Hackers compromised the Windows version of DogWifTools, a platform for promoting meme coins on the Solana blockchain, through a supply-chain attack that led to the theft of users' cryptocurrency wallets.
The attack occurred after a threat actor reverse-engineered the software and extracted a GitHub token, allowing them to compromise the project's private GitHub repository. Instead of immediately deploying malware, the attackers waited for legitimate updates (versions 1.6.3 to 1.6.6) and then replaced them with trojanized versions, injecting a Remote Access Trojan (RAT).
Once installed, the malicious version of DogWifTools downloaded updater.exe into the local AppData folder. This file targeted the private keys of users' cryptocurrency wallets, which led to wallet draining that affected both hot and cold wallets and even cryptocurrency exchange accounts (Binance, Coinbase). Some users speculate that intrusive permissions granted to the application may have allowed attackers to access identity documents, enabling potential account hijacking.
While accusations surfaced on social media about DogWifTools' potential involvement ("rug pulling"), no evidence supports these claims. The platform has denied any wrongdoing and is working on enhancing security measures and assisting investigators in identifying the attacker.
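The entry point described above was a GitHub token recoverable from the shipped Windows binary. As an added example (not DogWifTools' own code), the following pre-release check scans a build artifact for strings shaped like GitHub tokens, in both ASCII and UTF-16LE; the function name and the sample bytes are constructed for illustration.

```python
import re
import sys

# GitHub token shapes as commonly matched by secret scanners:
# classic/OAuth/app tokens are a gh?_ prefix plus 36 alphanumerics,
# fine-grained PATs are "github_pat_" plus 22 + "_" + 59 characters.
TOKEN_RE = re.compile(
    rb"gh[pousr]_[A-Za-z0-9]{36}|github_pat_[A-Za-z0-9]{22}_[A-Za-z0-9]{59}"
)

def find_embedded_tokens(data: bytes):
    """Return sorted (offset, encoding, kind) for token-shaped strings.

    Windows binaries often store strings as UTF-16LE, so besides the raw
    bytes we scan every second byte at both alignments. The secret itself
    is never returned, only its prefix kind.
    """
    views = (
        ("ascii", data, 1, 0),
        ("utf-16le", data[0::2], 2, 0),
        ("utf-16le", data[1::2], 2, 1),
    )
    hits = []
    for encoding, view, stride, base in views:
        for m in TOKEN_RE.finditer(view):
            tok = m.group()
            kind = "github_pat" if tok.startswith(b"github_pat_") else tok[:3].decode()
            hits.append((m.start() * stride + base, encoding, kind))
    return sorted(hits)

# Constructed sample: a fake PE-like blob with two fake tokens embedded.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 5 + b"auth="
    + ("ghp_" + "a1B2" * 9).encode()
    + b"\x00\xff"
    + ("github_pat_" + "X" * 22 + "_" + "y" * 59).encode("utf-16le")
    + b"\x00\x00"
)

if __name__ == "__main__":
    # Usage: python scan.py <artifact>; exit status 1 blocks the release.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    found = find_embedded_tokens(blob)
    for offset, encoding, kind in found:
        print(f"token-shaped string ({kind}, {encoding}) at offset {offset:#x}")
    sys.exit(1 if found else 0)
```

A hit means the credential should be revoked and moved out of the client entirely, since anything shipped in the binary can be read by whoever downloads it.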