Monad Airdrop Gone Wrong: Here How 56 Users Lost 1.5M MON Tokens

Monad Airdrop News: How Session Hijack Sent 1.5M MON to Hacker Wallet?

A growing number of Monad users are reporting missing airdrops after a wallet-binding exploit redirected tokens to a hacker-controlled address, exposing serious security gaps in the project’s claim mechanism.

What Happened with the Monad Airdrop?

Long-awaited Monad airdrop distribution turned chaotic when users discovered they never received their allocated MON tokens despite successfully completing the claim process. 

Reports surfaced on X (formerly Twitter) revealing that several wallets displayed incorrect claiming addresses during the airdrop event. 

The issue escalated after SlowMist founder Yuxian (evilcos) confirmed a potential session hijacking vulnerability in Monad’s official claim portal, claim.monad.xyz.

Dozens of affected users raised concerns that the address shown as "connected" was not their actual wallets, leading to tokens being sent to an unknown third-party wallet.

Source: Evilcos on X

How and When the MON Airdrop Hijacked?

The exploit appears linked to a flaw that allowed attackers to hijack a user’s session on the page and alter the bound claims address without any additional confirmation. According to SlowMist’s disclosure, even hardware wallet users were not fully protected.

Most fraudulent redirections occurred shortly before or during Monad mainnet launch on November 24, 2025, when the airdrop distribution went live. Once MON tokens hit the manipulated addresses, they were instantly consolidated into a single hacker-controlled wallet:

0xde8c91E1033912F184b4ff6a1cC84Bc6eb68602c

Source: Onefly X

Which Accounts Faced Loss?

The most publicized victim is user @Onefly, who lost 22,206 MON (~$666 at $0.03/MON). Their OneKey hardware wallet displayed a “green connected” status, but the address was secretly replaced.

On-chain data from Monadscan shows:

• 1.5 million+ MON drained to the hacker address

• 56 confirmed victims

• 49+ incoming transfers within minutes of launch

• Estimated total loss: ~$45,000

Many victims noticed the issue only after checking explorer data, as the fraudulent address was an empty, unused wallet before receiving stolen airdrops.

Why Did All This Happen?

Security researchers assume that the root cause is the blind signing events weeks before the airdrop- particularly communicating with questionable dApps such as "Xia Ji Ba Da X402." These events may have:

• Inoculated malicious scripts, or

• Captured user sessions

• Premeditated altered claim responses before the launch.

• Signatures that were accepted by users without their knowledge subsequently enabled attackers to tamper with their airdrop bindings.

What Are the Loopholes in the System?

• No secondary authentication of binding or altering claims addresses.

• Session hijacking front-end vulnerability.

• Absence of logs or alerts on claim address modification.

• Excessive use of UI display, which deceives even hardware wallet users.

• Lack of large-scale claim operations failsafes.

Who Is at Fault?

• Monad has not had sufficient verification and has failed to deliver address-change logs.

• Blind signing presents dangerous transactions to users.

• Hackers who took advantage of user behavior and system vulnerabilities.

• Experts, such as SlowMist, encourage Monad to examine the history of all claims-bound address modifications

How to be safe from such Hacks?

• Always ensure that complete wallet addresses are verified on the wallet and dApp interface.

• Keep experimental dApps and airdrops in different wallets.

• Do not blindly sign, particularly on unfamiliar sites.

• Trust hardware wallets and verify raw transaction data.

• Bookmark official sites and do not deal through redirected links.

• Pre-use test transactions before a significant claims.

Conclusion

This underscores the importance of Web3 security in that both users and developers need to be cautious and verify that even official portals must be verified with high levels of diligence, transparency, and care to avoid losing money.