
Solana Phishing Prevention Guide: How to Identify and Guard Against Risks?
TechFlow Selected TechFlow Selected

Solana Phishing Prevention Guide: How to Identify and Guard Against Risks?
This article summarizes common Solana phishing attack methods to help users effectively avoid such incidents and reduce asset losses.
Author: Go+ Security
Recently, Solana's market capitalization has surged rapidly, briefly surpassing BNB to rank among the top three globally. This massive wealth effect has attracted a large number of active users, as well as numerous Wallet Drainer (wallet phishing) groups who have shifted from EVM chains to Solana. Phishing websites and airdrop scams targeting Solana are now being deployed on a large scale, resulting in significant losses for many users. In recent days, the GoPlus security team analyzed multiple Solana phishing incidents and discovered that scam groups are exploiting current shortcomings in certain Solana wallets’ security infrastructure to rapidly upgrade their airdrop deception tactics and carry out social account theft. Below, GoPlus summarizes the most common phishing attack methods on Solana to help users effectively avoid such incidents and reduce asset loss.
Attack Types
In several recent phishing incidents, GoPlus found that attackers mostly use tactics such as "fake airdrop claims", "counterfeit project websites", "free giveaways", and "NFT airdrops used as bait to lure users in". These methods closely resemble common phishing approaches seen on EVM chains. The key difference lies in how scammers exploit the technical differences between Solana and EVM to conduct phishing via distinct "token or authorization transfer" mechanisms. Below are several different transfer-based attack patterns we have observed.

Induced Transfer of Native Token SOL
This type of attack is the simplest. After users connect their wallets, the scammer’s frontend calculates the total $SOL balance and directly initiates a transfer using the SystemProgram.transfer function. For example, one phishing site displays a Swap interface UI, leading users to believe they can purchase a certain token at a discounted price.

However, what actually executes is merely a straightforward $SOL transfer.

Induced Transfer of Multiple Tokens
Beyond stealing the native $SOL token, scammers can also steal all tokens currently held in a user's wallet within a single transaction signature. On Solana, each transaction can consist of multiple instructions, with each instruction performing a separate operation—such as transferring tokens, interacting with programs, or creating accounts. This means phishing groups can pack multiple operations into a single transaction. For instance, if a user holds three different tokens, the phishing site only needs to include three separate transfer instructions for those tokens in the same transaction. This allows them to completely drain a wallet in one go without needing to trick users individually for each asset. As with the first method, hackers deceive users into clicking buttons to sign transactions. Such transactions will transfer all assets at once—including native $SOL, NFTs, and other fungible tokens. Scammers primarily leverage the Solana SPL Token createTransferCheckedInstruction to construct these non-native asset transfer instructions.

Phantom transaction simulation

Backpack transaction simulation
Induced Ownership Transfer of Token Accounts
In addition to direct token transfers, GoPlus has identified phishing sites using the createSetAuthorityInstruction operation to embed malicious instructions into transactions. This action fundamentally transfers ownership of a token account to another address. Unlike EVM, Solana’s account model creates a dedicated Token Account for every token held by an address. Each Token Account has an owner—the current wallet—and stores the corresponding token balance and metadata. The createSetAuthorityInstruction operation allows directly changing this ownership, effectively giving full control of the tokens to the new owner. We tested this behavior on both Phantom and Backpack wallets, and fortunately, both provided explicit warnings.


Even when users click the Ignore and proceed anyway option, transaction simulation still reveals changes in balances.

Note
Most mainstream Solana wallets today already support transaction simulation, enabling prediction of transaction outcomes. Users can clearly see post-transaction balance changes, so carefully reviewing each transaction result helps mitigate some phishing risks. This capability stems from Solana’s official JSON RPC API supporting "transaction simulation". However, as phishing techniques evolve, we’ve also uncovered some extremely subtle attack vectors.
Fraudulent Token Approval Requests
For users familiar with EVM, token approvals are common actions. However, on Solana, this mechanism differs. Scammers exploit users’ misunderstanding of EVM-style approval systems to execute fraud. Phishing sites trick users into seemingly normal interactions, but behind the scenes, they execute approval transactions (Delegate) via createApproveCheckedInstruction. The key here is that instead of directly transferring assets, attackers gain permission to control user assets. These attacks often hide behind attractive interfaces—like fake voting or staking pages—while silently altering account authorization settings.
Once attackers obtain control permissions over user assets, they can manipulate them at any time—including transferring or trading them. Such attacks are hard to detect immediately since no visible asset movement occurs initially. Their impact tends to be widespread because attackers wait until enough victims have granted access and accumulated sufficient funds before executing mass withdrawals. Users must remain vigilant: any request to modify authorization settings should raise red flags, especially on unfamiliar websites or apps. While transaction simulation can reveal authorization changes, users need to monitor not just direct balance changes but also hidden authorization risks.


Durable Nonce: Fraudulent Transaction Signatures
Durable Nonce is a feature on the Solana blockchain that allows creation of a special account storing a persistent, non-expiring nonce value. In Solana, every transaction requires a recent blockhash as part of its structure to ensure timeliness and uniqueness. Normally, this blockhash expires after about 150 blocks, rendering the transaction invalid. The Durable Nonce mechanism bypasses this limitation by providing a long-lived nonce, allowing transactions to remain valid over extended periods.
In phishing scams, attackers may abuse the Durable Nonce mechanism to trick users into signing seemingly legitimate transactions that contain hidden malicious operations. Because the Durable Nonce prevents expiration, these transactions stay valid indefinitely, giving attackers a longer window to execute them. For example, a scammer might present a transaction disguised as participation in an airdrop or event, while it secretly includes instructions to transfer user assets. Unaware users sign the transaction, but notice no immediate on-chain activity—because attackers only collect the signature without broadcasting the transaction yet. They can later broadcast it at any time. Importantly, we found that this type of signature does not interfere with transaction simulation results; major wallets can still simulate and parse such transactions accurately. Thus, our previous reliance on transaction simulation remains an effective defensive methodology.
Nevertheless, we have identified an extremely stealthy and sophisticated attack method capable of "slipping through undetected."
Contract Upgrades Evading Transaction Simulation Detection
This method combines Durable Nonce with a unique characteristic of Solana smart contracts—upgradability. The potential danger of this attack is significantly amplified due to contract upgradability. A Durable Nonce enables a transaction to remain valid indefinitely by referencing a long-lasting nonce stored in a designated account. Attackers first trick users into signing what appears to be a benign contract interaction. At signing time, even advanced wallets and simulation tools cannot detect anything suspicious. Once the attacker obtains the signed transaction containing the Durable Nonce, they do not immediately broadcast it. Instead, they exploit Solana’s contract upgrade functionality to replace the original legitimate contract with a malicious version capable of executing unauthorized actions like draining assets. After upgrading the contract, the attacker broadcasts the previously signed transaction against the now-compromised contract, successfully executing the malicious payload. This attack is exceptionally covert and poses severe risks—even experienced users may fail to recognize the threat during signing. To defend against this, users should thoroughly vet contract reputation and history, maintain skepticism toward unusual transaction behaviors, and avoid interacting with unknown or newly deployed contracts. We also urge all Solana wallet developers to recognize this threat and implement timely warnings and protective measures within their applications.
Preventive Measures
To combat phishing attacks on the Solana network, the following comprehensive preventive measures can help minimize risk:
-
Increase security awareness: Remain highly vigilant with all cryptocurrency-related transactions. Understand common Solana phishing tactics, including induced token transfers, token account ownership changes, and fraudulent transaction signatures.
-
Review transaction details carefully: Always inspect the specifics of any transaction before signing. Exercise extra caution with transactions involving Durable Nonce or contract interactions.
-
Use transaction simulation: Leverage your wallet’s transaction simulation feature to review expected outcomes. However, remember this is not foolproof, as certain advanced attacks may evade detection.
-
Monitor authorization changes: Stay alert to unexpected changes in token approvals, even when balances appear unchanged. Be especially cautious when granting authorizations on unfamiliar platforms.
-
Regularly revoke unused approvals: Use tools like Solana Revoke to periodically cancel unnecessary token approvals and protect your assets.
-
Stay updated on knowledge: Continuously educate yourself about blockchain and cryptocurrency developments, particularly emerging phishing techniques and defense strategies.
-
Keep software updated: Ensure your wallet and related applications are always up to date to benefit from the latest security patches and features.
-
Backup and protect private keys: Safeguard your private keys and sensitive information—never store or share them in insecure locations.
Additionally, the GoPlus Security Team calls upon the Solana blockchain and its ecosystem to deeply prioritize user security, accelerate improvements in user-facing security infrastructure, and provide a safer transaction environment to ensure long-term ecological stability and prosperity.
Join TechFlow official community to stay tuned
Telegram:https://t.me/TechFlowDaily
X (Twitter):https://x.com/TechFlowPost
X (Twitter) EN:https://x.com/BlockFlow_News














