The post Hacker Drains $23K From Bonkfun Users After Fake Terms Message Exploit On Solana appeared on BitcoinEthereumNews.com.

Hacker Drains $23K From Bonkfun Users After Fake Terms Message Exploit On Solana

The Solana ecosystem faced another security scare after a hacker briefly took control of the website of the meme launch platform Bonkfun, tricking users into approving a malicious message that allowed attackers to drain funds from their wallets.

Early blockchain analysis suggests that at least 35 users have been affected, with roughly $23,000 stolen so far.

Blockchain analytics platform Bubblemaps first highlighted the scope of the exploit, noting that while some social media users claim much larger losses, the verifiable on-chain data currently points to a smaller figure.

The incident underscores a growing problem in crypto: social engineering attacks disguised as legitimate wallet approvals. Rather than exploiting the blockchain itself, attackers manipulate users into signing messages that give them access to funds.

Bonkfun Website Compromise Triggers Wallet Draining Incident

The exploit began earlier today when the official Bonkfun website was compromised by a hacker. According to the platform, the attacker modified the site in a way that prompted visitors to sign a fake terms-of-service message.

Users who interacted with the compromised interface were unknowingly granting permissions that allowed the attacker to drain funds from their wallets.

Bonkfun confirmed the breach publicly in a statement posted on X (formerly Twitter), explaining that the attacker temporarily gained control of the site infrastructure and injected malicious prompts.

The platform clarified that not all users were affected. Only individuals who visited the compromised website and signed the fake message after the breach occurred had their wallets exposed.

That distinction is important. Simply visiting the site did not trigger the exploit. The wallet-draining activity only occurred when users approved the fraudulent signature request presented as a standard agreement.

Security experts frequently warn that signing arbitrary messages can be dangerous because these approvals may grant hidden permissions to external contracts or scripts.

Bubblemaps Analysis Identifies Attacker Wallet Network

Shortly after the exploit surfaced, blockchain analytics firm Bubblemaps began tracing the funds. Using public blockchain data, the firm identified 13 wallet addresses linked to the attacker.

According to the investigation, those addresses collectively carried out the exploit operations and received the stolen funds.

In a statement shared on X, Bubblemaps reported that the attacker had already extracted funds from dozens of users.

The analytics firm summarized its findings:

  •  35 users exploited so far
  •  $23,000 in total funds drained
  •  13 addresses linked to the attacker

These figures are based on verified on-chain data combined with reports submitted by affected users.

Blockchain analysis tools make it possible to trace fund movements across addresses. While attackers can move assets between wallets, the public nature of most blockchains allows investigators to map relationships between addresses and identify patterns.

In this case, Bubblemaps said the attacker appears to be distributing stolen funds across several addresses tied to the same entity.

Claims Of Larger Losses Lack On-Chain Evidence

While the confirmed losses currently sit at around $23,000, several social media posts claim that individual users lost far larger sums—some even suggesting damages exceeding $100,000.

However, Bubblemaps says those claims have not been supported by blockchain evidence so far.

The firm explained that it reviewed wallet activity connected to the exploit and did not find transactions that would indicate six-figure losses. The investigation also involved attempts to contact individuals who claimed to be victims.

According to Bubblemaps, several alleged victims were contacted directly, but none responded with verifiable proof of larger losses.

That doesn’t necessarily mean the claims are false, but at this stage investigators say the blockchain data simply does not support the higher estimates circulating online.

In crypto incidents, misinformation often spreads quickly, especially in communities built around high-volatility assets like meme coins. Analysts usually rely on on-chain evidence rather than anecdotal reports when estimating the scale of an exploit.

Social Engineering Attacks Continue To Target Crypto Users

The Bonkfun exploit highlights a tactic that has become increasingly common across the crypto industry: wallet-draining scams that rely on user approvals rather than smart-contract vulnerabilities.

Instead of hacking the blockchain or breaking cryptographic security, attackers design malicious interfaces that trick users into signing approvals they don’t fully understand.

These approvals can allow the attacker to:

  •  Transfer tokens from the victim’s wallet
  •  Execute transactions on their behalf
  •  Interact with contracts using their wallet permissions

The fake terms-of-service prompt used in the Bonkfun exploit is a typical example of this strategy. Because signing messages is common in decentralized applications, many users approve requests quickly without reviewing the details.

Security researchers often recommend that users carefully check any wallet prompt before approving it—especially if the request appears unexpectedly.

Many modern wallet tools now include transaction simulation features that display exactly what will happen if a message is signed. However, not all users take advantage of these safeguards.

Investigation Continues As Analysts Monitor Attacker Wallets

The situation is still developing, and investigators say they will continue monitoring the wallets associated with the exploit.

Because blockchain transactions are public, analysts can track whether the attacker attempts to move the funds through exchanges, bridges, or mixing services.

If the stolen assets eventually interact with centralized exchanges, it may be possible for platforms to flag or freeze the funds, depending on compliance policies.

For now, Bubblemaps says it will continue tracking the 13 identified addresses connected to the attacker and update the community if new activity appears.

Meanwhile, Bonkfun has regained control of its website and is working to ensure the platform remains secure. The team also urged users to remain cautious and verify any wallet requests before signing them.

The incident serves as another reminder that in crypto, the biggest risks often come from interface manipulation rather than protocol-level vulnerabilities.

As decentralized platforms grow more popular—especially meme-driven ecosystems on networks like Solana—security experts warn that attackers will likely continue targeting users through similar social-engineering tactics.

For now, the confirmed damage appears relatively limited compared with other recent exploits. But even a $23,000 incident shows how quickly funds can disappear when users unknowingly approve malicious transactions.

And with blockchain investigators still watching the attacker’s wallets, the final chapter of the Bonkfun exploit may not be written just yet.

Source: https://nulltx.com/hacker-drains-23k-from-bonkfun-users-after-fake-terms-message-exploit-on-solana/
