Original author: CertiK

On the evening of May 13, 2024, the CertiK team detected a suspicious address on the Solana chain: 9ZmcRsXnoqE47NfGxBrWKSXtpy8zzKR847BWz6EswEaU (hereinafter referred to as “Xiaojiu”).

From May 12 to 13, Xiaojiu initiated about 64 rug pulls (exit scams) on the chain, one every few minutes. In less than 24 hours, Xiaojiu lost a total of 272 SOL, worth about $45,900.

01 High investment and low return: Uncovering Xiaojiu’s operating methods

So how did Xiaojiu do it? Let's take TWS, the last meme deployed by Xiaojiu, as an example. At 4:05 UTC on May 13, Xiaojiu minted 99,999,999 TWS. At 13:18, Xiaojiu deployed a TWS/SOL liquidity pool on Raydium, injecting 98,999,999.99 TWS and 1 SOL; then, he immediately used 4 SOL to pump the price.

At 13:22, 4 minutes later, Xiaojiu exchanged 80,160,319.64 TWS for 0.018 SOL and left the market. Such transactions occurred every few minutes, and Xiaojiu was consistently "high investment, low return": investing 5 to 10 SOL in each pool and getting back far less SOL than it cost. The loss rate on nearly half of the transactions was over 90%.

From the transaction records, it is not difficult to see that Xiaojiu did it on purpose, because every operation, even the number of tokens involved, was exactly the same.
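
The pattern described above can be turned into a screening heuristic. The sketch below is an added example, not CertiK's tooling: it flags a deployer whose pools live only minutes, are all seeded with the same token amount, and lose SOL. Only the TWS row uses figures from the article; the other rows, the labels deployer_X and normal_dev, and the thresholds are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

@dataclass
class PoolRun:
    deployer: str
    token: str
    opened: datetime      # liquidity pool created
    exited: datetime      # deployer's final sell
    sol_in: float         # SOL seeded into the pool plus SOL spent buying
    sol_out: float        # SOL received on exit
    tokens_seeded: float  # token amount placed in the pool

def t(hhmm):
    """Time of day on 2024-05-13 (UTC)."""
    return datetime.strptime("2024-05-13 " + hhmm, "%Y-%m-%d %H:%M")

# Constructed sample. Only the TWS row uses figures quoted in the article
# (1 SOL seeded + 4 SOL bought, 0.018 SOL out); everything else is made up.
RUNS = [
    PoolRun("deployer_X", "TWS", t("13:18"), t("13:22"), 5.0, 0.018, 98_999_999.99),
    PoolRun("deployer_X", "AAA", t("13:05"), t("13:09"), 6.0, 0.40, 98_999_999.99),
    PoolRun("deployer_X", "BBB", t("12:51"), t("12:56"), 5.0, 3.10, 98_999_999.99),
    PoolRun("normal_dev", "CCC", t("09:00"), t("18:30"), 20.0, 24.0, 1_000_000.0),
]

def profile_deployers(runs, max_minutes=5, min_pools=3):
    """Flag deployers with repeated, identically sized, minutes-long pools."""
    by_dep = defaultdict(list)
    for r in runs:
        by_dep[r.deployer].append(r)
    flagged = {}
    for dep, rs in by_dep.items():
        short = [r for r in rs
                 if (r.exited - r.opened).total_seconds() <= max_minutes * 60]
        same_size = len({r.tokens_seeded for r in rs}) == 1
        if len(short) < min_pools or not same_size:
            continue
        losses = [1 - r.sol_out / r.sol_in for r in short]
        flagged[dep] = {
            "pools": len(short),
            "heavy_loss_pools": sum(loss > 0.9 for loss in losses),
            "net_sol": round(sum(r.sol_out - r.sol_in for r in short), 3),
        }
    return flagged
```

A deployer that is flagged here while showing a negative net_sol is the cue to look for the profit at other addresses, which is the question the next section takes up.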

02 Funding puzzle: Who is profiting from it?

If Xiaojiu is losing money, then who is making money?

Tracking Xiaojiu's "Transaction Flow"

In order to find the answer, we first counted and analyzed all of Xiaojiu's transfers and obtained a "transaction flow". In this flow, we found the address where Xiaojiu's funds mainly flowed:

6kt6xT6nZGGmPzJPrQtKPqNrdj5CoiVCuD2xuGQvxJ5Q (Xiaoliu)

A1bQt2v8NUi3DghZRu8cC6LcpdXHPURDKkrV6v9mCtVC (A1)

Operating account: Xiaoliu

Xiaoliu is the main destination of Xiaojiu’s funds, and has received about 272 SOL from Xiaojiu. However, Xiaoliu is Xiaojiu’s sub-account (SOL Token Account). Xiaojiu uses Xiaoliu to add liquidity to the meme pools and to inflate trading volume.

The following figure shows a transaction between Xiaoliu and Xiaojiu. Xiaojiu initiated the transaction (adding liquidity to the pool), paid through Xiaoliu, and minted the LP token to another address (5eHgh9QnFTnRQYnCHoc3fzfW6rztkq5GjsuLYpDvDBSa). According to the chain analysis, this 5eHgh address was also created by Xiaojiu and was only used to temporarily hold LP tokens. After the corresponding meme was rug pulled, 5eHgh was also destroyed.

Successor: A1

A1 is the second largest address by inflow of funds, and it is also quite special. A1 is Xiaojiu's successor, and Xiaojiu's last transaction on the chain was sent to A1. A1 not only inherited Xiaojiu's 6.4 SOL, but also inherited Xiaojiu's career. From May 13 to 15, A1 continued to create rug pulls on the chain (a total of 83).

Similarly, by repeating the same transaction analysis, we found the sub-account of A1, its next successor, that successor's successor, and so on.

03 Relay game: We are all in the same group

According to CertiK’s tracking, the relay order of rug pullers is as follows:

By comparing the counterparties and fund flows of the above addresses, we found more interesting things. There are 70 addresses that have fund transactions with multiple rug puller addresses at the same time. Among them, we identified two major addresses:

EZBbaxg7YqWo3XMAsTThZJEmTC9Dv78F5aB9srvsCtJg (E)

D3s8Zf1zh8R98JBU9Fw4K8fViv1DDzCmoPbNTmJwXKbD (D3)
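
The counterparty comparison described above amounts to finding addresses that exchange funds with more than one known rug puller address and ranking them by volume and direction. The sketch below is an added example, not CertiK's code; the transfer list and every label in it (puller_1, collector, trader_a, and so on) are constructed placeholders, not addresses from the article.

```python
from collections import defaultdict

# Constructed transfers: (source, destination, SOL).
TRANSFERS = [
    ("puller_1", "collector", 60.0),
    ("puller_2", "collector", 50.0),
    ("puller_3", "collector", 35.0),
    ("trader_a", "puller_1", 12.5),
    ("trader_a", "puller_2", 8.0),
    ("puller_2", "trader_a", 1.5),
    ("trader_b", "puller_3", 0.7),   # touches a single puller only
    ("puller_1", "puller_2", 6.4),   # hand-over between pullers, skipped
    ("trader_b", "trader_a", 3.0),   # no puller involved, skipped
]
PULLERS = {"puller_1", "puller_2", "puller_3"}

def shared_counterparties(transfers, pullers, min_pullers=2):
    """Counterparties linked to >= min_pullers distinct puller addresses.

    Returns (address, distinct_pullers, sol_sent_to_pullers,
    sol_received_from_pullers) tuples, largest total volume first.
    """
    stats = defaultdict(
        lambda: {"pullers": set(), "to_pullers": 0.0, "from_pullers": 0.0}
    )
    for src, dst, sol in transfers:
        if (src in pullers) == (dst in pullers):
            continue  # puller-to-puller, or neither side is a puller
        if src in pullers:
            entry = stats[dst]
            entry["pullers"].add(src)
            entry["from_pullers"] += sol
        else:
            entry = stats[src]
            entry["pullers"].add(dst)
            entry["to_pullers"] += sol
    rows = [
        (addr, len(s["pullers"]), s["to_pullers"], s["from_pullers"])
        for addr, s in stats.items()
        if len(s["pullers"]) >= min_pullers
    ]
    return sorted(rows, key=lambda r: r[2] + r[3], reverse=True)
```

The two direction totals separate roles: an address that only receives from many pullers looks like a collection point, while two-way flows point to a trading participant.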

Behind the scenes winner: E

E is the second largest address in terms of transaction volume, with 110.88 SOL in funds transferred to the rug puller mentioned above. According to on-chain data analysis, E has participated in the meme scam of rug pullers on a large scale and profited from the transactions. One of the memes E recently participated in was Pepe Trump, which earned him $48 (source: dexscreener). Similarly, E has conducted about 50,000 meme transactions recently. According to its transaction volume, E has made a profit of about $10,000.

How does E ensure its profits? Every time the rug puller deploys a new coin, it mints a portion of the initial tokens to E, who then distributes them. Through frequent transactions, the receiving addresses and E together inflate the transaction volume of the meme in a short period of time, and then collectively dump on the market.

After E made money, he returned the money to the rug puller. According to statistics, as of the time of writing this article, E transferred a total of 41 SOL (about $7000) to the rug puller address.

There are at least 70 more transaction addresses like E. To this day, they are still trading newly launched meme scams and building momentum for them.

Funds collection: D3

In addition, the address with the most transactions with rug pullers is D3, and the amount of transfers between it and the rug puller address mentioned above exceeds 140 SOL. According to the on-chain data analysis, we found that D3 is the fund collection address of rug pullers.

After receiving the money, D3 transferred it to the following three addresses in batches:

GGMcDYzUKFDsXGba6K6S2NoKdD8S4a6QDoEY47DSx65X (OKX)

HCR8ZrgDCVFQhoaFXR7PKpn9tPABa4rKscpMwoJTF9be (Bybit)

J97QXy94SfwzgWfi8Y625wkAANVqSwxyD7dzw9bd8X5Z (Staking + Investment)

Among them, G and H are both exchange addresses, and the money transferred to J is used for on-chain staking and investment.

It turns out that they are all in the same group, so Xiaojiu's address keeps creating liquidity, pulling the price, and then selling. In the end, they just put the money from the left pocket into the right pocket (all earned by their own people). In the end, everyone took the money away through the collection address. The specific flow of funds is shown in the figure below:

Victims: Meme Hunters

I wonder if you have noticed that among the addresses we mentioned earlier, there is one address that is continuously making money: E. Whose money is it making? The money of new-listing buyers (especially new-listing bots). Take Pepe Trump, mentioned above, as an example: Pepe Trump’s third largest holder (DaKf...9A9R) and fourth largest holder (6Md4...AKnW) bought 1.3 SOL and 0.5 SOL worth of tokens, respectively, at 10:50 on May 29, but they were rugged before they could sell. Of course, there are definitely more victims than these two, but their losses are more obvious.

About 10 seconds after they bought in, the address controlled by the rug puller began to sell in large quantities, and the price almost dropped to zero:

Through the analysis of on-chain data, we found that both victims frequently took part in new-listing trades for memes on the Solana chain, that is, buying a meme early in the life of its pool and then selling at a high price. Among them, Da has made a profit of about 86 SOL through new listings in the past three months, and Pepe Trump is one of the few traps he has fallen into. Given that the rug pulls by Xiaojiu's group described in this article happen very quickly, usually within 5 minutes, we reasonably suspect that this is a scam tailored specifically to new-listing bots.

04 Conclusion

Through the analysis of the on-chain behavior and fund flows of Xiaojiu and other addresses, we discovered a well-planned and very targeted rug puller system. It has to be said that rug pullers also keep up with the trend and target the increasingly prosperous bot trading in the Solana ecosystem. From Xiaojiu's frequent losses, to the complex operations of related addresses, to the collection and transfer of funds, these addresses continue to create market illusions through mutual fund transfers to attract more investors to join.

To this day, Xiaojiu is still active. According to CertiK's continuous tracking, we continue to find new addresses associated with Xiaojiu. As of May 31, 2024, the gang has transferred a total of about 863 SOL, about $146,000, through the D3 address.