**WARNING** Millions Already Drained in Continuing Solana Based Wallet Hack (w/ Updates)

By kev_nag | kev_nag | 3 Aug 2022


[NOTE For the most recent updates I come across on this matter, please scroll to the bottom of this page. Thank you!]

“Up to $6 million in crypto has been drained from Solana wallets within the last 10 minutes, according to CryptoSlate sources. Users are reporting that entire wallets have been drained of funds, with little currently known as to the source of the issue” [Wright, L. Solana wallets reportedly being drained to unknown address “Htp9MGP”. (Accessed August 2, 2022).]

“At the time of writing, Solana (SOL) is currently trending on Twitter as countless users are either reporting on the hack as it unfolds, or are reporting to have lost funds themselves, warning anyone with Solana-based hot wallets such as Phantom and Slope wallets to move their funds into cold wallets” [Quarmby, B. Ongoing Solana-based wallet hack has already seen millions drained. (Accessed August 2, 2022)].


“Comments on just this post alone include many users claiming also to have had their wallets drained. No trend or source of the exploit has currently been identified” [Wright, supra].

So far both Phantom and Magic Eden have commented on the issue, with wallet provider Phantom noting that it is working with other teams to get to the bottom of the issue, although it says it does not “believe this is a Phantom-specific issue” at this stage […] Magic Eden confirmed the reports by stating that “seems to be a widespread SOL exploit at play that’s draining wallets throughout the ecosystem” as it called on users to revoke permissions for any suspicious links in their Phantom wallets.

[Quarmby, supra].


Uncertainty is creating true fear, uncertainty, and doubt in real terms for wallet owners on the Solana blockchain at present. Although the cause of the exploit is yet unknown, one wallet, in particular, has been mentioned throughout the reports. “Htp9MGP8Tig923ZFY7Qf2zzbMUmYneFRAhSp7vSg4wxV” currently has a balance of $6 million, with the majority being stablecoins. The wallet received hundreds of transactions from unique addresses at 23:22:57 PM +UTC on Tuesday, August 2.

[Wright, supra].

“Popular scam detective and self-described “on-chain sleuth” @zachxbt also did some digging and revealed to their 274,800 followers that the hackers initially funded the primary wallet associated with this attack via Binance seven months ago. The transaction history shows that the wallet remained dormant until today before the hackers conducted transactions with four different wallets 10 minutes before the attack started” [Quarmby, supra].

Crypto trader Bilal Ahmed suggested to CryptoSlate that it may be related to an NFT mint by Rakkudo. Ahmed is aware of over 500 SOL being stolen from within his personal network of traders. Theorizing the cause of the event, Ahmed suggested, ‘Rakkudo minted today, currently, it seems to be wallets linked to wallets that tried to mint. But it’s really odd as it’s also draining main wallets, not just burners.’ There has been no official statement from the Rakkudo team on its official Twitter account at this point.

[Wright, supra].

“Youness Kasmi, founder of Private Foxes, also identified 2 other wallets draining users’ funds” [Id].


“At this stage it is unclear if the hack is ongoing, where it originated and if more user funds are still at risk” [Quarmby, supra].

UPDATE [August 3, 2022 @ 05:04 ET]

“Blockchain investigator PeckShield on August 2 said the widespread hack is likely due to a “supply chain issue” which has been exploited to steal user private keys behind affected wallets. It said the estimated loss so far is around $8 million.” [Quarmby, supra].


“Slope said it is currently working with Solana Labs and other Solana-based protocols to pinpoint the issue and rectify it, though there were ‘no major breakthroughs yet’. ‘Still war-rooming through it. No major breakthroughs yet. Will follow up as soon as possible with any major conclusions and/or recommended practices’” [Id].

UPDATE [August 3, 2022 @ 06:44 ET]

“There have also been different reports on how many wallets have been affected and the extent of the damage so far […] Ava Labs CEO and founder Emin Gun Sirer stated that the number was at 7,000 plus wallets, a number which is rising at around 20 per minute. He said he believes that as the transactions appear to be signed properly, ‘it is likely that the attacker has acquired access to private keys’” [Quarmby, B. Ongoing Solana-based wallet hack has already seen millions drained. (Accessed August 2, 2022)].


Due to the ongoing nature of this hack/exploit, updates will be posted by this author as information becomes known. If you have coins/tokens in either a Phantom or a Slope wallet, the call is out for you to move your assets to cold storage if possible (e.g. a Ledger hardware wallet). If that is not possible, a less reliable method of protection is to move your assets to a newly created wallet with no pre-authorizations.

UPDATE [August 3, 2022 @ 08:30 ET]

  • “Foobar is now declaring that the issue may be related to the compromised private keys of the affected wallets. The assumption is founded on the fact that tokens such as USDC have been sent as direct transfers to another wallet instead of interacting with a smart contract that requires approvals. Token transfers are signed by the users themselves, thus pointing toward private keys being compromised” [Wright, L. Solana wallets reportedly being drained to unknown address “Htp9MGP”. (Accessed August 3, 2022)].
  • “According to CoinMarketCap, which also cited a 45 percent increase in trading activity over the past 24 hours, news of the hack caused an 8 percent decline in Solana’s value. The price of SOL has since rebounded and it is currently trading down around 4 percent at 38.97, according to data from CoinMarketCap” [Merchant, M. Millions drained in latest Solana wallet hack].

  • Solana takes to Twitter: [screenshots of Solana’s tweets]

  • “As investigations begin to unpack the root cause that allowed an attacker to pillage thousands of wallets, affected users are being warned not to accept help from individuals online purporting to have solutions to the hack. Heidi Chakos, the host of the YouTube channel Crypto Tips, stressed that scammers would be looking to exploit the ongoing situation” [Jenkinson, G. Solana wallets ‘compromised and abandoned’ as users warned of scam solutions. (Accessed August 3, 2022)].


  • "Engineers from multiple ecosystems are investigating the root cause of the incident with assistance from security firms. Users affected by the exploit are being asked to provide their compromised wallet addresses to the Solana Foundation to assist in the investigation" [Id]. For access to the form to submit your compromised wallet address to Solana, click here

UPDATE [August 3, 2022 @ 15:50 ET]

Solana co-founder Anatoly Yakovenko gave the latest update from the Solana team on his Twitter account, highlighting what other blockchain analysts had speculated was a supply chain attack that allowed the hackers to gain access to private keys. Yakovenko said preliminary investigations showed wallets that had only ever received Solana (SOL) and had no interactions beyond receiving have been affected. The exploit affected both iOS and Android devices and all the affected wallets had their private keys imported or generated on mobile.

[Jenkinson, G. Solana wallets 'compromised and abandoned’ as users warned of scam solutions. (Accessed August 3, 2022)].
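Foobar’s argument above (tokens left as plain transfers signed by the user, not through a program that needs an approval) and Yakovenko’s observation (affected wallets had only ever received SOL, so they could never have granted an approval) are the same triage test applied from two sides: does the drain transaction carry the victim’s own signature on a direct transfer, or was it a delegate spending under an earlier `approve`? The script below is an added example, not code from the post or from any of the teams it quotes. It walks a transaction in the shape of Solana’s `jsonParsed` RPC encoding (account keys with `signer` flags; per-instruction `program`, `parsed.type`, `parsed.info`) and reports which pattern it sees. The field names are my reading of that encoding and should be checked against your own RPC output; every public key and amount is a constructed placeholder.

```python
"""Triage a wallet-drain transaction: owner-signed transfer vs. delegated spend.

Added example, not code from the original post or from any wallet team.
Input shape mirrors Solana's `jsonParsed` transaction encoding (assumption:
verify the field names against your RPC). All keys below are constructed.
"""
from dataclasses import dataclass

KEY_COMPROMISE = "key-compromise"    # owner signed direct transfers out
DELEGATED_SPEND = "delegated-spend"  # a delegate spent under a prior approve
INCONCLUSIVE = "inconclusive"


@dataclass
class Verdict:
    owner_signed: bool
    direct_transfers: int
    delegated_transfers: int
    approvals: int
    assessment: str


def triage(tx: dict, owner: str) -> Verdict:
    """Classify how `owner`'s funds left in `tx`.

    Direct transfers signed by the owner (SOL via the system program, SPL
    tokens with the owner as authority) need the owner's private key. SPL
    transfers whose authority is someone else, with the owner absent from
    the signer list, rely on a delegation the owner granted earlier.
    """
    message = tx["transaction"]["message"]
    signers = {k["pubkey"] for k in message["accountKeys"] if k.get("signer")}
    direct = delegated = approvals = 0

    for ix in message["instructions"]:
        parsed = ix.get("parsed")
        if not isinstance(parsed, dict):
            continue  # raw instructions the RPC could not decode are skipped
        program, kind = ix.get("program"), parsed.get("type")
        info = parsed.get("info", {})
        if program == "system" and kind == "transfer":
            if info.get("source") == owner:
                direct += 1
        elif program == "spl-token" and kind in ("transfer", "transferChecked"):
            authority = info.get("authority") or info.get("multisigAuthority")
            if authority == owner:
                direct += 1
            else:
                delegated += 1
        elif program == "spl-token" and kind == "approve":
            approvals += 1

    owner_signed = owner in signers
    if owner_signed and direct > 0:
        assessment = KEY_COMPROMISE
    elif not owner_signed and delegated > 0:
        assessment = DELEGATED_SPEND
    else:
        assessment = INCONCLUSIVE
    return Verdict(owner_signed, direct, delegated, approvals, assessment)


# Constructed placeholder keys (not real addresses).
VICTIM = "Victim1111111111111111111111111111111111111"
ATTACKER = "Attacker111111111111111111111111111111111111"
VICTIM_USDC = "VictimUsdcAta111111111111111111111111111111"
ATTACKER_USDC = "AttackerUsdcAta1111111111111111111111111111"


def _tx(signers: set, instructions: list) -> dict:
    """Build a minimal jsonParsed-style transaction from constructed parts."""
    keys = [{"pubkey": p, "signer": p in signers, "writable": True}
            for p in sorted({*signers, VICTIM, ATTACKER})]
    return {"transaction": {"message": {"accountKeys": keys,
                                        "instructions": instructions}}}


# Pattern Foobar described: SOL and USDC leave as plain transfers, signed by the victim.
OWNER_SIGNED_DRAIN = _tx({VICTIM}, [
    {"program": "system", "parsed": {"type": "transfer", "info": {
        "source": VICTIM, "destination": ATTACKER, "lamports": 1_500_000_000}}},
    {"program": "spl-token", "parsed": {"type": "transfer", "info": {
        "source": VICTIM_USDC, "destination": ATTACKER_USDC,
        "authority": VICTIM, "amount": "250000000"}}},
])

# Contrast: a delegate from an earlier `approve` moves USDC; the victim never signs.
DELEGATED_DRAIN = _tx({ATTACKER}, [
    {"program": "spl-token", "parsed": {"type": "transfer", "info": {
        "source": VICTIM_USDC, "destination": ATTACKER_USDC,
        "authority": ATTACKER, "amount": "250000000"}}},
])

if __name__ == "__main__":
    for name, tx in (("owner-signed", OWNER_SIGNED_DRAIN), ("delegated", DELEGATED_DRAIN)):
        print(name, triage(tx, VICTIM))
```

The two verdicts call for different responses: a delegated spend is stopped by revoking the token delegation, which is the “revoke permissions” advice circulating at the time, whereas an owner-signed drain means the key itself is gone and only moving remaining funds to a fresh key (ideally hardware-backed) helps, which is what Yakovenko’s finding implies for the wallets that never interacted with anything.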


“Data from Dune Analytics currently lists 7,941 wallets that have been affected by the exploit” [Id. See also, Dune Analytics. mystery exploit victims. (Accessed August 3, 2022)].

“According to Solana analyst OtterSec, a private key compromise could be to blame for igniting the exploitation of Slope Finance’s hot wallets. Moreover, the hardest hit victims of the shocking hack so far have been wallets that have been inactive for at least half a year. Moreover, some crypto experts have outlined their belief that the attack was planned 7 months ago, as the hacker’s wallet was funded through Binance in February 2022” [Dailycoin. Massive Solana Hack Drains $8M Across 8,000 Wallets. (Accessed August 3, 2022)].

“Solana regularly experiences damning security incidents, which is why many initially assumed the attack was caused by a bug in its software code. After suffering a major decline due to the hack, the SOL token is now back in the green, according to data from CoinMarketCap” [CryptoNews. Solana Names Real Reason Behind Multimillion Dollar Hack. (Accessed August 3, 2022)].

‘The root cause is still not clear,’ Elliptic’s co-founder Tom Robinson said. ‘It appears to be due to a flaw in certain wallet software, rather than in the Solana blockchain itself.’

[Ossinger, J. and Shukla, S. Crypto Takes a New Hit as Thousands of Solana Wallets Hacked. (Accessed August 3, 2022)].

“‘Much remains unknown at this point – except that hardware wallets are not impacted,’ Solana spokesman Austin Federa said. While there’s speculation the incident was a supply-chain attack, the nature of the exploit remains unclear, Federa said. Supply-chain hacks occur when an outside party or provider with access to the victim’s systems and data is infiltrated. Some NFTs were also stolen in the hack – but the full impact of the exploit is still unclear, Elliptic’s Robinson said” [Id].

“Despite reports that it was an iOS hack, certainly, it was not. There are confirmed reports of wallet-drains from non-iOS wallets and extensions. The data suggests this is not an attack on a specific wallet provider but rather multiple wallets on many operating systems (mobile and desktop, iOS and Android),” Dmytro Budorin, CEO of Hacken, a blockchain cybersecurity specialist, said in an emailed comment. Also, according to him, while investigations into the attack have not been able to pinpoint the exact factors causing these hacks, in general, the attacker must have compromised a third party that must have ceded permissions to sign off on mass transactions.

[Kmieliauskas, L. SOL Drops as Thousands of Wallets Attacked on Solana, Millions in USD Stolen. (Accessed August 3, 2022)].

“Confirmed with the cross chain user that they imported their TrustWallet seed phrase into Slope. Both Slope & TrustWallet seem to use a single seed phrase cross-chain,” analyst Adam Cochran said. “Likely why we’ve seen so few cases on Ethereum directly. Suggests something exposing seeds w/ Solana apps?”

[Id].

Meanwhile, Solana validator Laine has denied claims that validators blacklisted or plan to blacklist the wallets associated with hackers. “We have not blacklisted anything nor are we aware of any discussion to do so. Explorers have blacklisted them, i.e. they are displaying warnings, but that doesn’t affect any transactions,” Laine said.

[Id].

“At around 10 UTC, the scanning tool for the Solana ecosystem, Solscan, provided a ‘real-time visualization dashboard’ that shows the total value in the hacker’s wallets, token allocation in each wallet, analytics of the victims’ wallets, most exploited wallets, etc. Per the dashboard, at 12:22 UTC, the total value transferred to the attacker’s wallet is USD 4.46m. Just below 50% of this is USDC, 35% is SOL, and 15% are other coins. ‘Low liquidity tokens are removed from the report as they do not reflect the accuracy of the report,’ Solscan said.”

[Id].


Solana wallet platform Solflare told Cointelegraph that it had not suffered any loss of funds and that it was working with other wallet providers to provide support toward a solution. The uniform message to SOL holders from the wider cryptocurrency ecosystem is to move funds to cold storage or centralized exchanges and to revoke permissions from trusted apps in wallet settings. Solflare also warned that users with mnemonic seed phrases originating from other wallets were at risk of being exposed.

[Jenkinson, supra].

None of the major players in this current mess have made it clear to investors whether or not affected wallets will have their funds recouped or refunded after the incident.
