Solana Wallets Targeted in Latest Multimillion-Dollar Hack

Over 8,000 internet-connected "hot" wallets have been compromised so far, but the source of the attack remains unknown.

AccessTimeIconAug 3, 2022 at 12:29 a.m. UTC
Updated May 11, 2023 at 6:16 p.m. UTC

The Solana ecosystem appears to be the victim of crypto’s latest exploit, with users reporting their funds have been drained without their knowledge from major internet-connected “hot” wallets including Phantom, Slope and TrustWallet.

The attack is still ongoing, and over 8,000 wallets have been compromised thus far, according to blockchain auditors OtterSec. Several Solana addresses have been linked to the attack (1, 2, 3, 4), with those wallets amassing at least $5 million worth of SOL, SPL and other Solana-based tokens from unsuspecting users.

The exact cause of Tuesday evening's attack remained unclear throughout the night, though it appears to have predominantly impacted mobile wallet users. The attacker somehow obtained the ability to sign (i.e., initiate and approve) transactions on the behalf of users, suggesting a trusted third-party service may have been compromised in a so-called supply chain attack.

Engineers across several networks have found that the bug isn't connected with Solana core code, but in software used by several software wallets, according to a tweet by SolanaStatus.

The attack will inevitably reignite a long-running debate around the security of hot wallets, which stay connected to the internet at all times in order to provide users a convenient way to send, store and receive crypto. Cold wallets – USB drives that must be plugged into a computer to sign transactions – are heralded as a more secure, albeit less convenient, alternative.

"We are evaluating the incident impacting Solana wallets and are working closely with other teams in the ecosystem to get to the bottom of this. We will issue an update once we gather more information,” a representative of Phantom, the largest Solana hot wallet, told CoinDesk in a statement. “The team doesn't believe this is a Phantom-specific issue at this time.”

Some users initially suspected the hack could be related to transactions on Magic Eden’s Solana-based non-fungible token (NFT) marketplace, though this link became less clear as the attack wore on. The marketplace tweeted a warning for users to revoke wallet permissions for any suspicious links to avoid being attacked. It also suggested users "[m]ove everything to a cold wallet/ledger."

Twitter continues to be flooded with reports of Solana users noticing that tokens have suddenly been drained from their accounts.

“I was getting my sunglasses refit when I got a push notification from my mobile wallet that I had sent all the SOL from my wallet,” Solana community member @gostak_gm told CoinDesk. “It was my main hot wallet, so I had it connected to lots of different mobile and web extension wallet providers as well as a lot of dapps. Not clear to me what could have been the root cause. Glad to have most of my funds on a cold wallet.”

It is unclear at this point whether the vulnerability is limited to the Solana blockchain. A TrustWallet and Slope wallet user reported losing USDC on both Solana and Ethereum.

Solana – the fifth-largest blockchain by total value locked (TVL), according to DefiLlama – has grown in popularity over the past year owing to its quick transactions and low fees. Its native token, SOL, dropped 4% in the hours following the attack.

UPDATE (Aug. 3, 2022, 00:41 UTC): Adds additional information.

UPDATE (Aug. 3, 2022, 01:30 UTC): Adds additional information.

UPDATE (Aug. 3, 2022, 04:58 UTC): Adds additional information.

UPDATE (Aug. 3, 2022, 13:30 UTC): Adds additional information from Solana in fourth paragraph.

UPDATE (Aug. 4, 2022, 02:58 UTC): Removes embedded tweet from Magic Eden with outdated information.


Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

The leader in news and information on cryptocurrency, digital assets and the future of money, CoinDesk is a media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. CoinDesk is an independent operating subsidiary of Digital Currency Group, which invests in cryptocurrencies and blockchain startups. As part of their compensation, certain CoinDesk employees, including editorial employees, may receive exposure to DCG equity in the form of stock appreciation rights, which vest over a multi-year period. CoinDesk journalists are not allowed to purchase stock outright in DCG.

Eli Tan

Eli was a news reporter for CoinDesk. He holds ETH, SOL and AVAX.

Sam Kessler

Sam is CoinDesk's deputy managing editor for tech and protocols. He reports on decentralized technology, infrastructure and governance. He owns ETH and BTC.

Learn more about Consensus 2024, CoinDesk’s longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to to register and buy your pass now.