March 14, 2026 ChainGPT

Bonk.fun Domain Hijacked — Fake "Terms" Signature Drains Wallets, Users Warned to Avoid Site

Bonk.fun domain hacked — fake “Terms” prompt drained wallets, users warned to avoid site

A memecoin launchpad on Solana, Bonk.fun, confirmed on March 12 that its main domain was compromised and a wallet-draining script was injected into the site, exposing anyone who interacted with a malicious prompt to immediate fund theft. Tom (@SolportTom), an operator for the platform, alerted users on X (formerly Twitter), urging people not to use the bonk.fun domain “until further notice” after attackers hijacked a team account and pushed a drainer onto the frontend. The project’s official account — backed by Raydium and the BONK community — issued the same warning and advised users to avoid the site while the team secures infrastructure.

How the attack worked

According to Tom, the compromise wasn’t a smart-contract exploit: attackers took over the web frontend and presented a fake “Terms of Service” signature prompt. If users signed that prompt, the malicious approval allowed the drainer to move funds from their wallets. Tom emphasized that only users who signed that fake TOS were affected — previously connected users and those trading BONKfun tokens through third-party terminals were not impacted. The team said the breach was spotted quickly and losses remained minimal so far.

Why this matters

This incident is another example of Web2 failures bleeding into Web3 security. Domain hijacks, frontend compromises and UI-based approval phishing circumvent smart-contract safety by tricking users into granting dangerous permissions. Chainalysis estimates billions lost to on-chain scams — reporting roughly $14 billion in scam inflows in 2025 and projecting that number higher as more wallet compromises are uncovered.

The attack also follows a string of similar social- and frontend-based scams: in February last year Pump.fun’s X account was hijacked to push a fake token, and high-profile victims such as OG trader Sillytuna have been forced out of the market after multimillion-dollar thefts that combined online manipulation with real-world harassment.

Practical takeaways for traders

- Avoid interacting with project domains from links you don’t trust; check for official announcements before signing anything.
- Prefer interacting directly with verified contracts or using trusted aggregators and UIs.
- Regularly scan and revoke token approvals using wallet tools, and consider hardware wallets for large balances.
- Harden Web2 touchpoints: projects should protect domains, social accounts and team credentials to prevent frontend compromises.

Bonk.fun’s team continues to investigate and remediate the issue; users should stay tuned to official channels for updates and avoid the domain until the project confirms it’s secure.
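The "scan and revoke token approvals" advice above is concrete on Solana: an approval is a delegate recorded inside each SPL token account, and a drainer that obtains a signature typically ends up as that delegate with an unlimited delegated amount. The script below is an added example, not code from Bonk.fun, ChainGPT or the SPL Token project; it decodes the 165-byte SPL Token account layout (mint, owner, amount, delegate, delegated_amount, close_authority) and flags any account whose delegate is set to a key you do not recognise, which is exactly what wallet "revoke" tools surface. The wallet, mint and DRAINER keys are constructed placeholders, and the sample account bytes are built inline with the encoder so the script runs offline; in practice the raw bytes would come from an RPC call such as getTokenAccountsByOwner.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# Byte layout of an SPL Token "Account" (165 bytes) as packed by the Solana
# SPL Token program: little-endian integers, COption<T> = u32 tag + T.
ACCOUNT_LEN = 165
U64_MAX = 2**64 - 1


@dataclass
class TokenAccount:
    mint: bytes
    owner: bytes
    amount: int
    delegate: Optional[bytes]        # the "approval": who may move tokens for the owner
    delegated_amount: int
    close_authority: Optional[bytes]


def _coption_pubkey(buf: bytes, off: int) -> Optional[bytes]:
    """Decode COption<Pubkey>: u32 tag (0 = None, 1 = Some) followed by 32 bytes."""
    tag = struct.unpack_from("<I", buf, off)[0]
    if tag == 0:
        return None
    if tag != 1:
        raise ValueError(f"bad COption tag {tag} at offset {off}")
    return bytes(buf[off + 4:off + 36])


def parse_token_account(data: bytes) -> TokenAccount:
    """Parse raw SPL token account data (the decoded payload an RPC node returns)."""
    if len(data) != ACCOUNT_LEN:
        raise ValueError(f"expected {ACCOUNT_LEN} bytes, got {len(data)}")
    return TokenAccount(
        mint=bytes(data[0:32]),
        owner=bytes(data[32:64]),
        amount=struct.unpack_from("<Q", data, 64)[0],
        delegate=_coption_pubkey(data, 72),          # bytes 72..108
        # state (u8) at 108 and is_native (COption<u64>) at 109..121 are skipped
        delegated_amount=struct.unpack_from("<Q", data, 121)[0],
        close_authority=_coption_pubkey(data, 129),  # bytes 129..165
    )


def encode_token_account(mint, owner, amount, delegate=None,
                         delegated_amount=0, close_authority=None) -> bytes:
    """Inverse of parse_token_account; used here only to build constructed sample data."""
    def coption(pk):
        return struct.pack("<I", 1) + pk if pk is not None else struct.pack("<I", 0) + bytes(32)
    buf = mint + owner + struct.pack("<Q", amount)
    buf += coption(delegate)
    buf += bytes([1])                        # state = Initialized
    buf += struct.pack("<I", 0) + bytes(8)   # is_native = None
    buf += struct.pack("<Q", delegated_amount)
    buf += coption(close_authority)
    assert len(buf) == ACCOUNT_LEN
    return buf


def find_open_approvals(raw_accounts: List[bytes], trusted=frozenset()) -> List[dict]:
    """One finding per token account whose delegate is set to a key outside `trusted`.
    These are the approvals a revoke tool would offer to clear."""
    findings = []
    for raw in raw_accounts:
        acct = parse_token_account(raw)
        if acct.delegate is None or acct.delegate in trusted:
            continue
        findings.append({
            "mint": acct.mint.hex(),
            "delegate": acct.delegate.hex(),
            "delegated_amount": acct.delegated_amount,
            "unlimited": acct.delegated_amount == U64_MAX,  # u64::MAX approval = drain anything
        })
    return findings


# --- constructed sample: two token accounts owned by one wallet (fake 32-byte keys) ---
WALLET = bytes([0x11] * 32)
MINT_A = bytes([0xA1] * 32)
MINT_B = bytes([0xB2] * 32)
DRAINER = bytes([0xDD] * 32)   # hypothetical delegate granted by a malicious signature

SAMPLE_ACCOUNTS = [
    encode_token_account(MINT_A, WALLET, amount=5_000_000),                # no delegate
    encode_token_account(MINT_B, WALLET, amount=42_000_000,
                         delegate=DRAINER, delegated_amount=U64_MAX),     # open approval
]

if __name__ == "__main__":
    for finding in find_open_approvals(SAMPLE_ACCOUNTS):
        print("open approval:", finding)
```

Revoking is a separate on-chain instruction (the SPL Token program's Revoke) signed by the owner; the scanner only tells you which accounts need it. Passing a `trusted` set lets you whitelist delegates you deliberately granted, for example a known DEX program, so only unexpected ones are reported.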