Bonk.fun Domain Hijack Exposes Users to Wallet-Draining Phishing Scheme

Key Insights:

  • The Bonk.fun domain hijack involved a fake TOS prompt; some users signed it and lost SOL from their wallets.
  • Team warnings went out rapidly, and the exploit was contained shortly after it was found.
  • Ledger researchers discovered a MediaTek vulnerability that revealed PIN data and crypto seed phrases.

The Bonk.fun domain hijack has raised security concerns within the Solana ecosystem after attackers gained access to a team account and deployed a wallet-draining prompt through the memecoin launchpad’s website.

Bonk.fun Domain Hijack Used Fake TOS Prompt to Drain Wallets

According to statements published on X, the incident involved a malicious actor who used the hijacked domain to distribute a fraudulent message requesting wallet authorization. The prompt reportedly asked visitors to sign what appeared to be a routine terms-of-service agreement but was designed to approve transactions capable of draining funds from connected wallets.

Moreover, project representatives said the exploit targeted only users who interacted with the malicious message after the compromise. The team added that previously connected wallets and trades executed through external terminals were not affected by the incident.

The Bonk.fun domain hijack was disclosed through posts on the project’s official X account and updates from a team operator identified as Tom. In a warning shared early Thursday, the project stated that a malicious actor had compromised the Bonk.fun domain and urged users to avoid visiting the website until the situation was resolved.

According to Tom, the attackers attempted to exploit the wallet-signing process used by many decentralised applications to confirm user agreements. Once approved, such requests can grant permission for blockchain transactions associated with the user’s wallet.

Tom posted additional warnings on X, urging users to avoid interacting with the domain while the issue was being investigated. He stated that hackers had forced a drainer onto the domain after compromising a team account.

Early Reports Suggest Limited Losses After Bonk.fun Domain Hijack

Reports of financial losses began appearing in replies to the Bonk.fun team’s warning messages. Several users reported that funds were drained after signing the fraudulent prompt.

One user reported that approximately 50 SOL had been removed from their wallet, while another reported losing about 10 SOL. Other users reported varying amounts of loss in their responses to the incident alerts.

Moreover, project representatives said they were continuing to secure the domain and address the compromise. Bonk.fun has operated for approximately 8 months and serves as a memecoin launchpad within the Bonk ecosystem, built on the Solana blockchain.

Ledger Research Reveals MediaTek Smartphone Vulnerability

In addition, Ledger’s internal security research group, known as the Donjon, reported discovering a vulnerability affecting certain Android smartphones powered by MediaTek processors.

According to Ledger, the flaw could allow attackers to extract encrypted user data in less than a minute via a USB connection alone. The research team demonstrated the vulnerability using a Nothing CMF Phone 1 device connected to a laptop.

Ledger said the Donjon researchers compromised the device’s security in under 45 seconds. During the demonstration, the team reportedly recovered the phone’s PIN, decrypted the device’s storage, and accessed sensitive wallet data.

Charles Guillemet, Ledger’s chief technology officer, said the vulnerability underscores potential security limitations in smartphones used to manage digital assets. He added that the research showed attackers could extract user data, including seed phrases and PINs, even when a device is powered off.

Seed Phrases Extracted From Multiple Mobile Crypto Wallets

During testing, the Donjon researchers said they extracted seed phrases from several mobile cryptocurrency wallets installed on the affected device. The wallets included Trust Wallet, Base, Kraken Wallet, Rabby, Tangem’s mobile wallet, and Phantom.

According to Ledger’s findings, the data extraction process did not require booting the Android operating system. Instead, the researchers accessed the encrypted storage directly after connecting the phone to a computer via a USB cable.

The research indicated that the vulnerability could affect millions of Android devices powered by MediaTek processors.
