According to ChainCatcher, the 0G Foundation reported a targeted attack on its reward contract via the X platform. The attacker exploited the emergency withdrawal function of the 0G reward contract, stealing 520,010 $0G tokens, which were subsequently bridged and dispersed through Tornado Cash.
The attacker accessed a leaked private key from an Alibaba Cloud instance responsible for managing NFT status and reward updates, storing the key locally. This breach was facilitated by a critical vulnerability in Next.js (CVE-2025-66478) exploited on December 5, leading to multiple Alibaba Cloud instances being compromised. The attacker moved laterally through internal IP addresses, affecting calibration services, validator nodes, Gravity NFT services, node sales services, computing, Aiverse, Perpdex, Ascend, and others.
The confirmed losses include 520,010 $0G tokens, 9.93 ETH, and $4,200 USDT. Despite the breach, the core chain infrastructure and user funds remain unaffected, aside from the reward distribution contract.
