Squads Sounds Alarm on Address Poisoning Scheme Hitting Solana Multisig Users

Squads has flagged an active address poisoning attack targeting Solana multisig users. No funds lost yet, but the threat is real and growing fast.

Squads, the leading multisig platform on Solana, went public Monday with a security warning that most users probably weren’t expecting to wake up to. An address poisoning attack is actively targeting its user base. No funds have been lost.

Not yet, anyway.

According to @multisig on X, attackers are exploiting how Solana indexes public on-chain data. Because every public key and its associated accounts are visible on-chain, bad actors are programmatically spinning up new multisig accounts that include real Squads users as members. Those fake accounts show up in the Squads UI.

The Trick Is Subtle But Effective

The attack doesn’t need a protocol bug to work. It doesn’t need your private keys either.

What it needs is your attention to slip, just once. As @multisig explained in the post, attackers are also grinding public keys that match the first and last characters of real Squads vault addresses. That makes a fake account look indistinguishable from a real one at a glance. The goal is simple: get users to copy a vault address that belongs to the attacker, then send funds there.

Or sign a transaction they never created.

The address poisoning playbook isn’t new. What’s different here is the multisig angle. Attackers aren’t poisoning a wallet history with a lookalike transfer. They’re injecting fake multisig accounts directly into a user’s Squad list, making them appear as if they belong there.

No Protocol Breach, But the Risk Is Real

Squads was direct about the scope of the threat. The attacker cannot execute transactions, cannot touch existing multisigs, and cannot move funds without user action. It is, as @multisig put it in the X post, “purely a UI-level social engineering attempt.”

That framing matters. This is not a hack in the traditional sense. But social engineering has cost users far more than most protocol exploits ever have.

In the hours after the announcement, Squads said UI updates were shipping within two hours. A warning banner alerting users to the attack was one of them. The platform also said an alert would appear on any multisig a user had never interacted with before. Both changes went out to help users separate real accounts from injected fakes faster.

Longer-term, @multisig confirmed a whitelist system is coming within days. New multisig accounts will start in a pending state and require manual approval before appearing in a user’s Squad list. That effectively cuts out the attack vector at the UI level.

What Squads Told Users to Do Right Now

The platform gave its users four clear steps. First, ignore and do not interact with any multisig you didn’t create or weren’t added to by your team. Second, stop relying on matching just the first and last characters of a wallet address to verify it. That partial check is exactly what attackers are counting on.

Third, if anything looks off, check with your team before signing anything. Fourth, and the one Squads pushed hardest: set your real accounts as default. That pins them to the top of the Squad list, making impostors easier to spot. Users can do that by clicking the three-dot menu next to their Squad.
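
The second step above, checking the whole address instead of its ends, can be scripted. The following is an added example, not code from Squads or from the original article; the addresses are constructed sample values, the allowlist is hypothetical, and the 4+4 truncation in short() is an assumed UI display format.

```python
# Added example: classify an address against a team allowlist by full-string match.
BASE58 = set("123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz")

# Constructed sample values, not real Squads vaults.
TREASURY = "7xKpQ2mVnR8sTdY4wZcB3hJfL6gN9aEuX1vMoP5rSqWt"
LOOKALIKE = "7xKpD9hTfA3uYbN6eWjR2cMgZ5sVqX8kL4nPoE1rSqWt"  # same ends, different middle
UNRELATED = "3nFbH7uWqC5yKdP9sRgT2mVaZ8eXjL4cN6hYoB1rQwEt"
ALLOWLIST = {"treasury": TREASURY}  # hypothetical: addresses confirmed out of band


def short(addr, n=4):
    """Assumed UI truncation: first n and last n characters."""
    return f"{addr[:n]}...{addr[-n:]}"


def shared_prefix(a, b):
    """Number of leading characters two strings have in common."""
    count = 0
    for x, y in zip(a, b):
        if x != y:
            break
        count += 1
    return count


def is_base58_pubkey(s):
    """Shape check only: a 32-byte key encodes to 32-44 base58 characters."""
    return 32 <= len(s) <= 44 and all(c in BASE58 for c in s)


def classify(candidate, allowlist=ALLOWLIST, min_match=3):
    """Return (verdict, label): trusted, lookalike, unknown or invalid."""
    candidate = candidate.strip()
    if not is_base58_pubkey(candidate):
        return ("invalid", None)
    for label, addr in allowlist.items():
        if candidate == addr:  # only a full match counts as trusted
            return ("trusted", label)
    for label, addr in allowlist.items():
        head = shared_prefix(candidate, addr)
        tail = shared_prefix(candidate[::-1], addr[::-1])
        if head >= min_match or tail >= min_match:
            return ("lookalike", label)  # matching ends without a full match
    return ("unknown", None)


if __name__ == "__main__":
    for addr in (TREASURY, LOOKALIKE, UNRELATED):
        print(short(addr), classify(addr))
```

The two sample addresses truncate to the same short form, yet only the full-string comparison returns "trusted"; a "lookalike" verdict is the cue to stop and check with the team before copying or signing.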

Fake address detection tools are becoming a standard response to this category of threat. Squads is building one directly into its workflow.

The team said it will continue posting updates on X as fixes roll out.

Source: https://www.livebitcoinnews.com/squads-sounds-alarm-on-address-poisoning-scheme-hitting-solana-multisig-users/