Two wallet drainers have successfully stolen millions of dollars worth of crypto assets from Solana users in the last month alone, according to a new report based on public blockchain data.

Deployers of both programs, Rainbow Drainer and Node Drainer, have stolen a combined $4.17 million worth of assets from 3,967 Solana wallets since late November, according to analysis by Scam Sniffer and crypto analytics platform Dune. The majority of those thefts have occurred since mid-December.

Malicious actors appear to have stolen the majority of these funds by targeting specific Solana token communities with NFT airdrops, then attaching phishing website links to those NFTs. Legitimate airdrops—that is, the launch of free tokens or NFTs tied to protocols and apps—are on the rise lately, but so are social media scams presented as real giveaways.

Users of Rainbow Drainer, for instance, targeted holders of ZERO, the native token of Solana meta protocol Analysoor, by airdropping them NFTs that claimed to offer vouchers for 1,000 free ZERO tokens. Curious recipients then proceeded to click the external link affiliated with the NFT, and sign a transaction linking their wallets to the site (presumably in hopes of receiving free tokens). Within seconds, these unsuspecting users’ wallets were drained of all digital assets.


Such attacks using Rainbow Drainer have netted thiefs $2.15 million in the last few weeks, according to data compiled by Dune Analytics. Assets stolen in these exploits include BONK, ZERO, USDT, and USDC, among other tokens. 

Using Node Drainer, hackers placed similar phishing links in Discord groups and infiltrated Twitter accounts to post them, including that of cybersecurity firm and Google subsidiary Mandiant. All told, such exploits netted Node Drainer deployers $2.025 million, primarily in the form of ANALOS and BONK.

While it is unknown how many individuals were behind these attacks, on-chain evidence suggests at least a solid portion of them stemmed from a single individual or small group.


According to Scam Sniffer, a single wallet address associated with the wallets drains used AllBridge to transfer over $1 million worth of stolen assets cross-chain to Ethereum, where the funds were exchanged for ETH and transferred again. 

Whereas many crypto scams on Ethereum can often focus on fooling users into handing over wallet access when those users don’t want to, malicious exploits on Solana often see hackers attempt to convince unsuspecting users to connect wallets for a false pretense—typically, self-enrichment.

Edited by Andrew Hayward

Daily Debrief Newsletter

Start every day with the top news stories right now, plus original features, a podcast, videos and more.