Threat Management, Breach, Incident Response

Criminals steal $4 million from Solana as theft trend hits its crypto blockchain

Stickers depicting Guy Fawkes masks (Anonymous mask) and the bitcoin logo are seen at a stand
The Solana became the latest victim of cybercriminals as about 9,000 cryptocurrency wallets on its blockchain were robbed of more than $4 million. (Photo by Marco Bello/Getty Images)

Cryptocurrency exchanges and bridge sites have been suffering a spate of attacks aimed at stealing funds, personal credentials and account access. One of the latest victims: Roughly 9,000 crypto wallets on the Solana blockchain, which were reportedly robbed of more than $4 million late last week.

Tricky threat actors — continuously finding new inroads to cryptocurrency systems, customers and employees through ever-more sophisticated webs of malicious downloads, trojans, social engineering and fraud — exploited another wrinkle in this attack on Solana. Bad actors specifically accessed and drained funds held in both Solana and USD Coin currencies from account held, in most cases, on Slope mobile wallets.

The evidence in the investigation of this breach “currently points to stolen private keys as the culprit for the attacks on Solana users who use specific wallet apps,” according to Paul Bischoff, privacy advocate at Comparitech.

The passwords could have been stolen from “a database, a supply chain attack that infected some wallet apps, or by phishing users for individual passwords,” Bischoff added. “Given the number of wallets affected, one of the former two seems more likely.”

For its part, Solana is reserving judgment on how attackers were able to gain access.

“The details of exactly how this occurred are still under investigation, but private key information was inadvertently transmitted to an application monitoring service,” according to a statement Solana issued last week on Twitter. “There is no evidence the Solana protocol or its cryptography was compromised.”

A few of Solana’s account holders with Phantom mobile wallets were also reportedly impacted, but Phantom tweeted that all of its customers’ issues were connected to “importing accounts to and from” Slope. In a statement issued by Slope last week, the mobile payments developer said it is still investigating the breach of its wallets, though the company stated it had “some hypotheses as to the nature of the breach, but nothing is yet firm.” Many of Slope’s own employees and founders had their wallets emptied, as well, according to the statement.

“We are actively conducting internal investigations and audits, working with top external security and audit groups,” the Slope statement continued. “We are working with developers, security experts, and protocols from throughout the ecosystem to work to identify and rectify.”

Roger Grimes, data-driven defense evangelist at cybersecurity firm KnowBe4, pointed out that the Solana attack, along with the recent Nomad attack, attacks on Coinbase and a plethora of other blockchain and online currency breaches “is just one of the latest crypto-related thefts.”

“Billions have been stolen so far this year alone,” Grimes said. “In general, the cryptocurrency industry is not securing their products as strongly as they could. They and their employees are often running and operating as a mainstream, much lower-level security operation might.”

Cryptocurrency organizations and their software are essentially operating as financial trading organizations and banks, and as such, should treat their internal security and application security as any other high-security organization would, Grimes added. Hence all cryptocurrency and blockchain developers should be trained in security development lifecycle (SDL) techniques, use secure-by-default coding languages, and should test their applications extensively before release — conducting multiple, internal code reviews, internal penetration testing, and external bug bounties and external penetration testing, “until they can, to the best of their ability, decrease the risk of malicious bugs being present.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.