Beware of Solana Phishing Attacks That Let Hackers Initiate Unauthorized Account Transfer

A dangerous new wave of phishing attacks is targeting Solana users by changing wallet ownership permissions rather than stealing private keys.

A victim lost more than USD 3 million in a single attack, with an additional USD 2 million locked in investment platforms.

What makes this attack unique is that the user’s funds remained visible but became impossible to move or control.

The attack relies on two things. First, when users approve a transaction, wallets show the effect on the wallet balance to help users feel safe.

Attackers craft special transactions that appear harmless because they cause no visible balance changes.

Second, unlike blockchains such as Ethereum, where ownership is locked to your private key, Solana allows a wallet's owner to be reassigned through a technical operation.

This difference leaves many users unprepared for such attacks. SlowMist security analysts identified and studied this emerging threat after a user reached out for help.

Beware of Solana #Phishing Attacks: Wallet Owner Permissions Can Be Altered

1⃣ Recently, we assisted a victim of a phishing attack that resulted in the unauthorized transfer of his account’s Owner permission. This is similar to the "malicious multisig"-style attack commonly… pic.twitter.com/7yO1uAJT5a
— SlowMist (@SlowMist_Team), December 4, 2025

Upon on-chain investigation, the researchers discovered that the attacker had already transferred the account Owner permission to a different wallet address.

Figure: The victim attempted to initiate a transfer from the compromised account to their own address to verify control (Source: Medium)

This meant the victim could not move funds, remove approvals, or use their assets in decentralized finance platforms, despite still owning them.

Understanding the Technical Mechanism Behind Account Ownership Changes

The core of this attack centers on Solana’s account model. When you create a wallet, its Owner is typically the system program, which acts as a default security authority.

Solana uses this Owner field to verify that transaction requests come from legitimate signers.

SlowMist security researchers noted through technical analysis that the attackers exploited the “assign” instruction, a built-in Solana command that can change an account’s Owner field.

The instruction takes a simple form: it specifies which account to reassign and identifies the new owner.

When victims unknowingly approve transactions containing this instruction, they essentially sign away control of their wallets.

The reassignment happens quietly without causing any token balance changes, making detection extremely difficult for average users.

What makes detection harder is that Solana’s architecture allows program-derived accounts to have their ownership changed if the accounts contain no data.

However, regular user wallets follow different rules. Standard accounts can have their Owner reassigned through program invocations, meaning attackers can abuse this feature if users approve the right signature request.
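
As an added example (not code from SlowMist or the original article), the sketch below shows how a wallet or monitoring tool could flag a System Program "assign" on the user's own account before a transaction is signed, even though no balance changes. It assumes the transaction's top-level and inner instructions have already been decoded into dictionaries with the hypothetical keys `program_id`, `accounts` and `data`; the sample keys are constructed placeholders.

```python
import struct

SYSTEM_PROGRAM = "1" * 32   # base58 of 32 zero bytes: the System Program id
ASSIGN = 1                  # System Program instruction discriminant (u32, little-endian)
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def b58encode(raw: bytes) -> str:
    # Minimal base58 encoder so the example needs no third-party library.
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    pad = len(raw) - len(raw.lstrip(b"\0"))
    return "1" * pad + out

def find_owner_reassignments(instructions, wallet):
    """Return (index, new_owner) for each Assign that moves `wallet` to another owner."""
    findings = []
    for i, ix in enumerate(instructions):
        data = ix["data"]
        if ix["program_id"] != SYSTEM_PROGRAM or len(data) < 4:
            continue
        (kind,) = struct.unpack_from("<I", data)
        # Assign data = 4-byte discriminant + 32-byte new owner; account 0 is the target.
        if kind == ASSIGN and len(data) >= 36 and ix["accounts"][:1] == [wallet]:
            new_owner = b58encode(data[4:36])
            if new_owner != SYSTEM_PROGRAM:
                findings.append((i, new_owner))
    return findings

# Constructed sample transaction: placeholder keys, not real addresses.
WALLET = b58encode(b"\x07" * 32)
NEW_OWNER_RAW = bytes(range(1, 33))
SAMPLE_TX = [
    {"program_id": SYSTEM_PROGRAM, "accounts": [WALLET, WALLET],
     "data": struct.pack("<IQ", 2, 0)},               # Transfer of 0 lamports
    {"program_id": SYSTEM_PROGRAM, "accounts": [WALLET],
     "data": struct.pack("<I", ASSIGN) + NEW_OWNER_RAW},  # Assign wallet to a new owner
]

if __name__ == "__main__":
    for idx, owner in find_owner_reassignments(SAMPLE_TX, WALLET):
        print(f"instruction {idx}: Owner of {WALLET} would be reassigned to {owner}")
```

A wallet UI could refuse to sign, or require explicit confirmation, whenever this check returns a non-empty list for the connected account.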

To protect yourself, always verify the transaction source before clicking links or approving signatures. Never grant permission from unfamiliar websites or messages claiming to be official announcements.

Consider maintaining separate wallets: one for daily activities with limited funds and another cold storage wallet for valuable assets.

When in doubt about any signature request, reject it immediately. Your caution is your strongest defense against these evolving threats.

The post Beware of Solana Phishing Attacks That Let Hackers Initiate Unauthorized Account Transfer appeared first on Cyber Security News.
