Solana Blinks / Durable-Nonce Drainer Kits (2026)
Summary
A family of increasingly sophisticated wallet-drainer toolkits targeting the Solana ecosystem that weaponize legitimate Solana protocol features — Blinks (blockchain action links), durable nonces, and the system 'assign' instruction — to bypass the transaction-simulation safety layer that most Solana wallets rely on as their primary defense. Documented in detail by security researchers from February 2024 onward and materially escalated in late 2025 and early 2026, these kits are distributed as scam-as-a-service products supporting 90+ wallet types; losses attributable to Solana phishing reached approximately $90 million in H1 2025 alone, before the simulation-bypass generation was widely deployed. A state-level durable-nonce attack on Drift Protocol (April 2026) demonstrated that the same primitive can scale to $285 million in a single operation.
Connected Entities
3 entities · 10 linked investigations- riddyRAMQa5TQcdMbXvM3Eb8LPX4DTparuYuV6PXjAD→mentioned with→Solana Blinks / Durable-Nonce Drainer Kits (2026)(50%)
- + 4 more
Timeline(13 events)
2024-01-01
Riddance WDaaS begins operations on Solana, operating on a 10% commission model targeting 90+ wallet types.
Joe LeFever — Tracing a Drainer on Solana (Medium)2024-01-01
Chainalysis reports a Solana wallet-draining community with over 6,000 members on private forums and Telegram channels.
CryptoRank — Growing Concerns Over Solana Wallet Drainer Community2024-02-09
Blowfish discloses Aqua and Vanish drainers employing bitflip attacks on Solana — the first documented simulation-bypass technique on the network.
Crypto Daily / CryptoIntelligence.co.uk2024-02-20
Advertisements for drainer kits claiming to bypass all transaction simulations appear in underground markets, with pricing up to 10 ETH (~$30,000) for premium scripts.
CoinPaper — New Drainer Reportedly Can Bypass Transaction Simulation2025-01-01
Rublevka Team pivots from TON to Solana, launching a campaign that ultimately generates approximately $8.2 million from Solana victims.
Recorded Future — CTA-2026-02042025-06-30
Kerberus reports Solana users lost approximately $90 million to phishing in H1 2025, representing 15% of all Web3 phishing losses in the period.
AlexaBlockchain — Solana Users Phished For $90M in H1 20252025-10-01
UNC4736 (North Korea/AppleJeus) begins a six-month infiltration of Drift Protocol, posing as a quantitative trading firm and depositing over $1 million into an Ecosystem Vault.
The Hacker News — $285 Million Drift Hack Traced to Six-Month DPRK Operation2025-12-03
SlowMist documents a $3 million loss via Solana assign-instruction phishing, in which a victim signed a transaction containing a hidden assign instruction that transferred account ownership to an attacker program with no visible balance change in simulation.
SlowMist — Beware of Solana Phishing Attacks: Wallet Owner Permissions May Be Altered2026-02-04
Recorded Future (Insikt Group) publishes CTA-2026-0204 documenting the Rublevka Team operation: Russian-attributed SaaS drainer supporting 90+ Solana wallets, $10.9 million total theft.
Recorded Future — Rublevka Team: Anatomy of a Russian Crypto Drainer Operation2026-03-12
Bonk.fun Solana memecoin launchpad has its domain hijacked; attacker injects a drainer and displays a fake terms-of-service prompt. Losses estimated at approximately $30,000; users refunded at 110%.
CoinDesk — Bonk.fun Hacked: Domain Hijacked, Crypto Drainer Planted2026-03-23
UNC4736 creates four durable nonce accounts on-chain in preparation for the Drift Protocol exploit, two of which are attacker-controlled.
CoinDesk — How a Solana Feature Designed for Convenience Let an Attacker Drain $270 Million from Drift2026-04-01
UNC4736 executes the Drift Protocol durable-nonce exploit: two pre-signed transactions submitted four blockchain slots apart drain approximately $270–$286 million in under one minute, the largest DeFi hack of 2026.
CoinDesk — Drift $270M Exploit / Elliptic — $286M DPRK Attribution2026-04-05
Drift Protocol publishes attribution findings linking the exploit to North Korean state actor UNC4736/AppleJeus, describing the operation as a six-month intelligence campaign.
CoinDesk — Drift Says $270M Exploit Was a Six-Month North Korean Intelligence OperationDecision Log
- hash: 4PU7Xz5oNkriWKnkYxEvYzdZCnZqpPvFG35CMM2wYgDz
This investigation is cryptographically anchored to the Solana blockchain and source URLs are archived via the Internet Archive.
model: claude-sonnet-4-6
generated: 6/2/2026, 8:26:17 PM
last updated: 6/2/2026, 8:27:25 PM
avoid.net — verified advice for a post-truth world