Malicious script injected into BadgerDAO's Cloudflare-hosted frontend intercepted wallet approvals and redirected user funds.
Attackers injected a malicious Cloudflare Worker script into BadgerDAO's frontend that prompted users to approve additional token transfers to attacker-controlled addresses. The script was active for several weeks before detection. Users who interacted with the compromised frontend unknowingly granted the attacker unlimited token allowances.
Stolen BTC and ETH moved through multiple wallets. Significant BTC moved to renBTC bridge and then dispersed. Some ETH routed through Tornado Cash. Blockchain analytics firms (Chainalysis, TRM Labs) tracked portions to known Lazarus Group-associated wallets, though attribution remains uncertain.
0x951babdddbfbbba81bbbb7809f2da3a0d44bc2f2c99aae43d82e4c0d7b6c7e7f