Latest Threat Research: LetMeowIn – Analysis of a Credential Dumper

Get Informed


Thousands of Solana Wallets Drained in Attack Using Unknown Exploit

An overnight attack on the Solana blockchain platform drained thousands of software wallets of cryptocurrency worth millions of U.S. dollars. The platform has started an investigation and is currently trying to determine how the malicious actors managed to drain the funds. In a statement today, Solana said that the attack impacted more than 7,700 wallets, including Slope and Phantom. According to public reports, Solflare and Trust Wallet users have also been impacted. A more recent count from blockchain analysis provider Elliptic puts the number of impacted wallets closer to 7,936 and the losses to $5.2 million in cryptoassets (SOL, NFTs, more than 300 Solana-based tokens). Solana says that wallets impacted in this attack should be considered compromised and users should use cold wallets, which appear to remain unaffected. The advice for this move is to not reuse the seed phrase and create a new one for the hardware wallet. For those without a cold wallet, transferring all assets to a trustworthy centralized exchange would be a good alternative to secure the assets from the attackers. While there is no definitive answer at the moment about how the wallets were drained, many believe it was due to a vulnerability in the wallet software. One clue that emerged from the attack is that the money-siphoning transactions are signed by the rightful owners, which points to a private key compromise. Therefore, revoking third-party approvals will probably not help stop the attack in this case, but it is still a recommended action. According to various blockchain security experts, the method used to gain access to several private keys at once could be a supply chain attack, a browser zero-day flaw, or a faulty random number generator used in the key generation process. Another explanation could be a nonce reuse bug, which would enable the threat actors to recover secret keys, if a signature and the nonce have been publicly exposed.

Analyst Notes

As such incidents are likely to happen again, it is a good practice to not keep all cryptocurrency funds in a hot wallet and only use them for storing smaller amounts used in transactions. Most assets should be placed into a cold wallet, which is disconnected from the internet and third-party services.