In recent weeks, a disturbing trend has emerged within the Solana ecosystem, where two malicious programs, Rainbow Drainer and Node Drainer, have successfully pilfered millions of dollars in crypto assets from unsuspecting users. According to a comprehensive analysis conducted by Scam Sniffer and the crypto analytics platform Dune, these nefarious actors have managed to abscond with a combined total of $4.17 million from 3,967 Solana wallets since late November, with the majority of the thefts occurring in mid-December.
Solana users lose funds to airdrop scammers
The primary modus operandi involves targeting specific Solana token communities through NFT airdrops and subsequently attaching phishing website links to these airdropped NFTs. While legitimate airdrops, which entail the distribution of free tokens or NFTs associated with various protocols and applications, have been on the rise, so too have social media scams masquerading as genuine giveaways. For instance, users of Rainbow Drainer focused on holders of ZERO, the native token of the Solana meta protocol Analysoor.
These individuals received NFTs claiming to offer vouchers for 1,000 free ZERO tokens. Intrigued recipients, in the hope of receiving free tokens, clicked on the external link affiliated with the NFT and unwittingly signed a transaction linking their wallets to the deceptive site. The result was swift and devastating – the wallets of these unsuspecting users were drained of all their digital assets. Rainbow Drainer alone has managed to amass $2.15 million in ill-gotten gains in the past few weeks, with stolen assets including BONK, ZERO, USDT, and USDC, among others.
Node Drainer, on the other hand, employed a similar strategy by disseminating phishing links in Discord groups and infiltrating Twitter accounts to post them. Notably, even the cybersecurity firm Mandiant, a Google subsidiary, fell victim to this tactic. The exploits orchestrated by Node Drainer yielded $2.025 million, primarily in the form of ANALOS and BONK. While the exact number of individuals behind these attacks remains unknown, on-chain evidence suggests that a substantial portion of them may be attributed to a single individual or a small group.
Scam Sniffer identified a wallet address associated with the drains, which utilized AllBridge to transfer over $1 million worth of stolen assets cross-chain to Ethereum. Subsequently, the funds were exchanged for ETH and transferred once again. What sets these Solana-based attacks apart is the tactic employed by the hackers. Unlike many crypto scams on Ethereum that focus on deceiving users into surrendering wallet access, malicious exploits on Solana often revolve around convincing unsuspecting users to connect their wallets under false pretenses, typically involving promises of self-enrichment.
The rise of such targeted attacks underscores the need for heightened awareness and caution among crypto users, especially within emerging ecosystems like Solana. As the crypto space evolves, it becomes crucial for users to stay vigilant against phishing attempts, dubious airdrops, and other tactics employed by bad actors seeking to exploit vulnerabilities. Security measures, both at the individual and community levels, must be bolstered to mitigate the risk of falling victim to these increasingly sophisticated attacks.