A cryptocurrency startup exploited a backdoor in its own platform to protect its customer’s funds after threat actors had spotted and attempted to exploit the flaw.

Researchers on the npm, Inc security team discovered a backdoor in the Agama cryptocurrency wallet on the Komodo platform during a security audit of the platform.

“This attack focused on getting a malicious package into the build chain for Agama and stealing the wallet seeds and other login passphrases used within the application,” npm researchers said in a June 5 blog post.

Upon further investigation, the researchers identified a malicious update that lead them to the discovery of a supply chain attack aimed at another app downstream, which was exploiting the newly discovered backdoor.

Researchers used the same vulnerability to seize its user’s funds, 8 million KMD and 96 BTC collectively worth nearly $13 million, and transport them to safety before the threat actors could gain access to them. The vulnerable wallet has since been discontinued and those who were affected are recommended to create new KMD and BTC addresses that use new seeds and passphrases.