Solana Drainer’s Source Code Saga: Tracing Its Lineage to the Developers of MS Drainer

Cyble researchers found the Solana Drainer source code leaked on a cybercrime forum along with detailed deployment instructions, configuration files, and a backend designed to steal seed phrases and report results via Telegram. The leak links the project to MS Drainer and shows active testing on phishing sites like wondera.app and dflow.life. #SolanaDrainer #MSDrainer

Key points

  • Solana Drainer source code and a Russian instruction manual were leaked as a ZIP archive on a cybercrime forum, enabling replication and modification by other actors.
  • The leak includes frontend and backend code (index.html, main.js, index.js) plus configuration files (database.json, config.php, settings.json) that control phishing behavior and exfiltration.
  • Deployment guidance in the manual recommends renting an Ubuntu 20.04 VPS, using FileZilla to transfer files, and registering domains with specific hosting providers to host phishing pages.
  • Settings.json contains phishing parameters (fake SOL amounts, fake transactions, Phantom wallet phishing modes, double-popup bypass) and a hardcoded high‑balance Solana address used to simulate legitimate transfers.
  • The backend exposes a POST /inf route that captures seed phrases and other metadata, then sends them to a Telegram chat via a bot token specified in configuration.
  • Researchers observed phishing sites (hxxps[:]//wondera.app/ and hxxps[:]//dflow.life/) whose UI matched the leaked source, indicating active testing and deployment.
  • SHA256 hashes of known drainer builds are listed in the IOCs, enabling defenders to detect and block them.

MITRE Techniques

  • [T1566] Phishing – Used to lure victims via fake airdrop/phishing schemes and counterfeit websites (‘fake airdrop or phishing schemes’).
  • [T1189] Drive-by Compromise – Malicious advertisements and promoted posts direct users to phishing pages (‘malicious advertisements to disseminate crypto drainers’).
  • [T1036] Masquerading – Creation of counterfeit profiles and imitation sites to impersonate legitimate entities (‘Generating counterfeit profiles that mimic well-known entities’).
  • [T1204] User Execution – Victims are manipulated into interacting with malicious smart contracts or approving transactions (‘manipulated into interacting with a malicious smart contract’).
  • [T1056] Input Capture – The backend captures sensitive inputs such as seed phrases from victims (‘stealing seed phrases’).
  • [T1071] Application Layer Protocol – Telegram is used as a communication/exfiltration channel to relay captured data (‘send them … to a Telegram chat’).
  • [T1048] Exfiltration Over Alternative Protocol – Stolen funds and data are moved to attacker-controlled wallets and services over blockchain and other channels (‘transferring the stolen assets’).
  • [T1505] Server Software Component – Attackers host phishing pages and server components on rented VPS instances for persistence and operation (‘rent a VPS with Ubuntu 20.04 … transfer files to the server’).
  • [T1027] Obfuscated Files or Information – Leaked drainer source code and scripts are often obfuscated or packaged to hinder detection (‘source codes and malicious scripts are often obfuscated’).

Indicators of Compromise

  • [URL] Phishing sites – hxxps[:]//dflow.life/, hxxps[:]//wondera.app/
  • [SHA256] Drainer binaries/hashes – 05bc32a2589c3784970e71d549268e2d832cd51a61ecbdc912e9d527444e9b09 (Solana Drainer), 7bc6e936176a03e719d55d7597ed47fc72ce63eeca20470cad94a66f9f3b3ae7 (SpaceX Drainer)
  • [Crypto Address] Hardcoded Solana owner used in fake transactions – 9WzDXwBbmkg8ZTbNMqUxvQRAyrZzDsGYdLVL9zYtAWWM
  • [Domain] Hosting/VPS providers referenced in deployment guides – 4vps.su (VPS), 4host.su / 4domain.su (web hosting)

Solana Drainer technical procedure (condensed):

The leaked ZIP contains an instruction manual (Russian) and a SOLANA_DRAINER.zip with frontend and backend source. Deployment guidance instructs operators to rent an Ubuntu 20.04 VPS (examples: 4vps.su), upload files via FileZilla, configure a domain and PHP (PHP8/FastCGI), and start the backend service. Defenders should note the referenced hosting providers and the phishing test sites whose UI matches the leaked templates.

Configuration files define operational parameters: database.json holds telegramBotToken, ownerPublicKey (attacker Solana address), connectionKey, and RPC endpoints (solanaRPCHostHTTPS/WSS) plus backendPort. config.php sets $BACKEND_HOST, $BACKEND_PROTOCOL, $BACKEND_KEYCODE, $GROUP_CHAT_ID and $IS_CLOUDFLARED. settings.json controls phishing UX and behavior (fake SOL amounts, number of fake transactions, modal types, phantomWallet.type for drain vs seed phishing, doublePopup bypass settings) and includes a hardcoded ‘phantomWallet.doublePopup.solanaOwner’ used to simulate real transfers.
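For defenders triaging a seized or leaked deployment, the key names above are enough to fingerprint the configuration files. The following is an added example, not code from Cyble's report or from the drainer itself; the sample JSON is constructed with placeholder values, and only the `solanaOwner` address and the key names come from the report.

```python
import json

# The one hardcoded address the report quotes from the leaked settings.json.
KNOWN_SOLANA_OWNER = "9WzDXwBbmkg8ZTbNMqUxvQRAyrZzDsGYdLVL9zYtAWWM"

# Key names the report attributes to database.json and settings.json.
DATABASE_KEYS = {"telegramBotToken", "ownerPublicKey", "connectionKey",
                 "solanaRPCHostHTTPS", "solanaRPCHostWSS", "backendPort"}
SETTINGS_PATHS = {"phantomWallet.type", "phantomWallet.doublePopup.solanaOwner"}


def flatten(obj, prefix=""):
    """Flatten nested JSON objects into {dotted.path: leaf_value}; lists count as leaves."""
    if not isinstance(obj, dict):
        return {prefix.rstrip("."): obj}
    out = {}
    for key, value in obj.items():
        out.update(flatten(value, f"{prefix}{key}."))
    return out


def triage_config(text):
    """Report which drainer-schema keys a JSON config contains, plus concrete findings."""
    flat = flatten(json.loads(text))
    matched = sorted(k for k in flat if k in DATABASE_KEYS or k in SETTINGS_PATHS)
    findings = []
    if "telegramBotToken" in flat:
        findings.append("telegramBotToken present: Telegram exfiltration channel configured")
    if flat.get("phantomWallet.doublePopup.solanaOwner") == KNOWN_SOLANA_OWNER:
        findings.append("solanaOwner matches the hardcoded address from the leaked build")
    return {"matched_keys": matched, "score": len(matched), "findings": findings}


# Constructed samples (placeholder values, not taken from the leak) for a stand-alone run.
SAMPLE_DATABASE_JSON = """{
  "telegramBotToken": "0000000000:PLACEHOLDER_BOT_TOKEN",
  "ownerPublicKey": "PLACEHOLDER_ATTACKER_PUBKEY",
  "connectionKey": "PLACEHOLDER_KEY",
  "solanaRPCHostHTTPS": "https://rpc.example.invalid",
  "solanaRPCHostWSS": "wss://rpc.example.invalid",
  "backendPort": 3000
}"""
SAMPLE_SETTINGS_JSON = """{
  "phantomWallet": {"type": "drain",
                    "doublePopup": {"solanaOwner": "9WzDXwBbmkg8ZTbNMqUxvQRAyrZzDsGYdLVL9zYtAWWM"}}
}"""

if __name__ == "__main__":
    for sample in (SAMPLE_DATABASE_JSON, SAMPLE_SETTINGS_JSON):
        print(triage_config(sample))
```

A score of several matched keys on an unknown JSON file is a strong hint that it belongs to this drainer family even when the values have been changed.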

The front end (index.html, modals.js, main.js) renders phishing pages and triggers wallet interactions/popups to prompt Connect and approval flows; main.js contains logic for constructing and submitting transactions to drain assets. The backend (index.js) exposes routes (notably POST /inf) that accept seed phrases and related metadata, then send alerts and captured data to a Telegram chat via a configured bot (sendMessageToChat). Operational alerts implemented include new-transaction, user-connected, site-opened, request-rejected, seed-phrase-received, and withdrawal-request notifications, enabling rapid attacker response and asset exfiltration to attacker-controlled wallets.
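The POST /inf route and the two phishing hosts give defenders something concrete to hunt for in web-proxy or server logs. The following is an added example, not code from the report or the drainer; it assumes a combined log format with referer and user-agent fields, and the log lines are constructed.

```python
import re
from urllib.parse import urlsplit

# Phishing hosts named in the report; the backend route it describes is POST /inf.
PHISHING_HOSTS = {"dflow.life", "wondera.app"}
EXFIL_ROUTE = ("POST", "/inf")

# Combined log format with referer and user-agent (layout is an assumption).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def classify(line):
    """Return the reasons a log line looks like drainer activity (empty list if none)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    reasons = []
    # Normalise the path so "/inf/", "/inf?x=1" match but "/info" does not.
    path = urlsplit(m["path"]).path.rstrip("/") or "/"
    if (m["method"], path) == EXFIL_ROUTE:
        reasons.append("POST /inf: seed-phrase capture route from the leaked backend")
    ref_host = urlsplit(m["referer"]).hostname or ""
    if ref_host in PHISHING_HOSTS:
        reasons.append(f"referer from known phishing host {ref_host}")
    return reasons


def scan_access_log(lines):
    """Return (line_number, client_ip, reasons) for every suspicious line."""
    hits = []
    for number, line in enumerate(lines, 1):
        reasons = classify(line)
        if reasons:
            hits.append((number, LOG_RE.match(line)["ip"], reasons))
    return hits


# Constructed log lines: one exfiltration POST, two benign requests, one phishing referer.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jan/2024:10:00:00 +0000] "POST /inf HTTP/1.1" 200 15 "https://wondera.app/" "Mozilla/5.0"
203.0.113.11 - - [01/Jan/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.12 - - [01/Jan/2024:10:00:02 +0000] "GET /info HTTP/1.1" 200 10 "-" "curl/8.0"
203.0.113.13 - - [01/Jan/2024:10:00:03 +0000] "GET /claim HTTP/1.1" 200 900 "https://dflow.life/airdrop" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```

Run against egress proxy logs, a hit on the route alone is worth escalating because a victim who reached POST /inf has already typed a seed phrase into the page.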

Read more: https://cyble.com/blog/solana-drainers-source-code-saga-tracing-its-lineage-to-the-developers-of-ms-drainer/