I Lost $20 to a Solana Scam. Then I Traced the $100K/Day Ring Behind It
From Victim to Investigator: How One Scam Loss Turned Into a Full Blockchain Forensics Case
TL;DR: I got scammed for $20 on a Solana memecoin. Instead of walking away, I traced the operation, identified a single operator running a $100K/day rug pull ring, and built a forensic tool to monitor their activity. Here's exactly how I did it.
The Scam
It started like every other memecoin play. I saw a token called ANTI-GRAVITY (AGRACING) pumping on DexScreener. The chart looked good. The community seemed active. I threw in $20 worth of SOL.
Two hours later, the liquidity vanished. The token was worthless. Classic rug pull.
Most people stop there. I didn't.
Step 1: Identifying the Scammer's Wallet
Every transaction on Solana is public. I pulled up the token's page on Solscan and found the creator wallet:
Scammer Wallet: 6GuAKzmZeiF9JckodyDCPXLUWPfFB9ehy35unCh7Swh4
I traced every transaction this wallet made. Within minutes, I noticed something: all the extracted SOL went to one central wallet.
Step 2: Finding the Hub
The scammer wasn't keeping the money in the creator wallet. They were consolidating it. Following the money trail, I found the master hub wallet:
Hub Wallet: DyaESzDfBLtbvKz7iM5Th6nsbsGSpjt5NLXuieigRcZX
This wallet was receiving massive amounts of SOL — 100 to 165 SOL per transaction — from multiple creator wallets. But it wasn't just receiving. It was also distributing funds to new wallets.
Step 3: The Bot Signature
Digging deeper into the hub's transactions, I found something bizarre. Every few transactions, the hub sent exactly 20.996123 SOL to another wallet:
Bot Wallet: 8cxba3FWd27P1fezJAujggnUd9rGc8hFXSR9EJK2WfeA
Not 20.99. Not 21.00. 20.996123 — to the 6th decimal. Every single time.
This isn't human behavior. This is a hardcoded value in a script. The bot was automatically executing liquidity removal or token sales at a fixed amount.
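The signature above can be found without knowing the value in advance. The sketch below is an added example, not code from the hub_watcher.py repo: it counts exact-lamport amounts a source wallet keeps sending and ignores round ones. The transfer records, the placeholder labels (HUB, BOT, CREATOR_*) and the 0.01 SOL "round amount" cut-off are assumptions made for illustration.

```python
from collections import Counter
from decimal import Decimal

LAMPORTS_PER_SOL = 1_000_000_000   # 1 SOL = 10^9 lamports
ROUND_STEP = 10_000_000            # 0.01 SOL; assumed cut-off for hand-typed amounts

def to_lamports(sol: str) -> int:
    """Convert a decimal SOL string to integer lamports without float rounding."""
    return int(Decimal(sol) * LAMPORTS_PER_SOL)

def find_fixed_amount_signatures(transfers, source, min_repeats=3):
    """Map (destination, lamports) -> count for exact amounts `source` keeps sending.

    Whole multiples of ROUND_STEP are skipped: a person can plausibly send
    1 SOL three times, but not 20.996123 SOL.
    """
    counts = Counter(
        (t["to"], t["lamports"]) for t in transfers if t["from"] == source
    )
    return {
        key: n for key, n in counts.items()
        if n >= min_repeats and key[1] % ROUND_STEP != 0
    }

def tx(src, dst, sol):
    """Build one constructed transfer record."""
    return {"from": src, "to": dst, "lamports": to_lamports(sol)}

# Constructed sample; HUB, BOT, OTHER and CREATOR_* are placeholder labels.
SAMPLE = [
    tx("HUB", "CREATOR_A", "114.33"),
    tx("HUB", "BOT", "20.996123"),
    tx("CREATOR_A", "HUB", "130.5"),
    tx("HUB", "OTHER", "1"),
    tx("HUB", "BOT", "20.996123"),
    tx("HUB", "CREATOR_B", "121.73"),
    tx("HUB", "OTHER", "1"),
    tx("HUB", "BOT", "20.996123"),
    tx("HUB", "OTHER", "1"),
]

if __name__ == "__main__":
    for (dst, lamports), n in find_fixed_amount_signatures(SAMPLE, "HUB").items():
        print(f"{dst}: {Decimal(lamports) / LAMPORTS_PER_SOL} SOL x{n}")
```

Comparing integer lamports rather than floating-point SOL is what makes "exact to the 6th decimal" a reliable match.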
Step 4: Mapping the Network
I spent the next few hours tracing every wallet connected to the hub. The pattern became clear:
- Hub wallet funds a new creator wallet (113-142 SOL)
- Creator wallet launches a token on Pump.fun
- Victims buy in
- Creator extracts liquidity and sends it back to hub
- Hub sends 20.996123 SOL to bot (automated cut)
- Hub funds next creator wallet
- Repeat
I identified 9 creator wallets in the network, each launching 1-2 tokens before being abandoned:
| Creator Wallet | Known Token | Funding Received |
|---|---|---|
| 3n7XYTpdCu8KUbN574VRrAeteS7DG5zrBFpPtMycFhLK | CatchCat #1 | 114.33 SOL |
| 4xTBVCzBapp83aRuBszkc42PVmV672zM4nNCETztvLkK | CatchCat #2 | 121.73 SOL |
| CKCwDNmbktewUwS1XTszQiFWBJNZD2og5xwyb8zQbkt | Unknown | 142.85 SOL |
| 7qqtdEf5VSvNWSYyyXFiRiLMoZWQN1XqcYGLxuDuT1hU | Unknown | 116.16 SOL |
| cfM7zFfCWADmrwDvRtziFNnswk8g2f7TVTB2U93Lz3f | Unknown | 119.65 SOL |
| CnHnEPpY4nQ6mzkDT1if36UhhBD71aU3G63845UhSDU5 | FIDGET | 101.00 SOL |
| 8pQWvpxZkdJa5sjcSMK6Q5pGaApQ5Zb3eGU6BfSZiVmv | Unknown | 113.34 SOL |
| A2w34GbXFSTMKTTT9mV8gibXiPhZQYKAWrhTymFZTGUv | Unknown | 116.07 SOL |
| 3gHDCqCnEQ5CiXNTJDnsHYr2NwAm926ZNvX4WAJvuqUC | Unknown | 114.46 SOL |
Step 5: The Name-Squatting Trap
Here's where it gets clever. The operator launched multiple tokens with the same name but different mint addresses.
Example: "CatchCat"
- Mint #1: 6jiiHkfD3zAd9XWHz1UDFfxtZu76cER6xYjifznyY8HP (RUGGED)
- Mint #2: 9N4GQAukGxAsMZtaE7scE5McjUHYN7wsiL6aj6FCA5rN (RUGGED)
Why? Victim confusion. You search DexScreener for "CatchCat." You see one pumping. You buy the wrong mint. By the time you realize, the liquidity is gone.
This is deliberate, calculated deception.
Step 6: Financial Analysis
I ran the numbers:
- Per token extraction: 100-142 SOL
- Tokens per day: 10-20 (based on transaction frequency)
- Daily revenue: 1,000-2,800 SOL
- At $70/SOL: $70,000 - $200,000 per day
- Operational cost: Negligible (fees are ~0.0001 SOL per transaction)
This is a $100K/day solo operation run by one person with a script.
Step 7: Why It's One Person (Not a Team)
The evidence points to a single operator:
| Evidence | Interpretation |
|---|---|
| All activity in 2-hour window (13:00-15:00 local) | Single timezone, single operator |
| Exact same hardcoded amount everywhere | One script, one author |
| All creator wallets have ~10 transactions | Identical script template |
| No 24/7 activity | No shift rotation |
| Hub → Creator flow (not bidirectional) | Centralized control |
| Same naming patterns (CatchCat, FIDGET) | One person's taste |
| Bulk creation at same slot (20+ tokens) | One machine running a loop |
A team would have variation. Different amounts. Different timing. Different styles. This is one person, one script, one machine.
Step 8: Building the Monitoring Tool
After mapping the network, I built a tool to monitor the hub in real-time. It's called hub_watcher.py — a Python-based blockchain forensics tool that:
- Monitors the hub wallet for suspicious transactions
- Detects hardcoded bot payments (the 20.996123 SOL signature)
- Alerts on creator funding and hub-to-creator flows
- NEW: Checks creator wallets for new token mints via Pump.fun and Token program analysis
- Exports all alerts to JSON for reporting
GitHub Repo: github.com/Umer-Aziz/solana-scam-tracker
How the Token Mint Detection Works
When the hub funds a new creator wallet, the tool automatically:
- Polls the creator's transaction history
- Scans for interactions with the Pump.fun program (`pAMMBay...`)
- Checks for Token program `initializeMint` instructions
- Alerts with the mint address for further investigation
This links the entire chain: Hub → Creator → Token Mint — all automated.
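One way to do the mint-extraction step, as an added example that is not taken from the repo: it walks a `getTransaction` response in `jsonParsed` encoding, including inner (CPI) instructions, and collects mints initialized by the SPL Token program. Also matching `initializeMint2`, the `LAUNCHPAD` placeholder id (the page elides the Pump.fun program id, so it is not filled in here) and the sample transaction are assumptions.

```python
# SPL Token program id (real). LAUNCHPAD is a constructed placeholder, not Pump.fun's id.
TOKEN_PROGRAM_ID = "TokenkegQfeZyiNwAJbNbGKPFXCWuBvf9Ss623VQ5DA"
LAUNCHPAD = "LaunchpadProgramPlaceholder"
MINT_INIT_TYPES = {"initializeMint", "initializeMint2"}

def iter_instructions(tx):
    """Yield top-level instructions, then inner (CPI) ones from meta."""
    yield from tx["transaction"]["message"]["instructions"]
    for group in (tx.get("meta") or {}).get("innerInstructions") or []:
        yield from group["instructions"]

def extract_new_mints(tx, launchpad_program_id=None):
    """Return mint addresses initialized by a jsonParsed transaction."""
    if (tx.get("meta") or {}).get("err") is not None:
        return []  # a failed transaction created nothing
    instructions = list(iter_instructions(tx))
    if launchpad_program_id and not any(
        ix.get("programId") == launchpad_program_id for ix in instructions
    ):
        return []  # caller only wants mints created through the launchpad
    mints = []
    for ix in instructions:
        parsed = ix.get("parsed")
        # Unparsed instructions have no "parsed"; some programs parse to a string.
        if ix.get("programId") != TOKEN_PROGRAM_ID or not isinstance(parsed, dict):
            continue
        if parsed.get("type") in MINT_INIT_TYPES:
            mint = parsed.get("info", {}).get("mint")
            if mint and mint not in mints:
                mints.append(mint)
    return mints

# Constructed sample shaped like a getTransaction response (encoding=jsonParsed).
SAMPLE_TX = {
    "meta": {"err": None, "innerInstructions": [{"index": 0, "instructions": [
        {"program": "system", "programId": "11111111111111111111111111111111",
         "parsed": {"type": "createAccount", "info": {"newAccount": "MintPlaceholderA"}}},
        {"program": "spl-token", "programId": TOKEN_PROGRAM_ID,
         "parsed": {"type": "initializeMint2", "info": {
             "mint": "MintPlaceholderA", "decimals": 6, "mintAuthority": "AuthPlaceholder"}}},
    ]}]},
    "transaction": {"message": {"instructions": [
        {"programId": LAUNCHPAD, "accounts": ["CreatorPlaceholder"], "data": "placeholder"},
    ]}},
}
FAILED_TX = {**SAMPLE_TX, "meta": {**SAMPLE_TX["meta"], "err": {"InstructionError": [0, {"Custom": 1}]}}}

if __name__ == "__main__":
    print(extract_new_mints(SAMPLE_TX, LAUNCHPAD))
```

Scanning only top-level instructions would miss this mint, because the launchpad program creates it through a cross-program invocation recorded under `meta.innerInstructions`.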
Key Wallets (For Transparency)
| Role | Address |
|---|---|
| Master Hub | DyaESzDfBLtbvKz7iM5Th6nsbsGSpjt5NLXuieigRcZX |
| Sell Bot | 8cxba3FWd27P1fezJAujggnUd9rGc8hFXSR9EJK2WfeA |
| Original Scammer | 6GuAKzmZeiF9JckodyDCPXLUWPfFB9ehy35unCh7Swh4 |
| AGRACING Token | DpNr3hZuoCjFubaPePLzKtwoJBR4ZNw6mUkdvPHErd9Y |
All data is from public blockchain records. No private information was accessed.
What I Learned
Blockchain forensics is pattern recognition. Hardcoded amounts, predictable timing, and reused wallets are operational security failures.
On-chain data is permanent. Every transaction, every wallet, every token is recorded forever. Scammers can't hide.
Solo operators are vulnerable. One person with one script leaves one fingerprint. Teams have variation.
The $20 was tuition. I paid $20 to learn skills that are worth thousands in the cybersecurity industry.
The Tool
If you want to monitor this network yourself or adapt the tool for other investigations:
```bash
git clone https://github.com/Umer-Aziz/solana-scam-tracker.git
cd solana-scam-tracker
pip install -r requirements.txt
python hub_watcher.py --hub DyaESzDfBLtbvKz7iM5Th6nsbsGSpjt5NLXuieigRcZX
```
The tool is open-source, MIT licensed, and actively maintained.
What's Next
I'm currently working on:
- Discord/Telegram webhook alerts for real-time notifications
- DexScreener API integration for liquidity monitoring
- Machine learning anomaly detection for identifying new scam patterns
- Multi-hub clustering to track multiple operations simultaneously
About Me
I'm Umer Aziz — MSc Cybersecurity, BSc Software Engineering. I build security tools, investigate blockchain fraud, and research AI security. Currently open to opportunities in cybersecurity.
- LinkedIn: linkedin.com/in/umer-aziz-b13b841b2
- GitHub: github.com/Umer-Aziz
- Repo: github.com/Umer-Aziz/solana-scam-tracker
If you found this useful, share it. If you know someone who got scammed, show them how to trace it. Knowledge is the only weapon against these operations.