Solana Wallet Drain Tactics: Innovating Strategies for Building Trust


Solana wallet drainers have recently adopted a new strategy to appear legitimate after siphoning over $900,000 worth of SOL. This involves the use of vanity addresses to enhance their credibility and deceive unsuspecting victims.

Understanding the New Strategy

Scam Sniffer, a platform dedicated to exposing Web3 scams, reported that Solana wallet drainers are creating vanity addresses ending with ‘11111’ to give an illusion of trustworthiness. An example provided by Scam Sniffer highlighted a wallet address, eWxJC…11111, as evidence of this tactic.
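
For defenders, a pre-signing check can flag this pattern instead of trusting it. The following is an added example, not code from Scam Sniffer or Mandiant; the function names, the allowlist and the two sample addresses are constructed assumptions, and the only real identifier used is Solana's System Program ID.

```python
# Added example: screen a Solana address for the vanity-suffix pattern
# described above. All names here are hypothetical.

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# System Program ID: 32 zero bytes, which base58 renders as 32 '1' characters.
SYSTEM_PROGRAM = "1" * 32
# Assumption: an allowlist you maintain from addresses you verified yourself.
VERIFIED = {SYSTEM_PROGRAM}
MIN_RUN = 5  # the reported drainer addresses end in '11111'

# Constructed sample inputs (not real wallets); 43 characters each.
SAMPLE_VANITY = "Demo" + "x" * 34 + "11111"
SAMPLE_PLAIN = "Demo" + "x" * 34 + "abc12"


def b58decode(text):
    """Decode base58 text to bytes; raise ValueError on a bad character."""
    n = 0
    for ch in text:
        digit = B58.find(ch)
        if digit < 0:
            raise ValueError(f"invalid base58 character {ch!r}")
        n = n * 58 + digit
    leading_zeros = len(text) - len(text.lstrip("1"))
    return b"\x00" * leading_zeros + n.to_bytes((n.bit_length() + 7) // 8, "big")


def screen(address):
    """Return 'invalid', 'verified', 'vanity-suffix' or 'unverified'."""
    try:
        if len(b58decode(address)) != 32:  # Solana addresses are 32 bytes
            return "invalid"
    except ValueError:
        return "invalid"
    if address in VERIFIED:
        return "verified"
    ones = len(address) - len(address.rstrip("1"))
    # A trailing run of '1's is cheap to generate and proves nothing about
    # who controls the key, so it is flagged rather than trusted.
    return "vanity-suffix" if ones >= MIN_RUN else "unverified"


if __name__ == "__main__":
    for addr in (SYSTEM_PROGRAM, SAMPLE_VANITY, SAMPLE_PLAIN, "O0Il"):
        print(addr[:8], "->", screen(addr))
```

The exact-match allowlist is the part that carries trust: an address that merely resembles a well-known one is reported as a look-alike, never as verified.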

Expansion into Other Ecosystems

These scammers have not limited their activities to Solana. They operate across the Ethereum (ETH), Solana, and Tron (TRX) ecosystems. A previous report by Coingape revealed their involvement in an airdrop scam, falsely marketed as an “exclusive opportunity” for crypto enthusiasts.

Impact and Victim Statistics

Given the popularity of Ethereum, Solana, and Tron, the number of victims falling prey to these phishing scams is likely substantial. The situation worsens as these crypto hackers relentlessly brand themselves as ‘legitimate.’

Recent Solana Losses

On January 3, 2024, Mandiant’s X account was compromised, leading to the distribution of links to a cryptocurrency drainer phishing page. The cybersecurity firm managed to regain access and released information about the CLINKSINK drainer used in the attack.

According to Mandiant’s report, since December 2023, scammers have employed the CLINKSINK drainer in campaigns targeting Solana users, resulting in over $900,000 worth of SOL losses. The identified campaigns involved 35 affiliate IDs associated with a drainer-as-a-service (DaaS), where operators supply scripts to affiliates for a 20% share of stolen funds.

Modus Operandi of the Scammers

In observed campaigns, crypto scammers utilized social media and chat apps like X and Discord to distribute CLINKSINK-themed phishing pages. These pages mimicked legitimate cryptocurrency resources like Phantom and DappRadar, enticing victims with fake token airdrop rewards. Victims unknowingly connected their wallets and signed transactions for the fake airdrop, allowing the CLINKSINK drainer to siphon their funds.