Between October 2024 and March 2026, a single browser extension marketed as 'VaultGuard' drained more than $600M in stablecoins from over 14,000 wallets across 38 jurisdictions. Chainvail reconstructed the attack from leaked Telegram archives, on-chain forensics, and interviews with three former operators who agreed to speak on condition of anonymity.
The attackers exploited a deceptively simple pattern: a malicious update pushed through a hijacked Chrome publisher account silently swapped the wallet's signing routine. Each transaction looked normal to the victim, but a hidden post-sign hook re-broadcast a parallel transfer to attacker-controlled multisigs.
Recovery efforts led by Cypriot magistrate Elena Pavlou have so far frozen $42M in correspondent banks. Chainvail has independently verified the freeze orders and the chain of custody for each tranche.



