Fuzzland Loses $2 Million in Insider Attack on UniBTC Protocol
In September 2024, Fuzzland disclosed a significant security breach involving its UniBTC protocol, which resulted in a loss of $2 million. The attack was carried out by a former employee who exploited their privileged access and knowledge of the system. The individual, who had joined the company under the pretense of being a skilled MEV developer, inserted a trojan into Fuzzland’s MEV codebase using a malicious Rust crate named rands. This sophisticated insider operation involved social engineering, malware, and the manipulation of internal systems.
The attack began with the former employee impressing interviewers and demonstrating a functioning MEV bot, which earned them access to the company’s infrastructure. On September 4, 2024, the attacker modified the project’s Cargo.toml file to include the trojan, which auto-executed in commonly used IDEs such as VSCode and JetBrains. This allowed the attacker to gain persistent, undetected access to engineering workstations for over three weeks. Security tools such as Falcon and AVG failed to detect the intrusion. However, on September 26, Fuzzland discussed a vulnerability in UniBTC, discovered in a Dedaub report, during an emergency call. Just over an hour later, at 18:28 UTC, the UniBTC protocol was exploited.
In response to the breach, Fuzzland took full responsibility and reimbursed all affected parties. The firm enlisted Web3 security firm zeroShadow to investigate the breach and rule out any internal collusion. It also filed reports with both the FBI and Chinese law enforcement to pursue criminal action. Despite the attack, Bedrock’s total value locked (TVL) grew from $240 million in September 2024 to $535 million in June 2025.
To safeguard its systems from future incidents, Fuzzland launched new internal controls and adopted enhanced vetting procedures. These include on-site employee screenings, detailed know-your-employee (KYE) verification, and strict privilege separation. Sensitive systems remain isolated, and private keys are secured in trusted execution environments (TEEs). Fuzzland has implemented software bill of materials (SBOM) checks across all codebases to ensure that any malicious dependencies are flagged before deployment. The firm also expanded its source code analysis capabilities by integrating tools like CodeQL and CodeRabbit. Additionally, Fuzzland reinforced its protocols for handling intelligence under TLP:RED, ensuring strict need-to-know access for vulnerability information.
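One way a dependency gate of this kind can work on a Rust project is sketched below as an added example; it is not Fuzzland's tooling. It reads the dependency tables of a Cargo.toml, reports every crate missing from a reviewed allowlist, and notes when the name is one edit away from an approved crate. The manifest, the allowlist, the version numbers and all function names are assumptions made for illustration.

```rust
use std::collections::BTreeSet;
// Constructed sample manifest and allowlist; versions are placeholders.
const SAMPLE: &str = r#"
[dependencies]
rand = "0.8"
rands = "0.1" # crate name from the article; version is a placeholder
[dev-dependencies.criterion]
version = "0.5"
"#;
const APPROVED: &[&str] = &["rand", "serde"];
// Crate names from every dependency table (simplified line parser, not full TOML).
fn dependency_names(manifest: &str) -> BTreeSet<String> {
    let (mut names, mut in_deps) = (BTreeSet::new(), false);
    for raw in manifest.lines() {
        let line = raw.split('#').next().unwrap_or("").trim();
        if line.starts_with('[') {
            let header = line.trim_matches(|c: char| c == '[' || c == ']');
            in_deps = header.ends_with("dependencies");
            if let Some((_, name)) = header.rsplit_once("dependencies.") {
                names.insert(name.to_string()); // table form: [dependencies.<crate>]
            }
        } else if let (true, Some((key, _))) = (in_deps, line.split_once('=')) {
            names.insert(key.trim().trim_matches('"').to_string());
        }
    }
    names
}
// Levenshtein distance, used to spot one-character lookalikes of approved names.
fn edit_distance(a: &str, b: &str) -> usize {
    let (a, b): (Vec<char>, Vec<char>) = (a.chars().collect(), b.chars().collect());
    let mut prev: Vec<usize> = (0..=b.len()).collect();
    for i in 1..=a.len() {
        let mut cur = vec![i];
        for j in 1..=b.len() {
            let sub = prev[j - 1] + usize::from(a[i - 1] != b[j - 1]);
            cur.push(sub.min(prev[j] + 1).min(cur[j - 1] + 1));
        }
        prev = cur;
    }
    prev[b.len()]
}
// Each unapproved crate, with the approved name it sits one edit away from, if any.
fn audit(manifest: &str, approved: &[&str]) -> Vec<(String, Option<String>)> {
    let deps = dependency_names(manifest).into_iter();
    deps.filter(|n| !approved.contains(&n.as_str())).map(|n| {
        let near = approved.iter().copied().find(|a| edit_distance(&n, a) <= 1);
        (n, near.map(String::from))
    }).collect()
}
fn main() { println!("{:?}", audit(SAMPLE, APPROVED)); }
```

Run against the manifest change under review, a non-empty result holds the merge until someone has vetted the new crate.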
Fuzzland acknowledged the contributions of Bedrock, SEAL 911, Slowmist, and zeroShadow in coordinating a swift response. It shared threat indicators such as suspicious IP addresses and malware samples on VirusTotal to assist the broader security community. The crypto industry continues to see a rise in crypto hacks driven by phishing and social engineering. This incident highlights the importance of robust security measures and the need for continuous vigilance in the face of evolving threats.