Every product has an origin story. Ours starts with the founder getting drained for $7.95 on a Sunday afternoon in a Discord server he thought he could trust.
Two months later, that $7.95 lesson turned into the first entry of a crypto scam database. Four months later, it turned into a multi-chain AML platform. Today it powers ChainAnalyzer, covers 9 blockchains (8 live for self-serve, BNB Smart Chain on Enterprise rollout) with 76+ detection rules, an MCP server on the official registry, an x402 pay-per-call API listed on x402scan, and is being used in enterprise-grade transaction monitoring for Japanese stablecoin operators.
This is the full story of how that happened — and why it matters.
The Drain — 2026-02-09, 14:28 UTC
I was in the Orynth Discord. Regular member, followed the project for months.
A post appeared in the #FCFS channel from an account with ORY admin badge. First-come-first-served airdrop. Link to solland.cc. That redirected to hibit.app. Big "Claim" button. Connect wallet → sign → done.
Except "done" meant "your SOL just went to the drainer."
| Detail | Value |
|---|---|
| Loss | 0.093668917 SOL (~$7.95) |
| Attack method | System Program Transfer disguised as a Claim |
| Drainer address | 7kMpieh2THdaC5eUvxFJDL3TdsQWVQCwdhsEjLj1eL26 |
| Domains | solland.cc, hibit.app |
| Entry point | Compromised ORY admin account on Discord |
| Transaction | Solscan |
The punchline isn't the loss — it's that I fell for it because the account had the admin badge. Authority-based trust, weaponized. If I could fall for it after years in crypto, anyone could.
What I Did the Next 48 Hours
Instead of posting a warning on Twitter and moving on, I dug in.
I traced the drainer wallet. It had been funded via FixedFloat (KYC-free exchange) and was laundering via Jupiter swap (SOL → USDT) before moving everything back out through FixedFloat. Within hours of my drain, the same wallet hit multiple other victims with Flip.gg and "FREE Spins" lures. It had stolen $3,700+ in total (at least 3,640 USDT and 0.67 SOL) from dozens of victims over the prior two weeks.
This wasn't an opportunist. It was a pipeline:
```mermaid
flowchart LR
    FF[FixedFloat<br/>KYC-free exchange] -->|SOL funding| D[Drainer Wallet<br/>7kMpieh2TH...j1eL26]
    C[Compromised Orynth<br/>admin account] -->|posts solland.cc| V[Victim — me]
    V -->|signs tx| D
    D -->|Jupiter swap| U[USDT]
    U -->|withdrawal| FF
```
Same pattern, industrialized. That's when I realized: the problem wasn't "I made a mistake." The problem was that no tool existed that would have caught this before I signed.
Existing scanners could tell you if a token was a rug. None of them could tell you "hey, this address you're about to send SOL to has already drained 40 people this week."
ScamDB Entry #1
Before I wrote a single line of UI code, I started a JSON file called scamdb.json. The first entry:
```json
{
  "id": "SCAM-001",
  "drainer_address": "7kMpieh2THdaC5eUvxFJDL3TdsQWVQCwdhsEjLj1eL26",
  "domains": ["solland.cc", "hibit.app"],
  "method": "FCFS airdrop phishing → System Program Transfer",
  "source": "Orynth Discord (compromised admin account)",
  "reported_at": "2026-02-09T14:28:33Z",
  "reported_by": "ChainAnalyzer founder (firsthand victim)",
  "drainer_profile": {
    "total_stolen": "$3,700+",
    "assets": "3,640 USDT + 0.67 SOL",
    "laundering": "Jupiter (SOL→USDT) + FixedFloat withdrawal",
    "funded_by": "FixedFloat Exchange (KYC-free)"
  }
}
```
That entry still lives in the production ScamDB today. And it's still the index-1 row in our database. Every scan that ChainAnalyzer does checks against this and ~100+ other curated entries, plus OFAC SDN, Chainabuse, CryptoScamDB, GoPlus, and community reports.
The $7.95 is the most valuable $7.95 I've ever spent.
From TokenForge to ChainAnalyzer
The consumer product we shipped in February 2026 was called TokenForge. Solana-only, 14 detection rules, one-click scan of any mint address or wallet. No login required. Free.
Two weeks in, something unexpected happened: a friend was investigating an Avalanche address and asked if I could scan it. I didn't have EVM support yet. He showed me what he was seeing — fake Cyrillic UЅDT tokens being spammed at legitimate wallets, looking pixel-identical to real USDT in every wallet UI.
I added Avalanche support. Then Ethereum. Then Polygon. Bitcoin later.
Then I pointed the scanner at that Avalanche address. It flagged CRITICAL with 20 detections. I turned on Follow Mode — a graph exploration feature I'd just shipped — and let it crawl the transaction graph.
Fourteen wallets became fifty. Fifty became two hundred and sixty-four. Together they moved $5.3M across three chains. Every one of them funded by a single upstream wallet I nicknamed "Master Funder." (Full investigation writeup →)
That's when I realized what I was actually building. Not "a consumer scam scanner." An AML-grade investigation platform for the retail Web3 era.
In March 2026, we rebranded to ChainAnalyzer and pivoted toward enterprise AML:
- Multi-chain support (9 chains supported, 8 live for self-serve, BNB Smart Chain on Enterprise rollout, 76+ detectors)
- Bitcoin coverage that most Chainalysis-style competitors deprioritize
- ML anomaly scoring (Isolation Forest + Autoencoder + GraphSAGE ensemble)
- Neo4j graph analysis for fund flow reconstruction
- PDF compliance reports for Japanese regulatory hand-off
- REST API + MCP server + x402 micropayments (listed on x402scan)
What Changed Between TokenForge and ChainAnalyzer
| | TokenForge (2026-02) | ChainAnalyzer (2026-04) |
|---|---|---|
| Chains | Solana only | 9 supported (BTC, ETH, POL, BASE, ARB, OP, AVAX, SOL live + BSC Enterprise rollout) |
| Detection rules | 14 | 76+ |
| OSINT | Our ScamDB | ScamDB + OFAC + Chainabuse + GoPlus + Reddit |
| ML | None | 3-model ensemble |
| Audience | Retail Solana traders | Exchanges, compliance teams, law enforcement |
| Differentiator | Fill Solana OSINT gap | $5.3M network discovery, JPYC stablecoin AML coverage, native Japanese-language compliance UX |
| Interfaces | Web UI only | Web UI + REST API + MCP + x402 + PDF reports |
What stayed the same: every feature is still exercised against the kind of attack that cost me $7.95.
Lessons I Wish Someone Had Told Me
1. Admin badges mean nothing. Discord/Telegram admins get their accounts taken over constantly. Treat a post in your favorite project's server the same way you'd treat a cold DM from a stranger.
2. "Connect wallet" is not a safe operation. The moment you approve a transaction, you've taken an action with financial consequences. Read what you're signing. If you can't read what you're signing, don't sign.
3. Address-first verification. Before sending anything, scan the destination address in a tool like ChainAnalyzer. If it's been reported, you'll know. If it shows graph proximity to known drainers, you'll know. Takes three seconds.
4. FCFS airdrops are always scams. Real projects don't panic people into signing instantly. The urgency is the tell.
5. Post-mortem immediately. When you lose money, trace what happened on-chain before you spiral emotionally. Understand the attack. That understanding is more valuable than the money you lost.
Where We Are Today
ChainAnalyzer now:
- Processes scans across 9 chains (8 live for self-serve, BNB Smart Chain on Enterprise rollout)
- Runs on Azure Japan East, FISC-aligned hosting
- Has an MCP server on npm and the official MCP registry, callable from Claude Desktop / Claude Code / ChatGPT / Gemini / Cursor
- Supports pay-per-request via x402 USDC on Base or Solana — $0.003 to $0.05 per call, no API key, no subscription, listed on x402scan
- Ships a JPYC-specific compliance suite for Japanese stablecoin issuers and handlers
All from a $7.95 drain two months ago.
What's Next
Two things pulling me forward:
1. The $5.3M network is still growing. Since our February report, the Master Funder has disbursed another 49,441 AVAX (~$1.24M) to 854 new destination addresses. The ETH collector has received $16.8M USDT from 1,450 senders in two months. These aren't numbers — they're 1,450 real people whose TX history got polluted hoping they'd copy the wrong address. Read the follow-up investigation.
2. AI agents are about to do this at scale. With MCP + x402, any autonomous agent can now screen addresses before signing. The attack vector I fell for — copy-paste from history — becomes impossible if the agent runs check_address_risk first. This is the biggest single leverage point for retail Web3 safety in years, and ChainAnalyzer is one of the first AML tools wired up to it.
Try It
- Scan an address for free: https://chain-analyzer.com
- Look up the ScamDB (public, no API key): https://chain-analyzer.com/scamdb
- MCP server: `npx chainanalyzer-mcp`
- REST API: https://chain-analyzer.com/en/docs/api
- x402 endpoints: https://chain-analyzer.com/en/docs/x402
If you've been drained, reach out. Send me the TX. I'll add the drainer to ScamDB. The next person who tries to send to that address will get a CRITICAL flag. That's the whole point.
One person's $7.95 lesson becomes another person's saved $50,000.
refinancier, inc. is a Tokyo-based fintech company. We operate ChainAnalyzer, a multi-chain AML & security intelligence platform. Contact: https://chain-analyzer.com/en/contact_us