Specter Links BONK DAO Attacker Addresses To Realms Founder Exposure


Onchain analyst Specter alleged onchain exposure between attacker-linked addresses from the BONK DAO governance attack and wallets connected to the founder of Realms and crypto_notte, adding a new attribution layer to the Solana treasury-drain investigation.

The claim does not prove that either person carried out the attack. It points to wallet-level exposure, which can include direct transfers, shared counterparties, funding links or other onchain interactions. Specter framed the finding as part of a quick investigation into the governance attack, not as a completed attribution report.

The allegation lands less than a day after BonkDAO’s malicious governance proposal drained about $20 million from its treasury. The attacker used governance power rather than a direct smart-contract exploit, turning the DAO’s voting system into the route for the treasury transfer.

Realms Connection Raises Governance Questions

The Realms reference is sensitive because BonkDAO’s governance process ran through Solana’s Realms infrastructure. Realms is a Solana DAO governance platform used by onchain organizations to manage proposals, voting and treasury execution.

BonkDAO said the attack came through a malicious governance proposal, with an estimated $20 million in BONK drained from the treasury. The project also identified exchange wallets used to buy BONK ahead of the proposal and said it was working with exchanges, bridges, the Solana Foundation and law enforcement.

That structure keeps the investigation focused on voting power, token accumulation and proposal execution. It does not point to a base-chain failure or a conventional contract exploit. The attacker appears to have used token-weighted governance rules to pass a proposal that moved treasury assets.

Attribution Remains The Hardest Part

The new Specter thread shifts attention from the mechanics of the attack to wallet attribution. Exposure to attacker-linked addresses can help investigators build a map of funding paths and counterparties, but it is not the same as proof of control or culpability.

The unresolved question is whether the linked exposure reflects normal market activity, operational wallets, shared liquidity routes, or a stronger connection to the attacker’s funding and execution path. That distinction matters because governance attacks often involve exchange funding, wallet splitting, OTC movements and intermediary addresses that can create misleading proximity onchain.