On March 12, 2026, Solana memecoin launchpad Bonk.fun warned users to stop using its site after attackers hijacked the domain and pushed a wallet-draining prompt designed to trick visitors into signing a malicious transaction. Cointelegraph reported that hackers gained access via a compromised team account and used it to display a fake message on the site and it’s still there.
It’s the kind of incident that can hit anyone, including experienced traders, because it looks “normal” at first. You’re on the right website. The UI looks familiar. Then a pop-up asks you to sign something that seems harmless—like a terms-of-service update. And that single click can be enough to authorize asset transfers.
Let’s break down what happened, why wallet drainers are so effective, and what you can do right now to protect yourself.
What happened to Bonk.fun
Cointelegraph’s timeline is straightforward:
- The Bonk.fun domain was hijacked, and a malicious actor used compromised access to push a fake message designed to get users to sign a transaction.
- The project warned users not to interact with the website until the team secured the domain.
- The operator behind Bonk.fun (referred to as Tom) said the exploit targeted users who signed a fraudulent terms-of-service prompt that appeared during the breach.
Decrypt’s coverage matched the same key details: a compromised team account, a wallet-draining phishing prompt, and a fake “TOS” signature request. Decrypt also noted browser security systems later flagged the website as suspected phishing, and that the team believed losses were limited because the issue was detected quickly.
Who was affected (and who wasn’t)
This part is crucial, because it explains how these attacks are designed.
Both Cointelegraph and Decrypt reported that users were affected only if they interacted with the malicious prompt and signed the fake TOS message after the compromise. Users who had previously connected wallets to Bonk.fun were not necessarily impacted by that fact alone, and people trading tokens elsewhere were generally fine—because the attack needed fresh user approval to drain funds.
Cointelegraph also reported some users claimed losses, including examples of 50 SOL and 10 SOL drained, though the team did not publish a total dollar estimate at the time.
What is a wallet drainer, exactly?
A crypto wallet drainer is not “magic hacking.” It’s usually a malicious flow that convinces you to approve a transaction (or token permission) that gives the attacker control.
Kaspersky describes a crypto drainer as malware designed to quickly empty wallets by siphoning valuable assets into attacker-controlled wallets—often after victims are tricked into approving something.
That’s why drainers are so dangerous: the blockchain does exactly what you authorized. The attacker isn’t always bypassing security—they’re exploiting human trust and confusing signing prompts.
How domain hijacks turn into drained wallets
Most people assume “I’m safe if I’m on the correct website.” Unfortunately, that’s not always true.
A domain hijack can happen when attackers gain control of something in the site’s publishing chain—like DNS settings, a registrar account, or an internal admin account used to push updates. In the Bonk.fun incident, both Cointelegraph and Decrypt said attackers gained access through a compromised team account and used that to push the malicious prompt via the real domain.
That’s the nightmare scenario: you’re not clicking a fake link. You’re visiting the real site, but the site itself is temporarily weaponized.
From there, the playbook is simple:
- Show a prompt that looks routine (“accept updated terms”)
- Ask the user to sign
- The signature approves a transaction or permission that enables theft
Why Solana users are frequent targets
Solana has fast confirmations and a huge retail user base—perfect conditions for phishing campaigns. Academic work has documented that phishing on Solana includes multiple transaction tricks and has led to meaningful losses across detected cases.
It’s not that Solana is uniquely “insecure.” It’s that Solana is popular, fast-moving, and memecoin-heavy—so attackers know there’s always a fresh stream of users clicking fast.
What to do if you interacted with Bonk.fun during the incident?
If you visited Bonk.fun around the hijack window and signed anything that looked like a “terms” prompt, treat it as an emergency.
1) Move remaining funds to a fresh wallet
If you signed a malicious approval, the attacker may still have permissions.
2) Revoke token approvals (where possible)
If the drainer involved token approvals, revoking permissions can help stop further losses. (The exact steps depend on the network and tools you use.)
3) Check recent transactions
Look for unfamiliar transfers, token approvals, or repeated attempts.
4) Don’t “test” the site again
Wait for an official all-clear from the team. Cointelegraph reported the project explicitly told users not to interact with the site until secured.
How to avoid wallet drainers going forward
Here’s the practical anti-drainer checklist—especially relevant for memecoin launchpads and new dapps:
Use a “burner wallet” for high-risk activity
Keep a small “trading wallet” for memecoins and experimental sites. Keep your long-term holdings in a separate wallet that never touches random dapps.
Read signing prompts like you read bank transfer screens
If a prompt is vague, unexpected, or asks for broad permissions—stop.
Drain attacks often succeed because people sign quickly during hype moments.
Be suspicious of “TOS updates,” “verification,” and “security prompts”
Bonk.fun’s attack specifically used a fake terms-of-service signature prompt.
Any time a site asks you to sign something that doesn’t clearly connect to what you’re doing, assume risk.
Use browser and wallet warnings—but don’t rely on them
In this case, browsers later flagged the site for phishing.
That helps, but it’s not instant, and some users will click before warnings propagate.
Slow down when it feels urgent
Scams thrive on urgency: “sign now,” “claim now,” “confirm now.” The best defense is often a 10-second pause.
Why this story matters beyond Bonk.fun
Bonk.fun is one platform, but the pattern is bigger:
- Attackers are increasingly targeting the web layer (domains, admin accounts, publishing tools), not only smart contracts.
- “Wallet drainer” attacks don’t need sophisticated exploits—just believable prompts.
- The fastest-growing parts of crypto (memecoins, launchpads, airdrops) are also the easiest to weaponize.
Cointelegraph’s report makes it clear: the domain hijack wasn’t a rumor—it was confirmed by the team and involved a real malicious prompt delivered through the official site.
That’s why “I only use official links” is necessary but not sufficient in 2026. The internet supply chain is part of your threat model now.