":"system:backfill","investigation_id":"93c20340-5fab-43fa-a4d9-92949c3b2d9f","kind":"publish","page_slug":"nexera","published_at":"2026-05-19T16:20:52.950Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Nexera","sections":[{"content":"Nexera is a blockchain infrastructure project that rebranded from AllianceBlock in early 2023 following a series of adverse events. The platform targets the real-world asset (RWA) tokenization market by providing compliance-first infrastructure, including KYC/KYB tooling, omnichain interoperability, and an ISO 27001-certified compliance platform called ComPilotAI. The native token NXRA is used for staking, governance, and validator incentives. AllianceBlock rebranded to the Nexera Foundation after the February 2023 BonqDAO incident forced the replacement of the original ALBT token with NXRA.","heading":"Entity Overview","severity":"low","sources":[{"credibility":2,"name":"AllianceBlock Rebrands As Nexera Foundation — The Defiant","type":"news_article","url":"https://thedefiant.io/news/press-releases/allianceblock-rebrands-as-nexera-foundation-launches-nexera-finance-to-shape-the-future-of-tokenization"},{"credibility":2,"name":"What Is Nexera (NXRA) And How Does It Work? — CoinMarketCap","type":"other","url":"https://coinmarketcap.com/cmc-ai/allianceblock-nexera/what-is/"}]},{"content":"On February 1, 2023, the third-party lending protocol BonqDAO was exploited via a price oracle manipulation bug affecting AllianceBlock's ALBT token, which had been used as collateral. Approximately 113.8 million wrapped-ALBT tokens worth roughly $11 million were illegally accessed, and the broader BonqDAO exploit totaled an alleged $120 million including BEUR stablecoins. AllianceBlock stated it had no control over BonqDAO's contract design and reimbursed affected users. The incident led to the token migration from ALBT to NXRA.","heading":"Prior Incident: BonqDAO Oracle Exploit (February 2023)","severity":"high","sources":[{"credibility":2,"name":"AllianceBlock Issues Statement in Response to BonqDAO Hack — Medium","type":"official","url":"https://medium.com/allianceblock/allianceblock-issues-statement-in-response-to-bonqdao-hack-6510a61fcf5c"},{"credibility":2,"name":"$120 Million Exploit: AllianceBlock Token Price Manipulated in Oracle Hack — CryptoNews","type":"news_article","url":"https://cryptonews.com/news/120-million-exploit-allianceblock-token-price-manipulated-oracle-hack-heres-what-happened/"}]},{"content":"On August 7, 2024, an external actor gained unauthorized access to Nexera's smart contract management credentials through a social engineering campaign. A Nexera employee received a fraudulent consulting or job offer requiring them to review smart contract code; the skills assessment instructed the target to clone and build code from a GitHub repository that contained embedded malware. The malware deployed was BeaverTail, an information stealer documented as part of North Korean state-backed threat actor toolkits. Once the malware executed on the employee's machine, the attacker obtained the private key or login credentials used to administer the Fundrs staking platform contracts on Ethereum.\n\nWith those credentials, the attacker transferred proxy contract ownership to an address they controlled at approximately 05:05 UTC. They then invoked the withdraw admin function to extract 47.24 million NXRA tokens from staking contracts on Ethereum and vesting contracts on Avalanche. Token sales through Uniswap began at approximately 05:28–05:29 UTC. Before the remaining tokens could be liquidated, Nexera paused the NXRA contract across multiple chains at 06:28 UTC and subsequently zeroed out the balance in the attacker's wallet. Of the 47.24 million tokens stolen, approximately 14.75 million were sold for roughly $449,000 before the freeze. The remaining 32.5 million were later formally burned.","heading":"August 2024 Hack: Private Key Compromise via BeaverTail Malware","severity":"critical","sources":[{"credibility":1,"name":"7 August 2024 Incident: Post Mortem Report From the Nexera Team — Medium","type":"official","url":"https://nexera.medium.com/240807-incident-post-mortem-report-5f1f7840d4d7"},{"credibility":2,"name":"Explained: The Nexera Hack (August 2024) — Halborn Security","type":"research","url":"https://www.halborn.com/blog/post/explained-the-nexera-hack-august-2024"},{"credibility":1,"name":"Blockchain Protocol Nexera Suffers $1.8M Exploit, NXRA Tumbles 40% — CoinDesk","type":"news_article","url":"https://www.coindesk.com/business/2024/08/07/blockchain-protocol-nexara-suffers-18m-exploit-nxra-tumbles-40"},{"credibility":2,"name":"DeFi protocol Nexera hacked for $1.5M via smart contract exploit — CoinTelegraph","type":"news_article","url":"https://cointelegraph.com/news/nexera-hack-1-5-million-nxra-token"},{"credibility":2,"name":"Nexera Private Key Compromise — Quadriga Initiative Case Study","type":"research","url":"https://quadrigainitiative.com/casestudy/nexeraprivatekeycompromisecontractupgrade.php"}]},{"content":"Blockchain investigator ZachXBT published findings on Telegram on August 7, 2024 linking the Nexera attacker on-chain to a series of prior private-key compromise incidents including SpaceCatch, Concentric Finance, OKX DEX, Serenity Shield, and Reach. Security researchers at Halborn and other firms noted that the use of BeaverTail malware and the fake-job-offer social engineering vector are consistent with the documented modus operandi of the Lazarus Group and affiliated DPRK threat actors. The Lazarus Group has been linked to a broader campaign of infiltrating crypto firms using fraudulent developer identities, a pattern ZachXBT has tracked across more than 25 projects. The UN Panel of Experts and MSMT reports on DPRK sanctions violations have documented this class of attack. Attribution remains probabilistic rather than formally adjudicated, as no law enforcement indictment against specific individuals for the Nexera hack has been publicly announced.","heading":"Attribution to Lazarus Group / North Korea","severity":"critical","sources":[{"credibility":2,"name":"Nexera Protocol Hacked for $1.5 Million — CryptoPotato (cites ZachXBT Telegram post)","type":"news_article","url":"https://cryptopotato.com/nexera-protocol-hacked-for-1-5-million-nxra-token-drops-over-40/"},{"credibility":2,"name":"ZachXBT Uncovers $3.5M Operation by North Korean Fake Devs Inside Crypto Firms — CryptoPotato","type":"news_article","url":"https://cryptopotato.com/zachxbt-uncovers-3-5m-operation-by-north-korean-fake-devs-inside-crypto-firms/"},{"credibility":1,"name":"ZachXBT uncovers North Korea-linked IT worker network generating $1M monthly — The Block","type":"news_article","url":"https://www.theblock.co/post/396847/zachxbt-uncovers-north-korea-linked-it-worker-network-generating-1m-monthly-via-crypto-payment-flows"},{"credibility":2,"name":"lazarus-bluenoroff-research / nexera.md — tayvano GitHub","type":"research","url":"https://github.com/tayvano/lazarus-bluenoroff-research/blob/main/hacks-and-thefts/nexera.md"},{"credibility":2,"name":"Explained: The Nexera Hack (August 2024) — Halborn Security","type":"research","url":"https://www.halborn.com/blog/post/explained-the-nexera-hack-august-2024"}]},{"content":"The following Ethereum addresses have been linked to the Nexera exploit and subsequent laundering activity, as documented in open-source Lazarus Group research:\n\nDirect theft addresses:\n- 0xe697949817a45446776376db203c04d31b580a10\n- 0x6bd33c8256f7a37336b2b8fe967321e25540337b\n\nAlleged laundering addresses:\n- 0x8856eb9b59d7e68ca7fcb2c76ff67e9a70fe9141\n- 0xadb7482d62d771e696ffbba07259fd0abd5d9190\n- 0xd138ae2013bd501ba42f1b5d914e3a0afd3fcf92\n- 0x1e6cb086100b264e5fcb02dfccd5f4aff6385efc\n- 0xf8d02d8bc8cfb3b50ee8fd21a1e21e0154fcee0b\n- 0xa736a6cf4239f3919740d9a434be358593f03fbc\n- 0x75fd76edc59a68c4de14ce248fa499b333d577f5\n\nTron network addresses also linked to the operation:\n- TCVgK96xZbZFu1sNPvX2RAThZ4gzkAcC4c\n- TFTiEEaV4Kc8nb5TJKmXM238EQBLZMGE89\n- TS33JwYCvEMiioh2hYuqPZCiyYdb416KBj\n\nSome of the liquidated proceeds were converted to ETH and bridged to BNB Chain. Exchanges including MEXC, Gate, Binance, Kraken, OKX, HTX, and HitBTC were used as alleged exit venues.","heading":"Known Attacker On-Chain Addresses","severity":"critical","sources":[{"credibility":2,"name":"lazarus-bluenoroff-research / nexera.md — tayvano GitHub","type":"on_chain","url":"https://github.com/tayvano/lazarus-bluenoroff-research/blob/main/hacks-and-thefts/nexera.md"},{"credibility":2,"name":"Nexera Private Key Compromise — Quadriga Initiative Case Study","type":"research","url":"https://quadrigainitiative.com/casestudy/nexeraprivatekeycompromisecontractupgrade.php"}]},{"content":"Following the exploit, Nexera paused the NXRA token contract and zeroed out the attacker's remaining token balance using administrative contract controls. The team subsequently executed a formal burn of 32.5 million NXRA tokens to permanently remove them from circulation, stating the action would \"prevent these tokens from being used, traded, or circulated, thereby protecting the integrity of the NXRA token's value.\" Exchanges KuCoin and MEXC suspended NXRA trading immediately after the incident. The token price dropped over 40–53% on the day of the hack (from approximately $0.062 to $0.029–$0.036). Within 24 hours of the burn announcement, NXRA recovered roughly 40% from its post-hack low. The token's all-time high of $0.286 had been reached on March 26, 2024; as of May 2026 the token trades at a fraction of that level and is down approximately 99% from ATH.","heading":"Token Burn Mitigation and Market Impact","severity":"high","sources":[{"credibility":2,"name":"Nexera Burns 32.5M NXRA Tokens to Enhance Security — Coinspeaker","type":"news_article","url":"https://www.coinspeaker.com/nexera-burns-32-5m-nxra-tokens/"},{"credibility":2,"name":"Nexera Burns 32.5 Million NXRA Tokens Stolen During Recent Hack — CryptoNews","type":"news_article","url":"https://cryptonews.com/news/nexera-burns-32-5-million-nxra-tokens-stolen-during-recent-hack/"},{"credibility":2,"name":"Nexera Burns 32.5m Compromised Tokens After $440k Loss — crypto.news","type":"news_article","url":"https://crypto.news/nexera-burns-32-5m-compromised-tokens-after-440k-loss/"},{"credibility":2,"name":"Nexera price today — CoinMarketCap","type":"other","url":"https://coinmarketcap.com/currencies/allianceblock-nexera/"}]},{"content":"Security researchers noted that the Nexera exploit was enabled by single-point-of-failure contract administration: a single set of credentials held administrative control over the proxy contract, meaning that compromise of one employee machine was sufficient to transfer contract ownership. Post-incident, Halborn and other analysts recommended migration to multi-signature wallets and hardware wallets for contract management. The Nexera team stated in their post-mortem that smart contract code itself was not flawed and that the breach was limited to the credential compromise. The project's history of two significant adverse events within approximately 18 months — the BonqDAO oracle exploit in February 2023 and the August 2024 private key compromise — raises concerns about sustained operational security practices.","heading":"Security Architecture Concerns","severity":"high","sources":[{"credibility":2,"name":"Explained: The Nexera Hack (August 2024) — Halborn Security","type":"research","url":"https://www.halborn.com/blog/post/explained-the-nexera-hack-august-2024"},{"credibility":1,"name":"7 August 2024 Incident: Post Mortem Report From the Nexera Team — Medium","type":"official","url":"https://nexera.medium.com/240807-incident-post-mortem-report-5f1f7840d4d7"}]}],"sources_used":[{"credibility":1,"name":"7 August 2024 Incident: Post Mortem Report From the Nexera Team — Medium","type":"official","url":"https://nexera.medium.com/240807-incident-post-mortem-report-5f1f7840d4d7"},{"credibility":2,"name":"Explained: The Nexera Hack (August 2024) — Halborn Security","type":"research","url":"https://www.halborn.com/blog/post/explained-the-nexera-hack-august-2024"},{"credibility":1,"name":"Blockchain Protocol Nexera Suffers $1.8M Exploit, NXRA Tumbles 40% — CoinDesk","type":"news_article","url":"https://www.coindesk.com/business/2024/08/07/blockchain-protocol-nexara-suffers-18m-exploit-nxra-tumbles-40"},{"credibility":2,"name":"Nexera Protocol Hacked for $1.5 Million, NXRA Token Drops Over 40% — CryptoPotato","type":"news_article","url":"https://cryptopotato.com/nexera-protocol-hacked-for-1-5-million-nxra-token-drops-over-40/"},{"credibility":2,"name":"DeFi protocol Nexera hacked for $1.5M via smart contract exploit — CoinTelegraph","type":"news_article","url":"https://cointelegraph.com/news/nexera-hack-1-5-million-nxra-token"},{"credibility":2,"name":"Nexera Burns 32.5M NXRA Tokens to Enhance Security — Coinspeaker","type":"news_article","url":"https://www.coinspeaker.com/nexera-burns-32-5m-nxra-tokens/"},{"credibility":2,"name":"Nexera Burns 32.5 Million NXRA Tokens Stolen During Recent Hack — CryptoNews","type":"news_article","url":"https://cryptonews.com/news/nexera-burns-32-5-million-nxra-tokens-stolen-during-recent-hack/"},{"credibility":2,"name":"Nexera Burns 32.5m Compromised Tokens After $440k Loss — crypto.news","type":"news_article","url":"https://crypto.news/nexera-burns-32-5m-compromised-tokens-after-440k-loss/"},{"credibility":2,"name":"Nexera Crypto Hacked, But Company Claims Only $440K Stolen — The Cyber Express","type":"news_article","url":"https://thecyberexpress.com/nexera-crypto-hack-only-440k-only-stolen/"},{"credibility":2,"name":"lazarus-bluenoroff-research / nexera.md — tayvano GitHub","type":"research","url":"https://github.com/tayvano/lazarus-bluenoroff-research/blob/main/hacks-and-thefts/nexera.md"},{"credibility":2,"name":"Nexera Private Key Compromise — Quadriga Initiative Case Study","type":"research","url":"https://quadrigainitiative.com/casestudy/nexeraprivatekeycompromisecontractupgrade.php"},{"credibility":1,"name":"ZachXBT uncovers North Korea-linked IT worker network generating $1M monthly — The Block","type":"news_article","url":"https://www.theblock.co/post/396847/zachxbt-uncovers-north-korea-linked-it-worker-network-generating-1m-monthly-via-crypto-payment-flows"},{"credibility":2,"name":"ZachXBT Uncovers $3.5M Operation by North Korean Fake Devs Inside Crypto Firms — CryptoPotato","type":"news_article","url":"https://cryptopotato.com/zachxbt-uncovers-3-5m-operation-by-north-korean-fake-devs-inside-crypto-firms/"},{"credibility":2,"name":"$120 Million Exploit: AllianceBlock Token Price Manipulated in Oracle Hack — CryptoNews","type":"news_article","url":"https://cryptonews.com/news/120-million-exploit-allianceblock-token-price-manipulated-oracle-hack-heres-what-happened/"},{"credibility":2,"name":"AllianceBlock Rebrands As Nexera Foundation — The Defiant","type":"news_article","url":"https://thedefiant.io/news/press-releases/allianceblock-rebrands-as-nexera-foundation-launches-nexera-finance-to-shape-the-future-of-tokenization"},{"credibility":2,"name":"Nexera price today — CoinMarketCap","type":"other","url":"https://coinmarketcap.com/currencies/allianceblock-nexera/"}],"summary":"Nexera (formerly AllianceBlock) is a blockchain infrastructure protocol focused on compliant real-world asset tokenization, operating primarily on Ethereum. In August 2024, a threat actor later attributed to North Korea's Lazarus Group used social engineering and BeaverTail malware to steal smart contract management credentials, enabling unauthorized transfer of 47.24 million NXRA tokens valued at approximately $1.9 million. The team mitigated further losses by zeroing out and subsequently burning the 32.5 million tokens that remained in the attacker's wallet, limiting confirmed liquidated losses to roughly $449,000.","timeline":[{"date":"2023-02-01","event":"BonqDAO oracle exploit drains approximately $120M across the protocol; AllianceBlock's ALBT token used as collateral is affected, with ~113.8M wALBT tokens worth ~$11M illegally accessed.","source":"AllianceBlock / CryptoNews","source_url":"https://cryptonews.com/news/120-million-exploit-allianceblock-token-price-manipulated-oracle-hack-heres-what-happened/"},{"date":"2023-02-23","event":"AllianceBlock launches Token Distribution Portal for NXRA, the replacement token for the affected ALBT, effectively rebranding as Nexera.","source":"Nexera Medium","source_url":"https://medium.com/allianceblock/allianceblock-issues-statement-in-response-to-bonqdao-hack-6510a61fcf5c"},{"date":"2024-03-26","event":"NXRA token reaches all-time high of approximately $0.286.","source":"CoinMarketCap","source_url":"https://coinmarketcap.com/currencies/allianceblock-nexera/"},{"date":"2024-08-07","event":"Attacker executes BeaverTail malware on a Nexera employee's machine, stealing smart contract management credentials. At 05:05 UTC proxy contract ownership is transferred. Between 05:28–05:29 UTC, 47.24M NXRA tokens are extracted and sales begin on Uniswap. At 06:28 UTC Nexera pauses the token contract. NXRA drops 40–53% on the day.","source":"Nexera Post-Mortem / Halborn / CoinDesk","source_url":"https://nexera.medium.com/240807-incident-post-mortem-report-5f1f7840d4d7"},{"date":"2024-08-07","event":"ZachXBT publishes Telegram post linking the Nexera attacker on-chain to prior private-key compromise incidents at SpaceCatch, Concentric Finance, OKX DEX, Serenity Shield, and Reach, and flags potential North Korean state actor involvement.","source":"CryptoPotato (citing ZachXBT Telegram)","source_url":"https://cryptopotato.com/nexera-protocol-hacked-for-1-5-million-nxra-token-drops-over-40/"},{"date":"2024-08-07","event":"Nexera team zeros out 32.5M NXRA tokens remaining in attacker's wallet, limiting liquidated losses to approximately $449,000 from 14.75M tokens already sold.","source":"Nexera Post-Mortem","source_url":"https://nexera.medium.com/240807-incident-post-mortem-report-5f1f7840d4d7"},{"date":"2024-08-08","event":"Nexera announces formal burn of 32.5 million NXRA tokens recovered from attacker's wallet. KuCoin and MEXC suspend NXRA trading.","source":"Coinspeaker / CryptoNews","source_url":"https://www.coinspeaker.com/nexera-burns-32-5m-nxra-tokens/"}]},"v":1}