KEY POINTS

  • Slope and Phantom wallet users have been drained of SOL and USDC
  • More than 7,000 wallets have been targeted
  • Over $6 million has been lost in the exploit

Solana-based Phantom Wallet and Slope Wallet users saw their funds withdrawn at a rapid pace Tuesday, even as crypto analysts on Twitter struggled to identify the origin of the exploit.

According to a Twitter thread from @officer_cia, a self-proclaimed blockchain detective, the amount stolen from the wallets exceeds $5 million; the thread recommends unlinking "wallets from all sites" as a possible way to prevent further draining.

A Solana-based decentralized exchange (DEX), Solar DEX, pointed out that multiple users received notifications that their crypto was being sent to some unknown address. According to Solar DEX, the attacker or attackers moved 0.1 SOL to four different wallets and "started the attack on all of Solana."

The price of SOL dropped 4% in the last 24 hours and it is priced at $38.70 as of 12:26 a.m. ET Wednesday.

Magic Eden, a Solana-based NFT marketplace, was one of the first Twitter accounts to reveal the exploit.

Solar DEX also listed some things the affected users had in common, including that they had not connected their wallets to any other site.

Phantom tweeted that they are "working closely with other teams to get to the bottom of a reported vulnerability in the Solana ecosystem. At this time, the team does not believe this is a Phantom-specific issue."

Some developers speculated that the attack could have been carried out using a new version of Luca Stealer released the previous week. Luca Stealer is Rust-based information-stealing malware that exfiltrates data from a device once an unsuspecting user has downloaded and run it.

The Solana blockchain also suffered a minor service outage, according to SolStatus. The official Twitter handle of Solana Status revealed that "engineers from multiple ecosystems, with the help of several security firms, are investigating drained wallets on Solana. There is no evidence hardware wallets are impacted."

Adam Cochran, a partner at Cinneamhain Ventures, said Ethereum users are likely safe unless they have reused their seed phrase across chains (Solana and Ethereum) in a wallet like Trust Wallet or Slope.

Emin Gün Sirer, the founder and CEO of Ava Labs – the firm behind the development of Avalanche (AVAX) – revealed that the reason for the SOL wallets being drained could be a "supply chain attack" where a "JS [JavaScript] library is hacked, and it exfiltrates (steals) users' private keys. Affected wallets seem to have been created in the last ~9 months, but there are reports of freshly created wallets also being affected."

Sirer pointed out that IOTA, another blockchain network, was earlier compromised by such an attack and "never quite recovered."

Binance CEO Changpeng Zhao confirmed that more than 7,000 Solana-associated wallets have been hacked and drained of SOL and USDC, a stablecoin.

"Don't know root cause yet," Zhao said in a Twitter post Tuesday. "Maybe permissions granted to apps. For remediation, send the funds to a cold wallet or CEX like Binance."
