Disclaimer: SpendNode is for informational purposes only and is not a financial advisor. Some links on this site are affiliate links - we may earn a commission at no extra cost to you. This does not affect our data or rankings.

Hackers Hijacked the BONK.fun Domain and Planted a Wallet Drainer on Solana's Biggest Meme Launchpad

Updated: Mar 12, 2026
By SpendNode Editorial

Key Analysis

BONK.fun team confirms hackers took over a team account and embedded a crypto drainer on the Solana token launchpad domain, tricking users with a fake TOS prompt.

A Fake Terms of Service Prompt Became a Wallet Drainer

Hackers compromised a BONK.fun team account on March 12, 2026, and used that access to embed a crypto drainer directly on the bonk.fun domain. The attack targeted users of the Solana-based meme coin launchpad by displaying a fraudulent "Terms of Service" prompt that, when signed, authorized the drainer to siphon funds from connected wallets.

CoinDesk reported the alert shortly after the BONK.fun team confirmed the breach. The team warned users to avoid the bonk.fun website entirely until further notice. DEGEN NEWS published a screenshot of the team's warning, confirming the drainer was embedded at the domain level.

The attack comes during a period of broad market weakness. As of March 12, 2026, SOL trades at $85.24 (down 1.5% in 24 hours and 5.8% over seven days), while BTC sits at $69,420 (down 0.9%) and the Fear & Greed Index reads 25, firmly in "Fear" territory.

BONK.fun Is Not a Minor Platform

BONK.fun, also known as LetsBonk.fun, is one of the largest token launchpad platforms on Solana. Built on the BONK meme coin ecosystem and integrated with Raydium, the platform competes directly with Pump.fun for memecoin launches. At its peak, BONK.fun flipped Pump.fun in daily token creation volume, making it one of the highest-traffic DeFi interfaces on Solana.

The platform connects to Raydium's automated market maker for token liquidity, meaning a compromise at the domain level puts any user who visits the site at risk, not just those actively trading BONK tokens. The launchpad's user base skews toward retail Solana traders who frequently connect wallets and sign transactions, the exact behavior the drainer exploited.

How the Phishing Drainer Worked

The attack vector was a domain-level compromise, not a smart contract exploit. Hackers gained access to a BONK.fun team account (likely an admin credential for the domain registrar or hosting provider) and injected malicious code into the website itself.

When users visited bonk.fun after the compromise, they were presented with what appeared to be a standard Terms of Service approval prompt. Clicking "Accept" or signing the transaction did not agree to terms. It authorized a wallet drainer contract to transfer tokens out of the user's wallet.

This attack pattern, known as a "Drainer-as-a-Service" (DaaS) deployment, has become increasingly common across the crypto ecosystem. Drainer kits are available on underground markets for as little as $250 per month, and they target high-traffic DeFi frontends precisely because users are conditioned to sign approval transactions without reading the details.

The critical distinction: only users who visited bonk.fun after the compromise and signed the fake TOS were affected. Users who had connected wallets before the hack, traded through external terminals like Jupiter or Raydium directly, or used BONKbot via Telegram were not impacted.

If You Signed Anything on BONK.fun, Act Now

Anyone who visited bonk.fun in the hours before the team's warning should take immediate steps:

  1. Revoke token approvals. Use a tool like Solana's revoke.cash or the built-in approval manager in Phantom or Solflare to check for and revoke any suspicious token approvals.

  2. Move remaining funds. If your wallet interacted with bonk.fun during the compromised window, transfer all assets to a fresh wallet. A compromised approval can drain tokens even after the initial interaction.

  3. Check transaction history. Review your recent transactions on Solscan or Solana Explorer. Look for any outbound transfers you did not initiate.

  4. Do not revisit bonk.fun. The team has not yet confirmed that the domain is safe. Major browsers have begun displaying phishing warnings for the site, but do not rely on browser detection alone.
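
Steps 1 and 3 above can be scripted. The following is an added example, not code from the article or from the BONK.fun team: it assumes the "approval" took the form of an SPL Token delegate on the classic Token program, and it parses the `jsonParsed` reply of the Solana `getTokenAccountsByOwner` RPC method to list every token account that still has a delegate. The account, mint and delegate names in the sample are constructed placeholders.

```javascript
// Added example: flag SPL token accounts that still carry an active delegate.
// All account, mint and delegate names below are constructed placeholders.
const TOKEN_PROGRAM_ID = "TokenkegQfeZyiNwAJbNbGKPFXCWuBvf9Ss623VQ5DA";

// JSON-RPC body that asks a Solana node for every token account of `owner`.
function buildRequest(owner) {
  return {
    jsonrpc: "2.0", id: 1, method: "getTokenAccountsByOwner",
    params: [owner, { programId: TOKEN_PROGRAM_ID }, { encoding: "jsonParsed" }],
  };
}

// Return one finding per token account whose delegate can still spend tokens.
function findDelegations(rpcResponse) {
  const findings = [];
  for (const { pubkey, account } of rpcResponse.result.value) {
    const info = account.data.parsed.info;
    if (!info.delegate) continue;                 // no approval outstanding
    const balance = BigInt(info.tokenAmount.amount);
    const allowed = BigInt(info.delegatedAmount?.amount ?? "0");
    if (allowed === 0n) continue;                 // zero allowance: nothing spendable
    findings.push({
      tokenAccount: pubkey,
      mint: info.mint,
      delegate: info.delegate,
      allowed: allowed.toString(),                // raw units, kept as a string (u64)
      coversFullBalance: allowed >= balance,      // delegate can move everything held
    });
  }
  return findings;
}

// Constructed sample reply, trimmed to the fields the check reads.
const acct = (pubkey, mint, amount, delegate, delegated) => ({
  pubkey,
  account: { data: { program: "spl-token", parsed: { type: "account", info: {
    mint, owner: "OWNER_WALLET_CONSTRUCTED", state: "initialized",
    tokenAmount: { amount, decimals: 6 },
    ...(delegate && { delegate, delegatedAmount: { amount: delegated, decimals: 6 } }),
  } } } },
});
const SAMPLE_RESPONSE = { jsonrpc: "2.0", id: 1, result: { context: { slot: 1 }, value: [
  acct("TOKEN_ACCT_A", "MINT_A", "5000000", null, null),
  acct("TOKEN_ACCT_B", "MINT_B", "2500000", "UNKNOWN_DELEGATE_X", "18446744073709551615"),
  acct("TOKEN_ACCT_C", "MINT_C", "9000000", "KNOWN_DELEGATE_Y", "1000000"),
] } };

console.log(findDelegations(SAMPLE_RESPONSE));
```

An empty result does not clear a wallet: a drainer that transferred assets outright leaves no delegate behind, which is why the transaction-history review in step 3 is still needed.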

Users who hold assets in self-custody wallets had the advantage of controlling their own keys, but the approval-based attack demonstrates that self-custody does not eliminate all risks. Signing a malicious transaction can be just as devastating as a custodial platform being hacked.

Domain Hijacking Is the New Smart Contract Exploit

This incident follows a pattern that has accelerated in 2025 and 2026. Attackers have shifted from targeting smart contracts (which are increasingly audited and battle-tested) to targeting the frontend infrastructure that connects users to those contracts.

Notable precedents include:

  • Curve Finance (2022): DNS hijack redirected curve.fi traffic to a cloned site with a drainer.
  • Balancer (2023): Frontend DNS attack affected the Balancer website.
  • Mandiant's X account (2024): Hackers took over Google's cybersecurity division's X handle to promote a drainer.
  • Solareum/BONKbot ecosystem (2024): 302 wallets drained of approximately $523,000 through a related Solana ecosystem exploit.

The bonk.fun attack is a textbook example of why security audits focused exclusively on smart contracts miss the bigger picture. The underlying Raydium contracts were not compromised. The BONK token itself was not affected. The vulnerability was in the web2 layer: the domain, the hosting, the team credentials. That is the weakest link in most DeFi protocols today.

For users of crypto spending cards, this is a reminder that the bridge between your wallet and the real world has multiple layers of risk. Even if your card provider uses a non-custodial architecture, the frontend you use to load funds or manage your card is a potential attack surface. Bookmark official URLs, verify domain certificates, and never sign transactions from unfamiliar prompts.

The Broader Solana Security Landscape

Solana's high throughput and low fees have made it the default chain for memecoin activity, but that popularity comes with a larger attack surface. The chain processes millions of transactions daily, and the memecoin trading culture encourages rapid wallet connections and frequent transaction signing, exactly the behavior that drainer attacks exploit.

The BONK.fun hack also raises questions about launchpad security standards. Pump.fun, BONK.fun, and similar platforms handle enormous volumes of user interactions, but their security infrastructure often lags behind the DeFi protocols they connect to. A domain hijack on a launchpad with this kind of traffic volume could theoretically drain millions before detection.

The BONK team's quick response, warning users within hours and getting browser-level phishing flags activated, limited the damage. But the attack window between compromise and detection is the critical variable. Every minute of exposure is a minute where unsuspecting users sign away their assets.

Overview

Hackers compromised a BONK.fun team account on March 12, 2026, injecting a wallet drainer disguised as a Terms of Service prompt on the Solana launchpad's domain. Only users who signed the fake TOS were affected; those who traded through external terminals or BONKbot were not impacted. The attack targeted the web2 infrastructure layer (domain and hosting), not the BONK token or Raydium smart contracts. Users who interacted with bonk.fun during the compromised window should revoke token approvals immediately, move assets to a fresh wallet, and wait for the team's official all-clear before revisiting the site.

Frequently Asked Questions

Was the BONK token itself hacked?

No. The BONK token smart contract and the Raydium liquidity pools were not affected. The attack targeted the bonk.fun website domain, not the underlying blockchain infrastructure.

Am I affected if I used BONKbot on Telegram?

No. BONKbot operates independently of the bonk.fun website. Only users who visited the bonk.fun domain after the compromise and signed the fake Terms of Service prompt were affected.

How do I check if my wallet was drained?

Review your transaction history on Solscan (solscan.io) by entering your wallet address. Look for any outbound transfers you did not authorize. Also check your token approval list using revoke.cash.

Is bonk.fun safe to use now?

As of March 12, 2026, the BONK.fun team has warned users to avoid the domain. Do not visit bonk.fun until the team issues an official all-clear statement on their verified X account (@bonk_fun).

How can I protect myself from domain hijack attacks?

Bookmark official DeFi URLs rather than searching for them. Use hardware wallets that require physical confirmation for every transaction. Never sign a "Terms of Service" or similar prompt that triggers a wallet signature request. Legitimate TOS agreements do not require on-chain signatures.

Disclaimer: This article is provided for informational purposes only and does not constitute financial advice. All fee, limit, and reward data is based on issuer-published documentation as of the date of verification.
