Drift Protocol Durable-Nonce Hijack
DPRK social engineers tricked Drift Security Council members into blind-signing durable-nonce txs that handed over admin control, draining $285M on Solana.
An archive of cryptocurrency security incidents — hacks, exploits, bridge failures and rug pulls, documented with on-chain evidence.
Step Finance lost 261,854 SOL ($27M) from treasury and fee wallets to a 'sophisticated' actor. STEP fell 96%; Step, SolanaFloor and Remora all shut down.
SwissBorg's SOL Earn lost $41.5M (193,000 SOL) via a compromised API at staking vendor Kiln. SwissBorg itself wasn't breached; the third-party infra was.
Attackers drained $44M from CoinDCX's internal liquidity account for partner-exchange reserves; the exchange absorbed the loss from treasury.
Solana's Loopscale lost $5.8M 16 days post-launch via RateX PT token oracle manipulation enabling undercollateralized loans. All funds returned for 10% bounty.
~$73M drained from Phemex hot wallets across 16 blockchains in a coordinated sweep — the first major exchange hack of 2025, with TTPs consistent with Lazarus.
$13.7M drained from UAE-based M2 Exchange hot wallets across BTC, ETH and Solana; identified, contained and customer funds restored in just 16 minutes.
Lazarus drained $54M from CoinEx hot wallets across Ethereum, Tron, BSC and seven other chains, reusing infrastructure from the prior week's Stake.com hit.
$4.4M drained from Raydium's Solana liquidity pools after malware stole the pool-admin private key, then used admin functions to withdraw fees.
SIM-swap operation drained $477M from FTX wallets within hours of the Chapter 11 filing, exploiting the chaos of crypto's biggest collapse since Mt. Gox.
Avraham Eisenberg pumped the MNGO oracle 2,300% in 10 minutes, borrowed $117M against the inflated collateral, and walked — reframing on-chain manipulation law.
~9,231 Solana wallets lost $4.1M after Slope Wallet's app logged users' seed phrases in plain text to a Sentry server, traced back via on-chain forensics.
A $10M USDC flash loan inflated Nirvana's ANA token 4x against its own oracle; the attacker swapped ANA for $13.49M USDT and the NIRV stablecoin depegged 90%.
A fake tick account bypassed Crema's owner check and harvested fictitious fees via CLMM accounting, draining $9.6M on Solana. $8M returned in white-hat deal.
Two missing collateral checks let an attacker mint 2 billion fake CASH stablecoins on Cashio, dropping TVL from $48M to zero in one transaction.
A signature-verification bypass on Wormhole's Solana side let the attacker mint 120,000 wETH out of thin air — backed by no Ethereum collateral.