Cyber Incident Victim: Roll

On or around March 13, 2021, a security breach at cryptocurrency platform Roll resulted in the theft of approximately $5.7 million worth of digital assets. The attacker compromised the private keys securing Roll’s hot wallet—a system connected to the internet for processing transactions—and drained its contents. Roll confirmed the incident in a statement issued shortly after the breach, clarifying that the exploit did not stem from vulnerabilities in its smart contracts or token protocols but specifically from unauthorized access to the hot wallet’s credentials. The attacker swiftly converted the stolen social tokens—user-created cryptocurrencies hosted on Roll’s Ethereum-based platform—into Ethereum, liquidating the assets. In response, Roll temporarily disabled all withdrawals from its wallets to prevent further losses and initiated an internal investigation. The company emphasized that no immediate user actions were required but acknowledged the need to migrate its hot wallet infrastructure to secure remaining funds.

The breach significantly impacted creators and holders of Roll’s social tokens, including prominent currencies like $WHALE, $RARE, and $PICA, which experienced sharp declines in value following the attack. The creator of $WHALE disclosed that over 2% of its total tokens were stolen but described the overall effect as "minimally detrimental" to their project. Other users reported catastrophic losses, with one individual stating they had "lost everything." Roll announced a $500,000 relief fund to assist affected creators, though this measure drew criticism from some community members who deemed it insufficient relative to the scale of losses. The company committed to hiring a third-party firm to audit its security systems and conduct a forensic analysis to determine how the private keys were compromised. No additional details regarding the attack vector or the identity of the threat actor were disclosed publicly at the time of the statement.