Solana Pump.fun tool DogWifTool compromised to drain wallets
2025-1-30 00:45:28 Author: www.bleepingcomputer.com

Hackers have compromised the Windows version of the DogWifTools software for promoting meme coins on the Solana blockchain in a supply-chain attack that drained users' wallets.

The developers claim that a malicious threat actor compromised the project's private GitHub repository after reverse engineering the software to extract a GitHub token.

The maintainers of the platform said on the official Discord channel that the threat actor gained access to the GitHub repository and trojanized DogWifTools versions 1.6.3 through 1.6.6.

DogWifTools is a platform that assists developers in launching and promoting meme coins on the Solana blockchain. It offers volume automation, bundling, comment bots to boost engagement, and high activity simulation to help tokens trend on Pump.fun.

Stealthy malware injection

As the platform explained on Discord, a malicious threat actor compromised the project's private GitHub repository after reverse engineering the software to extract a GitHub token.

After gaining access, the threat actor did not start publishing malicious updates immediately, as has happened in similar recent cases. Instead, the threat actor waited for the DogWifTools developers to release a new version, then trojanized it and uploaded it a couple of hours later.

“After each update we released, this individual waited a couple hours, downloaded the update, reversed it, and injected a Remote Access Trojan (RAT) into our legitimate builds (this did not show up in any GitHub logs, we were only able to see this after an update that was released a week prior showed it had been replaced in the last couple days),” explained DogWifTools.

“This targeted malicious activity affected versions 1.6.3 through 1.6.6 of our platform and specifically impacted Windows users. macOS users were not affected by this breach.”

Full announcement on Discord
Source: BleepingComputer

When launched, the malicious DogWifTools application downloaded a file (updater.exe) into the local AppData folder that targeted users’ cryptocurrency wallet private keys.
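The build replacement described above was only noticed when a week-old update turned out to have been swapped. As an added example (not code from DogWifTools or the original article), this Python check compares the assets currently served for a release against digests pinned at build time and flags any asset that changed or was re-uploaded later; the asset names, manifest layout and 30-minute grace window are assumptions.

```python
import hashlib
from datetime import datetime, timedelta

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def audit_release(pinned, observed, grace=timedelta(minutes=30)):
    """Return (asset, reason) findings for assets that differ from the pins.

    pinned:   name -> {"sha256", "built_at"}, written by the build pipeline and
              kept where a repository token cannot rewrite it (assumption).
    observed: name -> {"content", "uploaded_at"}, as currently served.
    """
    findings = []
    for name, pin in pinned.items():
        cur = observed.get(name)
        if cur is None:
            findings.append((name, "missing"))
            continue
        if sha256_hex(cur["content"]) != pin["sha256"]:
            findings.append((name, "digest-mismatch"))
        # A legitimate asset is uploaded once, right after the build.
        if cur["uploaded_at"] - pin["built_at"] > grace:
            findings.append((name, "re-uploaded-after-release"))
    for name in sorted(observed.keys() - pinned.keys()):
        findings.append((name, "unexpected-asset"))
    return findings

# Constructed sample data: file names, contents and times are illustrative.
BUILT = datetime(2025, 1, 1, 12, 0)
WIN, MAC = b"constructed windows build", b"constructed macos build"
PINNED = {
    "tool-windows.exe": {"sha256": sha256_hex(WIN), "built_at": BUILT},
    "tool-macos.dmg": {"sha256": sha256_hex(MAC), "built_at": BUILT},
}
OBSERVED = {
    # Windows asset swapped a couple of hours after release, as in the report.
    "tool-windows.exe": {"content": WIN + b"<altered>",
                         "uploaded_at": BUILT + timedelta(hours=2)},
    "tool-macos.dmg": {"content": MAC,
                       "uploaded_at": BUILT + timedelta(minutes=5)},
}

if __name__ == "__main__":
    for asset, reason in audit_release(PINNED, OBSERVED):
        print(f"{asset}: {reason}")
```

Run on a schedule against every published version, not just the latest, since the swap reported here touched a release that was already a week old.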

Accusations and mixed feelings

On X (Twitter), many users accuse the platform of “rug pulling,” though there’s no evidence of this or signs of fraudulent activity from DogWifTools themselves.

The reason behind these accusations is that DogWifTools is built in a way that allows many memecoin scammers to abuse it for fraudulent token launches.

Rug pulling

Blockchain investigator ZachXBT explained to BleepingComputer that "the platform 'optimizes' token launches through the bundler, which discreetly holds a large quantity of the launched coin." The bundler also has a volume bot that automates the buy/sell transactions to inflate activity.

Over the past two days, DogWifTools users reported that the trojanized application drained all their wallets, hot and cold, and they lost access to their cryptocurrency exchange accounts (Binance, Coinbase).

According to crypto community member solboy, access to sensitive data would be possible because DogWifTools asks "for very intrusive permissions on your computer." This allegedly gave the hacker access to ID photos that could be used to hijack accounts at cryptocurrency exchanges.

According to community estimates, the threat actor drained more than $10 million from DogWifTools users, but someone claiming responsibility for the attack says that the figure is "completely off," without offering any further clarification.

The alleged hacker also said that they did not steal any user data, except for DogWifTools wallet files stored locally, and did not engage in identity theft.

In the incident disclosure on Discord, the DogWifTools team flatly denies that its staff was directly involved in the breach and emphasizes that they will do everything possible to rebuild trust with their community.

The platform is working on implementing additional security measures while it is also collaborating with investigators to identify the attacker and hold them accountable.


Article source: https://www.bleepingcomputer.com/news/security/solana-pumpfun-tool-dogwiftool-compromised-to-drain-wallets/