From Victim to Investigator: How One Scam Loss Turned Into a Full Blockchain Forensics Case

Umer Aziz — Mon, 22 Jun 2026 20:39:09 +0000

I Lost $20 to a Solana Scam. Then I Traced the $100K/Day Ring Behind It

From Victim to Investigator: How One Scam Loss Turned Into a Full Blockchain Forensics Case

TL;DR: I got scammed for $20 on a Solana memecoin. Instead of walking away, I traced the operation, identified a single operator running a $100K/day rug pull ring, and built a forensic tool to monitor their activity. Here's exactly how I did it.

The Scam

It started like every other memecoin play. I saw a token called ANTI-GRAVITY (AGRACING) pumping on DexScreener. The chart looked good. The community seemed active. I threw in $20 worth of SOL.

Two hours later, the liquidity vanished. The token was worthless. Classic rug pull.

Most people stop there. I didn't.

Step 1: Identifying the Scammer's Wallet

Every transaction on Solana is public. I pulled up the token's page on Solscan and found the creator wallet:

Scammer Wallet: 6GuAKzmZeiF9JckodyDCPXLUWPfFB9ehy35unCh7Swh4

I traced every transaction this wallet made. Within minutes, I noticed something: all the extracted SOL went to one central wallet.

Step 2: Finding the Hub

The scammer wasn't keeping the money in the creator wallet. They were consolidating it. Following the money trail, I found the master hub wallet:

Hub Wallet: DyaESzDfBLtbvKz7iM5Th6nsbsGSpjt5NLXuieigRcZX

This wallet was receiving massive amounts of SOL — 100 to 165 SOL per transaction — from multiple creator wallets. But it wasn't just receiving. It was also distributing funds to new wallets.

Step 3: The Bot Signature

Digging deeper into the hub's transactions, I found something bizarre. Every few transactions, the hub sent exactly 20.996123 SOL to another wallet:

Bot Wallet: 8cxba3FWd27P1fezJAujggnUd9rGc8hFXSR9EJK2WfeA

Not 20.99. Not 21.00. 20.996123 — to the 6th decimal. Every single time.

This isn't human behavior. This is a hardcoded value in a script. The bot was automatically executing liquidity removal or token sales at a fixed amount.

Step 4: Mapping the Network

I spent the next few hours tracing every wallet connected to the hub. The pattern became clear:

Hub wallet funds a new creator wallet (113-142 SOL)
Creator wallet launches a token on Pump.fun
Victims buy in
Creator extracts liquidity and sends it back to hub
Hub sends 20.996123 SOL to bot (automated cut)
Hub funds next creator wallet
Repeat

I identified 9 creator wallets in the network, each launching 1-2 tokens before being abandoned:

Creator Wallet	Known Token	Funding Received
`3n7XYTpdCu8KUbN574VRrAeteS7DG5zrBFpPtMycFhLK`	CatchCat #1	114.33 SOL
`4xTBVCzBapp83aRuBszkc42PVmV672zM4nNCETztvLkK`	CatchCat #2	121.73 SOL
`CKCwDNmbktewUwS1XTszQiFWBJNZD2og5xwyb8zQbkt`	Unknown	142.85 SOL
`7qqtdEf5VSvNWSYyyXFiRiLMoZWQN1XqcYGLxuDuT1hU`	Unknown	116.16 SOL
`cfM7zFfCWADmrwDvRtziFNnswk8g2f7TVTB2U93Lz3f`	Unknown	119.65 SOL
`CnHnEPpY4nQ6mzkDT1if36UhhBD71aU3G63845UhSDU5`	FIDGET	101.00 SOL
`8pQWvpxZkdJa5sjcSMK6Q5pGaApQ5Zb3eGU6BfSZiVmv`	Unknown	113.34 SOL
`A2w34GbXFSTMKTTT9mV8gibXiPhZQYKAWrhTymFZTGUv`	Unknown	116.07 SOL
`3gHDCqCnEQ5CiXNTJDnsHYr2NwAm926ZNvX4WAJvuqUC`	Unknown	114.46 SOL

Step 5: The Name-Squatting Trap

Here's where it gets clever. The operator launched multiple tokens with the same name but different mint addresses.

Example: "CatchCat"

Mint #1: 6jiiHkfD3zAd9XWHz1UDFfxtZu76cER6xYjifznyY8HP (RUGGED)
Mint #2: 9N4GQAukGxAsMZtaE7scE5McjUHYN7wsiL6aj6FCA5rN (RUGGED)

Why? Victim confusion. You search DexScreener for "CatchCat." You see one pumping. You buy the wrong mint. By the time you realize, the liquidity is gone.

This is deliberate, calculated deception.

Step 6: Financial Analysis

I ran the numbers:

Per token extraction: 100-142 SOL
Tokens per day: 10-20 (based on transaction frequency)
Daily revenue: 1,000-2,800 SOL
At $70/SOL: $70,000 - $200,000 per day
Operational cost: Negligible (fees are ~0.0001 SOL per transaction)

This is a $100K/day solo operation run by one person with a script.

Step 7: Why It's One Person (Not a Team)

The evidence points to a single operator:

Evidence	Interpretation
All activity in 2-hour window (13:00-15:00 local)	Single timezone, single operator
Exact same hardcoded amount everywhere	One script, one author
All creator wallets have ~10 transactions	Identical script template
No 24/7 activity	No shift rotation
Hub → Creator flow (not bidirectional)	Centralized control
Same naming patterns (CatchCat, FIDGET)	One person's taste
Bulk creation at same slot (20+ tokens)	One machine running a loop

A team would have variation. Different amounts. Different timing. Different styles. This is one person, one script, one machine.

Step 8: Building the Monitoring Tool

After mapping the network, I built a tool to monitor the hub in real-time. It's called hub_watcher.py — a Python-based blockchain forensics tool that:

Monitors the hub wallet for suspicious transactions
Detects hardcoded bot payments (the 20.996123 SOL signature)
Alerts on creator funding and hub-to-creator flows
NEW: Checks creator wallets for new token mints via Pump.fun and Token program analysis
Exports all alerts to JSON for reporting

GitHub Repo: github.com/Umer-Aziz/solana-scam-tracker

How the Token Mint Detection Works

When the hub funds a new creator wallet, the tool automatically:

Polls the creator's transaction history
Scans for interactions with the Pump.fun program (pAMMBay...)
Checks for Token program initializeMint instructions
Extracts the new token mint address from transaction metadata
Alerts with the mint address for further investigation

This links the entire chain: Hub → Creator → Token Mint — all automated.

Key Wallets (For Transparency)

Role	Address
Master Hub	`DyaESzDfBLtbvKz7iM5Th6nsbsGSpjt5NLXuieigRcZX`
Sell Bot	`8cxba3FWd27P1fezJAujggnUd9rGc8hFXSR9EJK2WfeA`
Original Scammer	`6GuAKzmZeiF9JckodyDCPXLUWPfFB9ehy35unCh7Swh4`
AGRACING Token	`DpNr3hZuoCjFubaPePLzKtwoJBR4ZNw6mUkdvPHErd9Y`

All data is from public blockchain records. No private information was accessed.

What I Learned

Blockchain forensics is pattern recognition. Hardcoded amounts, predictable timing, and reused wallets are operational security failures.
On-chain data is permanent. Every transaction, every wallet, every token is recorded forever. Scammers can't hide.
Solo operators are vulnerable. One person with one script leaves one fingerprint. Teams have variation.
The $20 was tuition. I paid $20 to learn skills that are worth thousands in the cybersecurity industry.

The Tool

If you want to monitor this network yourself or adapt the tool for other investigations:

git clone https://github.com/Umer-Aziz/solana-scam-tracker.git
cd solana-scam-tracker
pip install -r requirements.txt
python hub_watcher.py --hub DyaESzDfBLtbvKz7iM5Th6nsbsGSpjt5NLXuieigRcZX

The tool is open-source, MIT licensed, and actively maintained.

What's Next

I'm currently working on:

Discord/Telegram webhook alerts for real-time notifications
DexScreener API integration for liquidity monitoring
Machine learning anomaly detection for identifying new scam patterns
Multi-hub clustering to track multiple operations simultaneously

About Me

I'm Umer Aziz — MSc Cybersecurity, BSc Software Engineering. I build security tools, investigate blockchain fraud, and research AI security. Currently open to opportunities in cybersecurity.

LinkedIn: linkedin.com/in/umer-aziz-b13b841b2
GitHub: github.com/Umer-Aziz
Repo: github.com/Umer-Aziz/solana-scam-tracker

If you found this useful, share it. If you know someone who got scammed, show them how to trace it. Knowledge is the only weapon against these operations.

DEV Community: Umer Aziz

From Victim to Investigator: How One Scam Loss Turned Into a Full Blockchain Forensics Case

I Lost $20 to a Solana Scam. Then I Traced the $100K/Day Ring Behind It