'Malicious actor' drains $5.2 million in crypto assets from 8,000 digital wallets in one go

[Image: cyber crime button. Image credit: Getty Images]

Update: Solana posted a statement via a Twitter thread regarding the status of its investigation:

"After an investigation by developers, ecosystem teams, and security auditors, it appears affected addresses were at one point created, imported, or used in Slope mobile wallet applications. This exploit was isolated to one wallet on Solana, and hardware wallets used by Slope remain secure. While the details of exactly how this occurred are still under investigation, private key information was inadvertently transmitted to an application monitoring service. There is no evidence the Solana protocol or its cryptography was compromised."

Original story: Thousands of digital wallets on the Solana blockchain were drained of funds by a "malicious actor" last night. Over $5.2 million in crypto assets were lost in the attack, but Solana is blaming external software, stating that it's not an issue with its own blockchain.

Cybersecurity experts have surmised that it may be a vulnerability in the wallet software, not the Solana blockchain itself, which will at least be a relief for some. The last update from Solana from this morning says: "This does not appear to be a bug with Solana core code, but in software used by several software wallets popular among users of the network."

The attack drained over 8,000 wallets, though that number could rise as more users report compromised wallets. The affected wallets include, but are not limited to, Solflare, Trust Wallet, Phantom, and Slope.

Trust Wallet CEO, Eowyn Chen, said, "Trust Wallet doesn't log the private keys or secret phrase anywhere. It takes 20 hours to zoom in again to ensure our security. Here's the closure to the past 20 hours. Upward and onward!" Chen also recommends that users not "use the same wallet on different wallet apps to reduce exposure like this."

Phantom took to Twitter to say that it, too, is working with Solana though it says at "this time, the team does not believe this is a Phantom-specific issue."

Solflare has posted some security updates and said, "we are following the situation closely, and we feel the pain in the community," and accompanied it with a sad face emoji. 


The root cause of the exploit is still being looked into, but OtterSec, a blockchain auditor, said on Twitter that the transactions were "signed by the actual owners, suggesting some sort of private key compromise." They also claim that some users on the Ethereum blockchain might be affected, though not as widely as on Solana.

Elliptic, a blockchain analysis firm, says the assets stolen were "SOL, a small number of non-fungible tokens (NFTs) and over 300 Solana-based tokens."

Solana also strongly encourages people to use hardware wallets (or cold wallets), since there is no evidence that the exploit has affected them, and to move their funds to a centralized platform. If you had your wallet drained, consider it compromised and do not continue using it. It's also good practice to keep your funds in a cold wallet and only use wallet software (or hot wallets) in small amounts for making transactions.

Solana is asking victims to complete a survey to help its engineers investigate exactly what happened.


Jorge Jimenez
Hardware writer, Human Pop-Tart