Holdstation Hack
Incident Overview
On February 25, 2026, Holdstation suffered a 462,000 USDT supply chain attack when hackers compromised the application distribution server infrastructure via a fraudulent coding extension , injected malicious JavaScript into wallet function files, and distributed a trojanized update that silently drained user funds upon installation. Holdstation detected the breach within 2 minutes, suspended services, and committed to 100% compensation for all affected users.
The attack began with infrastructure compromise through a malicious coding extension that stole employee session tokens to bypass MFA and gain unauthorized access to Holdstation's distribution server, CI/CD pipeline, and Google Cloud storage containing core JavaScript files. After establishing access, the attacker installed a backdoor and directly overwrote official update files on the distribution server with malicious code containing JavaScript injected into critical wallet control functions. The malware was designed as a targeted attack that activated silently only when the application was updated and executed. When users installed the compromised update at 01:30 AM, the malware immediately accessed device secure storage and executed in complete silence (silent execution), exploiting the application's legitimate access rights to manipulate transaction signing processes without displaying confirmation requests to users. The backdoor sent malicious transaction signing commands, executed without requiring user authentication, and automatically transferred all assets to the hacker's wallet (0xcbfa60b3…19bf8d).
Exploiter:
https://etherscan.io/address/0xcbfa60b3…19bf8d
Incident Report
Protocol Information
What the Attacker Needed to Succeed
Understanding the prerequisites for this type of attack helps auditors identify protocols that are most at risk and helps developers build better defenses.
What Auditors Should Check
If you're auditing a protocol with similar architecture to Holdstation, these are the critical security checks that could have prevented this incident (February 2026).
- Verify all logic paths related to Access Control are guarded by proper access controls and input validation - see the Access Control Attacks attack class for patterns
- Review privileged functions (owner, admin, governance) for potential abuse vectors - centralization risks should be documented and bounded with timelocks or multi-sigs
Master these auditing techniques with hands-on labs and real exploit scenarios in the Smart Contract Hacking course.
Free TrialRelated Attack Classes
The technique used in this hack maps to these vulnerability classes in our security curriculum:
Sources & References
Learn to Prevent the Next Holdstation
The Holdstation hack is one of many attacks that skilled auditors are trained to detect before deployment. Master real exploit patterns and defense techniques with hands-on Web3 security training.