The Great Drain
Thousands of Solana wallets are being emptied by a hacker in what Twitter users are calling "The Great Drain." So far, more than 15k Solana hot wallets, including Phantom, Slope, Solflare, and TrustWallet, have had all their SOL and USDC stolen. Solana believes web browser extensions and mobile wallets on iOS and Android are affected.
Last night, @0xfoobar tweeted that an attacker was draining Solana wallets. Oddly, the affected wallets had been inactive for over 6 months before the hack.
What Caused the Hack?
It looks like the Slope wallet was hacked. Apparently, some sort of telemetry or monitoring software captured the Slope wallets’ private keys. The hackers then used these keys to empty the Slope wallets months later. Solana users who imported a compromised Slope wallet into Phantom or another wallet can also have their funds drained, since the hacker still has the wallet’s private keys.
Currently, there is no indication that Phantom wallet or the Solana blockchain are compromised. The problem appears to be limited to wallets that originated with Slope.
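The cause described above is telemetry that captured private keys. As an added example (not Slope's or any wallet's code), here is a Python redaction pass that a wallet could run over every telemetry payload before it leaves the device: it drops fields named like secrets, detects BIP-39 seed phrases and base58-encoded 64-byte secret keys inside free-text strings, catches the 64-byte JSON keypair array format, and leaves public keys and ordinary fields alone. The wordlist slice, the sample event and the fake key strings are constructed for the example; the length heuristic (87 or 88 base58 characters for 64 bytes, 43 or 44 for 32) follows from base58 encoding.

```python
import hashlib
import json
import re

# Field names whose values never belong in a telemetry payload, whatever they hold.
SENSITIVE_KEYS = {"mnemonic", "seed", "seedphrase", "secretkey", "privatekey", "keypair"}

# Constructed: the first 28 words of the BIP-39 English wordlist. A real wallet
# would load all 2048 words; this slice is enough to run the example offline.
BIP39_SAMPLE = {
    "abandon", "ability", "able", "about", "above", "absent", "absorb",
    "abstract", "absurd", "abuse", "access", "accident", "account", "accuse",
    "achieve", "acid", "acoustic", "acquire", "across", "act", "action",
    "actor", "actress", "actual", "adapt", "add", "addict", "address",
}

BASE58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# A 64-byte Solana secret key is 87 or 88 base58 characters; a 32-byte public
# key is only 43 or 44, so this pattern leaves public keys untouched.
BASE58_SECRET_RE = re.compile(
    r"(?<![1-9A-HJ-NP-Za-km-z])[1-9A-HJ-NP-Za-km-z]{85,90}(?![1-9A-HJ-NP-Za-km-z])"
)


def fingerprint(value: str) -> str:
    """Short SHA-256 prefix so repeated leaks can be correlated without storing the secret."""
    return hashlib.sha256(value.encode()).hexdigest()[:8]


def has_mnemonic_run(text: str, min_words: int = 12) -> bool:
    """True if the text contains min_words consecutive BIP-39 words (a seed phrase)."""
    run = 0
    for word in re.findall(r"[a-z]+", text.lower()):
        run = run + 1 if word in BIP39_SAMPLE else 0
        if run >= min_words:
            return True
    return False


def scrub_string(s: str) -> str:
    """Replace seed phrases and secret-key-length base58 runs inside a string."""
    if has_mnemonic_run(s):
        return f"[REDACTED mnemonic fp={fingerprint(s)}]"
    return BASE58_SECRET_RE.sub(lambda m: f"[REDACTED key fp={fingerprint(m.group(0))}]", s)


def is_raw_keypair(value) -> bool:
    """Solana's keypair file format is a JSON array of 64 byte values."""
    return (
        isinstance(value, list)
        and len(value) == 64
        and all(isinstance(v, int) and not isinstance(v, bool) and 0 <= v <= 255 for v in value)
    )


def redact_telemetry(obj):
    """Walk a telemetry payload and replace anything that looks like key material."""
    if isinstance(obj, dict):
        out = {}
        for key, value in obj.items():
            if str(key).replace("_", "").lower() in SENSITIVE_KEYS:
                out[key] = f"[REDACTED field fp={fingerprint(json.dumps(value, sort_keys=True))}]"
            else:
                out[key] = redact_telemetry(value)
        return out
    if is_raw_keypair(obj):
        return f"[REDACTED keypair fp={fingerprint(json.dumps(obj))}]"
    if isinstance(obj, list):
        return [redact_telemetry(v) for v in obj]
    if isinstance(obj, str):
        return scrub_string(obj)
    return obj


def safe_serialize(event: dict) -> str:
    """The only form of the event that should reach a telemetry backend."""
    return json.dumps(redact_telemetry(event), sort_keys=True)


# Constructed sample values: deterministic base58 strings of realistic lengths, not real keys.
FAKE_SECRET = "".join(BASE58_ALPHABET[(i * 7) % 58] for i in range(87))
FAKE_PUBKEY = "".join(BASE58_ALPHABET[(i * 3) % 58] for i in range(44))

# Constructed telemetry event of the kind a careless "dump the wallet state" debug call produces.
SAMPLE_EVENT = {
    "event": "wallet_import",
    "pubkey": FAKE_PUBKEY,
    "version": "1.0",
    "debug": {
        "state": {"seed_phrase": "abandon ability able about above absent absorb abstract absurd abuse access accident"},
        "log": "imported abandon ability able about above absent absorb abstract absurd abuse access accident ok",
        "bytes": [7] * 64,
    },
    "error": "signing failed for " + FAKE_SECRET,
}

if __name__ == "__main__":
    print(safe_serialize(SAMPLE_EVENT))
```

The fingerprint is there so an operator can notice that the same secret keeps showing up in payloads (which is itself a signal that a code path is logging wallet state) without the backend ever holding the secret. A redaction pass like this is a last line of defence; the real fix is to never pass wallet state objects to logging or monitoring code in the first place.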
How to Keep Your Solana Assets Safe
Transfer your funds to a hardware wallet, like a Ledger, or a CEX. That's it.
So far, no hardware wallets have been drained, and no CEXs are reporting issues with SOL. There are plenty of Twitter users claiming you should revoke permissions in the wallet, and that's a great idea, but it probably won't help this time.
According to @0xfoobar, you can't just revoke permissions, "because these SOL and SPL transfers are signed by the users themselves, not transferred away by a third party using approvals. So while you can revoke, it's likely something has caused widespread private key compromise."
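To make that point concrete, here is an added Python model (an illustration written for this page, not Solana's runtime or any wallet's code) of how SPL-style token authority works: a delegate can only spend up to an approved allowance and revoking clears it, but a transfer signed by the owner's own key needs no approval at all, so revocation does nothing once that key is in someone else's hands. Account names, keys and balances are constructed for the example, and "signers" is a plain set standing in for verified transaction signatures.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass
class TokenAccount:
    owner: str                       # public key that controls the account
    amount: int
    delegate: Optional[str] = None   # third party approved to spend up to delegated_amount
    delegated_amount: int = 0


class Ledger:
    """Toy model of SPL token authority checks (illustration only, not Solana's code).
    An instruction is accepted only if its authority is in the transaction's signer set,
    which in reality means whoever holds that key's secret produced a valid signature."""

    def __init__(self) -> None:
        self.accounts: Dict[str, TokenAccount] = {}

    def approve(self, src: str, delegate: str, amount: int, signers: Set[str]) -> None:
        acct = self.accounts[src]
        if acct.owner not in signers:
            raise PermissionError("approve requires the owner's signature")
        acct.delegate, acct.delegated_amount = delegate, amount

    def revoke(self, src: str, signers: Set[str]) -> None:
        acct = self.accounts[src]
        if acct.owner not in signers:
            raise PermissionError("revoke requires the owner's signature")
        acct.delegate, acct.delegated_amount = None, 0

    def transfer(self, src: str, dst: str, amount: int, authority: str, signers: Set[str]) -> None:
        acct = self.accounts[src]
        if authority not in signers:
            raise PermissionError("authority did not sign")
        if authority == acct.owner:
            pass                               # owner can always spend; no allowance involved
        elif authority == acct.delegate and amount <= acct.delegated_amount:
            acct.delegated_amount -= amount    # delegate spends against its allowance
        else:
            raise PermissionError("authority is neither owner nor an approved delegate")
        if amount > acct.amount:
            raise ValueError("insufficient funds")
        acct.amount -= amount
        self.accounts[dst].amount += amount


def revoke_vs_key_compromise() -> Dict[str, object]:
    """Run the scenario from the article: revoking a dapp's approval stops the dapp,
    but not someone holding the owner's own secret key."""
    ledger = Ledger()
    ledger.accounts["victim"] = TokenAccount(owner="victim_pk", amount=100)
    ledger.accounts["dapp"] = TokenAccount(owner="dapp_pk", amount=0)
    ledger.accounts["attacker"] = TokenAccount(owner="attacker_pk", amount=0)

    # Normal dapp flow: owner approves 50, the dapp spends 30 of it.
    ledger.approve("victim", "dapp_pk", 50, signers={"victim_pk"})
    ledger.transfer("victim", "dapp", 30, "dapp_pk", signers={"dapp_pk"})

    # Owner revokes: the dapp's remaining allowance is gone.
    ledger.revoke("victim", signers={"victim_pk"})
    try:
        ledger.transfer("victim", "dapp", 10, "dapp_pk", signers={"dapp_pk"})
        delegate_blocked = False
    except PermissionError:
        delegate_blocked = True

    # Key compromise: whoever holds victim_pk's secret signs as the owner, so the
    # transfer is indistinguishable from one the victim made. Revoke changed nothing here.
    remaining = ledger.accounts["victim"].amount
    ledger.transfer("victim", "attacker", remaining, "victim_pk", signers={"victim_pk"})

    return {
        "delegate_blocked_after_revoke": delegate_blocked,
        "victim_balance": ledger.accounts["victim"].amount,
        "dapp_balance": ledger.accounts["dapp"].amount,
        "attacker_balance": ledger.accounts["attacker"].amount,
    }


if __name__ == "__main__":
    print(revoke_vs_key_compromise())
```

The model shows why the advice in this post is to move funds rather than to revoke: revocation only touches the delegate slot, while the drain transactions carry the owner's own signature. The only thing that removes the attacker's authority is a key the attacker does not have, which is what a fresh hardware wallet or an exchange deposit provides.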
If you have staked SOL, check out Nick’s advice for moving your SOL to a new wallet without waiting to un-stake it.