Vercel Confirms Security Breach After Hackers Access Employee Account

Hackers demand $2 million after breaching Vercel via a third-party AI platform, accessing internal systems and posing risks to Web3 projects.

Apr 20, 2026
Technobezz

Cloud infrastructure provider Vercel confirmed unauthorized access to internal systems after hackers breached an employee account through third-party AI platform Context.ai. The attackers now demand $2 million for what they claim is access to API keys, source code, and internal deployment credentials.

Vercel CEO Guillermo Rauch characterized the threat actors as "exceptionally sophisticated," noting their rapid movement through company systems. The initial compromise occurred when an employee's Google Workspace account was accessed via Context.ai's breached OAuth application, according to Rauch's public statement.

From there, attackers escalated access into Vercel environments where they could enumerate non-sensitive environment variables. While Vercel encrypts all customer environment variables at rest, those designated "non-sensitive" were accessible during the intrusion.

"A listing on BreachForums cybercrime marketplace advertises purported Vercel information for $2 million, claiming access to authentication keys, proprietary source code, database entries, and internal deployment credentials."

Individuals associated with the ShinyHunters collective have publicly disputed any connection to the incident. The breach poses particular risk to Web3 development teams that rely on Vercel for hosting decentralized application frontends and cryptocurrency wallet interfaces.

Solana-based decentralized exchange Orca confirmed its user interface operates on Vercel infrastructure and has proactively rotated all deployment authentication credentials. The exchange emphasized its blockchain protocol layer and customer assets remained secure.

Vercel has engaged cybersecurity firm Mandiant to investigate the incident and notified law enforcement. The company advises customers to review environment variables for sensitive information and enable the sensitive variable feature to ensure encryption at rest.

This security incident arrives amid a devastating month for cryptocurrency platform security. Just one day before Vercel's disclosure, Kelp DAO suffered a $292 million exploit linked to North Korea's Lazarus Group, the largest theft of 2026 so far.

Earlier in April, Solana-based derivatives platform Drift lost approximately $285 million in an attack also attributed to North Korean state-sponsored hacking groups. Additional protocols experiencing security breaches this month include CoW Swap, Zerion, Rhea Finance, and Silo Finance.

Vercel stated its services remain fully operational and only a limited subset of customers was affected by the breach. The company continues investigating whether attackers exfiltrated additional data beyond what was accessible through non-sensitive environment variables.
