Affected wallets were all confirmed to be either created or used in Slope mobile wallet apps.

Developers behind the Solana blockchain are saying the closed-source Slope wallet may be responsible for an ongoing exploit that has resulted in millions of dollars’ worth of crypto tokens being stolen from more than 9,000 hot wallets.

In the second day of the exploit that has caused at least $6 million in various tokens to be stolen from users of the Slope and Slope-tied Phantom wallets, the Twitter account run by the Solana Foundation is blaming the software of the wallets and not its own code for the attack.

“This does not appear to be a bug with Solana core code, but in software used by several software wallets popular among users of the network,” the network said in a tweet on Wednesday morning.

The stolen funds were drained from unsuspecting hot wallets, which are wallets whose keys are stored online as opposed to on a hardware device.

In a statement, Slope developers said "a cohort" of wallets was compromised, but the developers didn't confirm whether the private key storage practices may have been involved. A Slope representative told CoinDesk, "we are not storing any personal data on centralized server." (The representative would later admit that this was an incorrect statement.)

Phantom wallet developers, for their part, said they have "reason to believe the reported exploits are due to complications related to importing accounts to and from Slope."

Solana Labs CEO Anatoly Yakovenko initially tweeted that he suspected the hack could be linked to an Apple iOS supply chain issue, but has since narrowed the source to a Slope-related exploit.

A supply chain attack is when a bad actor inserts his or her own malicious code into the software of a larger system. An iOS supply chain attack, in this instance, would likely be an attacker accessing private keys by infiltrating internet-connected data.

Other developers on Twitter increasingly say they believe that Slope stored private keys as plain text on a centralized server, which was compromised by the attacker.

An on-chain sleuth would later reveal that Sentry, a third-party event logging platform connected to Slope, was doing just that.

Several users and organizations have taken to Twitter to collect information from victims of the exploit, though no sort of retribution plan has been laid out. The 9,000 drained wallets make up just a small fraction of the 25 million total Solana hot wallets in existence.