A new Solana signature phishing attack is draining wallets without visible token transfers. On January 7, 2026, OKX Wallet publicly confirmed the emergence of this threat, describing it as one of the most deceptive phishing methods seen in the Solana ecosystem to date. Phantom Wallet and other providers have since acknowledged similar risks, as attackers exploit a lesser-known but powerful feature of Solana’s account architecture. Monitoring by industry researchers indicates the attack marks a shift in crypto fraud tactics toward authority-based exploits.
Security researchers describe this as a “silent account takeover” rather than a conventional theft. At the center of the attack is Solana’s Owner permission field, a design feature that allows flexible control over accounts, useful for delegated programs, automated trading, or smart contract interactions. However, attackers are exploiting this same mechanism by requesting permission to change the account owner rather than to transfer tokens. Once approved, control of the account is effectively transferred to the attacker, and the original wallet holder can see their assets but cannot move them.
From that point forward, the original wallet holder no longer has authority, even if they still possess their private key or recovery phrase. Security teams at OKX and Phantom outline a consistent pattern behind most reported cases: attackers lure users to a malicious website, prompt them to connect their wallet and sign a transaction, and present a transaction preview that shows no immediate balance change. The hidden instruction embedded in the transaction changes the account owner, allowing the attacker to drain funds at any time. Wallet transaction simulations are designed to show token transfers, not authority modifications, creating a dangerous blind spot for users.
This leads to a situation where victims realize the issue only after they can no longer move their funds. OKX Wallet and Phantom Wallet have started deploying safeguards and risk indicators to help users recognize when a transaction could alter account ownership. Industry observers warn that Solana’s flexible permission model, while powerful, creates new attack surfaces that require better user education and wallet safeguards. Solana ecosystem stakeholders stress that users should treat signature requests with the same caution as transfers and verify requests through official channels.
Leave a Reply