Sweat Economy Exploited for $3.5M in Under 30 Seconds, Protocol Says Balances Restored
An attacker drained roughly 13.71 billion SWEAT tokens from multiple Sweat Foundation accounts on NEAR Protocol on Wednesday, April 29, stealing assets worth approximately $3.5 million at the time. The Block reported that the Sweat Foundation had thwarted the exploit and restored user balances, though the attacker had already moved a portion of funds to secondary wallets and converted a small amount before any freeze could occur.
Sweatcoin is a fitness app launched in 2016 that rewards users with SWEAT tokens for walking, a move-to-earn model that requires no upfront investment and no prior crypto experience. The SWEAT token launched on September 13, 2022, on NEAR Protocol. The app has accumulated more than 200 million registered users globally, making SWEAT one of the more widely distributed tokens in the ecosystem.
Security firm Blockaid detected the breach in real time as it unfolded at around 13:36 UTC. The entire drain took less than 30 seconds. According to Blockaid's analysis, the attacker ultimately controlled roughly 17.71 billion SWEAT tokens across multiple wallets, valued at approximately $3.46 million, a figure that may reflect tokens accumulated across wallet hops rather than the initial drain alone. The primary attacker wallet (identified on-chain as 3be304b2151870b2be88b9de0b80acab921337ad152584138bd852fc6e9ae018) held an estimated $2.68 million worth of tokens, with around $761,000 moved to secondary wallets and roughly $20,000 already converted to NEAR and USDC before any freeze could occur. Independent on-chain analyst SomaXBT pegged total losses closer to $2.5 million.
The stolen tokens represented approximately 65 to 67 percent of SWEAT's total supply, a staggering concentration for a single incident. What makes the numbers more striking is the context: SWEAT's total market capitalization at the time of the attack was roughly $1.59 million, meaning the value drained in the exploit exceeded the protocol's own market cap. The attacker routed funds through Ref Finance, NEAR's primary decentralized exchange, and then used Wormhole and Portal Bridge to move assets across chains. The largest single transaction in the attack was recorded as DvrSMfY85Anc6AuLUmoEDkDdab7qX5NUZLu76HN8NoPn on NEAR. The exploit vector appears to have been a compromise of Foundation-controlled accounts rather than a flaw in the token's smart contract logic.
The Block reported that the Sweat Foundation successfully restored user balances following the attack. However, readers should note that "restoration" in this context may mean the Foundation issued replacement tokens or reversed on-chain state rather than recovering the stolen funds directly from the attacker. A full post-mortem from the Foundation had not been published as of the time of writing.
This is the second major security incident on NEAR Protocol within the same month. On April 16 through 18, Rhea Finance, the dominant DeFi protocol on NEAR formed from the 2025 merger of Ref Finance and Burrow Finance, lost $18.4 million to an oracle manipulation attack staged across 423 wallets and fake token pools. Tether later froze approximately $3.29 million in stolen USDT, and some additional funds were returned beyond that freeze. Ref Finance, whose infrastructure was central to the setup of that earlier attack, also served as the primary laundering route in Wednesday's SWEAT exploit. The repeated involvement of Ref Finance in exploit pathways raises questions that NEAR ecosystem developers and the Rhea/Ref Finance team will likely face. Taken together, the two incidents mean NEAR Protocol has now seen more than $22 million stolen in April 2026 alone.
The broader DeFi environment provides bleak context. More than $1.08 billion has been stolen across 68 on-chain incidents so far in 2026, with April alone accounting for over $606 million drained in 12 incidents. Security analysts at Phemex note that attackers have shifted focus away from smart contract bugs toward bridges, oracle systems, signing infrastructure, and multisig key holders. The two NEAR incidents illustrate distinct vectors from that list: the Rhea Finance attack exploited oracle manipulation, while the SWEAT exploit appears to have involved compromise of Foundation-controlled accounts with cross-chain bridges used to move funds afterward.
For users outside the United States, the implications are particularly direct. Sweatcoin has active communities in Nigeria, Kenya, Ghana, and India. The move-to-earn model requires no upfront capital and no prior crypto knowledge, only a smartphone, making it one of the few genuine on-ramps into Web3 for users in markets where buying crypto outright is not accessible. In Nigeria, which leads sub-Saharan Africa in crypto adoption, and in India's large smartphone-using youth population, SWEAT's near-zero transaction costs and low token price (around $0.0002 before the attack) made it an unusually low-barrier entry point. Any lasting damage to trust in the protocol could slow that organic onboarding. Users in these regions also tend to have fewer safety nets if funds are lost, and already face thinning liquidity: both OKX and Bitfinex delisted SWEAT in March 2026. SWEAT had hit an all-time low of $0.0001812 just four days before the exploit, on April 25.
The Sweat Foundation has not yet published an official post-mortem. Developers and holders should watch for a technical breakdown via the Foundation's Medium account or official social channels, particularly regarding how user balances were restored and what changes are being made to Foundation account security. Given that Blockaid's real-time detection flagged the attack as it happened, the incident also serves as a practical case for integrating on-chain security monitoring across NEAR-based protocols before the next incident, not after.
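As an illustration of the monitoring recommendation above (an added example, not code from the article, the Sweat Foundation or Blockaid), the sketch below applies a sliding-window rule to token transfer logs and alerts when a set of watched accounts together sends out more than a set share of supply within 30 seconds. It assumes the token emits NEP-141 `ft_transfer` event logs; the account names, timestamps, amounts, supply figure and 25% threshold are constructed for the example.

```python
import json
from collections import deque

PREFIX = "EVENT_JSON:"  # NEP-297 log prefix used by NEP-141 token events

def parse_transfers(log):
    """Yield (sender, receiver, amount) for each transfer in one ft_transfer log line."""
    if not log.startswith(PREFIX):
        return
    try:
        event = json.loads(log[len(PREFIX):])
    except ValueError:
        return  # malformed JSON is skipped, not fatal
    if event.get("standard") != "nep141" or event.get("event") != "ft_transfer":
        return
    for item in event.get("data", []):
        yield item["old_owner_id"], item["new_owner_id"], int(item["amount"])

def detect_drain(records, watched, supply, window_s=30, share=0.25):
    """Alert when watched accounts together send more than share*supply within window_s."""
    window, total, alerts = deque(), 0, []
    for ts, log in sorted(records, key=lambda r: r[0]):
        for src, dst, amount in parse_transfers(log):
            if src not in watched:
                continue
            window.append((ts, src, dst, amount))
            total += amount
            while ts - window[0][0] > window_s:  # evict transfers older than the window
                total -= window.popleft()[3]
            if total > share * supply:
                alerts.append({"at": ts, "outflow": total,
                               "sources": sorted({w[1] for w in window}),
                               "receivers": sorted({w[2] for w in window})})
    return alerts

def _log(src, dst, amount):  # builds one constructed sample log line
    data = [{"old_owner_id": src, "new_owner_id": dst, "amount": str(amount)}]
    return PREFIX + json.dumps({"standard": "nep141", "version": "1.0.0",
                                "event": "ft_transfer", "data": data})

# Constructed sample data: names, timestamps (seconds), amounts and supply are illustrative.
WATCHED = {"ops.example.near", "rewards.example.near", "treasury.example.near"}
SUPPLY = 20_000_000_000
RECORDS = [
    (1000, _log("rewards.example.near", "user1.example.near", 1_000_000)),  # routine payout
    (5000, _log("ops.example.near", "sink.example.near", 4_000_000_000)),
    (5005, "Transfer ok"),  # non-event log line, ignored
    (5008, _log("rewards.example.near", "sink.example.near", 5_000_000_000)),
    (5010, _log("whale.example.near", "sink.example.near", 10_000_000_000)),  # not watched
    (5020, _log("treasury.example.near", "sink.example.near", 4_710_000_000)),
]
ALERTS = detect_drain(RECORDS, WATCHED, SUPPLY)
```

No single transfer in the sample crosses the threshold on its own; the rule fires because outflow is summed across all watched accounts, which is the pattern a multi-account drain produces.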