What happened
The domain web-phantoms.app clones the Phantom wallet site and drains Solana wallets the moment a user connects and approves a transaction. As of April 9, 2026, it was flagged by 5 independent security vendors. Its infrastructure resolves to IP 147.45.211.115, which is associated with multiple active drainer campaigns.
Distribution
The site is typically pushed via DMs impersonating support staff on Discord, Telegram, and X.