Securing Crypto Infrastructure: What the SonicWall SMA Exploitation Campaign Teaches About VPN and Access Control

While the cryptocurrency community focused on DeFi exploits in April 2025, a quieter but equally significant threat was compromising the infrastructure that supports crypto operations worldwide. Arctic Wolf researchers revealed on April 19 that threat actors had been actively exploiting SonicWall Secure Mobile Access (SMA) appliances since January 2025, targeting VPN credentials that could grant access to internal networks, including those managing cryptocurrency operations and digital asset custody.

The Threat Landscape

The exploitation campaign targeted a known vulnerability tracked as CVE-2021-20035, an OS command injection flaw in the SMA100 management interface with a CVSS score of 7.1. While SonicWall patched this vulnerability in September 2021, the exploit campaign running from January through April 2025 demonstrates that many organizations, including those in the cryptocurrency space, continue to run unpatched or misconfigured network infrastructure.

The vulnerability allows a remote authenticated attacker to inject arbitrary commands as a “nobody” user, potentially leading to arbitrary code execution. This is particularly concerning for cryptocurrency exchanges, mining operations, and DeFi platforms that rely on VPN access for remote management of sensitive systems. The timing coincides with a period of heightened crypto security concerns, as Bitcoin traded at approximately $85,063 and Ethereum at $1,612, according to CoinMarketCap data for April 19, 2025.

On April 16, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2021-20035 to its Known Exploited Vulnerabilities (KEV) catalog, ordering federal agencies to remediate the flaw by May 7, 2025. SonicWall subsequently updated its advisory, confirming active exploitation in the wild.

Core Principles

The SonicWall campaign exposes a fundamental truth about crypto security that often gets overlooked in the focus on smart contract vulnerabilities and DeFi exploits: the perimeter protecting your private keys and wallet infrastructure matters just as much as the blockchain code itself. The attackers exploited the default super admin account (admin@LocalDomain), which on many deployments still uses the weak default password “password.” This is a credential hygiene failure, not a cryptographic one.

The core security principles violated in this campaign are straightforward but frequently neglected. First, default credentials must be changed immediately upon deployment. Second, multi-factor authentication should be mandatory for all VPN and administrative access. Third, unused accounts must be disabled, and all local account passwords should be regularly rotated. Arctic Wolf emphasized that even fully patched devices can be compromised if password hygiene is poor.

Tooling and Setup

For organizations operating cryptocurrency infrastructure, protecting VPN access requires a layered approach. Start with a comprehensive asset inventory to identify all network appliances, including legacy devices that may have been forgotten during upgrade cycles. Deploy network monitoring tools that can detect anomalous VPN login patterns, particularly logins from unexpected geographic locations or during unusual hours.
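A concrete shape for the kind of login monitoring described above, as an added example that is not part of the article or of any vendor's tooling. The syslog-style line format, the user names, the addresses and the country lookup are all constructed for illustration (they do not match real SonicWall log output); it flags successful VPN logins that use a default administrative account, come from an unexpected country, occur outside business hours, or follow a run of failures from the same source.

```python
"""Flag risky VPN logins in appliance-style authentication logs.

Added example, not code from the article or from SonicWall. The log
format, accounts, addresses and IP-to-country table are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in a generic syslog-like shape (not a real vendor format).
SAMPLE_LOG = """\
2025-04-18T02:14:09Z vpn01 auth: user=admin@LocalDomain src=203.0.113.45 result=success
2025-04-18T09:31:50Z vpn01 auth: user=alice src=198.51.100.7 result=success
2025-04-18T03:02:11Z vpn01 auth: user=bob src=192.0.2.200 result=failure
2025-04-18T03:02:19Z vpn01 auth: user=bob src=192.0.2.200 result=failure
2025-04-18T03:02:27Z vpn01 auth: user=bob src=192.0.2.200 result=failure
2025-04-18T03:02:40Z vpn01 auth: user=bob src=192.0.2.200 result=success
2025-04-18T14:05:00Z vpn01 auth: user=carol src=198.51.100.9 result=success
"""

# Constructed geolocation table standing in for a GeoIP database lookup.
IP_COUNTRY = {
    "203.0.113.45": "XX",   # a country the organisation never logs in from
    "198.51.100.7": "US",
    "198.51.100.9": "US",
    "192.0.2.200": "US",
}
ALLOWED_COUNTRIES = {"US"}
BUSINESS_HOURS_UTC = range(8, 19)          # 08:00 to 18:59 UTC
DEFAULT_ADMIN_ACCOUNTS = {"admin@LocalDomain"}  # built-in account named in the article
BRUTE_FORCE_THRESHOLD = 3                  # failures before a success becomes suspicious

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ auth: user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\w+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def analyze(log_text):
    """Return a list of (user, src, reason) findings for successful logins."""
    events = [ev for ev in map(parse_line, log_text.splitlines()) if ev is not None]
    events.sort(key=lambda ev: ev["ts"])    # logs are not always emitted in order

    findings = []
    failures = defaultdict(int)             # consecutive failures per (user, src)
    for ev in events:
        key = (ev["user"], ev["src"])
        if ev["result"] != "success":
            failures[key] += 1
            continue
        if ev["user"] in DEFAULT_ADMIN_ACCOUNTS:
            findings.append((ev["user"], ev["src"], "default admin account used over VPN"))
        if IP_COUNTRY.get(ev["src"], "??") not in ALLOWED_COUNTRIES:
            findings.append((ev["user"], ev["src"], "login from unexpected country"))
        if ev["ts"].hour not in BUSINESS_HOURS_UTC:
            findings.append((ev["user"], ev["src"], "login outside business hours"))
        if failures[key] >= BRUTE_FORCE_THRESHOLD:
            findings.append((ev["user"], ev["src"],
                             f"success after {failures[key]} consecutive failures"))
        failures[key] = 0                   # a success resets the failure streak
    return findings


if __name__ == "__main__":
    for user, src, reason in analyze(SAMPLE_LOG):
        print(f"{user:20} {src:15} {reason}")
```

On the constructed sample this reports three findings for the default admin login (account, country and hour), and two for the user whose success follows three failures; the two daytime logins from an allowed country produce nothing. In production the country table would come from a GeoIP service and the thresholds from the organisation's own baseline.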

Implement a privileged access management (PAM) solution that enforces credential rotation and eliminates the use of static passwords for administrative accounts. For crypto-specific operations, consider implementing hardware security modules (HSMs) behind additional network segmentation, so that even if VPN credentials are compromised, access to key material requires a separate authentication layer.

Network segmentation is particularly critical. VPN access should not provide a flat network path to cryptocurrency wallets, signing servers, or custody infrastructure. Instead, implement jump boxes and bastion hosts with session recording, ensuring that all administrative actions are logged and auditable.

Ongoing Vigilance

The SonicWall exploitation campaign spanned four months before public disclosure, highlighting the importance of continuous monitoring rather than periodic security assessments. Organizations should subscribe to CISA’s KEV catalog updates and immediately assess whether their infrastructure includes any newly cataloged vulnerabilities. Automated vulnerability scanning should run weekly at minimum, with critical findings escalated within hours.
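The KEV cross-check described above, as an added example that is not part of the article. The CISA catalog is published as JSON and would be fetched separately; here a constructed excerpt using the catalog's field names (`cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate`, `requiredAction`) is embedded so the script runs offline. The SonicWall entry carries the dates the article states; the second entry and the appliance inventory are placeholders, and the assumed review date is April 19, 2025.

```python
"""Cross-reference an appliance inventory against a CISA KEV catalog snapshot.

Added example, not code from the article or from CISA. The catalog excerpt
and the inventory are constructed; only CVE-2021-20035 and its KEV dates
come from the article. Fetching the live catalog is out of scope here.
"""
import json
from datetime import date

# Constructed KEV excerpt in the catalog's JSON shape. CVE-0000-00001 is a placeholder.
KEV_SNAPSHOT = json.dumps({
    "catalogVersion": "constructed-example",
    "vulnerabilities": [
        {"cveID": "CVE-2021-20035", "vendorProject": "SonicWall",
         "product": "SMA100 Appliances", "dateAdded": "2025-04-16",
         "dueDate": "2025-05-07",
         "requiredAction": "Apply mitigations per vendor instructions."},
        {"cveID": "CVE-0000-00001", "vendorProject": "ExampleVendor",
         "product": "ExampleGateway", "dateAdded": "2025-03-01",
         "dueDate": "2025-03-22",
         "requiredAction": "Apply mitigations per vendor instructions."},
    ],
})

# Constructed inventory: hostnames are placeholders; open_cves lists CVEs the
# running firmware is known to carry (empty means "not assessed" here).
INVENTORY = [
    {"host": "sma-edge-1", "vendor": "SonicWall", "product": "SMA100 Appliances",
     "open_cves": ["CVE-2021-20035"]},
    {"host": "sma-edge-2", "vendor": "SonicWall", "product": "SMA100 Appliances",
     "open_cves": []},
    {"host": "gw-1", "vendor": "ExampleVendor", "product": "ExampleGateway",
     "open_cves": ["CVE-0000-00001"]},
]


def load_kev(text):
    """Index the catalog by CVE id."""
    return {v["cveID"]: v for v in json.loads(text)["vulnerabilities"]}


def kev_exposures(inventory, kev, today):
    """Return findings, most overdue first.

    'confirmed' findings are assets carrying a KEV-listed CVE; 'verify'
    findings are assets whose vendor/product appears in KEV but whose CVE
    status has not been assessed, so firmware should be checked.
    """
    listed_products = {(v["vendorProject"], v["product"]) for v in kev.values()}
    findings = []
    for asset in inventory:
        hits = [kev[c] for c in asset["open_cves"] if c in kev]
        for entry in hits:
            due = date.fromisoformat(entry["dueDate"])
            findings.append({
                "host": asset["host"], "kind": "confirmed", "cve": entry["cveID"],
                "due": entry["dueDate"],
                "overdue_days": (today - due).days,   # negative = days remaining
                "action": entry["requiredAction"],
            })
        if not hits and (asset["vendor"], asset["product"]) in listed_products:
            findings.append({
                "host": asset["host"], "kind": "verify", "cve": None,
                "due": None, "overdue_days": None,
                "action": "Product appears in KEV; confirm firmware version.",
            })
    findings.sort(key=lambda f: -(f["overdue_days"] if f["overdue_days"] is not None else -10**6))
    return findings


if __name__ == "__main__":
    for f in kev_exposures(INVENTORY, load_kev(KEV_SNAPSHOT), date(2025, 4, 19)):
        print(f)
```

Run weekly against the live catalog and the current asset inventory, this turns the "subscribe to KEV updates" advice into a list ordered by how far past the CISA due date each exposed appliance already is, with a separate line for appliances that match a listed product but have not yet been assessed.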

Threat intelligence feeds specific to the cryptocurrency sector can provide early warning of campaigns targeting infrastructure commonly used by exchanges, mining pools, and DeFi platforms. The intersection of traditional network security threats and cryptocurrency operations means that security teams must understand both domains to effectively protect digital assets.

The campaign also underscores the importance of incident response planning. Organizations should have playbooks for responding to VPN credential theft, including procedures for rotating all potentially compromised credentials, revoking active sessions, and conducting forensic analysis to determine what the attackers accessed during their window of unauthorized access.

Final Takeaway

The SonicWall SMA exploitation campaign is a reminder that cryptocurrency security extends far beyond blockchain code. The same computing infrastructure that supports crypto operations also exposes it to conventional network attacks. Default credentials, unpatched vulnerabilities, and inadequate access controls remain the most reliable entry points for attackers, whether they are targeting corporate networks or cryptocurrency wallets. In a market where Bitcoin holds steady above $85,000 and institutional adoption continues to grow, the attack surface only expands. Securing the perimeter is not optional; it is foundational.

Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Always conduct your own research before making security decisions for your crypto infrastructure.

7 thoughts on “Securing Crypto Infrastructure: What the SonicWall SMA Exploitation Campaign Teaches About VPN and Access Control”

  1. it’s wild that everyone is chasing the latest defi rug while the actual infrastructure we use every day is wide open. using an old vpn without checking for these sonicwall exploits is basically leaving your vault door unlocked for anyone with a scanner. stay safe and update your hardware before you get drained.

      1. a CVE from 2021 still active in 2025. the crypto industry is somehow worse at patching than traditional finance

  2. Sarah Jenkins

    This Arctic Wolf report is a major wake-up call for smaller crypto firms that might be neglecting their traditional IT security. We focus so much on on-chain transparency that we forget how vulnerable the legacy hardware stack can be. If you’re managing any kind of custody, you need to be auditing these access points monthly, not just when a headline drops.

  3. I’ve been saying for years that VPN credentials are the single biggest point of failure for remote crypto teams. This campaign shows that threat actors are specifically looking for that entry point into internal networks. Moving toward a zero-trust architecture is no longer optional if you’re handling digital assets at scale.

    1. zero trust is the answer but implementing it across a distributed crypto team is expensive and slow. most teams just hope they are not a target
