Complex Cyberattack on Bedrock Protocol: Social Engineering, Insider Threat, and TVL Growth Despite Leak

06.07.2025

The Bedrock protocol incident, revealed in a transparency report by Fuzzland, was a complex, multi-stage cyberattack in which the attacker used a combination of social engineering, supply chain attacks, and persistent threat techniques to gain access to sensitive data [1].

Key details of the incident:

  • Vulnerability discovered: The vulnerability was discovered early but was not prioritized because of the large number of false positives and security noise, which left it open for the attacker to exploit [1].
  • Malware from a former employee: In addition to the external attack, a former employee of the company planted malware that created hidden access points on engineers’ workstations. These access points remained undetected for several weeks, allowing the attacker to collect data and exploit a previously identified vulnerability discovered by the Dedaub research group [1].
  • Financial impact and compensation: As a result of the attack, the attacker withdrew approximately $2 million in liquidity from the Bedrock Protocol’s UniBTC product, part of its liquid restaking system, which issues the synthetic tokens UniBTC, UniETH and UniLOX for staking income. Despite the incident, the protocol’s total value locked grew from $240 million in September 2024 to $535 million in June 2025, demonstrating continued user confidence [1].
  • Fuzzland’s actions: Fuzzland fully compensated the Bedrock protocol for the damage and initiated a joint investigation with the digital security company ZeroShadow. Fuzzland also shared information about the incident with Chinese law enforcement and the US FBI, and is working with Seal 911 and SlowMist to strengthen industry security standards. Importantly, Fuzzland states that no customers or users were harmed, as all data was isolated in a separate internal environment [1].
  • Context of the rise in cyberattacks: The Fuzzland report comes amid a significant increase in social engineering attacks. According to CertiK, hackers are expected to steal more than $2.1 billion in digital assets in 2025, with most of the damage coming from phishing and wallet hacking. Ronghui Gu, co-founder of CertiK, noted that attackers are shifting their strategies toward social engineering techniques [1].

The Bedrock incident thus demonstrates how a combination of technical vulnerabilities, human error, and targeted insider activity can lead to serious consequences in the field of digital security. Fuzzland’s response, including compensation for losses, cooperation with experts and law enforcement, and strengthening of security standards, serves as an example of a comprehensive approach to incident management in the blockchain industry. At the same time, the increase in such attacks highlights the need for continuous improvement of security methods and increased digital literacy of all market participants [1].

What security measures did Fuzzland and partners take after the Bedrock attack?

Following the attack on the Bedrock protocol, Fuzzland took comprehensive security measures:

  • Fully compensated for the damage to the protocol to restore user trust and minimize the impact of the incident.
  • Initiated a joint investigation with digital security company ZeroShadow to deeply analyze and eliminate the causes of the attack.
  • Passed information about the incident to Chinese law enforcement agencies and the US FBI to bring those responsible to justice and prevent further attacks.
  • Collaborates with experts from Seal 911 and SlowMist to strengthen industry security standards, including improving monitoring, threat detection, and incident response processes.
  • Ensured that user and customer data remained isolated in a separate internal environment, preventing it from being compromised.

These measures reflect a systematic approach by Fuzzland and its partners to improve security and prevent similar incidents in the future.

How the attacker used social engineering to obtain data

The Bedrock attacker used social engineering to gain access to the company’s sensitive data and systems. Social engineering is a technique that psychologically manipulates people into revealing sensitive information or granting access to resources, bypassing technical protections [5].

In this case, the attacker could have used the following techniques:

  • Gathering information about employees and infrastructure: studying open sources, social networks and internal data to build a profile of the victim and prepare a convincing pretext [6].
  • Impersonating a trusted person, such as a technical support employee, partner, or manager, to gain trust and obtain the necessary data or access [4].
  • Establishing contact and gaining trust through email, instant messaging or phone calls, using professional jargon and detailed knowledge of the company to lower the victim’s suspicions [6].
  • Malware delivery under the guise of an update or assistance, creating hidden access points that remain undetected in the system for a long time [5].
  • Exploitation of previously identified vulnerabilities: using the collected data and access, the attacker could take advantage of technical gaps that had not been closed promptly because of false positives in the security monitoring system [1].

Thus, the attacker did not simply hack the system technically, but used a complex strategy of psychological deception and manipulation, which allowed him to gain access to the company’s internal resources and confidential information, as well as introduce malware for further data collection [6].

What was the vulnerability that was previously discovered and why was it not a priority?

The previously discovered vulnerability used by the attacker in the Bedrock protocol attack was a known security flaw for which an update or fix already existed. However, it was not prioritized for immediate remediation due to a high false positive rate and noise in the security monitoring system. This meant that the security system generated many alerts that did not always correspond to real threats, making it difficult to isolate truly critical issues.

As a result, the vulnerability remained incompletely patched and continued to pose a risk: such “N-day” vulnerabilities (publicly known flaws for which a patch already exists) remain dangerous if organizations do not or cannot update their systems in a timely manner. Exploits for such vulnerabilities are often publicly available, so whether they succeed depends on patching discipline and incident management.

Thus, it was precisely because of insufficient prioritization and the handling of false positives that the vulnerability was not closed in time, which allowed the attacker to use it in combination with other attack methods [2].
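The failure described above is a triage problem: a real, already-patchable finding fired once and was lost in a stream of chatty checks. The following added example (not Fuzzland’s or Bedrock’s tooling; rule names, alert fields and weights are constructed for illustration) contrasts a volume-ordered alert view, in which the one-off finding lands last, with a ranking that ignores volume and scores each unique finding on public exploit availability, an existing fix, and exposure.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Alert:
    rule: str               # scanner check or detection rule that fired
    asset: str              # host or service the alert concerns
    fix_available: bool     # a vendor patch already exists (an N-day)
    exploit_public: bool    # a working exploit is publicly circulating
    internet_exposed: bool  # reachable from outside the network

# Constructed sample alert stream: two chatty informational checks and one
# patchable, publicly exploitable finding buried among them.
SAMPLE_ALERTS = (
    [Alert("tls-cert-expires-soon", f"web-{i:02d}", False, False, True)
     for i in range(40)]
    + [Alert("dependency-minor-update", f"ci-{i:02d}", True, False, False)
       for i in range(25)]
    + [Alert("vendor-advisory-unpatched", "ops-node-07", True, True, True)]
)

def rank_by_volume(alerts):
    """Noise-driven view: rules ordered by how often they fire. A genuine
    one-off finding ends up last and is the easiest to dismiss."""
    return [rule for rule, _ in Counter(a.rule for a in alerts).most_common()]

def risk_score(alert):
    """Illustrative weights: a public exploit outweighs everything, then an
    available fix (the gap can be closed now), then external exposure."""
    return 4 * alert.exploit_public + 2 * alert.fix_available + alert.internet_exposed

def rank_by_risk(alerts, min_score=4):
    """Collapse duplicates per (rule, asset), keep only alerts scoring at or
    above min_score, highest first. Alert volume plays no role."""
    unique = {(a.rule, a.asset): a for a in alerts}.values()
    kept = [a for a in unique if risk_score(a) >= min_score]
    return sorted(kept, key=risk_score, reverse=True)

def top_rule(alerts):
    """Name of the rule a risk-ranked queue shows first (None if empty)."""
    ranked = rank_by_risk(alerts)
    return ranked[0].rule if ranked else None

if __name__ == "__main__":
    print("by volume :", rank_by_volume(SAMPLE_ALERTS))
    print("by risk   :", [a.rule for a in rank_by_risk(SAMPLE_ALERTS)])
```

With the constructed stream, the volume view lists the unpatched advisory last behind 65 informational alerts, while the risk-ranked queue contains exactly that one finding.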

How a former employee planted malware and created hidden access points

The former employee introduced malware onto engineers’ workstations using methods that combined technical tricks and trusted access. According to known attack scenarios, he was able to use his internal access and knowledge of the infrastructure to covertly install malware that created hidden access points: communication channels to the attacker’s external control server that standard security tools did not detect.

The main mechanisms of malware implementation and operation include:

  • Using loaders such as GuLoader, which evade antivirus systems and sandboxes by checking that they are running on a real device rather than in a test environment, increasing the likelihood that the malicious payload launches successfully.
  • Disguising the malware as legitimate processes by changing process names and launch parameters, making it harder to detect.
  • Creating hidden access points, for example through port knocking, allowing an attacker to gain unnoticed access even in network segments with strictly limited Internet access.
  • Encrypting transmitted data and using compromised legitimate sites as control servers, which masks malicious traffic and complicates investigation.
  • Launching automatically at system boot or user login, gaining a foothold in the system and providing long-term hidden access.

Thus, the former employee, using his knowledge and access to the infrastructure, introduced sophisticated, detection-resistant malware that created hidden access channels on the engineers’ workstations. These access points remained undetected for several weeks, allowing the attacker to collect data and exploit a previously identified vulnerability [6].

Why Despite Liquidity Leaks, Total Protocol TVL Increased From September 2024 to June 2025

Despite a liquidity leak of approximately $2 million from the Bedrock protocol’s UniBTC product in September 2024, the protocol’s total value locked (TVL) grew from $240 million in September 2024 to $535 million in June 2025. This is due to several factors:

  • Maintaining user and investor confidence: Fuzzland responded quickly with compensation and an investigation, helping to preserve the protocol’s reputation and market confidence.
  • Active development and expansion of Bedrock products: The protocol offers the synthetic tokens UniBTC, UniETH and UniLOX, which generate staking income and attract new users and capital.
  • Overall positive trend in the DeFi and cryptocurrency market: Despite isolated incidents, the market continued to grow, and institutional investors increased their investments in crypto assets, which contributed to the influx of liquidity into promising projects [3].
  • Growing interest in liquid restaking and innovative financial products: Protocols like Bedrock meet the needs of investors looking to generate income from their assets, driving an increase in TVL [10].

Thus, despite the short-term losses from the attack, the comprehensive compensation and security measures, together with the attractiveness of the protocol’s products, contributed to a significant increase in total value locked.

  1. https://forklog.com/glavnoe-za-mesyats-vyzovy-dlya-bitkoina-aktualnaya-kiberbezopasnost-i-militarizatsiya-ii
  2. https://t.me/s/forklog?before=41828
  3. https://www.block-chain24.com/news/novosti-bezopasnosti/fuzzland-za-eksploitom-protokola-bedrock-unibtc-na-2-mln-stoit-byvshiy
  4. https://www.gate.com/ru/learn/articles/gate-research-btc-eth-lead-gains-usdy-tvl-surpasses-100m-on-solana-goat-ignites-ai-memecoin-frenzy/4431
  5. https://ru.tradingview.com/ideas/page-146/?sort=recent_extended&video=no
  6. https://www.securities.io/ru/dydx-token-holds-steady-despite-overall-market-decline/
  7. https://ru.tradingview.com/news/forklog:a9ac0b0bb67b8:0/
  8. https://www.bitget.com/ru/price/proof/news
  9. https://www.binance.com/ru/square/post/20961882736481
  10. https://www.gate.com/ru/learn/articles/the-liquid-restaking-landscape/60564
  1. https://www.tadviser.ru/index.php/%D0%A1%D1%82%D0%B0%D1%82%D1%8C%D1%8F:%D0%92%D1%80%D0%B5%D0%B4%D0%BE%D0%BD%D0%BE%D1%81%D0%BD%D0%B0%D1%8F_%D0%BF%D1%80%D0%BE%D0%B3%D1%80%D0%B0%D0%BC%D0%BC%D0%B0_(%D0%B7%D0%BB%D0%BE%D0%B2%D1%80%D0%B5%D0%B4)
  2. https://www.kaspersky.ru/blog/cybersecurity-history-iloveyou/33691/
  3. https://cifrateka.ru/articles/opasnosti-otkrytykh-wi-fi-setey-kak-zashchitit-svoi-dannye-/
  4. https://startx.team/blog/statyi/xxe-ataka-chto-eto-takoye-i-kak-predotvratit-uyazvimosti/
  5. https://xygeni.io/ru/blog/open-source-malicious-packages-the-problem/
  6. https://ptsecurity.com/ru-ru/research/analytics/malware-behavior-and-distribution-channels/
  7. https://www.tadviser.ru/index.php/%D0%A1%D1%82%D0%B0%D1%82%D1%8C%D1%8F:%D0%92%D0%B8%D1%80%D1%83%D1%81%D1%8B-%D0%B2%D1%8B%D0%BC%D0%BE%D0%B3%D0%B0%D1%82%D0%B5%D0%BB%D0%B8_(%D1%88%D0%B8%D1%84%D1%80%D0%BE%D0%B2%D0%B0%D0%BB%D1%8C%D1%89%D0%B8%D0%BA%D0%B8)_Ransomware
  8. http://www.sberbank.ru/ru/person/kibrary/articles/kak-zashchitit-domashnyuyu-wi-fi-set
  9. https://securelist.ru/golovy-gidry-vredonosnoe-po-dlya-setev/60/
  10. https://gendalf.ru/news/security/vasha-informatsiya-pod-ugrozoy-pora-prov/
  1. https://is-systems.org/blog_article/11660115806
  2. https://ya.ru/neurum/c/tehnologii/q/v_chem_zaklyuchayutsya_osnovnye_razlichiya_5da2300f
  3. https://ru.wikipedia.org/wiki/%D0%A3%D1%8F%D0%B7%D0%B2%D0%B8%D0%BC%D0%BE%D1%81%D1%82%D1%8C_%D0%BD%D1%83%D0%BB%D0%B5%D0%B2%D0%BE%D0%B3%D0%BE_%D0%B4%D0%BD%D1%8F
  4. https://www.sberbank.ru/ru/person/kibrary/articles/uyazvimosti-nulevogo-dnya-chto-ehto-takoe-i-kak-zashchititsya
  5. https://multifactor.ru/press-center/yuzvimosti-nulevogo-dnya-kak-borotsya-s-neizvestnostyu/
  6. https://ics-cert.kaspersky.ru/publications/reports/2019/11/13/vnc-vulnerability-research/
  7. https://vk.com/@habr-istoriya-odnoi-uyazvimosti
  8. https://cisoclub.ru/otvetstvennoe-raskrytie-ujazvimostej-jetika-i-praktika/
  9. https://rt-solar.ru/products/solar_appscreener/blog/4869/
  10. https://habr.com/ru/companies/pvs-studio/articles/678410/
  1. https://www.kaspersky.ru/resource-center/definitions/what-is-social-engineering
  2. https://www.eset.com/ua-ru/support/information/entsiklopediya-ugroz/sotsialnaya-inzheneriya/
  3. https://masksafe.ru/news/security/kak-kiberprestupniki-ispolzuyut-sotsialnuyu-inzheneriyu-dlya-vzloma-konfidentsialnoy-informatsii-org
  4. https://www.reg.ru/blog/chto-takoe-sotsialnaya-inzheneriya/
  5. https://ru.wikipedia.org/wiki/%D0%A1%D0%BE%D1%86%D0%B8%D0%B0%D0%BB%D1%8C%D0%BD%D0%B0%D1%8F_%D0%B8%D0%BD%D0%B6%D0%B5%D0%BD%D0%B5%D1%80%D0%B8%D1%8F
  6. http://safe-surf.ru/users-of/article/642870/
  7. https://sec.ussc.ru/social_engineering
  8. https://www.tadviser.ru/index.php/%D0%A1%D1%82%D0%B0%D1%82%D1%8C%D1%8F:%D0%98%D0%B3%D1%80%D0%B0_%D0%BD%D0%B0_%D1%87%D1%83%D0%B2%D1%81%D1%82%D0%B2%D0%B0%D1%85:_%D0%BA%D0%B0%D0%BA_%D0%BA%D0%B8%D0%B1%D0%B5%D1%80%D0%BC%D0%BE%D1%88%D0%B5%D0%BD%D0%BD%D0%B8%D0%BA%D0%B8_%D0%BF%D1%80%D0%B8%D0%BC%D0%B5%D0%BD%D1%8F%D1%8E%D1%82_%D1%81%D0%BE%D1%86%D0%B8%D0%B0%D0%BB%D1%8C%D0%BD%D1%83%D1%8E_%D0%B8%D0%BD%D0%B6%D0%B5%D0%BD%D0%B5%D1%80%D0%B8%D1%8E
  9. https://spectrumdata.ru/blog/proverka-soiskatelya/chto-takoe-sotsialnaya-inzheneriya-i-kak-ot-nee-zashchititsya/
  10. https://ptsecurity.com/ru-ru/research/analytics/social-engineering/
  1. https://www.block-chain24.com/news/novosti-bezopasnosti/fuzzland-za-eksploitom-protokola-bedrock-unibtc-na-2-mln-stoit-byvshiy
  2. https://www.hse.ru/data/2011/03/18/1211251292/yazik_vrazhdi_protiv_obshestva.pdf
  3. https://www.block-chain24.com/news/novosti-bezopasnosti/atomic-wallet-zayavlyaet-chto-vzlom-zato-menee-1-aktivnyh-polzovateley
  4. https://xn--197-5cd3cgu2f.xn--80acgfbsl1azdqr.xn--p1ai/file/download?id=4185
  5. https://msal.ru/upload/iblock/bbb/o6ya1ef0eruz4bgekoefn83hkmpu961n.pdf
  6. https://yaroslavl.mfua.ru/studentu/files/Nauchnaya_rabota/Konferenciya_2016/Sbornik_Konferenciya_studentov_YF_MFUA_2016.pdf
  7. https://sites.susu.ru/cmi/wp-content/uploads/sites/61/2025/01/2023-%D0%92%D0%AB%D0%9F%D0%A3%D0%A1%D0%9A-5-%D0%9C%D0%BE%D0%BD%D0%BE%D0%B3%D1%80%D0%B0%D1%84%D0%B8%D1%8F-%D0%98%D0%9D%D0%A4%D0%9E%D0%A0%D0%9C%D0%90%D0%A6%D0%98%D0%9E%D0%9D%D0%9D%D0%90%D0%AF-%D0%92%D0%9E%D0%99%D0%9D%D0%90.pdf
  8. https://kpfu.ru/staff_files/F762326356/vial10.pdf
  9. https://yaroslavl.fa.ru/upload/constructor/2e0/oky8i4vk9y3ma9xu3wqlztpcfrnx6zok/KOMMUNIKATSIYA-_-OBSHCHESTVO-_-CHELOVEK.-2022.pdf
  10. https://medialing.spbu.ru/upload/files/file_1394719605_1975.pdf