Cyber Threat Actor: Nirvana Hacker
| Actor Type | Location | Known Incidents |
Hacker
|
United States of America
|
1 incident |
|---|
Profile
Nirvana Hacker is the alias used by an individual or group known to operate from the United States of America. The actor came to public attention through a specific exploit against a decentralized finance protocol on the Solana blockchain, where they were identified as the perpetrator of a flash loan‑based attack. No other aliases or additional biographical details have been disclosed in open sources.
The actor’s observed activity focuses on the cryptocurrency sector, specifically targeting decentralized finance platforms that rely on smart contract logic and tokenomics. The July 2022 incident demonstrated an interest in protocols that facilitate lending, token minting, and liquidity provision, suggesting a pattern of seeking vulnerabilities in the financial layer of blockchain ecosystems. While the actor’s location is confirmed as the United States, the scope of their targeting appears to be global in nature, given the cross‑chain nature of the exploit and the use of bridging tools that connect multiple blockchain networks.
In the reported operation, Nirvana Hacker employed a flash loan obtained from the Solend Protocol to borrow substantial capital, which was then used to mint an excessive supply of the protocol’s native ANA token. By inflating the token’s price through artificial market pressure, the actor exchanged the over‑minted ANA for stablecoins, effectively draining liquidity pools and causing the token to lose approximately 90 % of its value. The attack also resulted in the depegging of the protocol’s stablecoin NIRV from the US dollar. After the exploit, the actor disabled the protocol’s trading functionality and transferred the stolen assets to the Ethereum blockchain via the Wormhole bridge. These tactics—flash loan acquisition, token supply manipulation, arbitrage‑style swaps, and cross‑chain bridging—represent the core technical themes observed in the actor’s known activity. No further details regarding malware families, initial access vectors beyond the flash loan mechanism, or affiliations with state or criminal entities are publicly available.
