Incident

0G Foundation reports $520,000 security breach through exploitation of critical Next.js flaw


The 0G Foundation, which operates a decentralized AI operating system, disclosed on December 13, 2025, that a targeted cyberattack had drained approximately $520,000 worth of cryptocurrency from its rewards distribution contract.

The attack took place on December 11, 2025 and exploited CVE-2025-66478, a critical vulnerability (CVSS 10.0) in the Next.js web framework, to gain an initial foothold in the foundation's infrastructure. The flaw is an insecure deserialization issue in the React Server Components (RSC) Flight protocol: a crafted RSC request is enough for an unauthenticated attacker to execute arbitrary code on a server that processes it. Patches for the flaw had been published before the attack; the exposed server had not been updated.

On the compromised host, an AliCloud server instance responsible for NFT status updates and reward distributions, the attackers found a private key stored locally on disk. They used the stolen key to authorize transactions through the contract's emergency withdrawal function. The attackers then moved laterally across the infrastructure over internal IP addresses, systematically compromising multiple services.
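A check a defender would want after an incident like this, added here as an example that is not from the 0G Foundation or its post-mortem: a small Python scanner that walks a deployment directory looking for 64-hex-digit strings that are valid secp256k1 private-key scalars, skips dependency and build folders, and rates a hit higher when the surrounding line mentions a key or secret. The directory layout and file contents below are constructed for the demo; the key value is a placeholder widely used in library documentation, not a real secret.

```python
"""Hunt for Ethereum-style private keys left in plaintext in a web deployment."""
import re
import tempfile
from pathlib import Path

# Order of the secp256k1 group: a valid private key is an integer in [1, N-1].
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

# 64 hex digits, optional 0x prefix, not embedded in a longer hex run.
HEX32 = re.compile(r"(?<![0-9A-Fa-f])(?:0x)?([0-9A-Fa-f]{64})(?![0-9A-Fa-f])")
# Words that make a 32-byte hex token much more likely to be a signing key.
KEY_CONTEXT = re.compile(r"priv|secret|signer|mnemonic|key", re.IGNORECASE)
SKIP_DIRS = {"node_modules", ".git", ".next", "dist"}
TEXT_SUFFIXES = {"", ".env", ".json", ".js", ".ts", ".mjs", ".yaml", ".yml",
                 ".toml", ".txt", ".ini", ".cfg"}


def classify(line):
    """Return (hex, confidence) for every 64-hex token on the line that is a
    valid secp256k1 scalar. Tx hashes and keccak digests have the same shape,
    so a token is 'high' only when the line also names a key or secret."""
    findings = []
    for m in HEX32.finditer(line):
        scalar = int(m.group(1), 16)
        if not 1 <= scalar < SECP256K1_N:
            continue  # 0 or >= N can never be a private key
        confidence = "high" if KEY_CONTEXT.search(line) else "low"
        findings.append((m.group(1).lower(), confidence))
    return findings


def scan_dir(root):
    """Walk root (skipping build and dependency dirs) and report candidates."""
    root = Path(root)
    results = []
    for path in sorted(root.rglob("*")):
        rel = path.relative_to(root)
        if not path.is_file() or SKIP_DIRS.intersection(rel.parts):
            continue
        if path.suffix not in TEXT_SUFFIXES and not path.name.startswith(".env"):
            continue
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue
        for lineno, line in enumerate(text.splitlines(), 1):
            for hexkey, confidence in classify(line):
                results.append({
                    "file": str(rel),
                    "line": lineno,
                    "confidence": confidence,
                    "key_prefix": hexkey[:8] + "...",  # never log the full key
                })
    return results


def demo():
    """Constructed sample deployment (not real 0G files); returns scan results."""
    placeholder_key = "4c0883a69102937d6231471b5dbb6204fe512961708279d3d3b2d1c39d2b44a9"
    tx_hash = "9a1d2c3b4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f60718293a4b5c6d7e8f9"
    samples = {
        # key next to a telling variable name -> high confidence
        ".env": "RPC_URL=https://rpc.example.invalid\n"
                "DISTRIBUTOR_PRIVATE_KEY=0x" + placeholder_key + "\n",
        # same shape, no key context -> low confidence
        "config.json": '{"lastTxHash": "0x' + tx_hash + '"}\n',
        # zero and >= N fail the scalar range check and are not reported
        "app.js": 'const ZERO = "0x' + "0" * 64 + '";\n'
                  'const MAX = "0x' + "f" * 64 + '";\n',
        # dependency tree is skipped entirely
        "node_modules/pkg/index.js": 'const testKey = "0x' + placeholder_key + '";\n',
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, content in samples.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(content)
        return scan_dir(tmp)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run it against the web tier's deployment root. A "high" hit is a signing key that should not exist on an internet-facing server at all; a "low" hit still deserves a look, because a transaction hash and a 32-byte secret cannot be told apart by shape. The scanner only catches plaintext hex keys, not encrypted keystore files or mnemonic phrases.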

The confirmed financial losses from the attack include:

  • 520,010 0G tokens
  • 9.93 ETH
  • 4,200 USDT

The stolen assets were immediately bridged to another blockchain and laundered through Tornado Cash, a mixing service commonly used to obscure the origin and destination of illicit funds. At the time of the attack the total was worth approximately $520,000. The 0G Foundation states that no user funds or core blockchain infrastructure were compromised beyond the rewards distribution contract.

The foundation has characterized the incident as "a painful but necessary wake-up call" and has committed to releasing a comprehensive post-mortem report for the community.
