3 crypto attacks in 24 hours – From fake apps to a $14.2M SOL theft
Here's how increasing security risks are affecting crypto developers and users in 2026.
Crypto scams are becoming increasingly prevalent, drawing widespread attention. In fact, more than three breaches occurred in the past 24 hours, with a few notable cases highlighted below.
SecondFi falls victim to a scam
Fraudsters impersonated SecondFi by developing phony browser extensions and applications that were intended to steal cryptocurrency or access users’ wallets.
To address the confusion, SecondFi clarified,
There is no new application or link, it is the same.
The team asserted that it will never ask users to download software, click links, sign transactions, or transfer assets through direct messages or emails.
Therefore, to prevent phishing scams and money theft, the team advised users to only install the official Chrome extension that has the blue verified checkmark and to access SecondFi via its official website.

How did a theft result in a loss of 180,900 SOL?
In the second case, blockchain investigator ZachXBT claims that an early Solana [SOL] whale wallet was compromised. This resulted in the purported theft of 180,900 SOL, worth $14.2 million.
According to on-chain data, the wallet initially displayed unusual unstaking activity, indicating that the attacker took over the staked assets before transferring them to newly made Solana addresses to combine and exchange the money.
Later, the stolen assets were bridged from Solana to Ethereum [ETH] to obscure transaction trails and access greater liquidity. Moreover, the investigation asserted that some money had already been transferred using Tornado Cash, making them far harder to trace.
A sophisticated supply chain attack
Finally, jscrambler npm package became the target of a software supply chain attack after an attacker allegedly stole the login credentials needed to release new versions. For context, an information-stealing (infostealer) payload was included in malicious releases 8.14.0, 8.16.0, 8.17.0, 8.18.0, and 8.20.

These releases were made to run malicious code on Linux, macOS, or Windows systems. Initially, a preinstall script that executes automatically during npm install was used to distribute the malware.
But in versions 8.18.0 and 8.20.0, the attacker incorporated the malicious code straight into the package, evading security measures such as npm install –ignore-scripts, which typically stops preinstall scripts from executing.
According to jscrambler, the attack was made possible by compromised npm publishing credentials, which allowed for unapproved releases. Following that, developers were urged to update immediately to version 8.22.0, which contains the fix.
Final Summary
- Different hacking techniques like phishing scams, wallet compromises, and software supply chains are raising alarms.
- By avoiding unsolicited links, updating compromised software, and confirming official sources, users, and developers can stay safe.