Kontigo, a Latin America–focused stablecoin banking startup, has reimbursed over 1,000 users after a wallet breach drained more than $340,000 from customer-linked wallets.
Key Takeaways
- Over $340,000 in USDC was stolen from 1,005 Kontigo users in a recent security breach.
- Kontigo fully reimbursed affected users by January 6, restoring customer funds quickly.
- CEO Jesus Castillo confirmed his own account was targeted and warned hackers of legal consequences.
- The incident comes amid rapid growth and recent banking challenges for the startup.
What Happened?
On January 5, Kontigo disclosed a security breach affecting 1,005 user wallets, resulting in the loss of $340,905 in USDC. The fintech company immediately activated internal security protocols, isolated the compromised systems, and began a reimbursement process, which was completed within 24 hours.
CEO Jesus A. Castillo revealed that even his own account was compromised in the breach, calling the attack both personal and targeted. The company has since ramped up monitoring efforts and brought in independent cybersecurity experts to investigate the incident.
"We detected unauthorized access that affected some users' funds. Your funds are protected and any affected amount will be reimbursed by Kontigo. Next update: 2:00 p.m. VE" pic.twitter.com/Opw2SqB8G6
— Kontigo.com (@kontigo_app) January 5, 2026
Kontigo’s Response: Swift Action and Public Accountability
Kontigo, based in San Francisco and focused on providing stablecoin banking services to Latin American users, responded to the breach by promising full refunds. The company announced:
“Your funds are protected and any affected amounts will be reimbursed by Kontigo.”
By January 6, all affected users had been compensated, according to a company update. Castillo took to X (formerly Twitter) to take public responsibility and issued a sharp message to the attackers.
The company continues to investigate how the breach occurred and has yet to disclose full technical details. The first signs of unauthorized access were reported by users on social media, who shared screenshots of suspicious activity in their accounts.
Rapid Growth Meets Security and Regulatory Hurdles
The breach came just weeks after Kontigo announced a $20 million seed funding round in December 2025, with backing from Y Combinator, DST Global, and Coinbase Ventures. The funding valued Kontigo at $100 million, marking a major milestone for the year-old company.
Prior to the hack, Castillo had set bold goals for Kontigo, including scaling revenue from $30 million to $100 million within 60 days. The company also claimed it had reached 1 million active users, processed $1 billion in transactions, and was operating with a small team of just seven employees.
However, Kontigo’s momentum has been challenged by banking issues. In December, JPMorgan Chase froze accounts associated with Kontigo and fellow stablecoin firm BlindPay, citing concerns over compliance and rising transaction disputes. These accounts were accessed through Checkbook, a payments intermediary.
PJ Gupta, CEO of Checkbook, said Kontigo and BlindPay were linked to a spike in chargebacks, prompting the bank’s action. Castillo pushed back, saying JPMorgan acted on misinformation and denied allegations of facilitating unverified payments to Venezuela.
In the same report, Castillo also revealed legal action had been initiated against a not-for-profit group that accused Kontigo of bypassing ID checks for users in sanctioned regions.
Wider Context: Stablecoin Security Under Scrutiny
Kontigo’s breach is just one in a series of recent crypto wallet security issues:
- Trust Wallet, a Binance-owned platform, suffered a supply-chain attack in December 2025, resulting in over $7 million in losses
- MetaMask users were targeted in phishing campaigns involving fake 2FA prompts and spoofed security updates
- On the same day as Kontigo’s announcement, Ledger users experienced a separate breach via its payment partner Global-e
These incidents have reignited debates about the safety of stablecoin platforms. As Bloomberg reported, critics argue that unlike traditional banks, non-regulated stablecoin startups lack FDIC protection, which puts users at greater risk if such companies fail.
CoinLaw’s Takeaway
In my experience covering fintech, how a company responds to a breach often defines user trust more than the breach itself. Kontigo’s immediate acknowledgment, full reimbursements, and transparent communication are commendable, especially given the startup’s rapid rise. But while the company claims to know who the attackers are, follow-through and accountability will matter most now.
Also, Kontigo’s recent struggles with banking access, regulatory scrutiny, and now security challenges show just how difficult it is to build a stablecoin platform that users can trust long-term. If they want to keep growing, robust compliance and bulletproof security are no longer optional. They are the bare minimum.