On the evening of May 13, 2024, the CertiK team detected a suspicious address on the Solana chain: 9ZmcRsXnoqE47NfGxBrWKSXtpy8zzKR847BWz6EswEaU (hereinafter referred to as "Xiaojiu").

From May 12 to 13, Xiaojiu initiated about 64 rug pulls (exit scams) on the chain, one every few minutes. In less than 24 hours, Xiaojiu lost a total of 272 SOL, worth about $45,900.

01. High investment and low return: Uncovering Xiaojiu’s operating methods

So how did Xiaojiu do it? Take the last meme token Xiaojiu deployed, TWS, as an example. At 4:05 UTC on May 13, Xiaojiu minted 99,999,999 TWS. At 13:18, Xiaojiu deployed a TWS/SOL liquidity pool on Raydium and injected 98,999,999.99 TWS and 1 SOL; then he immediately used 4 SOL to pump the price.

At 13:22, 4 minutes later, Xiaojiu exchanged 80,160,319.64 TWS for 0.018 SOL and left the market. Such transactions occurred every few minutes, and Xiaojiu always had "high investment and low return": investing 5 to 10 SOL in each pool and getting back far less SOL than the cost. The loss rate of nearly half of the transactions was over 90%.

From the transaction records, it is not difficult to see that Xiaojiu did it on purpose, because every operation, even the number of tokens operated, was exactly the same.
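The pattern described above (short-lived pools, losses over 90%, identical token amounts) can be turned into a simple screening rule. The following is an added example, not CertiK's tooling: the `PoolRun` record, the thresholds and the `DEPLOYER_*` labels are assumptions, the TWS row uses the figures quoted above, and the other rows are constructed.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

@dataclass
class PoolRun:
    deployer: str
    token: str
    opened: datetime     # liquidity added
    closed: datetime     # deployer's exit swap
    tokens_added: float  # tokens seeded into the pool
    sol_in: float        # SOL seeded plus SOL spent pumping the price
    sol_out: float       # SOL received on exit

    @property
    def lifetime_min(self):
        return (self.closed - self.opened).total_seconds() / 60

    @property
    def loss_rate(self):
        return 1 - self.sol_out / self.sol_in

def scripted_deployers(runs, max_minutes=5, min_loss=0.9, min_repeats=3):
    """Deployers that repeat the same seed amount in short-lived, heavily loss-making pools."""
    hits = Counter()
    for r in runs:
        if r.lifetime_min <= max_minutes and r.loss_rate >= min_loss:
            hits[(r.deployer, r.tokens_added)] += 1
    return sorted({d for (d, _), n in hits.items() if n >= min_repeats})

def t(hhmm):
    return datetime.strptime("2024-05-13 " + hhmm, "%Y-%m-%d %H:%M")

# TWS row: figures from the article. All other rows are constructed.
RUNS = [
    PoolRun("DEPLOYER_A", "TWS", t("13:18"), t("13:22"), 98_999_999.99, 5.0, 0.018),
    PoolRun("DEPLOYER_A", "AAA", t("13:30"), t("13:34"), 98_999_999.99, 6.0, 0.02),
    PoolRun("DEPLOYER_A", "BBB", t("13:41"), t("13:44"), 98_999_999.99, 5.0, 0.3),
    PoolRun("DEPLOYER_B", "CCC", t("09:00"), t("15:00"), 500_000_000.0, 10.0, 12.0),
]

if __name__ == "__main__":
    for r in RUNS:
        print(r.token, f"{r.lifetime_min:.0f} min", f"loss {r.loss_rate:.2%}")
    print("flagged:", scripted_deployers(RUNS))
```
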

02. Funding puzzle: Who is profiting from it?

If Xiaojiu is losing money, then who is making money?

Tracking Xiaojiu's "Transaction Flow"

In order to find the answer, we first counted and analyzed all of Xiaojiu's transfers and obtained a "transaction flow". In this flow, we found the address where Xiaojiu's funds mainly flowed:

6kt6xT6nZGGmPzJPrQtKPqNrdj5CoiVCuD2xuGQvxJ5Q(Xiaoliu)

A1bQt2v8NUi3DghZRu8cC6LcpdXHPURDKkrV6v9mCtVC(A1)

Operating account: Xiaoliu

Xiaoliu is the main destination of Xiaojiu's funds and has received about 272 SOL from Xiaojiu. However, Xiaoliu is Xiaojiu's own sub-account (a SOL token account). Xiaojiu uses Xiaoliu to add liquidity to the meme pools and to inflate trading volume.

The following figure shows a transaction between Xiaoliu and Xiaojiu. Xiaojiu initiated the transaction (adding liquidity to the pool), paid through Xiaoliu, and had the LP tokens minted to another address (5eHgh9QnFTnRQYnCHoc3fzfW6rztkq5GjsuLYpDvDBSa). According to the chain analysis, this 5eHgh was also created by Xiaojiu and was only used to temporarily hold LP tokens. After the corresponding meme was rug-pulled, 5eHgh was also destroyed.

Successor: A1

A1 is the second largest address for capital inflow and is also quite special. A1 is Xiaojiu's successor, and Xiaojiu's last transaction on the chain was sent to A1. A1 not only inherited Xiaojiu's 6.4 SOL, but also inherited Xiaojiu's career. From May 13 to 15, A1 continued to create rug pulls on the chain (a total of 83).

Similarly, through repeated transaction analysis, we found A1's sub-account, its next successor, and its next successor...the next successor.

03. Relay game: We are all in the same group

According to CertiK’s tracking, the relay order of rug pullers is as follows:

By comparing the counterparties and fund flows of the above addresses, we found more interesting things. There are 70 addresses that have fund transactions with multiple rug puller addresses at the same time. Among them, we identified two major addresses:

EZBbaxg7YqWo3XMAsTThZJEmTC9Dv78F5aB9srvsCtJg(E)

D3s8Zf1zh8R98JBU9Fw4K8fViv1DDzCmoPbNTmJwXKbD(D3)
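The counterparty comparison described above can be sketched as follows. This is an added example, not CertiK's code: the function name, the `RP*` and other labels and all transfer rows are constructed, and transfers are assumed to be already resolved from token sub-accounts to their owner addresses.

```python
from collections import defaultdict

def shared_counterparties(transfers, rug_pullers, min_links=2):
    """Rank outside addresses that moved SOL with at least min_links rug-puller addresses.

    transfers: iterable of (source, destination, sol_amount).
    Returns (address, rug_pullers_touched, total_sol) sorted by volume, largest first.
    """
    links = defaultdict(set)     # counterparty -> rug pullers it transacted with
    volume = defaultdict(float)  # counterparty -> SOL moved with them, both directions
    for src, dst, sol in transfers:
        for rp, other in ((src, dst), (dst, src)):
            # Hand-offs between two rug pullers (the relay) are not counterparties.
            if rp in rug_pullers and other not in rug_pullers:
                links[other].add(rp)
                volume[other] += sol
    rows = [(a, len(links[a]), round(volume[a], 2))
            for a in links if len(links[a]) >= min_links]
    return sorted(rows, key=lambda r: (-r[2], r[0]))

# Constructed sample: RP1 -> RP2 -> RP3 is a relay of rug-puller addresses.
RUG_PULLERS = {"RP1", "RP2", "RP3"}
TRANSFERS = [
    ("RP1", "RP2", 6.4),        # successor hand-off, ignored
    ("RP1", "COLLECT", 40.0),   # sweeps into one collection address
    ("RP2", "COLLECT", 55.5),
    ("RP3", "COLLECT", 30.0),
    ("RP1", "TRADER", 10.0),    # volume-building address funded by RP1 ...
    ("TRADER", "RP2", 8.0),     # ... that returns proceeds to other rug pullers
    ("TRADER", "RP3", 3.5),
    ("RP2", "ONEOFF", 2.0),     # touches a single rug puller only
    ("BOT", "POOL", 1.3),       # unrelated transfer
]

if __name__ == "__main__":
    for addr, n, sol in shared_counterparties(TRANSFERS, RUG_PULLERS):
        print(f"{addr}: linked to {n} rug pullers, {sol} SOL")
```
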

Behind the scenes winner: E

E is the second largest address in terms of transaction volume, with 110.88 SOL in funds exchanged with the rug pullers mentioned above. According to on-chain data analysis, E has participated in a large number of the rug pullers' meme scams and profited from the transactions. One of the memes E recently participated in was Pepe Trump, which earned him $48 (source: dexscreener). Similarly, E has conducted about 50,000 meme transactions recently. According to its transaction volume, E has made a profit of about $10,000.

How does E ensure its profits? Every time the rug puller deploys new coins, it mints a portion of the initial tokens to E, who then distributes them. Through frequent transactions, E and the receiving addresses together increase the transaction volume of the meme in a short period of time, and finally dump on the market collectively.

After E made money, he returned the money to the rug puller. According to statistics, as of the time of writing this article, E has transferred a total of 41 SOL (about $7,000) to the rug puller address.

There are at least 70 transaction addresses like E. To this day, they are still trading the newly launched meme scams and building momentum for them.

Fund collection: D3

In addition, the address with the most transactions with rug pullers is D3, and the amount of transfers between it and the rug puller address mentioned above exceeds 140 SOL. According to the on-chain data analysis, we found that D3 is the fund collection address of rug pullers.

After receiving the money, D3 transferred it to the following three addresses in batches:

GGMcDYzUKFDsXGba6K6S2NoKdD8S4a6QDoEY47DSx65X(OKX)

HCR8ZrgDCVFQhoaFXR7PKpn9tPABa4rKscpMwoJTF9be(Bybit)

J97QXy94SfwzgWfi8Y625wkAANVqSwxyD7dzw9bd8X5Z(Staking + Investment)

Among them, G and H are both exchange addresses, and the money transferred to J is used for on-chain staking and investment.

It turns out that they are all in the same group, so Xiaojiu's address keeps creating liquidity, pumping the price, and then selling. They are just moving the money from the left pocket into the right pocket (all of it earned by their own people). In the end, everyone took the money away through the collection address. The specific flow of funds is shown in the figure below:

Victims: Meme Hunters

You may have noticed that among the addresses we mentioned earlier, there is one address that is continuously making money: E. Whose money is it making? It is the money of new coin investors (especially new coin bots). Take Pepe Trump mentioned above as an example: Pepe Trump's third largest holder (DaKf...9A9R) and fourth largest holder (6Md4...AKnW) bought 1.3 SOL and 0.5 SOL worth of tokens at 10:50 on May 29, respectively, but they were rugged before they could sell them. Of course, there are definitely more victims than these two, but their losses are more obvious.

About 10 seconds after they bought in, the address controlled by the rug puller began to sell in large quantities, and the price almost dropped to zero:

Through the analysis of on-chain data, we found that both victims frequently participated in new-listing trades of memes on the Solana chain, that is, buying memes in the early stage of the meme pool creation and then selling them at a high price. Among them, Da has made a profit of about 86 SOL through new listings in the past three months, and Pepe Trump is one of the few traps he has fallen into. Given that the rug pulls by Xiaojiu and its associated addresses in this article occur very quickly, usually within 5 minutes, we reasonably suspect that this is a scam specially customized for new-listing bots.

04. Conclusion

Through the analysis of the on-chain behavior and fund flows of Xiaojiu and other addresses, we discovered a well-planned and very targeted rug puller system. It has to be said that rug pullers also keep up with the trend and target the increasingly prosperous bot trading in the Solana ecosystem. From Xiaojiu's frequent losses, to the complex operations of related addresses, to fund collection and transfer, these addresses continue to create market illusions through mutual fund transfers to attract more investors to join.

To this day, Xiaojiu is still active. According to CertiK's continuous tracking, we continue to find new addresses associated with Xiaojiu. As of May 31, 2024, the gang has transferred a total of about 863 SOL, about $146,000, through the D3 address.

In order to more fully expose the operating methods of this type of rug puller and help users avoid risks, CertiK conducted an in-depth analysis of 10,000+ meme rug pulls on the Solana chain. If you want to learn more about how to identify rug pulls and other similar scams, and want to know more practical prevention tips, remember to stay tuned and see you next time!