Resolv’s $25M Theft: A Detailed Look at the Crypto Breach

On March 22, 2026, Resolv reported a significant breach in its security systems, revealing how attackers minted a staggering 80 million USR tokens and siphoned approximately $25 million in Ethereum.

The unauthorized minting process was initiated through compromised credentials associated with an external contractor’s previous project. This breach of security highlights vulnerabilities that can extend beyond a company’s immediate infrastructure.

TRUSTED PARTNER

4.4 ★★★★☆

Review and Opinions →

🔥 100% Up to 500 $

200 Spin + 1 Bonus 🏆

Open an account

According to Resolv, the attackers accessed specific repositories by exploiting a GitHub credential linked to the contractor’s earlier work. Once inside, they embedded a harmful protocol within the repository’s framework.

This malicious process was designed to extract credentials without raising alarms related to outgoing traffic, allowing the attackers to cover their tracks effectively. They later erased their access, seemingly to eliminate any evidence of their intrusion.

With the stolen credentials, cybercriminals penetrated Resolv’s cloud environment, allowing them to meticulously inspect various services and search for additional access keys.

This organized effort, characterized by multiple stages across various systems, aimed to seize signing authority, vital for executing minting actions. Although initial attempts faced resistance from existing security measures, the attackers persisted and ultimately discovered a pathway through a more privileged role within the cloud infrastructure.

Once this higher-level access was acquired, modifications to the key access policies enabled them to gain the necessary signing authority for minting the tokens. This pivotal moment allowed the first illicit transaction to be executed at 02:21:35 UTC, resulting in the creation of 50 million USR tokens. They continued their operation with a subsequent mint at 03:41 UTC, resulting in an additional 30 million tokens.

Resolv’s monitoring systems promptly identified unusual activity, triggering an immediate response from their team, who began to contain the breach across both backend and blockchain systems. Given the intricacies of the breach, the response team focused on tracing the access routes utilized by the attackers, laying the groundwork for containment steps.

TRUSTED PARTNER

3.9 ★★★☆☆

Review and Opinions →

🔥 Bonus 1.400 $

Bonus Instant + 225 FS 🏆

Open an account

Acting swiftly, the team halted backend services and paused relevant smart contracts by 05:16 UTC. By 05:30 UTC, compromised credentials were revoked, with logs indicating attacker activities persisted until shortly before these actions were taken.

Following the containment efforts, Resolv undertook measures to neutralize approximately 46 million of the illicitly minted tokens through direct burns and blacklist functions. The investigation into the full extent of the minted supply remains ongoing.

In an effort to rectify the situation, Resolv is compensating affected USR holders on a one-to-one basis, with the majority of eligible redemptions already processed. However, most operational functions of the protocol have been paused as the team focuses on ensuring the safety of collateral and continuing redemption initiatives.

Interestingly, the investigation revealed that the breach did not stem from a single flaw, but rather from a series of smaller vulnerabilities across third-party services and cloud permissions. Looking ahead, Resolv plans to implement measures including on-chain mint limits, enhanced oracle price checks, automated pause functionalities, and stricter GitHub access protocols.

This incident serves as a stark reminder of the importance of comprehensive cybersecurity practices in the ever-evolving crypto landscape.