Category: Explained: Hacks
POSTED BY: Rob Behnke
02.05.2025
In January 2025, the users of DogWifTools — a widely used tool for Solana rug pullers to fake liquidity — got a taste of their own medicine. Malware embedded in the tool allowed attackers to steal sensitive data from users' computers and drain an estimated $10 million from their accounts.
DogWifTools is an example of a fake liquidity generator used on Solana. When someone is setting up a memecoin for a rug pull, they want their token to look legitimate and popular. To do so, they’ll use a tool like DogWifTools to automatically generate fake trading activity on-chain to create the illusion of liquidity, widespread interest, and high potential return on investment (ROI) for potential buyers.
However, an attacker who had gained access to the GitHub token for the DogWifTools repo had been silently weaponizing the tool in preparation for a future attack. The tool had notably poor security, including requesting a range of dangerous permissions that weren’t actually needed for its role.
A few hours after each of the official builds of versions 1.6.3 through 1.6.6 of the tool was released, the attacker released a trojanized version that included a Remote Access Trojan (RAT). Once installed, the RAT scanned the user’s system for blockchain private keys, login credentials for crypto exchanges, and photos of the user’s ID documents.
When the attacker finally took advantage of their access, they stole an estimated $10 million from users' accounts, but that’s not all. With the ID documents stolen from users’ computers, they also allegedly completed KYC and opened Binance accounts in their victims’ names. With these accounts, they could withdraw their stolen crypto while posing as the legitimate account owner.
In a manifesto published on Tor, the attacker pointed out that all of their victims were scammers who targeted retail investors. They claimed it was morally correct to take back money that was stolen in the first place.
The DogWifTools incident is a classic example of a supply chain attack. The attackers leveraged access to the project’s GitHub repo to deploy malware in their target environments. With this access, they could collect private keys, login credentials, and other sensitive data from scammers’ computers.
One key takeaway from this incident is the importance of permissions management. When installing a tool, it’s vital to check the access that it requests and evaluate the risk that it creates. In this case, the wide-reaching permissions requested by DogWifTools gave the RAT it carried exactly the access it needed to collect sensitive data.
Another key takeaway is that data security is vital to protecting on-chain accounts. In this case, stolen private keys, credentials, and identity documents led to lost crypto and alleged identity theft. To learn more about keeping your crypto safe, check out these private key security best practices.