Why does my Phantom wallet show a "malicious account" warning?

Understanding Account Ownership on Solana

Every account on Solana has an owner, which is typically a program. When a new account is created, it is, by default, owned by the System Program. This is because all basic wallet accounts on Solana are created and managed by the System Program, which handles fundamental account operations like transferring SOL and allocating space.

You can view ownership information by looking up an address on Solscan.io. In the More Info section at the top of the page, the Owner field displays the address of the program or entity that owns the account.

While the concept of ownership is fundamental to how Solana works, bad actors often attempt to exploit it for malicious purposes.

Bit-flip attacks

In some scams, attackers trick users into signing malicious transactions that transfer ownership of their account to the scammer. Once ownership is transferred, the attacker has the authority to withdraw any funds that enter the account. In Solscan, the address listed next to Owner in the More Info section indicates who currently has control over the account. If the account is no longer owned by the System Program, it’s potentially compromised.

Rotten Seed Phrases and Private Keys

Another common scam involves bad actors distributing seed phrases or private keys to accounts that appear to contain funds. These wallets, however, are set up in a way that transfers tokens to an attacker-controlled address, often through custom program logic or automated draining scripts. When a victim imports the “rotten” seed phrase or private key, they may believe they now control the funds—but because the account is still owned by the scammer, the attacker retains the ability to drain any assets that are deposited.
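The Owner check described in both sections above can also be run against the `getAccountInfo` response of a Solana RPC node, which is useful before depositing into a wallet or importing a key. This is an added example, not Phantom's code: the function names are hypothetical, the sample responses are constructed, and the non-System owner value is a placeholder.

```python
import json
import urllib.request

SYSTEM_PROGRAM_ID = "11111111111111111111111111111111"  # Solana System Program


def build_request(address):
    """JSON-RPC body for getAccountInfo, which returns the account's owner."""
    return {"jsonrpc": "2.0", "id": 1, "method": "getAccountInfo",
            "params": [address, {"encoding": "base64"}]}


def classify_owner(response):
    """Return (status, owner) for a parsed getAccountInfo response."""
    if "error" in response:
        return ("rpc_error", None)
    value = response["result"]["value"]
    if value is None:
        # Unfunded address: no on-chain account exists yet, so there is no owner to read.
        return ("not_created", None)
    owner = value["owner"]
    if owner == SYSTEM_PROGRAM_ID:
        return ("system_owned", owner)
    # A wallet address owned by any other program matches the warning case above.
    return ("not_system_owned", owner)


def check_address(address, rpc_url):
    """Live lookup; rpc_url is an assumption supplied by the caller (any Solana RPC node)."""
    body = json.dumps(build_request(address)).encode()
    req = urllib.request.Request(rpc_url, data=body,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return classify_owner(json.load(resp))


def _sample(owner):
    """Constructed getAccountInfo response for a funded account (not a real account)."""
    return {"jsonrpc": "2.0", "id": 1, "result": {"context": {"slot": 1}, "value": {
        "lamports": 5000000, "owner": owner, "executable": False,
        "data": ["", "base64"], "rentEpoch": 0, "space": 0}}}


SAMPLE_HEALTHY = _sample(SYSTEM_PROGRAM_ID)
SAMPLE_REASSIGNED = _sample("PLACEHOLDER_ATTACKER_PROGRAM_ID")  # placeholder owner
SAMPLE_UNFUNDED = {"jsonrpc": "2.0", "id": 1,
                   "result": {"context": {"slot": 1}, "value": None}}

if __name__ == "__main__":
    for name in ("SAMPLE_HEALTHY", "SAMPLE_REASSIGNED", "SAMPLE_UNFUNDED"):
        print(name, classify_owner(globals()[name]))
```

The check is meant for a main wallet address; token accounts are normally owned by a token program rather than the System Program.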
