Bonk.Fun Hack: Wallet-Draining Phishing Prompt Hits Solana Launchpad

Bonk.Fun, the Solana-based memecoin launchpad, has become the latest victim of a high-profile front-end cyberattack. On Wednesday, a malicious actor seized control of its official website and deployed a wallet drainer disguised as a standard interaction.

This prompted a member of the platform’s core team to issue an urgent warning to users, asking them not to interact with the website until further notice. However, those who connected their wallets and signed the malicious prompt now face immediate loss of their assets.

Hackers Hijack Solana Memecoin Launchpad Bonk.Fun’s Website

An operator associated with Bonk.fun, known as “SolportTom” on X, said that a team account had been compromised, which allowed attackers to push a malicious prompt through the domain. This prompt reportedly asks users to sign a fake terms-of-service message designed to authorize transactions that could drain connected crypto wallets.

Visitors to the website are now greeted with a fake terms-of-service pop-up that mimics a standard compliance request but is actually a trigger mechanism. Once the request is signed, the protocol grants the attacker permission to empty the signer's wallet, which takes place within seconds.

While Bonk.fun hasn’t confirmed the exact amount of crypto lost to the phishing attack, they stated that losses are minimal, attributing the low damage to rapid action by their development team. Only users who interacted with the fraudulent prompt during the active hijack window were affected.

Crypto media outlet Decrypt confirmed that visitors attempting to access the site late Wednesday were greeted with browser security warnings flagging the page for suspected phishing. According to the company, users who had previously connected their wallets to the site or those who traded tokens launched on the platform through external terminals are unaffected.

wstETH Pricing Oracle Glitch Triggers $27 Million in Liquidations on Aave

The Bonk.fun incident mirrors broader risks in the sector. On March 10, an oracle glitch on leading decentralized finance (DeFi) protocol Aave undervalued wrapped staked Ether (wstETH) on the platform by 2.85% against its actual market rate, triggering $27 million in liquidations. The oracle error affected 34 users, as liquidation bots executed against positions that should not have been eligible for liquidation at that moment.

Aave founder and CEO Stani Kulechov confirmed in a Wednesday X post that the protocol generated no bad debt from the incident. Of the 499 ETH, worth approximately $1.2 million, the exchange managed to reclaim 141 ETH ($285,000) through BuilderNet refunds and an additional 13 ETH in liquidation fees. Those recovered funds will be used to reimburse affected users, with DAO treasury funds covering any remaining shortfall up to the full 345 ETH identified as the excess liquidation windfall.

While the mechanics of the Aave exploit differ from those of Bonk.fun, the result was unexpected losses to users due to a technical compromise. According to Chainalysis, overall losses from crypto-related scams hit $17 billion in 2025. The shift towards domain hijacking indicates attackers are bypassing protocol security to target the user interface directly.

Bonk.fun users who visited the site in the last 24 hours have been asked to take the following precautions immediately:

  • Disconnect Bonk.fun from connected sites listed in your wallet’s settings.
  • Use tools like Revoke.cash to revoke any recent permissions granted to Bonk.fun contracts.
  • Verify that no unauthorized transfers have occurred on your wallet.
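
The permission check in the list above can also be done against raw RPC data. The following is an added example, not code from the article or from Bonk.fun: it assumes the permission in question is an SPL Token delegate approval (the article does not state the mechanism) and scans a reply shaped like Solana's `getTokenAccountsByOwner` with `jsonParsed` encoding. The sample reply, all addresses, and the `trusted` allow-list are constructed placeholders.

```javascript
// Constructed sample shaped like a Solana JSON-RPC getTokenAccountsByOwner
// reply (encoding "jsonParsed"). Every address is a placeholder, not real.
const WALLET = "WALLET_PLACEHOLDER";
const acct = (pubkey, mint, amount, delegate, delegated) => ({
  pubkey,
  account: { data: { program: "spl-token", parsed: { type: "account", info: {
    mint, owner: WALLET, tokenAmount: { amount, decimals: 6 },
    ...(delegate && { delegate, delegatedAmount: { amount: delegated, decimals: 6 } }),
  } } } },
});
const SAMPLE_RESPONSE = { jsonrpc: "2.0", id: 1, result: { value: [
  acct("TOKEN_ACCT_A", "MINT_A", "5000000"),
  acct("TOKEN_ACCT_B", "MINT_B", "2500000", "UNKNOWN_DELEGATE", "18446744073709551615"),
  acct("TOKEN_ACCT_C", "MINT_C", "900000", "KNOWN_DEX_DELEGATE", "100000"),
] } };

// Return every token account that still has a delegate able to move funds.
// `trusted` is a hypothetical allow-list of delegates the user recognises.
function findDelegations(rpcResponse, trusted = new Set()) {
  const findings = [];
  for (const { pubkey, account } of rpcResponse.result.value) {
    const parsed = account.data.parsed;
    if (!parsed || parsed.type !== "account") continue;
    const { mint, delegate, delegatedAmount, tokenAmount } = parsed.info;
    if (!delegate) continue; // no approval outstanding
    // Amounts are base-unit strings that can exceed 2^53, so use BigInt.
    const allowed = BigInt(delegatedAmount?.amount ?? "0");
    if (allowed === 0n) continue;
    const balance = BigInt(tokenAmount.amount);
    findings.push({
      tokenAccount: pubkey, mint, delegate,
      trusted: trusted.has(delegate),
      // A delegate can move at most min(allowance, current balance).
      atRisk: (allowed < balance ? allowed : balance).toString(),
    });
  }
  // Unrecognised delegates first: those are the ones to revoke.
  return findings.sort((a, b) => Number(a.trusted) - Number(b.trusted));
}

console.log(findDelegations(SAMPLE_RESPONSE, new Set(["KNOWN_DEX_DELEGATE"])));
```

An empty result only means no delegate approvals remain on the accounts returned; it says nothing about transfers that have already happened, which still need to be checked in the wallet's transaction history.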
