Verify a decision

{"actor":"system:backfill","investigation_id":"8a9f2d4d-75fa-4b2b-99f4-3c7fb4efd376","kind":"publish","page_slug":"thunder-terminal","published_at":"2026-05-19T16:03:18.628Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Thunder Terminal","sections":[{"content":"Thunder Terminal is an on-chain trading terminal operating on the Solana blockchain, offering users a fast interface for trading tokens on-chain. The platform maintained approximately 14,000 connected wallets at the time of the December 2023 security incident. As a non-custodial-style interface, Thunder Terminal processes withdrawal requests on behalf of users via session tokens, a design that proved to be an exploitable attack surface.","heading":"Platform Overview","severity":"low","sources":[{"credibility":2,"name":"Thunder Terminal $240K Exploit — CoinSpeaker","type":"news_article","url":"https://www.coinspeaker.com/thunder-terminal-240k-exploit-funds/"},{"credibility":2,"name":"Thunder Terminal Hack Leads to More Than 86 ETH and 439 SOL Drained — NFT Now","type":"news_article","url":"https://nftnow.com/news/thunder-terminal-hack-leads-to-86-eth-and-439-sol-drained/"}]},{"content":"On December 27, 2023, beginning at 12:11:47 AM UTC and concluding at 12:20:35 AM UTC, Thunder Terminal suffered a security exploit lasting approximately nine minutes. A total of 86.5 ETH (approximately $192,500) and 439 SOL (approximately $49,160) were drained from 114 user wallets, for combined losses of roughly $240,000. The attack affected fewer than 1% of the platform's roughly 14,000 connected wallets. Thunder Terminal confirmed the incident via an on-chain incident report and publicly stated that no private keys or user wallets were directly compromised, and that desktop wallets were not affected.","heading":"December 2023 Security Breach","severity":"high","sources":[{"credibility":2,"name":"Thunder Terminal Loses $240k in Exploit — The Crypto Times","type":"news_article","url":"https://www.cryptotimes.io/2023/12/27/thunder-terminal-loses-240k-in-exploit-more-funds-on-risk/"},{"credibility":2,"name":"Thunder Terminal $240K Exploit — CoinSpeaker","type":"news_article","url":"https://www.coinspeaker.com/thunder-terminal-240k-exploit-funds/"},{"credibility":2,"name":"Thunder Terminal Hack — Crypto.news","type":"news_article","url":"https://crypto.news/thunder-terminal-suffers-hacker-attack-losses-amount-to-240k/"}]},{"content":"The root cause of the exploit was unauthorized access to a MongoDB connection URL. Thunder Terminal attributed the breach to a separate compromise of its MongoDB provider that had occurred approximately eight days prior to the attack, in mid-December 2023. The attacker used the database connection string to extract active session tokens, which the platform's server recognized as legitimate authorization credentials. Using these session tokens, the attacker was able to execute withdrawal requests on behalf of users without possessing their private keys. Thunder Terminal stated: 'The exploit happened through withdrawal requests our server considered as authorized because of leaked session tokens.' Following containment, Thunder Terminal revoked all session token access and transaction signing capabilities and implemented two-factor authentication for future withdrawals.","heading":"Attack Vector: MongoDB Session Token Compromise","severity":"critical","sources":[{"credibility":2,"name":"Thunder Terminal Loses $240k in Exploit — The Crypto Times","type":"news_article","url":"https://www.cryptotimes.io/2023/12/27/thunder-terminal-loses-240k-in-exploit-more-funds-on-risk/"},{"credibility":2,"name":"Thunder Terminal $240K Exploit — CoinSpeaker","type":"news_article","url":"https://www.coinspeaker.com/thunder-terminal-240k-exploit-funds/"},{"credibility":2,"name":"Thunder Terminal Mitigates Attack, FBI Called In — CryptoPotato","type":"news_article","url":"https://cryptopotato.com/thunder-terminal-mitigates-attack-fbi-called-in-for-investigation-report/"}]},{"content":"On-chain investigator ZachXBT identified and publicly flagged the suspicious activity on his Telegram channel during or shortly after the attack, and traced the movement of stolen funds. According to ZachXBT's reporting and corroborating blockchain data, approximately 86.3–86.5 ETH was transferred to the Railgun protocol, a privacy-focused smart contract system designed to anonymize Ethereum transactions. The routing of stolen funds through Railgun is a documented obfuscation technique used by threat actors to obscure the on-chain trail and complicate asset recovery. The Block reported ZachXBT's initial alert and tracing findings at the time of the incident.","heading":"ZachXBT On-Chain Tracing and Railgun Laundering","severity":"high","sources":[{"credibility":2,"name":"On-chain trading platform Thunder Terminal hacked for 86.5 ETH: ZachXBT — The Block","type":"news_article","url":"https://www.theblock.co/post/269269/on-chain-trading-platform-thunder-terminal-hacked-for-86-5-eth-zachxbt"},{"credibility":2,"name":"Thunder Terminal Hack — Crypto.news","type":"news_article","url":"https://crypto.news/thunder-terminal-suffers-hacker-attack-losses-amount-to-240k/"}]},{"content":"Following the exploit, the attacker communicated publicly via an on-chain Etherscan message, directly refuting Thunder Terminal's public statements. The message read: 'All lies. We have all the user data. 50 ETH and we will delete the data.' The hacker demanded 50 ETH (equivalent to approximately $110,000 at the time) in exchange for the alleged deletion of stolen user data. Thunder Terminal disputed that any sensitive user data had been exfiltrated and maintained that no private keys had been compromised. In response to the ransom demand, Thunder Terminal stated it was 'willing to negotiate with the exploiter if they return user funds,' while also threatening to 'pursue this crime to the fullest extent of the US judicial system' if funds were not returned. No public record of ransom payment or negotiated resolution has been identified in subsequent reporting.","heading":"Attacker Ransom Demand and Disputed Claims","severity":"high","sources":[{"credibility":2,"name":"Thunder Terminal Claims Funds Safe After $240K Attack, Hacker Says Otherwise — CoinTelegraph","type":"news_article","url":"https://cointelegraph.com/news/thunder-terminal-hack-exploit-wallet-compromise-hacker-demands-ransom"},{"credibility":2,"name":"Thunder Terminal — Milk Road","type":"news_article","url":"https://milkroad.com/news/thunder-no-wallets-compromised-86-5-eth-hack-hacker-claims-all-lies/"},{"credibility":2,"name":"Thunder Terminal Rapid Response — Blockchain.news","type":"news_article","url":"https://blockchain.news/news/thunder-terminals-rapid-response-to-240-000-hack-security-measures-and-hackers-ransom-demand"}]},{"content":"Thunder Terminal's incident response included: (1) revoking all session tokens and transaction signing permissions to halt further withdrawals; (2) pledging full reimbursement of all stolen funds to the 114 affected users; (3) offering affected users a compensation package of 0% platform fees and $100,000 in platform credits; (4) engaging its legal team and notifying the Federal Bureau of Investigation (FBI); (5) implementing two-factor authentication (2FA) for all future withdrawals; and (6) commissioning a comprehensive technical security audit. Thunder Terminal's representative, identified in reporting as 'Jackson,' confirmed the FBI's active involvement. No subsequent public reporting has confirmed that reimbursements were fully completed or that the attacker was identified or prosecuted.","heading":"Platform Response and Reimbursement Commitments","severity":"medium","sources":[{"credibility":2,"name":"Thunder Terminal Mitigates Attack, FBI Called In — CryptoPotato","type":"news_article","url":"https://cryptopotato.com/thunder-terminal-mitigates-attack-fbi-called-in-for-investigation-report/"},{"credibility":2,"name":"Thunder Terminal $240K Exploit — CoinSpeaker","type":"news_article","url":"https://www.coinspeaker.com/thunder-terminal-240k-exploit-funds/"},{"credibility":1,"name":"Cryptohack Roundup: Thunder Terminal Repels Attack — BankInfoSecurity","type":"news_article","url":"https://www.bankinfosecurity.com/cryptohack-roundup-thunder-terminal-repels-attack-a-23990"}]},{"content":"The Thunder Terminal breach is notable as a supply-chain or third-party infrastructure attack. The platform's reliance on MongoDB for session token storage and authentication management created a single point of failure that was exploited via a prior breach of MongoDB's own systems in mid-December 2023. This pattern — where a trading platform's security posture is bounded by that of its cloud or database vendors — has been observed in multiple crypto platform exploits. Thunder Terminal did not disclose the specific MongoDB service tier or configuration details that allowed the connection URL to be exposed.","heading":"Third-Party Infrastructure Risk","severity":"high","sources":[{"credibility":2,"name":"Thunder Terminal Loses $240k in Exploit — The Crypto Times","type":"news_article","url":"https://www.cryptotimes.io/2023/12/27/thunder-terminal-loses-240k-in-exploit-more-funds-on-risk/"},{"credibility":2,"name":"Thunder Terminal $240K Exploit — CoinSpeaker","type":"news_article","url":"https://www.coinspeaker.com/thunder-terminal-240k-exploit-funds/"}]}],"sources_used":[],"summary":"Thunder Terminal is a Solana-based on-chain trading terminal that suffered a $240,000 exploit on December 27, 2023, when an attacker leveraged compromised MongoDB credentials to steal session tokens and drain 86.5 ETH and 439 SOL from 114 user wallets in under nine minutes. The attacker subsequently routed the stolen ETH through the Railgun privacy protocol and demanded a 50 ETH ransom for deletion of alleged user data, directly contradicting Thunder Terminal's public claim that no user data or private keys were compromised. Thunder Terminal pledged full reimbursement of stolen funds, engaged the FBI, and implemented additional security controls, though no public confirmation of completed reimbursements has been verified.","timeline":[{"date":"2023-12-19","event":"MongoDB discloses a breach of its own systems approximately eight days before the Thunder Terminal attack, which allegedly exposed Thunder Terminal's database connection credentials.","source":"CoinSpeaker, The Crypto Times","source_url":"https://www.coinspeaker.com/thunder-terminal-240k-exploit-funds/"},{"date":"2023-12-27","event":"Thunder Terminal exploit begins at 12:11:47 AM UTC. Attacker uses a stolen MongoDB connection URL to extract session tokens and execute unauthorized withdrawals from 114 wallets, draining 86.5 ETH and 439 SOL (~$240,000 total).","source":"The Crypto Times, CoinSpeaker, Crypto.news","source_url":"https://www.cryptotimes.io/2023/12/27/thunder-terminal-loses-240k-in-exploit-more-funds-on-risk/"},{"date":"2023-12-27","event":"Attack concludes at 12:20:35 AM UTC — nine minutes after it began. Thunder Terminal detects the activity and revokes all session tokens and transaction signing capabilities to halt further withdrawals.","source":"CoinSpeaker, Crypto.news","source_url":"https://www.coinspeaker.com/thunder-terminal-240k-exploit-funds/"},{"date":"2023-12-27","event":"ZachXBT flags the suspicious activity on his Telegram channel and traces approximately 86.3–86.5 ETH being routed to the Railgun privacy protocol. The Block reports ZachXBT's findings.","source":"The Block","source_url":"https://www.theblock.co/post/269269/on-chain-trading-platform-thunder-terminal-hacked-for-86-5-eth-zachxbt"},{"date":"2023-12-27","event":"Thunder Terminal issues a public incident report, stating no private keys or user wallets were compromised, and pledging full reimbursement of stolen funds plus 0% fees and $100,000 in platform credits for affected users.","source":"CoinTelegraph, CryptoPotato","source_url":"https://cryptopotato.com/thunder-terminal-mitigates-attack-fbi-called-in-for-investigation-report/"},{"date":"2023-12-27","event":"The attacker sends an on-chain message via Etherscan demanding 50 ETH (~$110,000) ransom for deletion of alleged stolen user data, calling Thunder Terminal's public statements 'all lies.'","source":"CoinTelegraph, Milk Road","source_url":"https://cointelegraph.com/news/thunder-terminal-hack-exploit-wallet-compromise-hacker-demands-ransom"},{"date":"2023-12-27","event":"Thunder Terminal contacts the FBI and its legal team. Representative 'Jackson' confirms FBI active involvement. Platform implements 2FA for withdrawals and initiates a full security audit.","source":"CryptoPotato, BankInfoSecurity","source_url":"https://cryptopotato.com/thunder-terminal-mitigates-attack-fbi-called-in-for-investigation-report/"}]},"v":1}