Bonk.fun Website Was Hijacked and Used to Drain User Wallets: Here Is What to Do

The official Bonk.fun website, a Solana-based memecoin launchpad, was hijacked by attackers who compromised a team-associated domain account and injected a malicious wallet-draining script disguised as a standard Terms of Service prompt, with one trader already reporting a loss of $273,000.

How the Attack Worked

According to official statement by the Bonk.fun team and operator, known as Tom, the breach did not require exploiting smart contract vulnerabilities or breaking wallet encryption. Attackers gained control of the platform’s domain through a compromised team account, then replaced legitimate site functionality with a deceptive Terms of Service pop-up designed to appear as a routine interaction users would not question.

Signing the fake prompt grants the attacker wallet permissions that allow immediate asset transfer. The mechanism is a signature-based drainer, one of the most effective attack vectors in crypto because it bypasses technical security entirely by exploiting user trust in familiar interfaces.

Only users who visited the site and signed the fraudulent prompt during the hijack window beginning Wednesday March 11 are at risk. Users who previously connected wallets before the breach without signing the new prompt are reportedly unaffected. Traders accessing Bonk-related tokens through external terminals rather than the bonk.fun interface directly are also safe.

The $273,000 single-trader loss is the largest confirmed figure. Other reported losses range between 10 and 50 SOL per affected wallet, suggesting the drainer was operating across multiple victim accounts simultaneously during the exposure window.

What To Do

Do not visit bonk.fun until the team issues an explicit all-clear confirming the domain is fully secured and the malicious script has been removed. If you visited the site within the past 24 hours, open your wallet settings and remove Bonk.fun from the connected sites list. That step alone does not revoke permissions already granted. Go to Revoke.cash, connect your wallet, and cancel any approvals associated with the platform’s contracts from the past 24 hours. Check your transaction history for any unauthorized outbound transfers you did not initiate.

The attack pattern here mirrors the broader address poisoning and social engineering threats covered in this publication’s Trust Wallet security analysis earlier this week. The attack surface is not the blockchain or the wallet software. It is the moment a user signs something without fully verifying what they are authorizing. Fake ToS prompts, fake approval requests, and lookalike interfaces are all variations of the same exploit: manufacturing a context where signing feels routine.

Domain-level compromises are particularly dangerous because they affect every user who visits the legitimate URL. There is no way for a user to distinguish a hijacked legitimate domain from its clean version without examining the underlying scripts, which most users do not do. The only protection is speed of response once the breach is identified and immediate revocation of any permissions granted during the exposure window.

If funds have already moved, they are likely unrecoverable. Solana transactions are final and irreversible.

The post Bonk.fun Website Was Hijacked and Used to Drain User Wallets: Here Is What to Do appeared first on ETHNews.