Solana Blinks / Durable-Nonce Drainer Kits (2026): 1 decision on this page
Audit log
Every state-changing event for Solana Blinks / Durable-Nonce Drainer Kits (2026): moderation decisions on community submissions, plus corrections and updates from the news pipeline. URL-based decisions carry three independent witnesses — the original source, an Internet Archive snapshot taken at submission time, and a Solana memo signed by our publicly-disclosed publisher key.
- #1 publish by system:backfill, 2026-06-02 20:27:25Z. Score: ? → ? (no score change). Anchored on chain.
  - chain: mainnet-beta, slot 423,881,804
  - sig: 4sre1ekn6d28…deE9TKev
  - hash: 4PU7Xz5oNkri…MM2wYgDz (sha256 → base58)
  - canonical bytes: 40851 B
{"actor":"system:backfill","investigation_id":"aa6fdc14-f59a-4b01-b300-fddbf2224685","kind":"publish","page_slug":"solana-blinks-durable-nonce-drainer-kits-2026","published_at":"2026-06-02T20:27:25.183Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Solana Blinks / Durable-Nonce Drainer Kits (2026)","sections":[{"content":"Solana Blinks/Durable-Nonce Drainer Kits are not a single product but a threat category: a generation of wallet-drainer toolkits that share the characteristic of defeating Solana wallet transaction simulation. Earlier Solana drainers (circa 2023–early 2024) relied on straightforward token-approval abuse and were largely detectable by wallet simulation previews. The 2024–2026 generation exploits three distinct Solana protocol primitives to produce transactions that simulate as benign but execute maliciously: (1) the system 'assign' instruction, which can silently reassign an account's Owner field; (2) durable nonces, which replace expiring blockhashes and allow a pre-signed transaction to remain valid indefinitely; and (3) Solana Actions/Blinks, shareable HTTP-backed links that auto-construct and present signing prompts in any social or web context. These techniques are sold as modular components within scam-as-a-service (SaaS) drainer kits on private Telegram channels and darknet markets. 
Named operators whose toolkits have been publicly attributed to this category include Rublevka Team (Recorded Future, February 2026), Riddance (attributed by on-chain researchers including AlanReports, 2024–2025), and earlier bitflip-capable kits Aqua and Vanish (Blowfish, February 2024).","heading":"Overview and Classification","severity":"critical","sources":[{"credibility":2,"name":"Anatomy of a Solana Wallet Drainer: Owner Reassignment, Durable Nonces, and Blinks Phishing — DEV Community","type":"research","url":"https://dev.to/ohmygod/anatomy-of-a-solana-wallet-drainer-owner-reassignment-durable-nonces-and-blinks-phishing-50a8"},{"credibility":1,"name":"Rublevka Team: Anatomy of a Russian Crypto Drainer Operation — Recorded Future Insikt Group","type":"research","url":"https://www.recordedfuture.com/research/rublevka-team-anatomy-russian-crypto-drainer-operation"},{"credibility":2,"name":"Blowfish Uncovers Two New Solana Drainers Capable of Bit-Flip Attacks — Crypto Daily","type":"research","url":"https://cryptodaily.co.uk/news-in-crypto/crypto-intelligence/blowfish-uncovers-two-new-solana-drainers-capable-of-bit-flip-attacks"}]},{"content":"Three core simulation-bypass techniques have been documented by independent security researchers.\n\n**1. The 'Assign' Instruction / Owner Reassignment.** Solana's system program includes a built-in 'assign' instruction that changes the Owner field of any account the signer controls. Unlike Ethereum externally owned accounts (EOAs), whose ownership is immutable, Solana accounts permit owner reassignment. Attackers embed a hidden assign instruction in an otherwise ordinary-looking transaction — such as an airdrop claim or allowlist verification — that transfers the victim's account ownership to an attacker-controlled program. Wallet simulations report no token balance changes because no tokens move at signing time; control transfers silently. 
Once ownership is reassigned, the attacker can drain any assets in the account via CPI calls without further victim interaction. SlowMist documented a case in December 2025 in which a victim lost over $3 million through this mechanism, with an additional $2 million locked in DeFi protocols. The attack mirrors the 'malicious multisig' pattern seen previously on TRON.\n\n**2. Durable Nonce Pre-signed Transactions.** Solana durable nonces replace a transaction's expiring blockhash with a fixed nonce value, rendering the signed transaction valid indefinitely until the nonce account is advanced. Drainer kits exploit this by presenting victims with a transaction that appears routine at signing time; the kit holds the signature and, before submitting it, can alter on-chain program state so that execution produces a different outcome than simulation showed. Researchers at Blockaid documented this TOCTOU (time-of-check-time-of-use) pattern, in which the attacker modifies program state across a gap of as few as seven blocks between user signature and transaction execution. The Aqua and Vanish drainers (Blowfish, February 2024) pioneered a 'bitflip attack' variant: after obtaining a signed transaction, the drainer flips a conditional flag in the dApp's on-chain program so that a transaction simulated as sending SOL to the user instead drains their account on execution.\n\n**3. Solana Blinks as Phishing Delivery.** Solana Actions, introduced in mid-2024, are HTTP endpoints that return structured transaction payloads; Blinks (blockchain links) are shareable URLs that auto-render these payloads as wallet signing prompts in any context — social media posts, messaging apps, QR codes. Because Blinks execute whatever transaction the Action endpoint returns, an attacker who controls the endpoint can deliver any valid Solana transaction, including assign-instruction or durable-nonce attacks, with a single shared link. 
In Q1 2026, a Blink circulated on X (formerly Twitter) under the guise of an NFT free-mint; the Action endpoint returned a three-instruction transaction including an assign instruction. Wallets were drained within minutes of users clicking the link. The delivery mechanism reduces victim friction to a single click and requires no cloned website infrastructure.","heading":"Technical Attack Vectors","severity":"critical","sources":[{"credibility":2,"name":"Beware of Solana Phishing Attacks: Wallet Owner Permissions May Be Altered — SlowMist","type":"research","url":"https://slowmist.medium.com/beware-of-solana-phishing-attacks-wallet-owner-permissions-may-be-altered-708bbb30518e"},{"credibility":2,"name":"Dissecting TOCTOU Attacks: How Wallet Drainers Exploit Solana's Transaction Timing — Blockaid","type":"research","url":"https://www.blockaid.io/blog/dissecting-toctou-attacks-how-wallet-drainers-exploit-solanas-transaction-timing"},{"credibility":2,"name":"Anatomy of a Solana Wallet Drainer — DEV Community","type":"research","url":"https://dev.to/ohmygod/anatomy-of-a-solana-wallet-drainer-owner-reassignment-durable-nonces-and-blinks-phishing-50a8"},{"credibility":2,"name":"Beware of Solana Phishing Attacks — CyberSecurityNews","type":"news_article","url":"https://cybersecuritynews.com/beware-of-solana-phishing-attacks/amp/"},{"credibility":2,"name":"SlowMist Warns of $3M Solana Wallet Phishing Threat — Phemex","type":"news_article","url":"https://phemex.com/news/article/slowmist-alerts-solana-users-to-3m-phishing-scam-42641"},{"credibility":3,"name":"SlowMist on X — Solana Wallet Owner Permissions Can Be Altered","type":"social_media","url":"https://x.com/SlowMist_Team/status/1996528328061382860"}]},{"content":"Multiple drainer kit operators have been identified or attributed by security researchers in this threat category.\n\n**Rublevka Team.** Documented by Recorded Future's Insikt Group in a February 4, 2026 report (CTA-2026-0204), Rublevka Team is a Russian 
cybercriminal syndicate named after the wealthy Moscow suburb. The operation is structured as a fully automated scam-as-a-service platform offering affiliates a Telegram bot, landing page generator, cloaking and DDoS protection, and automated payout infrastructure. The drainer supports over 90 Solana wallet types including Phantom, Solflare, Backpack, Coinbase, Bitget, OKX, and Metamask. The operation began by targeting The Open Network (TON) and pivoted to Solana in spring 2025. Financial losses attributed to the platform's Solana campaign total approximately $8.2 million (as of Recorded Future's reporting period ending December 2025), with total theft across platforms exceeding $10.9 million. Over 240,000 successful drain events are documented in the operation's private 'profits' Telegram channel. Commission structure offers affiliates 75–80% of proceeds. Leadership includes a founder operating as 'denisssss_inactive' on LolzTeam Forum, with administrators identified as 'Jesse Pinkman' and 'Shell.'\n\n**Riddance.** An on-chain-attributed Solana WDaaS (Wallet Drainer-as-a-Service) active since January 2024. Researchers (AlanReports GitHub) identified the platform fee address as G8Zot3kvzPVriX4bwLkgM384jPUyiCUMvbd2VnofziNT and the operator address as riddyRAMQa5TQcdMbXvM3Eb8LPX4DTparuYuV6PXjAD. The kit operates on a 10% commission model and is attributed to approximately $8 million in total theft, with the largest single transaction exceeding $500,000. Stolen funds are laundered via Jupiter, Raydium, Orca, and Meteora DEXs, with exit via Allbridge, Mayan Finance, Relay.link, and FixedFloat. An ENS domain (riddances.eth) associated with the platform operator has been linked in external research to a $30 million Bitforex incident.\n\n**Aqua and Vanish.** Two drainer scripts disclosed by Blowfish on February 9, 2024, that pioneered the bitflip-attack technique on Solana. 
These scripts are sold as scam-as-a-service products and represent the earliest documented generation of simulation-bypass drainers on Solana. Blowfish implemented automatic blocking for these patterns across partner wallets.","heading":"Named Threat Actors and Kit Ecosystems","severity":"critical","sources":[{"credibility":1,"name":"Rublevka Team: Anatomy of a Russian Crypto Drainer Operation — Recorded Future (PDF)","type":"research","url":"https://assets.recordedfuture.com/insikt-report-pdfs/2026/cta-2026-0204.pdf"},{"credibility":1,"name":"Rublevka Team: Anatomy of a Russian Crypto Drainer Operation — Recorded Future","type":"research","url":"https://www.recordedfuture.com/research/rublevka-team-anatomy-russian-crypto-drainer-operation"},{"credibility":2,"name":"Hard Working Thieves: Rublevka Team Steals $10M in Solana Scam-as-a-Service — SecurityOnline","type":"news_article","url":"https://securityonline.info/hard-working-thieves-rublevka-team-steals-10m-in-solana-scam-as-a-service/"},{"credibility":2,"name":"Russian Crypto Gang Caught Stealing Millions on Solana and TON — CyberNews","type":"news_article","url":"https://cybernews.com/cybercrime/russian-crypto-criminals-behind-solana-ton-draining-campaigns/"},{"credibility":2,"name":"Part 4. 
Tracing a Drainer on Solana — Joe LeFever, Medium (March 2026)","type":"research","url":"https://medium.com/@sicher_height/part-4-tracing-a-drainer-on-solana-d184d0283e6a"},{"credibility":2,"name":"Scam-as-a-Service: New Solana Drainers Identified — CoinTelegraph","type":"news_article","url":"https://cointelegraph.com/news/scam-as-a-service-new-solana-drainers-identified"},{"credibility":2,"name":"Blowfish Exposes Aqua, Vanish Bit-Flip Drainers on Solana — Crypto.news","type":"news_article","url":"https://crypto.news/blowfish-exposes-aqua-vanish-bit-flip-drainers-solana/"}]},{"content":"Quantified losses across the Solana drainer ecosystem are substantial and growing, though precise aggregation across all kit families is difficult due to on-chain attribution complexity.\n\nSecurity firm Kerberus, presenting findings at Solana Breakpoint, documented approximately $90 million in phishing-driven losses on Solana in H1 2025, representing approximately 15% of the $594 million in total cross-chain phishing and social engineering losses during that period. 
These figures predate the wide deployment of durable-nonce and assign-instruction simulation bypass, meaning losses in H2 2025 and 2026 may be higher per-event as defensive tooling becomes less effective.\n\nIndividual cases documented by researchers include: a $3 million loss in a single assign-instruction attack (SlowMist, December 2025); over $8 million attributed to the Riddance kit across its operational period; $10.9 million attributed to the Rublevka Team as of December 2025; and approximately $8.2 million from Rublevka's Solana-specific campaign.\n\nThe Drift Protocol exploit of April 1, 2026, while attributed to a state-level North Korean threat actor (UNC4736/AppleJeus) rather than a commodity drainer kit, demonstrates the maximum ceiling of the durable nonce attack surface: $270–$286 million drained from a single DeFi protocol in under one minute by exploiting pre-signed durable nonce transactions held by compromised multisig participants. This incident validated the theoretical maximum of the durable-nonce vector at industrial scale.\n\nGrowing concerns over a Solana wallet-draining community of over 6,000 members were reported by Chainalysis in January 2024.","heading":"Financial Losses and Scale","severity":"critical","sources":[{"credibility":2,"name":"Solana Users Phished For $90M in H1 2025, Finds Kerberus — AlexaBlockchain","type":"research","url":"https://alexablockchain.com/solana-users-phished-for-90m-in-h1-2025/"},{"credibility":1,"name":"Here is how Drift attackers drained more than $270 million using a Solana feature designed for convenience — CoinDesk","type":"news_article","url":"https://www.coindesk.com/tech/2026/04/02/how-a-solana-feature-designed-for-convenience-let-an-attacker-drain-usd270-million-from-drift"},{"credibility":1,"name":"Drift Protocol Exploited for $286 Million in Suspected DPRK-Linked Attack — 
Elliptic","type":"research","url":"https://www.elliptic.co/blog/drift-protocol-exploited-for-286-million-in-suspected-dprk-linked-attack"},{"credibility":2,"name":"Solana Users Phished For $90M in H1 2025, Finds Kerberus — MEXC News","type":"news_article","url":"https://www.mexc.com/en-NG/news"},{"credibility":2,"name":"Growing Concerns Over Solana Wallet Drainer Community With 6,000 Members — CryptoRank","type":"news_article","url":"https://cryptorank.io/news/feed/a48a0-growing-concerns-over-solana"}]},{"content":"The April 1, 2026 Drift Protocol exploit is the highest-consequence documented use of the durable nonce attack vector and provides the clearest technical evidence of how the primitive scales from retail-targeted drainer kits to institutional-level DeFi protocol attacks.\n\nDrift is a Solana-based borrow-lend and perpetuals protocol. Starting in approximately fall 2025, operatives linked to North Korean state-sponsored group UNC4736 (also tracked as AppleJeus, Citrine Sleet, Golden Chollima, and Gleaming Pisces by various researchers) infiltrated the protocol by posing as a quantitative trading firm. Operatives deposited over $1 million of their own capital, participated in working sessions with contributors across multiple countries, and built sufficient trust to gain access to multisig signing contexts.\n\nOn March 23, 2026, attackers created four durable nonce accounts — two legitimate, two attacker-controlled. By March 27, following a Security Council member swap, new multisig approvals were obtained under the revised configuration. The attackers used a weaponized Visual Studio Code project ('tasks.json' with 'runOn: folderOpen') and a fraudulent wallet application distributed via Apple TestFlight to compromise contributor devices and obtain signatures for transactions that signers believed were routine.\n\nOn April 1, 2026 at 16:05:18 UTC, two pre-signed durable nonce transactions were submitted four blockchain slots apart. 
Within one second, admin control of the protocol was transferred to attacker-controlled addresses. Total assets drained were approximately $270–$286 million (figures vary across reporting: CoinDesk reported $270 million, Elliptic $286 million, TRM Labs $285 million), including $155.6 million in JPL tokens, $60.4 million in USDC, $11.3 million in cbBTC, and substantial amounts of USDT, wETH, DSOL, WBTC, and other tokens.\n\nFund movement routed stolen tokens through NEAR intents, Backpack exchange, the Wormhole bridge, and Circle's CCTP cross-chain transfer protocol, with over $230 million ultimately bridged to Ethereum via USDC. Attribution to UNC4736 is supported by on-chain fund flows linking the operation to wallets used in the October 2024 Radiant Capital exploit ($53 million) and confirmed by Mandiant/Google forensic analysis.","heading":"Drift Protocol Exploit (April 2026) — Durable Nonce at Scale","severity":"critical","sources":[{"credibility":1,"name":"Here is how Drift attackers drained more than $270 million using a Solana feature designed for convenience — CoinDesk","type":"news_article","url":"https://www.coindesk.com/tech/2026/04/02/how-a-solana-feature-designed-for-convenience-let-an-attacker-drain-usd270-million-from-drift"},{"credibility":1,"name":"Drift says $270 million exploit was a six-month North Korean intelligence operation — CoinDesk","type":"news_article","url":"https://www.coindesk.com/markets/2026/04/05/drift-says-usd270-million-exploit-was-a-six-month-north-korean-intelligence-operation"},{"credibility":1,"name":"$285 Million Drift Hack Traced to Six-Month DPRK Social Engineering Operation — The Hacker News","type":"news_article","url":"https://thehackernews.com/2026/04/285-million-drift-hack-traced-to-six.html"},{"credibility":1,"name":"Drift Protocol Exploited for $286 Million in Suspected DPRK-Linked Attack — 
Elliptic","type":"research","url":"https://www.elliptic.co/blog/drift-protocol-exploited-for-286-million-in-suspected-dprk-linked-attack"},{"credibility":1,"name":"North Korean Hackers Attack Drift Protocol in $285 Million Heist — TRM Labs","type":"research","url":"https://www.trmlabs.com/resources/blog/north-korean-hackers-attack-drift-protocol-in-285-million-heist"},{"credibility":1,"name":"Drift Protocol Hack: How Privileged Access Led to a $285M Loss — Chainalysis","type":"research","url":"https://www.chainalysis.com/blog/lessons-from-the-drift-hack/"}]},{"content":"Drainer kits in this category are distributed through private Telegram channels and darknet marketplaces on scam-as-a-service models, with pricing typically based on commission (10% for Riddance; 20–25% for Rublevka Team affiliates) or flat monthly fees (documented at $250/month for entry-level kits).\n\nThe Rublevka Team operation provides affiliates with a fully automated Telegram bot for conducting campaigns, a landing page generator that spoofs legitimate Solana projects (Phantom, Jito, Bitget, and others), free domain and hosting services, built-in cloaking features, and DDoS protections. The group operated an affiliate leaderboard via a private Telegram profits channel that logged over 240,000 successful drain transactions as of the Recorded Future report date. Infrastructure uses domain generation algorithms (DGA) for rapid rotation, Cloudflare masking across shared domains, and RPC endpoints from Helius, WalletConnect, PublicNode, and Solflare.\n\nBlinks-based delivery further reduces attacker infrastructure requirements: a single HTTP endpoint that returns a malicious transaction payload can be packaged as a Blink and distributed across social media without requiring a cloned phishing domain. 
The March 12, 2026 compromise of Bonk.fun, a Solana memecoin launchpad, demonstrated that domain hijacking remains a parallel delivery vector: attackers hijacked the domain via a team account compromise, injected a drainer script, and displayed a fake terms-of-service signing prompt to users visiting the legitimate domain. The Bonk.fun team reported the site was restored and affected users were refunded at 110%.\n\nThe Riddance kit routes laundered funds through a hub-and-spoke network of satellite addresses, with three primary satellite addresses identified by researchers holding approximately 95,751 SOL, 84,245 SOL, and 37,776 SOL respectively. Exit routes include cross-chain bridges (Allbridge, Mayan Finance, Relay.link) and CEX deposits, with some funds observed routing through Stake.com for gambling-based layering.","heading":"Delivery Infrastructure and Distribution","severity":"high","sources":[{"credibility":1,"name":"Rublevka Team: Anatomy of a Russian Crypto Drainer Operation — Recorded Future","type":"research","url":"https://www.recordedfuture.com/research/rublevka-team-anatomy-russian-crypto-drainer-operation"},{"credibility":2,"name":"Part 4. Tracing a Drainer on Solana — Joe LeFever, Medium","type":"research","url":"https://medium.com/@sicher_height/part-4-tracing-a-drainer-on-solana-d184d0283e6a"},{"credibility":1,"name":"Bonk.fun Hacked: Domain Hijacked, Crypto Drainer Planted — CoinDesk","type":"news_article","url":"https://www.coindesk.com/tech/2026/03/12/bonk-fun-hacked-domain-hijacked-crypto-drainer-planted"}]},{"content":"The primary defense Solana users have historically relied on is wallet transaction simulation: before a user signs, the wallet simulates the transaction on-chain and shows a preview of expected balance changes. 
The entire simulation-bypass threat category exists specifically to defeat this control.\n\nThe assign-instruction vector defeats simulation because no token balance changes appear in the simulation preview; the account ownership change is not surfaced in standard wallet UIs. The TOCTOU/bitflip vector defeats simulation because the program state is altered after simulation completes but before the pre-signed transaction executes. The durable-nonce vector defeats the time-based transaction expiry safety boundary, enabling delayed execution in a context the signer did not anticipate.\n\nSecurity firm Blockaid documented a mitigation approach called Lighthouse Protocol, which injects assertion instructions into transactions to verify that the final transaction state matches simulation expectations. However, researchers note that adding instructions can exceed Solana's transaction size limits, and the approach requires wallet integration. Kerberus reported in late 2025 that only 13% of available Web3 security tools offer real-time transaction-level defenses against human-targeted attacks.\n\nBlowfish implemented automatic blocking for Aqua/Vanish bitflip transactions across partner wallets. Rublevka's multi-mode attack variants (Honeypot, Honeypot2, Fake Return, Crasher, Warning) are designed to rotate techniques and defeat single-mechanism defenses.\n\nUser-level mitigations recommended by SlowMist, Blockaid, and Kerberus include: verifying link legitimacy before clicking, using separate wallets for daily interaction versus long-term asset storage, rejecting signing requests for instructions that are not fully understood, reviewing the program IDs and instruction types (not just balance changes) shown in simulation previews, and using hardware wallets where feasible. 
Solana's official Actions/Blinks framework recommends that wallets always simulate and decode transactions before presenting them, allowlist reputable Action domains, and surface the full underlying URL to users.","heading":"Defensive Gaps and Mitigation Landscape","severity":"high","sources":[{"credibility":2,"name":"Dissecting TOCTOU Attacks: How Wallet Drainers Exploit Solana's Transaction Timing — Blockaid","type":"research","url":"https://www.blockaid.io/blog/dissecting-toctou-attacks-how-wallet-drainers-exploit-solanas-transaction-timing"},{"credibility":2,"name":"Only 13% Of Web3 Tools Offer Real-Time Defense — Kerberus at Solana Breakpoint","type":"research","url":"https://mpost.io/only-13-of-web3-tools-offer-real-time-defense-kerberus-expands-sentinel3-protection-to-solana-users/"},{"credibility":2,"name":"Beware of Solana Phishing Attacks: Wallet Owner Permissions May Be Altered — SlowMist","type":"research","url":"https://slowmist.medium.com/beware-of-solana-phishing-attacks-wallet-owner-permissions-may-be-altered-708bbb30518e"},{"credibility":2,"name":"How the Solana False Top-Up Attack Works — Liminal Custody","type":"research","url":"https://www.liminalcustody.com/blog/how-the-solana-false-top-up-attack-works-and-how-to-stop-it/"},{"credibility":1,"name":"Blockchain Links and Solana Actions — Official Solana Foundation","type":"official","url":"https://solana.com/solutions/actions"}]},{"content":"Researchers have identified several emerging developments within this threat category that suggest the attack surface is expanding rather than contracting.\n\n**Agentic drainer variants.** The DEV Community article documenting assign-instruction and Blinks techniques notes the emergence of alleged 'agentic drainer' variants — AI-assisted drainer tooling capable of autonomously identifying targets, constructing delivery campaigns, and adapting prompts. 
This variant is assessed by the intake source as a next-generation threat; however, as of the research date (June 2026) no Tier 1 or Tier 2 source has independently quantified losses attributable to an AI-guided drainer specifically. This claim is noted but rated low-confidence pending further documentation.\n\n**Broader Solana infrastructure targeting.** The August 2025 incident in which an AI-generated malicious npm package drained Solana funds from over 1,500 developers before takedown (The Hacker News) illustrates that the attack surface extends to the Solana developer supply chain, not just end users. Drainer code embedded in widely used JavaScript packages can reach users without any phishing link interaction.\n\n**Supply-chain and domain-hijacking integration.** The Bonk.fun incident (March 2026) demonstrates that drainer payloads are increasingly delivered through compromised legitimate domains rather than purely spoofed sites, reducing users' ability to detect attacks by URL inspection alone.\n\n**State-actor adoption of commodity primitives.** The Drift Protocol exploit demonstrates that durable-nonce techniques are not limited to retail-targeted commodity kits; nation-state threat actors are incorporating the same Solana primitives into billion-dollar operations. 
This implies that defensive tooling designed for retail phishing (simulation-preview tools, domain reputation lists) will not be sufficient against adversaries who can compromise signing environments directly.","heading":"Emerging Variants and Future Risk","severity":"high","sources":[{"credibility":2,"name":"Anatomy of a Solana Wallet Drainer — DEV Community","type":"research","url":"https://dev.to/ohmygod/anatomy-of-a-solana-wallet-drainer-owner-reassignment-durable-nonces-and-blinks-phishing-50a8"},{"credibility":1,"name":"AI-Generated Malicious npm Package Drains Solana Funds from 1,500+ Before Takedown — The Hacker News","type":"news_article","url":"https://thehackernews.com/2025/08/ai-generated-malicious-npm-package.html"},{"credibility":1,"name":"Bonk.fun Hacked: Domain Hijacked, Crypto Drainer Planted — CoinDesk","type":"news_article","url":"https://www.coindesk.com/tech/2026/03/12/bonk-fun-hacked-domain-hijacked-crypto-drainer-planted"},{"credibility":2,"name":"Drift Protocol Exploit: Why Social Trust Is the Newest Cybersecurity Gap — Crowell & Moring","type":"research","url":"https://www.crowell.com/en/insights/client-alerts/drift-protocol-exploit-why-social-trust-is-the-newest-cybersecurity-gap"}]},{"content":"Primary documentation for the simulation-bypass techniques in this threat category comes from a combination of Tier 1 and Tier 2 sources. The Recorded Future Insikt Group report on Rublevka Team (CTA-2026-0204, February 4, 2026) is the highest-credibility attribution source for a named kit operator. 
The Drift Protocol analysis has been covered by CoinDesk, The Hacker News, Elliptic, TRM Labs, Chainalysis, and Mandiant/Google, providing strong Tier 1 corroboration of the durable nonce attack vector at scale.\n\nThe DEV Community article ('Anatomy of a Solana Wallet Drainer,' cited as a March 2026 publication by the intake queue) and Joe LeFever's Medium series 'Tracing a Drainer on Solana' are Tier 2 sources — researcher-authored technical analyses without third-party editorial oversight — but their technical claims are consistent with and corroborated by the Tier 1 and Tier 2 reporting from Blockaid, SlowMist, Blowfish, and Kerberus.\n\nThe $90 million H1 2025 loss figure originates from Kerberus (a specialized Web3 security firm) and has been republished by multiple crypto media outlets; it is treated as a Tier 2 figure given Kerberus's domain specialization but absence of an independently audited methodology. The figure represents an estimate rather than an on-chain-verified aggregate.\n\nThe 'agentic drainer' claim remains unverified by any Tier 1 or Tier 2 source and should be treated as low confidence.","heading":"Research Documentation and Source Quality","severity":"low","sources":[{"credibility":1,"name":"Rublevka Team: Anatomy of a Russian Crypto Drainer Operation — Recorded Future (PDF)","type":"research","url":"https://assets.recordedfuture.com/insikt-report-pdfs/2026/cta-2026-0204.pdf"},{"credibility":2,"name":"Solana Users Phished For $90M in H1 2025, Finds Kerberus — AlexaBlockchain","type":"research","url":"https://alexablockchain.com/solana-users-phished-for-90m-in-h1-2025/"},{"credibility":2,"name":"SolPhishHunter: Towards Detecting and Understanding Phishing on Solana — arXiv","type":"research","url":"https://arxiv.org/html/2505.04094v1"}]}],"sources_used":[{"credibility":2,"name":"Anatomy of a Solana Wallet Drainer: Owner Reassignment, Durable Nonces, and Blinks Phishing — DEV 
Community","type":"research","url":"https://dev.to/ohmygod/anatomy-of-a-solana-wallet-drainer-owner-reassignment-durable-nonces-and-blinks-phishing-50a8"},{"credibility":2,"name":"Part 4. Tracing a Drainer on Solana — Joe LeFever (Medium, March 2026)","type":"research","url":"https://medium.com/@sicher_height/part-4-tracing-a-drainer-on-solana-d184d0283e6a"},{"credibility":1,"name":"Rublevka Team: Anatomy of a Russian Crypto Drainer Operation — Recorded Future","type":"research","url":"https://www.recordedfuture.com/research/rublevka-team-anatomy-russian-crypto-drainer-operation"},{"credibility":1,"name":"Rublevka Team Report PDF — Recorded Future (CTA-2026-0204)","type":"research","url":"https://assets.recordedfuture.com/insikt-report-pdfs/2026/cta-2026-0204.pdf"},{"credibility":2,"name":"Beware of Solana Phishing Attacks: Wallet Owner Permissions May Be Altered — SlowMist","type":"research","url":"https://slowmist.medium.com/beware-of-solana-phishing-attacks-wallet-owner-permissions-may-be-altered-708bbb30518e"},{"credibility":2,"name":"Dissecting TOCTOU Attacks: How Wallet Drainers Exploit Solana's Transaction Timing — Blockaid","type":"research","url":"https://www.blockaid.io/blog/dissecting-toctou-attacks-how-wallet-drainers-exploit-solanas-transaction-timing"},{"credibility":1,"name":"Here is how Drift attackers drained more than $270 million — CoinDesk (April 2, 2026)","type":"news_article","url":"https://www.coindesk.com/tech/2026/04/02/how-a-solana-feature-designed-for-convenience-let-an-attacker-drain-usd270-million-from-drift"},{"credibility":1,"name":"Drift says $270 million exploit was a six-month North Korean intelligence operation — CoinDesk (April 5, 2026)","type":"news_article","url":"https://www.coindesk.com/markets/2026/04/05/drift-says-usd270-million-exploit-was-a-six-month-north-korean-intelligence-operation"},{"credibility":1,"name":"$285 Million Drift Hack Traced to Six-Month DPRK Social Engineering Operation — The Hacker 
News","type":"news_article","url":"https://thehackernews.com/2026/04/285-million-drift-hack-traced-to-six.html"},{"credibility":1,"name":"Drift Protocol Exploited for $286 Million in Suspected DPRK-Linked Attack — Elliptic","type":"research","url":"https://www.elliptic.co/blog/drift-protocol-exploited-for-286-million-in-suspected-dprk-linked-attack"},{"credibility":1,"name":"North Korean Hackers Attack Drift Protocol in $285 Million Heist — TRM Labs","type":"research","url":"https://www.trmlabs.com/resources/blog/north-korean-hackers-attack-drift-protocol-in-285-million-heist"},{"credibility":1,"name":"Drift Protocol Hack: How Privileged Access Led to a $285M Loss — Chainalysis","type":"research","url":"https://www.chainalysis.com/blog/lessons-from-the-drift-hack/"},{"credibility":2,"name":"Solana Users Phished For $90M in H1 2025, Finds Kerberus — AlexaBlockchain","type":"research","url":"https://alexablockchain.com/solana-users-phished-for-90m-in-h1-2025/"},{"credibility":2,"name":"Hard Working Thieves: Rublevka Team Steals $10M in Solana Scam-as-a-Service — SecurityOnline","type":"news_article","url":"https://securityonline.info/hard-working-thieves-rublevka-team-steals-10m-in-solana-scam-as-a-service/"},{"credibility":2,"name":"Russian Crypto Gang Caught Stealing Millions on Solana and TON — CyberNews","type":"news_article","url":"https://cybernews.com/cybercrime/russian-crypto-criminals-behind-solana-ton-draining-campaigns/"},{"credibility":1,"name":"Bonk.fun Hacked: Domain Hijacked, Crypto Drainer Planted — CoinDesk (March 12, 2026)","type":"news_article","url":"https://www.coindesk.com/tech/2026/03/12/bonk-fun-hacked-domain-hijacked-crypto-drainer-planted"},{"credibility":2,"name":"Beware of Solana Phishing Attacks That Let Hackers Initiate Unauthorized Account Transfer — CyberSecurityNews","type":"news_article","url":"https://cybersecuritynews.com/beware-of-solana-phishing-attacks/amp/"},{"credibility":2,"name":"Blowfish Exposes Aqua, Vanish Bit-Flip 
Drainers on Solana — Crypto.news","type":"news_article","url":"https://crypto.news/blowfish-exposes-aqua-vanish-bit-flip-drainers-solana/"},{"credibility":1,"name":"AI-Generated Malicious npm Package Drains Solana Funds from 1,500+ Before Takedown — The Hacker News (August 2025)","type":"news_article","url":"https://thehackernews.com/2025/08/ai-generated-malicious-npm-package.html"},{"credibility":2,"name":"Only 13% Of Web3 Tools Offer Real-Time Defense — Kerberus at Solana Breakpoint","type":"research","url":"https://mpost.io/only-13-of-web3-tools-offer-real-time-defense-kerberus-expands-sentinel3-protection-to-solana-users/"},{"credibility":2,"name":"SolPhishHunter: Towards Detecting and Understanding Phishing on Solana — arXiv","type":"research","url":"https://arxiv.org/html/2505.04094v1"},{"credibility":2,"name":"Growing Concerns Over Solana Wallet Drainer Community With 6,000 Members — CryptoRank","type":"news_article","url":"https://cryptorank.io/news/feed/a48a0-growing-concerns-over-solana"},{"credibility":2,"name":"Drift Protocol Exploit: Why Social Trust Is the Newest Cybersecurity Gap — Crowell & Moring","type":"research","url":"https://www.crowell.com/en/insights/client-alerts/drift-protocol-exploit-why-social-trust-is-the-newest-cybersecurity-gap"},{"credibility":2,"name":"New Drainer Reportedly Can Bypass Transaction Simulation — CoinPaper","type":"news_article","url":"https://coinpaper.com/3392/wallet-drainer-promises-to-bypass-any-transaction-simulation-now-available-for-sale"},{"credibility":1,"name":"Blockchain Links and Solana Actions — Official Solana Foundation","type":"official","url":"https://solana.com/solutions/actions"}],"summary":"A family of increasingly sophisticated wallet-drainer toolkits targeting the Solana ecosystem that weaponize legitimate Solana protocol features — Blinks (blockchain action links), durable nonces, and the system 'assign' instruction — to bypass the transaction-simulation safety layer that most Solana wallets rely 
on as their primary defense. Documented in detail by security researchers from February 2024 onward and materially escalated in late 2025 and early 2026, these kits are distributed as scam-as-a-service products supporting 90+ wallet types; losses attributable to Solana phishing reached approximately $90 million in H1 2025 alone, before the simulation-bypass generation was widely deployed. A state-level durable-nonce attack on Drift Protocol (April 2026) demonstrated that the same primitive can scale to $285 million in a single operation.","timeline":[{"date":"2024-01-01","event":"Riddance WDaaS begins operations on Solana, operating on a 10% commission model targeting 90+ wallet types.","source":"Joe LeFever — Tracing a Drainer on Solana (Medium)","source_url":"https://medium.com/@sicher_height/part-4-tracing-a-drainer-on-solana-d184d0283e6a"},{"date":"2024-01-01","event":"Chainalysis reports a Solana wallet-draining community with over 6,000 members on private forums and Telegram channels.","source":"CryptoRank — Growing Concerns Over Solana Wallet Drainer Community","source_url":"https://cryptorank.io/news/feed/a48a0-growing-concerns-over-solana"},{"date":"2024-02-09","event":"Blowfish discloses Aqua and Vanish drainers employing bitflip attacks on Solana — the first documented simulation-bypass technique on the network.","source":"Crypto Daily / CryptoIntelligence.co.uk","source_url":"https://www.cryptointelligence.co.uk/blowfish-uncovers-two-new-solana-drainers-capable-of-bit-flip-attacks/"},{"date":"2024-02-20","event":"Advertisements for drainer kits claiming to bypass all transaction simulations appear in underground markets, with pricing up to 10 ETH (~$30,000) for premium scripts.","source":"CoinPaper — New Drainer Reportedly Can Bypass Transaction Simulation","source_url":"https://coinpaper.com/3392/wallet-drainer-promises-to-bypass-any-transaction-simulation-now-available-for-sale"},{"date":"2025-01-01","event":"Rublevka Team pivots from TON to Solana, 
launching a campaign that ultimately generates approximately $8.2 million from Solana victims.","source":"Recorded Future — CTA-2026-0204","source_url":"https://www.recordedfuture.com/research/rublevka-team-anatomy-russian-crypto-drainer-operation"},{"date":"2025-06-30","event":"Kerberus reports Solana users lost approximately $90 million to phishing in H1 2025, representing 15% of all Web3 phishing losses in the period.","source":"AlexaBlockchain — Solana Users Phished For $90M in H1 2025","source_url":"https://alexablockchain.com/solana-users-phished-for-90m-in-h1-2025/"},{"date":"2025-10-01","event":"UNC4736 (North Korea/AppleJeus) begins a six-month infiltration of Drift Protocol, posing as a quantitative trading firm and depositing over $1 million into an Ecosystem Vault.","source":"The Hacker News — $285 Million Drift Hack Traced to Six-Month DPRK Operation","source_url":"https://thehackernews.com/2026/04/285-million-drift-hack-traced-to-six.html"},{"date":"2025-12-03","event":"SlowMist documents a $3 million loss via Solana assign-instruction phishing, in which a victim signed a transaction containing a hidden assign instruction that transferred account ownership to an attacker program with no visible balance change in simulation.","source":"SlowMist — Beware of Solana Phishing Attacks: Wallet Owner Permissions May Be Altered","source_url":"https://slowmist.medium.com/beware-of-solana-phishing-attacks-wallet-owner-permissions-may-be-altered-708bbb30518e"},{"date":"2026-02-04","event":"Recorded Future (Insikt Group) publishes CTA-2026-0204 documenting the Rublevka Team operation: Russian-attributed SaaS drainer supporting 90+ Solana wallets, $10.9 million total theft.","source":"Recorded Future — Rublevka Team: Anatomy of a Russian Crypto Drainer Operation","source_url":"https://www.recordedfuture.com/research/rublevka-team-anatomy-russian-crypto-drainer-operation"},{"date":"2026-03-12","event":"Bonk.fun Solana memecoin launchpad has its domain hijacked; 
attacker injects a drainer and displays a fake terms-of-service prompt. Losses estimated at approximately $30,000; users refunded at 110%.","source":"CoinDesk — Bonk.fun Hacked: Domain Hijacked, Crypto Drainer Planted","source_url":"https://www.coindesk.com/tech/2026/03/12/bonk-fun-hacked-domain-hijacked-crypto-drainer-planted"},{"date":"2026-03-23","event":"UNC4736 creates four durable nonce accounts on-chain in preparation for the Drift Protocol exploit, two of which are attacker-controlled.","source":"CoinDesk — How a Solana Feature Designed for Convenience Let an Attacker Drain $270 Million from Drift","source_url":"https://www.coindesk.com/tech/2026/04/02/how-a-solana-feature-designed-for-convenience-let-an-attacker-drain-usd270-million-from-drift"},{"date":"2026-04-01","event":"UNC4736 executes the Drift Protocol durable-nonce exploit: two pre-signed transactions submitted four blockchain slots apart drain approximately $270–$286 million in under one minute, the largest DeFi hack of 2026.","source":"CoinDesk — Drift $270M Exploit / Elliptic — $286M DPRK Attribution","source_url":"https://www.coindesk.com/tech/2026/04/02/how-a-solana-feature-designed-for-convenience-let-an-attacker-drain-usd270-million-from-drift"},{"date":"2026-04-05","event":"Drift Protocol publishes attribution findings linking the exploit to North Korean state actor UNC4736/AppleJeus, describing the operation as a six-month intelligence campaign.","source":"CoinDesk — Drift Says $270M Exploit Was a Six-Month North Korean Intelligence Operation","source_url":"https://www.coindesk.com/markets/2026/04/05/drift-says-usd270-million-exploit-was-a-six-month-north-korean-intelligence-operation"}]},"v":1}Verify offline (run on your own machine)python -m src.verify_decision 27e811f6-5638-4e3f-b999-5a50dca30ad1
How verification works. The “Row integrity” check above is computed in your browser — your machine recomputes the SHA-256 of the canonical bytes and compares it against the stored hash. No avoid.net server can fake that check, but on its own it only proves that the bytes shown on this page match the hash shown on this page. The “full verify” link goes one level deeper: your browser fetches the on-chain transaction from a Solana RPC node and confirms the same hash is in the memo, so the hash you recomputed is also checked against a copy that cannot be edited after the fact. If you don’t want to trust either avoid.net or the public RPC, run the CLI verifier on your own machine — python -m src.verify_decision <event_id>.
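The two checks described above, as an added offline example. This is not avoid.net's own src.verify_decision and makes two assumptions that are labelled in the code: the canonical form of a record is compact, key-sorted UTF-8 JSON, and the displayed hash and the on-chain memo both carry the raw SHA-256 digest encoded in base58. The sample record is constructed here, not the page's canonical bytes. The demo also shows why the hash must be taken over the exact bytes: a single inserted line break, such as one introduced by copying a wrapped display, produces a different digest.

```python
"""Offline row-integrity check, an added illustration of the page's
verification steps. Not avoid.net's verifier; canonicalization rule and
memo layout are assumptions."""
import hashlib
import hmac
import json

# Bitcoin/Solana base58 alphabet (no 0, O, I, l).
B58_ALPHABET = b"123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58encode(raw: bytes) -> str:
    """Encode bytes as base58; each leading zero byte becomes a leading '1'."""
    n = int.from_bytes(raw, "big")
    digits = bytearray()
    while n > 0:
        n, rem = divmod(n, 58)
        digits.append(B58_ALPHABET[rem])
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return (B58_ALPHABET[:1] * pad + bytes(digits[::-1])).decode("ascii")


def b58decode(text: str) -> bytes:
    """Inverse of b58encode; raises ValueError on characters outside the alphabet."""
    n = 0
    for ch in text.encode("ascii"):
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            raise ValueError("invalid base58 character")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(text) - len(text.lstrip("1"))
    return b"\x00" * pad + body


def row_hash(canonical: bytes) -> str:
    """SHA-256 of the exact canonical bytes, shown in base58 (assumed display form)."""
    return b58encode(hashlib.sha256(canonical).digest())


def canonicalize(record: dict) -> bytes:
    """Assumed canonical form: sorted keys, no whitespace, UTF-8. The site's real
    rule may differ; whatever it is, the hash covers those bytes exactly."""
    return json.dumps(record, separators=(",", ":"), sort_keys=True,
                      ensure_ascii=False).encode("utf-8")


def verify_row(canonical: bytes, stored_hash: str) -> bool:
    """Witness 1: the bytes shown on the page match the hash shown on the page."""
    return hmac.compare_digest(row_hash(canonical), stored_hash)


def verify_memo(canonical: bytes, memo_text: str) -> bool:
    """Witness 2: the memo of the anchoring transaction carries the same hash.
    Assumes the memo is the bare base58 hash, possibly with surrounding whitespace."""
    return hmac.compare_digest(row_hash(canonical), memo_text.strip())


# Constructed sample record; not the page's canonical bytes.
SAMPLE_RECORD = {
    "actor": "system:backfill",
    "kind": "publish",
    "page_slug": "example-page",
    "sequence_num": 1,
    "v": 1,
}


def demo() -> dict:
    """Run both witnesses on the sample, then on a tampered and a re-flowed copy."""
    cb = canonicalize(SAMPLE_RECORD)
    h = row_hash(cb)
    tampered = dict(SAMPLE_RECORD, sequence_num=2)
    return {
        "hash": h,
        "row_ok": verify_row(cb, h),
        "memo_ok": verify_memo(cb, f" {h}\n"),
        "tamper_detected": not verify_row(canonicalize(tampered), h),
        # A line break inserted into the bytes (e.g. by a wrapped copy-paste) breaks the match.
        "reflow_detected": not verify_row(cb + b"\n", h),
    }


if __name__ == "__main__":
    print(demo())
```

To apply this to a real row, feed `verify_row` the canonical bytes exactly as served (not as re-wrapped on screen) together with the displayed hash, and feed `verify_memo` the memo text read from the transaction fetched by signature from an RPC node you trust.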