Yesterday, the cybersecurity firm CertiK reported a possible exploit that affected users of the BONKbot Solana Telegram trading bot. "Based on reports, it appears that at least approximately $208,000 has been stolen," CertiK estimated the losses.
CertiK’s team speculated that the potential cause of financial damage to cryptocurrency traders was a private key leak.
Read also: Wallet Drainers Target Almost 5 Million Video Game Players
BONKbot also shared news about the exploit with its community. It appeared that the team behind the bot attempted to clarify things, however, its comments on the situation caused confusion among the bot’s users. Although the BONKbot team admitted the breach, it also insisted on the safety of the bot, emphasizing that "there are exploits being triggered elsewhere in the ecosystem."
BONKbot explained that its logs "show that every user account being drained has previously exported their private keys," claiming that those users who had not exported their private keys were not affected by the exploit. According to BONKbot, wallets of other applications, not connected to BONKbot, were also drained.
The team has committed to identifying the compromised third-party application responsible for the financial losses experienced by BONKbot users who connected their wallets to this software. They assured that the funds of users who did not export their private keys are "100% SAFE," as BONKbot itself was not affected.
In its later posts, BONKbot provided its users with more details on the incident, highlighting that 113 victims, making up less than 0.1% of the bot’s users, were affected. Again, the team stressed that its analysis "strongly suggests the exploit occurred from those victims importing private keys into a specific application," adding that its data showed exactly 113 keys exported from BONKbot. The bot’s team also guaranteed that its "industry-grade AES-256 encryption will keep you safe," however, this protection would not work anymore if private keys are exported elsewhere.
According to BONKbot, altogether, the exploit affected 302 victims, who lost 2,808.38 SOL worth nearly $553,307.
Despite the cheerful tone of BONKbot’s messages, many users expressed strong skepticism since the team did not mention the name of the exploited application even once.
Furthermore, a crypto space influencer WazzCrypto stated that despite BONKbot's attempts to blame another "specific" app, it is the bot’s fault if the export caused a massive leak of private keys.
"Sorry, but if EVERY user being drained has previously exported their BONKbot private keys, it seems pretty obvious BonkBot itself is not 100% safe," WazzCrypto shared with their followers.
This comment further stirred a dispute, with opinions ranging from accusations against another project, Solareum, to claims that the fault lay in connecting to an unknown "malicious site or dApp" before exporting their private keys.
"Just because everyone who was drained exported does not mean everyone who exported got drained. I didn't," X user Zn2plusC commented on the exploit, stressing that "The only people getting drained are those that imported the wallet to Solareum, which is evidence that the issue is on Solareum’s end."
Some of the victims, including X user SoLorden who reported a loss of 44 SOL worth over $8,700 indeed relied on wallets generated through the bot while their private keys were imported into Solareum.
It appears that Solareum now has to defend itself against allegations coming from users who lost their funds in the exploit, some of whom believe their funds were drained because the project turned out to be an exit scam.
"We at the Solareum team can clarify that we do not steal money," Solareum stated firmly in its X post, adding that "a lot of Solar users' wallets got drained, but this is part of a widespread exploit affecting other bot projects and dApps as well."
According to the team behind Solareum, the cybercriminals might have stolen the Telegram bot token and gained access to all the messages contained in the bot's history, which could still include wallet generation messages with private keys as long as their owners did not remove them.
Meanwhile, some BONKbot users demonstrated their disbelief in the authenticity of the exploit statistics provided by the Telegram bot. User MaxOorigin was one of them, claiming they know around five people who suffered from the incident, making it seem unlikely that so few people were affected.
Still, the case seems to be even more mysterious. One of the victims, user MarcTheYolo, mentioned exporting the private key exclusively to Phantom, while the compromised wallet was connected only to Sol-Incinerator, a platform designed for the permanent removal of tokens from circulation.
Read also: Everything You Need to Know about Revoking Approvals and Revoke.Cash
Meanwhile, some victims, including user FortKnox, claim that although they had never exported their private keys, they were still drained.
The controversy surrounding the case was further intensified by reports from BONKbot user ShrekCrypto, who lost a staggering 620 SOL worth over $121,476.
"Trying to figure out exactly what drained my wallet, I got banned from the BonkBot chat. Additionally, when I shared my transaction details with the BonkBot team, I received more FUD and death threats for speaking up," ShrekCrypto complained about the lack of proper communication with the bot’s team.
