Attackers compromised private keys for 96 Vulcan Forged user wallets through a breach of the platform's centralized key storage.
Vulcan Forged's semi-custodial wallet system stored private keys on centralized servers. Attackers breached the server and extracted private keys for 96 wallets, then systematically drained each one. The centralized key management was a fundamental architectural flaw — users believed they held self-custody but keys were server-side.
Stolen PYR immediately sold on decentralized exchanges, crashing the price. ETH proceeds moved to Tornado Cash. Vulcan Forged CEO Jamie Thomson pledged personal funds and company treasury to compensate users, reimbursing $140M from treasury. Users migrated to fully self-custodial wallets post-incident.
0xb7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c