Scroll #5: Money Laundering Systems On Solana
A Research on how Wallet/Protocol Hackers Launder Money on Solana
Table of Contents
Abstract
Introduction
Exfiltration Routes on Solana: Types and Their Processes
Hacks on Solana: Analyzing Case Studies of Successful Solana Exfiltration
Exfiltration Liquidity: Analysis of Assets Used During Exfiltration on Solana
Recommendations and Mitigations
Conclusions
References
Abstract
Blockchain is an industry built on decentralizing data, finance, resources, and community governance. This absence of central control is achieved through core principles of anonymity, open-source technology, public verifiability, and accessibility, creating a system anyone can access from home.
Blockchains resist direct attacks on their ledgers through consensus mechanisms: game-theoretic incentive schemes that reward validators (the operators who secure and run the network) for following protocol rules and penalize or exclude those who deviate. These mechanisms include Proof-of-Work (PoW), Proof-of-Stake (PoS), and Federated Byzantine Fault Tolerance.
While consensus systems secure transaction processing, the interface layer, where users interact with protocols, remains vulnerable to security exploits. These vulnerabilities exist because account data is publicly verifiable (allowing malicious actors to track wallets) and because applications storing private keys and user interfaces can be compromised. The decentralized nature of blockchain means successful attacks typically result in irreversible fund transfers.
Introduction
Security measures like multisignature wallets, cold storage, transaction flagging, token freezes, clawbacks, security audits, and various cybersecurity protocols have emerged to protect users and platforms. However, as security methods evolve, so do attackers' infiltration and exfiltration tactics, creating a coevolutionary arms race.
Decentralized protocols, including DEXs, lending platforms, and wallet applications, have suffered exploits, while centralized exchanges have experienced coordinated attacks. Users routinely face wallet drains, phishing attempts, and address poisoning schemes. Collectively, these attacks have resulted in billions of dollars in losses, with minimal recovery during exfiltration attempts.
Solana has experienced its share of exploits, with notable attacks targeting Wormhole, Mango Markets, Mango Farm, Metawin, and others. The blockchain has been both a target of exploitation and a route for laundering stolen funds.
A prime example is the Bybit exchange hack attributed to the Lazarus Group, who launched the memecoin QinShihuang on Pump.fun in an attempt to launder part of the proceeds through the Solana ecosystem; the attempt was flagged and blocked by the Pump.fun team.
Many smaller hacks and infiltrations, which together total millions of dollars, go unnoticed, allowing attackers to evade detection and asset seizure.
This report details the hack and exfiltration methods employed within the Solana ecosystem, covering both established and novel laundering techniques. We outline our methodology for tracking, tracing, and flagging these exfiltration events on Solana and provide a comprehensive list of addresses associated with these exploits, from initial attack wallets to exfiltration deposit addresses.
Additionally, we analyze non-freezable assets with sufficient liquidity that can be used for fund conversion or exfiltration, detailing our identification methodology and presenting an extensive list covering both SOL and non-SOL assets.
Exfiltration Routes on Solana: Types and Their Processes
This section examines various techniques hackers and scammers use to launder stolen cryptocurrency funds. We also explore modern processes these entities employ to successfully exfiltrate assets.
Money laundering on blockchain is a methodical process that typically spans multiple centralized and decentralized platforms. Due to blockchain's borderless and rapid transaction capabilities, millions of dollars can be stolen and moved within minutes.
It's important to note that many intermediary platforms, whether centralized or decentralized, may be unaware they're processing stolen funds. Hackers employ sophisticated routing techniques that transfer assets through numerous wallets before reaching the final exfiltration wallet or platform. Below are the primary methods used to launder stolen cryptocurrency on blockchain today:
DEX Swapping
This process involves swapping stolen funds on decentralized exchanges (DEXes) such as Meteora, Raydium, Phoenix, or Orca into other assets: typically stablecoins when preserving value is the goal (at the cost of holding a freezable asset), or high-liquidity, non-freezable assets such as SOL and SOL derivatives (jitoSOL, JupSOL, mSOL, etc.). Hackers chain swaps across multiple Solana DEXes to fragment the transaction trail. Approximately $500,000-$1,000,000 can be laundered daily, depending on the liquidity depth of the pools used. These transactions cannot be stopped, but since every swap is a public on-chain transaction signed by the same wallet, they can be tracked.
Address Mixing
This technique involves sending SOL and other assets to mixer services (specialized Solana programs or wallet clusters) that pool deposits from many users; after mixing, the funds are withdrawn to fresh addresses. The more users deposit, the larger the anonymity set. Well-known mixer contracts and wallets, such as those associated with Tornado Cash on Ethereum, are often flagged or sanctioned by authorities, so interaction with them is itself a tracing signal.
Alternatively, Light Protocol on Solana can serve as a mixer: funds are sent to a shielded pool and withdrawn by the intended recipient by presenting a zero-knowledge proof. The protocol allows batching numerous recipients from a CSV file and uses ZK-SNARKs and nullifiers to conceal recipient wallets and prevent double-spending. This method can process approximately $300,000 daily.
NFT Wash-Trading
In this method, stolen funds are used to mint or purchase NFTs, which are then traded between controlled wallets to mimic legitimate transactions. Afterward, proceeds are converted back to SOL or other tokens.
During Solana's 2023 NFT boom, scammers frequently hacked NFT community Discord servers and distributed phishing links that led to wallet draining. Stolen NFTs were typically traded for SOL through the Metaplex Auction House Program or other marketplaces. Valuable NFTs might be wash-traded—setting orders immediately filled by controlled wallets, either for future resale or value appreciation. Approximately $100,000 can be laundered daily through this method, depending on NFT market liquidity.
Cross-Chain Bridging
This process involves converting stolen assets to a bridgeable format (e.g., SOL to Wrapped SOL) and using cross-chain bridges to transfer funds to different blockchains, where they continue the laundering process. Popular decentralized bridging protocols on Solana include Wormhole, deBridge, Mayan Finance, and Apollo.
Bridging protocols typically publish the destination-chain transaction hash for transparency, which leaves a traceability path that a skilled investigator can follow across chains. Approximately $400,000 can be laundered daily through this method; it buys criminals time against trackers and AML authorities rather than permanent concealment.
Centralized Exchange with OTC Layering
This method involves creating accounts with spoofed KYC (Know Your Customer) verification on centralized exchanges, depositing SOL or other SPL assets via on-chain transfer, and swapping them internally for stablecoins like USDT or USDC. The funds are then distributed across sub-accounts before being routed through over-the-counter (OTC) desks like Wintermute for conversion to fiat currency.
Approximately $200,000 can be laundered daily without triggering exchange or OTC desk flags that might lead to asset seizure or requests for proof-of-wealth documentation. This limit is determined by exchange withdrawal limits and OTC desk credit lines.
Custodial/Non-Custodial Swapping
This technique involves swapping stolen assets to SOL and sending it to swapping services (e.g., Changelly, ShapeShift) where it is exchanged for other cryptocurrencies (BTC, ETH, XMR) and received in new wallets. Higher swap volumes facilitate better fund blending. Approximately $250,000 can be laundered daily, depending on the swap service's capacity. Notably, custodial swapping services typically screen and report transactions through blockchain-analytics providers such as TRM Labs, while non-custodial options offer greater stealth.
OTC Desk Trading
This approach involves converting stolen funds to SOL or other accepted assets and engaging with OTC desks like Wintermute. The criminal connects with buyers to trade funds for fiat or other cryptocurrencies off-chain, with proceeds received in bank accounts or wallets.
OTC desks offer substantial liquidity and private trades that avoid on-chain scrutiny, though large transactions may trigger reporting requirements. KYC verification is typically circumvented through spoofing techniques. These transactions often require hours to complete due to necessary negotiations. Approximately $1,000,000 can be laundered daily through this method.
Retail Fintech Platform Trading
This method involves opening accounts on retail crypto platforms (e.g., Robinhood, Revolut), depositing stolen SOL or other assets, trading them for different assets, and withdrawing to fiat bank accounts or crypto wallets. KYC requirements are bypassed through spoofing. These platforms offer moderate liquidity, but rapid transaction activity typically triggers security flags. The process takes hours to execute, with approximately $100,000 launderable daily.
P2P Marketplace Trading
This method involves sending stolen funds to P2P marketplace accounts created by malicious entities. These assets are then traded with other users for fiat or cryptocurrency and transferred to deposit addresses or fiat accounts. These platforms conduct AML monitoring via TRM Labs, with moderate but spoofable KYC requirements.
Large trades trigger suspicion flags, potentially leading to fund seizure and other enforcement actions. Approximately $150,000 can be laundered daily without raising suspicion, though fiat conversions are restricted in certain regions. Examples of these P2P platforms include Binance P2P and Paxful.
Off-Ramping via Crypto/Fiat Payment Gateways
This technique involves depositing stolen funds into payment gateways like MoonPay or Transak, converting them to fiat currency, and withdrawing to fiat accounts. Hackers typically split funds across multiple off-ramping platforms and create numerous accounts to avoid detection.
While these platforms employ strict KYC/AML compliance and tracking policies, these can be circumvented through spoofing. Suspicious large transactions typically trigger account monitoring and potential closure. The conversion process usually takes hours due to moderate liquidity constraints, with approximately $200,000 launderable daily.
Novel Laundering Techniques
In recent times, hackers and scammers have developed new techniques to exfiltrate stolen funds. The following sections detail these emerging methods:
Flash Loan Laundering
This technique involves borrowing SOL or other assets via a flash loan on Solana and, within the same transaction, executing multiple DEX swaps that exploit price discrepancies or contract vulnerabilities. The loan principal plus fee is repaid out of the proceeds before the transaction ends; because a Solana transaction is atomic, the borrow, the exploit, and the repayment either all land or all fail. The laundering value comes from the fact that borrowed capital and stolen funds pass through the same token accounts in one transaction, which makes it difficult for trackers to separate loan capital from stolen funds.
The technique works because the temporary liquidity hides the origin of funds behind a dense set of program interactions. Transaction-monitoring systems such as those offered by TRM Labs can potentially detect these transactions, yet approximately $1,000,000 can be laundered daily without detection. Platforms offering flash loans on Solana include Loopscale and Flash.Trade.
Nested Bridge Hopping
This exfiltration system involves bridging assets across multiple blockchains to fragment the transaction trail and complicate tracing efforts. For example, an exploiter might bridge stolen funds from Solana to Ethereum, then from Ethereum to BNB Smart Chain (BSC), before finally transferring to Near Protocol or continuing the bridging sequence.
Bridge operations are increasingly monitored, and if trackers and security teams respond quickly enough and the bridge operator cooperates, funds can be frozen while they still sit in the bridge's vault or before the destination-chain release is processed. Approximately $300,000 can be laundered daily through this method, constrained primarily by the liquidity of the bridges in the chain.
Token Obfuscation Botting
This laundering system involves deploying trading bots to mint and trade low-value tokens (particularly memecoins) on platforms like Raydium or Pump.fun. Stolen funds are intermingled with bot transactions, making it difficult to trace transaction origins. The technique works on the principle that high transaction volume overwhelms conventional fund tracing capabilities. While these bot activity patterns can be detected by advanced analysis tools like Elliptic, malicious entities can launder up to $500,000 daily using this method.
Wallet Ringing
This exfiltration process involves creating a ring or cluster of wallets and distributing stolen funds in small transactions across this network to obscure ownership and complicate tracing efforts. Although these ring patterns can eventually be identified and flagged by monitoring systems, this method enables malicious actors to exfiltrate approximately $200,000 daily before detection.
Trade Front-Running with MEV Bots
In this laundering method, Maximal Extractable Value (MEV) bots are deployed to detect large trades and front-run or sandwich them, executing trades ahead of the victim transaction to capture value from the resulting price movement. Solana has no public mempool, so this is done through validator-side bundle infrastructure (for example Jito bundles) rather than by watching pending transactions. The profits are then commingled with stolen funds, obscuring their origin. Front-running is generally considered market manipulation and is detectable by transaction-monitoring systems such as those offered by TRM Labs, but this method can launder approximately $300,000 daily.
NFT Fractionalization
This process involves using stolen funds to purchase high-value NFTs (such as CryptoPunks, BAYC, or MAYC) and locking them in smart contracts that issue tokens backed by the value of the locked NFTs. These fractional tokens are then traded on various platforms to obscure the ownership trail of the stolen funds.
The complexity introduced by fractionalization significantly complicates fund tracking. Approximately $150,000 can be laundered daily through this method without triggering tracking systems on NFT and fractionalization marketplaces like fractional.art, LIQNFT, and Unicly.
DeFi Yield Farming
In this method, funds obtained through malicious activities are deposited into DeFi yield platforms such as Sanctum or Marinade.Finance. The yield earned, along with the original stolen funds, is subsequently withdrawn to new wallets. The technique leverages complex DeFi transaction structures to conceal the actual flow of stolen funds. Approximately $400,000 can be laundered daily through this method, with capacity dependent on protocol Total Value Locked (TVL).
Combined Laundering Strategies
Sophisticated criminals often combine multiple laundering techniques to create layered obfuscation that is significantly more difficult to trace:
Address Mix + Bridge + OTC Desk
This strategy combines SOL mixing across multiple addresses, followed by bridging to another blockchain, where funds are ultimately cashed out to fiat or other cryptocurrencies via OTC desks. This approach compounds the tracking challenges of on-chain mixing, cross-chain transfers, and off-chain private trades. The total launderable amount is determined by the combined limitations of the three component systems.
DEX Swap + Nested Bridge + P2P Marketplace
This method involves swapping stolen funds across multiple DEXs to convert to desired assets, followed by bridging through multiple chains (e.g., Solana → BSC → Polygon → Polkadot). On the final chain, assets are converted to fiat via P2P marketplaces. The technique layers the complexity of DEX interactions with the tracing fragmentation of bridge hopping. However, high trading volumes on DEXs may trigger AML flags, bridges can be monitored when suspicious activity is detected, and P2P platforms may flag suspicious transactions.
Flash Loan + Token Obfuscation + Off-Ramp Gateway
This sophisticated strategy begins with flash loan laundering, followed by using laundered funds to acquire and trade low-value tokens via bots. The resulting assets are then reconverted to SOL or stablecoins before being off-ramped to fiat bank accounts through payment gateways.
The combined complexity of flash loans and automated bot trading creates significant obstacles for fund tracing. However, the technical complexity of executing this multi-stage process is considerable, and payment gateways may still seize funds if they detect suspicious transaction patterns.
Hacks on Solana: Analyzing Case Studies of Successful Solana Exfiltration
In this section, we analyze case studies of infiltration and exfiltration incidents, highlighting the patterns, assets, processes, and laundering points (DEXs, CEXs, payment gateways, bridges, and other platforms) used to move stolen funds. These real-world examples demonstrate how the theoretical techniques described in previous sections are applied in practice.
Methodology
Our investigation focused on less publicized security incidents for several reasons:
Lower-profile attacks are less likely to have their associated addresses flagged by monitoring systems
Attackers in these cases typically employ their standard operational procedures without additional obfuscation
These incidents provide clearer insights into coordinated laundering schemes
We employed the following tools and platforms in our analysis:
Twitter: Primary source for initial incident information and real-time alerts
Solscan: Transaction and wallet analysis to map behavioral patterns and cross-wallet interactions
Arkham Intelligence: Visualization of infiltration events and comprehensive tracing of fund movements
Arkham Tracers: Coordinated visualization of laundering pathways from initial compromise to final exfiltration points
Range Security: Cross-reference verification to identify previously undetected malicious wallets
After this section, we provide a comprehensive spreadsheet allowing readers to access all relevant data regarding our tracking methodology and findings.
The case studies that follow demonstrate recurring patterns in how infiltration and exfiltration events typically unfold:
MangoFarm Rugpull Disguised as Hack
Date: January 6th, 2024
In early 2024, the MangoFarm team publicly announced that they had been compromised through a frontend vulnerability and that their liquidity had been stolen. Forensic blockchain analysis told a different story: the holder of the upgrade authority over the MangoFarm liquidity program (FL2q2G) had deliberately transferred that authority to wallet 8ggviFe, exposing the incident as a premeditated rug pull rather than a security breach.
Following the fraudulent transfer, wallet 8ggviFe immediately converted the stolen SOL to USDC using Jupiter DEX and bridged the assets to Ethereum (address 0x9e3) via Wormhole. In a parallel transaction, 9.45K SOL was transferred to wallet 4nBEt, which similarly converted the funds to USDC before bridging to Ethereum (address 0x6898).
Remitardio Multi-Wallet Hack
Date: November 12, 2024 - January 8, 2025
Remitardio was attacked on November 12, 2024, losing 59 SOL to wallet GmmDm, which forwarded the stolen funds to A9X4r. Further investigation revealed that A9X4r had consolidated funds from multiple compromised sources, including 213.7 SOL from wallet EkZwq and 250.29 SOL from wallet FNbb3.
By January 8, 2025, the attacker had moved 522 SOL from A9X4r to 4sqMC and then executed a layered exfiltration:
5 SOL bridged to Ethereum (address 0xCaf) via Wormhole
100 WSOL transferred to wallet 96tKv
Remaining funds were laundered through various token swaps and ultimately exfiltrated via Mayan Finance
Discord Phishing Attack (71 SOL)
Date: April 16-17, 2025
On April 16, 2025, Twitter user @ifullclipp reported being victimized by Discord user "filipweiner1997," losing 71 SOL. Blockchain analysis identified the attacker's wallet as 7epX3, which contained approximately 375.5 SOL from multiple victims, including @ifullclipp.
The following day, the stolen assets were transferred through an intermediary wallet (CDiXf) to BTVzy, from which the funds were ultimately laundered through Fixed Deposit services.
Solana Web3.js Supply Chain Attack
Date: December 3, 2024
On December 3, 2024, Twitter user @trentdotsol alerted the community that the @solana/web3.js npm package had been compromised (malicious code shipped in versions 1.95.6 and 1.95.7 exfiltrated private keys from applications that bundled them) and that wallet FnvLG was actively draining affected wallets. Within hours, the attacker had extracted approximately 676 SOL along with various other assets.
The attacker distributed the stolen funds across multiple wallets:
$74,000 USDC sent to wallet 5vDuf
242 SOL transferred to wallet 4ztSA
Assorted tokens valued at approximately $28,000 sent to wallet DAnUT
In total, assets worth $50,300 were bridged to Ethereum via deBridge after being routed through various Solana DEXs, including Raydium, Meteora, and Phoenix. Some funds remain in the attacker's control across the original wallets.
Grumpy Bears Presale Phishing Attack
Date: June 10, 2022
The Grumpybears presale wallet was compromised on June 10, 2022, with 588 SOL drained by wallet F3mXu. Over the following two months, the attacker methodically laundered the stolen funds by:
Transferring funds to wallet 96Mun
Splitting assets across five separate wallets in fragments of approximately 40 SOL each
Converting all funds to WSOL
Bridging the entirety of stolen assets to BNB Smart Chain (address 0x947) via Wormhole
Wallet Poisoning Engine (Fake_Phishing2791)
Date: Ongoing (2024-2025)
During routine transaction monitoring, a suspicious wallet (Fake_Phishing2791) appeared across multiple trace investigations. Further analysis identified it as a sophisticated wallet-poisoning operation that had successfully stolen over 524 SOL from various victims.
The stolen funds were consolidated in wallet EGKHh, which distributed them across dozens of smaller wallets before exfiltrating through multiple exchanges and instant-swap services, including ChangeNOW, KuCoin, FixedFloat, and HTX.
Fracture NFT Discord Compromise
Date: May 23-24, 2022
On May 23, 2022, PeckShieldAlert notified the community about a compromise of the Fracture NFT Discord server. The attacker (wallet 7NVtp) extracted 653.6 SOL from victims before transferring the funds to wallet DddPp on May 24.
From there, the assets were bridged to Ethereum (address 0x849, identified as "owe" on OpenSea). The investigation extended into the Ethereum ecosystem, revealing a complex laundering operation involving:
Multiple NFT transactions
Tornado Cash mixing service
Various exchanges (KuCoin, Coinbase, Binance)
Conversion services (FixedFloat, SimpleSwap)
Gambling platforms (Stake.com)
PYTH Token Wallet Poisoning Attack
Date: November 23, 2024
On November 23, 2024, a Solana user (wallet 5Lbwci) fell victim to a sophisticated wallet poisoning attack, losing 7 million PYTH tokens to wallet 4yfuQC. The victim had intended to send tokens to a legitimate address (4yfu48qwim7hGzD3Nphzd2A6ThydzysfKi4wBPFSgnhY) but was tricked by the similarity of the attacker's address.
Minutes after the theft, wallet FQzMK sent 1 SOL to the attacker's wallet, likely to cover transaction fees. The attacker then executed a complex distribution strategy:
30,000 PYTH exfiltrated directly to KuCoin
Remaining tokens transferred to wallet FjHzQ, which was further distributed:
630,000 PYTH + 1,000 SOL to wallet FP6Xv
3.74 million PYTH to wallet 564rve
1.93 million PYTH to wallet FM4sJ
10,000 PYTH to wallet BtS1P
Wallet FP6Xv exfiltrated 150,000 PYTH to KuCoin and converted the remainder to SOL via Jupiter DEX before transferring to wallet 9pAPF. This wallet consolidated approximately 11,000 SOL from four different wallets (FP6Xv, EUZMj, 5hG96, and CKVEe) before sending all assets to wallet 3eFh8. The original attacker wallet (4yfuQC) also moved 0.5 SOL through wallet EGKHh to the SideShift exchange.
In total, approximately $150,000 worth of assets was either spent on fees or successfully exfiltrated through KuCoin and SideShift. However, 11,000 SOL (valued at $2.8 million at the time) and 10,000 PYTH remain parked in wallets 3eFh8 and BtS1P, respectively, so those addresses are still worth monitoring.
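As an added example (not code from the report), the following Python performs the lookalike check that would have caught this transfer, and scans incoming history for the dust transfers that poisoning attackers use to plant lookalikes in a victim's history. The legitimate recipient address is the one quoted above; the lookalike address, the unrelated address, the dust history, and the prefix/suffix thresholds are constructed assumptions for the example.

```python
"""Address-poisoning lookalike check.

Added example, not part of the report. Solana addresses are base58 strings of
32 to 44 characters. A poisoning attacker plants an address that shares the
leading and trailing characters of one the victim already uses, betting that
the victim copies it from transaction history after eyeballing only the ends.
The checks below compare whole strings, score near matches against a local
address book, and flag incoming dust from lookalikes. The legitimate PYTH
recipient address is the one quoted in the report; every other address here is
constructed for this example.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

BASE58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

LEGIT = "4yfu48qwim7hGzD3Nphzd2A6ThydzysfKi4wBPFSgnhY"        # from the report
LOOKALIKE = "4yfuQC9R2kLmN7pQ3sT5vW8xY1zA4bC6dEF7gHjSgnhY"    # constructed
UNRELATED = "7epX3mQ2vR5tY8wZ1aB4cD6eF9gH2jK3mN5pQ7sT9vW2"    # constructed


def is_plausible_address(addr: str) -> bool:
    """Syntactic check only: base58 alphabet and Solana's 32..44 char length."""
    return 32 <= len(addr) <= 44 and all(c in BASE58 for c in addr)


def common_prefix_len(a: str, b: str) -> int:
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def common_suffix_len(a: str, b: str) -> int:
    return common_prefix_len(a[::-1], b[::-1])


@dataclass(frozen=True)
class Verdict:
    candidate: str
    resembles: Optional[str]   # address-book entry it matches or imitates
    prefix: int
    suffix: int
    exact: bool

    @property
    def suspicious(self) -> bool:
        return self.resembles is not None and not self.exact


def check_destination(candidate: str, address_book: Iterable[str],
                      min_prefix: int = 4, min_suffix: int = 4) -> Verdict:
    """Exact match => safe. Shared prefix/suffix with a known address but not
    identical => treat as poisoned and refuse to send without re-verification.
    The 4/4 thresholds are an assumption for the example."""
    if not is_plausible_address(candidate):
        raise ValueError(f"not a plausible Solana address: {candidate!r}")
    best: Optional[Verdict] = None
    for known in address_book:
        if known == candidate:
            return Verdict(candidate, known, len(known), len(known), True)
        p = common_prefix_len(candidate, known)
        s = common_suffix_len(candidate, known)
        if p >= min_prefix or s >= min_suffix:
            if best is None or (p + s) > (best.prefix + best.suffix):
                best = Verdict(candidate, known, p, s, False)
    return best or Verdict(candidate, None, 0, 0, False)


@dataclass(frozen=True)
class Inbound:
    sender: str
    amount: float   # in the token's units; near-zero amounts are the tell


def find_poisoning_dust(history: Iterable[Inbound], address_book: Iterable[str],
                        dust_threshold: float = 0.001) -> List[Inbound]:
    """Incoming near-zero transfers from lookalikes of addresses we already use
    are the attacker seeding our history; report them so a wallet can hide or
    label them instead of showing them as ordinary counterparties."""
    book = list(address_book)
    hits = []
    for tx in history:
        if tx.amount > dust_threshold:
            continue
        if check_destination(tx.sender, book).suspicious:
            hits.append(tx)
    return hits


if __name__ == "__main__":
    v = check_destination(LOOKALIKE, [LEGIT])
    print(f"{LOOKALIKE}: suspicious={v.suspicious} prefix={v.prefix} suffix={v.suffix}")
    dust = find_poisoning_dust([Inbound(LOOKALIKE, 0.0), Inbound(UNRELATED, 12.5)], [LEGIT])
    print("dust from lookalikes:", [d.sender for d in dust])
```

The check is deliberately asymmetric: an exact match against the address book is the only outcome that passes silently, and a near match is reported with the entry it imitates so the user sees which of their own addresses is being spoofed.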
Airdrop Drainer Cabal (11111)
Date: February 3, 2024
On February 3, 2024, security firm Scam Sniffer (@realScamSniffer on X) published an alert identifying eight suspicious wallet addresses all ending in "11111." These wallets were actively participating in airdrop phishing campaigns targeting Solana users. The significance of the "11111" suffix lies in its similarity to Solana's ComputeBudgetProgram address (ComputeBudget111111111111111111111111111111), creating the illusion that victims were interacting with an official system program rather than malicious actors.
Our investigation revealed that these eight wallets were merely the visible surface of a much larger criminal operation. Through comprehensive transaction tracing, we uncovered an extensive network of over 60 interconnected wallets operating in a coordinated manner. This network moves stolen funds in small transactions ($1,000-$10,000) between wallets, converts assets primarily between USDC, SOL, and WSOL using Jupiter and Raydium, and ultimately exfiltrates through FixedFloat exchange.
Several wallets serve specialized functions within the network: wallet 3oko6W appears to be the main consolidation point for funds initially stolen by the "11111" wallets; 7hFkB operates as a principal trader/swapper while also being a major FixedFloat depositor and central distributor to other network wallets; 4oAULT serves as a significant FixedFloat depositor; and eWxJCP functions as a primary distribution wallet within the network.
Key Observations
Attack vector: Wallet address spoofing mimicking Solana system program
Sophisticated network: 60+ coordinated wallets with specialized roles
Transaction pattern: Small amounts ($1,000-$10,000) to avoid detection
Asset conversion: Primarily through Jupiter and Raydium DEXs
Exfiltration method: FixedFloat exchange with minimal KYC requirements
Hierarchical structure: Clear specialization among key wallets (consolidators, swappers, distributors)
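To show how the roles above fall out of the transfer graph, here is an added Python example (not the report's own tooling). It builds per-wallet in/out statistics from a constructed transfer ledger, assigns consolidator, distributor and exchange-depositor roles by fan-in and fan-out, enumerates every path from a phishing wallet to a labelled exchange deposit address, and picks out wallets mimicking the "11111" suffix. The ledger, wallet labels, exchange deposit labels and the fan-out threshold are all constructed assumptions; on real data the transfers would come from an indexer such as Solscan or Arkham.

```python
"""Role classification and path tracing over a transfer graph.

Added example, not part of the report. The report describes a network of 60+
wallets with consolidators, distributors and exchange depositors; this script
shows how those roles fall out of simple in/out degree statistics, and how to
enumerate every path from a theft wallet to a labelled exchange deposit
address. The ledger and all labels below are constructed for the example;
real data would come from an indexer as (source, destination, amount) records.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class Transfer:
    src: str
    dst: str
    sol: float


# Constructed labels: the phishing wallets mimic the "...11111" suffix of a
# program address, the rest are named by their role for readability.
PHISH = ["Drain1A11111", "Drain1B11111", "Drain1C11111"]
EXCHANGE_DEPOSITS = {"FixedFloat_dep1", "FixedFloat_dep2"}

LEDGER = [
    Transfer("victim1", PHISH[0], 4.0), Transfer("victim2", PHISH[0], 9.0),
    Transfer("victim3", PHISH[1], 15.0), Transfer("victim4", PHISH[2], 22.0),
    Transfer(PHISH[0], "consolidator", 13.0), Transfer(PHISH[1], "consolidator", 15.0),
    Transfer(PHISH[2], "consolidator", 22.0),
    Transfer("consolidator", "distributor", 50.0),
    Transfer("distributor", "hop1", 12.0), Transfer("distributor", "hop2", 13.0),
    Transfer("distributor", "hop3", 12.0), Transfer("distributor", "hop4", 13.0),
    Transfer("hop1", "FixedFloat_dep1", 12.0), Transfer("hop2", "FixedFloat_dep1", 13.0),
    Transfer("hop3", "FixedFloat_dep2", 12.0), Transfer("hop4", "FixedFloat_dep2", 13.0),
]


@dataclass
class WalletStats:
    sources: Set[str] = field(default_factory=set)
    destinations: Set[str] = field(default_factory=set)
    sol_in: float = 0.0
    sol_out: float = 0.0


def build_stats(transfers: Iterable[Transfer]) -> Dict[str, WalletStats]:
    stats: Dict[str, WalletStats] = defaultdict(WalletStats)
    for t in transfers:
        stats[t.src].destinations.add(t.dst)
        stats[t.src].sol_out += t.sol
        stats[t.dst].sources.add(t.src)
        stats[t.dst].sol_in += t.sol
    return dict(stats)


def classify(stats: Dict[str, WalletStats], exchange_deposits: Set[str],
             fan: int = 3) -> Dict[str, str]:
    """Heuristic roles from degree: many-in/one-out = consolidator,
    one-in/many-out = distributor, sends to a labelled exchange address =
    exchange_depositor. The fan threshold is an assumption, not from the report."""
    roles = {}
    for addr, s in stats.items():
        if addr in exchange_deposits:
            roles[addr] = "exchange_deposit"
        elif not s.sources:
            roles[addr] = "source"            # victims / origin of funds
        elif len(s.sources) >= fan and len(s.destinations) <= 1:
            roles[addr] = "consolidator"
        elif len(s.sources) <= 1 and len(s.destinations) >= fan:
            roles[addr] = "distributor"
        elif s.destinations & exchange_deposits:
            roles[addr] = "exchange_depositor"
        elif not s.destinations:
            roles[addr] = "terminal"          # funds parked, keep watching
        else:
            roles[addr] = "passthrough"
    return roles


def trace_to_exchanges(transfers: Iterable[Transfer], start: str,
                       exchange_deposits: Set[str]) -> List[List[str]]:
    """Depth-first enumeration of simple paths from `start` to any exchange
    deposit address; each path is one exfiltration route to report."""
    edges: Dict[str, List[str]] = defaultdict(list)
    for t in transfers:
        edges[t.src].append(t.dst)
    paths: List[List[str]] = []

    def walk(node: str, path: List[str]) -> None:
        if node in exchange_deposits:
            paths.append(path)
            return
        for nxt in edges.get(node, []):
            if nxt not in path:              # never revisit a hop on the same path
                walk(nxt, path + [nxt])

    walk(start, [start])
    return paths


def suffix_lookalikes(addresses: Iterable[str], suffix: str = "11111") -> Set[str]:
    """Wallets whose address ends like a system/program address, the bait used
    in the airdrop campaign."""
    return {a for a in addresses if a.endswith(suffix)}


if __name__ == "__main__":
    stats = build_stats(LEDGER)
    roles = classify(stats, EXCHANGE_DEPOSITS)
    for addr, role in sorted(roles.items(), key=lambda kv: kv[1]):
        print(f"{role:18s} {addr}")
    for path in trace_to_exchanges(LEDGER, PHISH[0], EXCHANGE_DEPOSITS):
        print(" -> ".join(path))
    print("lookalike suffix wallets:", sorted(suffix_lookalikes(stats)))
```

On a real network the exchange deposit set comes from the analytics provider's labels, and the role thresholds should be tuned to the observed fan-out (the report's 60-wallet network moves funds in $1,000-$10,000 pieces, so a distributor there has far more than three destinations).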
Exfiltration Routes and the Wallets involved in the process are listed in the Google Sheet below —> https://docs.google.com/spreadsheets/d/1daru0vMvDdWN1ghs9SV5rEDT_Cr4Za2FRJM34iX-vdU/edit?usp=drivesdk
Exfiltration Liquidity: Analysis of Assets used during exfiltration on Solana
This section examines our methodology, process, and findings regarding how non-freezable assets create liquidity routes for scammers and hackers seeking to exfiltrate funds from or to the Solana blockchain.
First, we analyze the key qualities that malicious actors seek in assets for exfiltration purposes. These entities prioritize four essential characteristics: liquidity, tradability, freezability status, and bridgeability.
Liquidity
Liquidity represents how easily an asset can be exchanged for another. Highly liquid assets can be sold on decentralized exchanges (DEXes) without significant slippage or price impact; in less liquid assets, a large trade moves the price sharply, so the executed price differs substantially from the quoted price.
Malicious actors typically convert less liquid assets to more liquid ones during exfiltration. Examples of highly liquid assets on Solana include SOL and SOL derivatives, JTO, ORCA, PYTH, RAY, JUP, WBTC, and WETH. While USDC and USDT are extremely liquid, they are freezable and therefore generally avoided by criminal entities.
Tradability
Tradability reflects an asset's market activity—specifically, the number of buyers, sellers, trades, and trading volume over specific periods (24 hours, 1 week, 1 month, 1 year). Assets with low tradability experience rapid liquidity and price declines because market makers are not actively trading, allowing single trades to significantly impact token prices.
Highly tradable assets maintain substantial liquidity across Solana's automated market maker (AMM) DEXes, are traded on orderbook exchanges like Openbook or Phoenix, and are listed on multiple centralized exchanges (CEXs). For example, despite being a memecoin, BONK is one of Solana's most tradable assets, with numerous listings across both DEXes and CEXes.
Freezability
Freezability indicates whether a token's movement can be restricted by a third party. A blockchain's native token (such as SOL) is typically non-freezable, allowing unrestricted use; BTC, ETH, BNB, SOL, and SUI share this property.
However, some cryptocurrencies incorporate freezability for compliance purposes. Examples include PYUSD, USDC, and USDT, whose issuers retain the ability to freeze tokens to address sanctioned transactions, money laundering, ransomware payments, and other illicit activities flagged by authorities or partners.
Many SPL tokens on Solana can be frozen: the SPL Token program lets a mint designate a freeze authority that can freeze any token account of that mint, and a token is only non-freezable if that authority was never set or has since been revoked. Blockchain experts often argue that tokens should only be freezable when their use case specifically requires it. Freezable assets are generally avoided by both legitimate users and malicious entities; the latter will immediately swap freezable assets for non-freezable alternatives to prevent seizure.
Bridgeability
Bridgeability represents an asset's demand on other blockchains, indicating how its liquidity extends beyond its native ecosystem. Not all tokens can be bridged; many Solana tokens lack this capability due to limited liquidity and use cases.
Bridgeable assets on Solana include SOL, WETH, WBTC, zBTC, W, BONK, USDC, and USDT, among others. Our research indicates that criminal entities typically prefer bridging stolen assets to Ethereum using protocols like Wormhole or deBridge. This pattern makes tokens such as SOL, WETH, WBTC, and USDC particularly attractive during cross-chain exfiltration attempts.
Tracking Methodology for Exfiltrable Assets
Having established that optimal exfiltration assets are non-freezable, liquid, tradable, and/or bridgeable, we developed a systematic tracking methodology that prioritizes these qualities when identifying potential exfiltration vectors.
Assessment Criteria
Our methodology recognizes that an exfiltrable asset requires consistent trading volume to maintain price stability or market capitalization within a specific range over time. This steady trading activity attracts liquidity providers, further stabilizing the asset's price.
We've determined that an asset's age significantly impacts its exfiltrability. This characteristic is primarily dictated by exploit victims rather than attackers, as assets with relatively stable value (stablecoins or established tokens) are commonly targeted. During attacks, these assets are either directly exfiltrated or swapped to exfiltrable alternatives due to their robust trading volume and liquidity.
Based on our research, we classify assets as exfiltrable when they meet the following criteria:
Maturity: Minimum trading history of 5 months, as assets surviving this timeframe typically establish legitimate use cases and strong relationships with market makers
Market Capitalization: Minimum market cap of $5,000,000, ensuring the token maintains tradability after the maturity period (subject to trading platform—CEXes & DEXes)
Liquidity Depth: Minimum liquidity of $100,000 locked in AMM pools, ensuring high-value trades don't significantly impact the asset's overall price
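The following Python is an added example, not part of the report, covering both the Freezability section above and these three criteria. It parses the 82-byte spl-token Mint account layout to read the freeze authority directly from account data (the field behind Solscan's freezability flag), then applies the age, market-cap and liquidity thresholds. The mint bytes are constructed with a small encoder rather than fetched with getAccountInfo, and the market figures for the sample assets are invented.

```python
"""Freezability check from raw SPL mint data plus the report's screening rule.

Added example, not part of the report. The first thing to check about a token
before treating it as an exfiltration route (or when building the asset list
in this report) is whether its mint still has a freeze authority: the SPL Token
program lets that authority freeze any token account of the mint. The layout
parsed here is the spl-token Mint layout (82 bytes): COption<Pubkey>
mint_authority, u64 supply, u8 decimals, bool is_initialized, COption<Pubkey>
freeze_authority. In production the bytes come from getAccountInfo; here they
are constructed. The thresholds are the report's; the market figures are
invented.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

MINT_LEN = 82
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58encode(raw: bytes) -> str:
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\x00"))) + out


def _coption_pubkey(buf: bytes, off: int) -> Optional[str]:
    """COption<Pubkey>: u32 LE tag (0 = None, 1 = Some) followed by 32 bytes."""
    (tag,) = struct.unpack_from("<I", buf, off)
    if tag == 0:
        return None
    if tag != 1:
        raise ValueError(f"bad COption tag {tag} at offset {off}")
    return b58encode(buf[off + 4:off + 36])


@dataclass(frozen=True)
class MintInfo:
    mint_authority: Optional[str]
    supply: int
    decimals: int
    is_initialized: bool
    freeze_authority: Optional[str]

    @property
    def freezable(self) -> bool:
        return self.freeze_authority is not None


def parse_mint(data: bytes) -> MintInfo:
    """Parse the 82-byte base layout. Token-2022 mints carry extensions after
    byte 82 (e.g. permanent delegate, default account state) that can also
    restrict transfers, so a full check must also inspect the owner program."""
    if len(data) < MINT_LEN:
        raise ValueError("mint account data shorter than Mint::LEN")
    supply, decimals, init = struct.unpack_from("<QB?", data, 36)
    return MintInfo(_coption_pubkey(data, 0), supply, decimals, init,
                    _coption_pubkey(data, 46))


def build_mint(mint_auth: Optional[bytes], supply: int, decimals: int,
               freeze_auth: Optional[bytes]) -> bytes:
    """Encoder used only to construct sample account data for this example."""
    def opt(pk: Optional[bytes]) -> bytes:
        return (struct.pack("<I", 1) + pk) if pk else (struct.pack("<I", 0) + bytes(32))
    return opt(mint_auth) + struct.pack("<QB?", supply, decimals, True) + opt(freeze_auth)


@dataclass(frozen=True)
class AssetSnapshot:
    symbol: str
    mint_data: bytes
    age_months: float
    market_cap_usd: float
    amm_liquidity_usd: float


# The report's criteria for an "exfiltrable" asset.
MIN_AGE_MONTHS = 5
MIN_MARKET_CAP_USD = 5_000_000
MIN_AMM_LIQUIDITY_USD = 100_000


def screen(asset: AssetSnapshot) -> Tuple[bool, List[str]]:
    """Return (exfiltrable, reasons it failed). Freezability is checked first
    because it is a hard disqualifier independent of market data."""
    reasons = []
    if parse_mint(asset.mint_data).freezable:
        reasons.append("mint has a freeze authority")
    if asset.age_months < MIN_AGE_MONTHS:
        reasons.append(f"age {asset.age_months} < {MIN_AGE_MONTHS} months")
    if asset.market_cap_usd < MIN_MARKET_CAP_USD:
        reasons.append(f"market cap {asset.market_cap_usd:,.0f} < {MIN_MARKET_CAP_USD:,}")
    if asset.amm_liquidity_usd < MIN_AMM_LIQUIDITY_USD:
        reasons.append(f"AMM liquidity {asset.amm_liquidity_usd:,.0f} < {MIN_AMM_LIQUIDITY_USD:,}")
    return (not reasons, reasons)


AUTH = bytes(range(1, 33))   # constructed 32-byte authority key
SAMPLES = [
    AssetSnapshot("STABLE", build_mint(AUTH, 10**15, 6, AUTH), 48, 2e9, 5e7),  # freezable
    AssetSnapshot("LST", build_mint(AUTH, 10**15, 9, None), 18, 9e8, 2e7),      # passes
    AssetSnapshot("NEWMEME", build_mint(None, 10**15, 6, None), 1, 3e6, 4e4),   # too young/small
]

if __name__ == "__main__":
    for a in SAMPLES:
        ok, why = screen(a)
        print(f"{a.symbol:8s} exfiltrable={ok} {'; '.join(why)}")
```

Reading the freeze authority from the raw account rather than from an explorer flag matters when auditing a list of hundreds of mints: the explorer can lag or mislabel, but the 36-byte COption at offset 46 cannot.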
Data Sources
Our tracking methodology leverages multiple data sources:
Birdeye: For tracking assets on-chain trading lifecycle, overall liquidity, and market capitalization
SolScan: For technical information, including freezeability status, mint addresses, and token supply
CoinMarketCap & Coingecko: For information about asset markets (CEX & DEX) and cross-chain utilization (for bridgeable assets)
Asset Classification
We distinguish between SOL and non-SOL assets. SOL assets are derivatives of SOL, primarily Liquid Staking Tokens (LSTs) and restaked tokens. These assets typically maintain higher liquidity than other tokens because they are redeemable for SOL at predetermined rates.
Price Impact Analysis of Exfiltrable Assets
To quantify the relationship between trade size and price impact for exfiltrable assets, we developed the following model using standard AMM formulas. This demonstrates why our minimum criteria of $5 million market cap and $100,000 liquidity are critical thresholds for assets to be considered viable for exfiltration.
For a Constant Product Market Maker (x * y = k) with $100,000 in liquidity:
Initial state:
- Token price: $1.00
- Liquidity pool: 100,000 tokens and 100,000 USDC
- Constant product (k): 10,000,000,000
For a $1,000 swap (small trade):
- New token balance: 100,000 - 990 = 99,010 tokens
- New USDC balance: 100,000 + 1,000 = 101,000 USDC
- New token price: $1.02
- Price impact: ~2.0%
For a $10,000 swap (moderate trade):
- New token balance: 100,000 - 9,091 = 90,909 tokens
- New USDC balance: 100,000 + 10,000 = 110,000 USDC
- New token price: $1.21
- Price impact: ~21.0%
This analysis shows that even at our minimum liquidity threshold of $100,000, a $10,000 trade creates a significant price impact of approximately 21%. However, for a token with a $5 million market capitalization, that $10,000 trade represents only 0.2% of the total market value, so such price movements are easily absorbed by normal market activity and do not permanently devalue the asset.
For sophisticated attackers laundering larger amounts (e.g., $100,000+), this model demonstrates why they must distribute trades across multiple pools, exchanges, and time periods to avoid triggering significant price impacts that would alert monitoring systems.
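The constant-product arithmetic above in Python, as an added example rather than code from the report: it reproduces the two swaps, adds a hypothetical monitoring rule that flags any single swap whose price impact exceeds a 5% threshold (the threshold is an assumption, not the report's), and contrasts splitting a $100,000 trade into chunks inside one pool (no reduction in final impact) with spreading it across independent pools, which is why the text points to multiple pools and time periods.

```python
from dataclasses import dataclass


@dataclass
class ConstantProductPool:
    """Fee-less constant product AMM (x * y = k). Reserves are constructed sample values."""
    token_reserve: float  # x: tokens in the pool
    usdc_reserve: float   # y: USDC in the pool

    @property
    def price(self) -> float:
        """Spot price of one token in USDC."""
        return self.usdc_reserve / self.token_reserve

    def buy_tokens(self, usdc_in: float) -> float:
        """Swap USDC for tokens; returns tokens received and updates the reserves."""
        k = self.token_reserve * self.usdc_reserve
        new_usdc = self.usdc_reserve + usdc_in
        new_tokens = k / new_usdc  # k must still hold after the swap
        tokens_out = self.token_reserve - new_tokens
        self.token_reserve, self.usdc_reserve = new_tokens, new_usdc
        return tokens_out


def price_impact(token_reserve: float, usdc_reserve: float, usdc_in: float) -> float:
    """Fractional price move caused by one USDC->token swap against a fresh pool."""
    pool = ConstantProductPool(token_reserve, usdc_reserve)
    before = pool.price
    pool.buy_tokens(usdc_in)
    return pool.price / before - 1.0


def impact_split_in_one_pool(token_reserve, usdc_reserve, usdc_total, chunks) -> float:
    """Cumulative impact when usdc_total goes through the SAME pool as `chunks` back-to-back
    swaps with no arbitrage in between. Under x*y=k the end state depends only on the total
    USDC added, so chunking alone does not reduce the final impact."""
    pool = ConstantProductPool(token_reserve, usdc_reserve)
    before = pool.price
    for _ in range(chunks):
        pool.buy_tokens(usdc_total / chunks)
    return pool.price / before - 1.0


def impact_split_across_pools(token_reserve, usdc_reserve, usdc_total, pools) -> float:
    """Per-pool impact when usdc_total is spread over `pools` independent pools of equal size."""
    return price_impact(token_reserve, usdc_reserve, usdc_total / pools)


def flag_high_impact_swap(token_reserve, usdc_reserve, usdc_in, threshold=0.05) -> bool:
    """Hypothetical monitoring rule: flag a swap whose own price impact exceeds `threshold`."""
    return price_impact(token_reserve, usdc_reserve, usdc_in) > threshold


if __name__ == "__main__":
    X, Y = 100_000, 100_000  # the report's pool: 100,000 tokens and 100,000 USDC, k = 1e10
    for usdc in (1_000, 10_000):
        print(f"${usdc:,} swap -> impact {price_impact(X, Y, usdc):.1%}")
    print(f"$100,000 as 10 chunks in one pool -> {impact_split_in_one_pool(X, Y, 100_000, 10):.0%}")
    print(f"$100,000 over 10 pools, per pool -> {impact_split_across_pools(X, Y, 100_000, 10):.0%}")
```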
Below is our compiled list of assets considered exfiltrable as of April 20th, 2025, based on age, market capitalization, trading volume, listings, and liquidity. Non-freezability remains the primary qualifier—even if an asset meets all other criteria but is freezable, we do not classify it as exfiltrable.
Exfiltrable Token Sheet → https://docs.google.com/spreadsheets/d/1G2BP9FeX-6GD7tdFjSIyTAMyAKeYiaPGbcU6xU3HNIw/edit?usp=drivesdk
Recommendations and Mitigations
In this section, we recommend steps that ecosystem players on Solana can take to prevent and contain exfiltration activity, and we highlight notable mitigation techniques for combating both established and emerging exfiltration methods. Some of these recommendations and mitigations are already being implemented by ecosystem stakeholders; we include them here for the information and education of the wider Solana audience.
Multi-Layer Monitoring Framework
Implement a comprehensive monitoring system that operates at multiple levels:
Transaction Pattern Recognition: Deploy AI-driven analytics to identify suspicious transaction patterns across DEXs, bridges, and CEXs in real time.
Liquidity Pool Surveillance: Monitor sudden spikes in trading activity in specific liquidity pools, particularly those involving known exfiltrable assets.
Cross-Chain Tracking: Establish collaborative tracking systems across multiple blockchains to follow assets as they move through bridges.
Wallet Cluster Analysis: Develop advanced graph analysis tools to identify and flag ring formations and wallet clusters exhibiting suspicious transfer patterns.
Smart Contract Security Enhancements
Flash Loan Circuit Breakers: Implement protocol-level circuit breakers that pause transactions when flash loan-related anomalies are detected.
MEV Protection: Deploy transaction ordering protection mechanisms to minimize the effectiveness of front-running attacks.
Rate-Limiting Mechanisms: Implement graduated rate limits on high-value transactions to prevent rapid asset movement during exfiltration attempts.
Cross-Contract Transaction Analysis: Develop systems that can analyze complex multi-contract interactions for potentially malicious patterns.
Inter-Platform Cooperation Framework
Real-Time Alert System: Create a shared alert system between DEXs, bridges, CEXs, and P2P platforms for immediate notification of suspicious activities.
Standardized Suspicious Transaction Reporting: Develop a common format for reporting suspicious transactions across the Solana ecosystem.
Coordinated Response Protocols: Establish protocols for synchronous responses to major exploits across multiple platforms.
Bridge Monitoring Coalition: Form a dedicated multi-chain coalition focused specifically on monitoring bridge transactions for illicit activity.
Technique-Specific Mitigations
DEX Swapping
Implement volume-based algorithmic monitoring that flags unusual trading patterns across multiple DEXs
Deploy transaction graphing to identify fragmented transaction trails
Introduce time-delay mechanisms for high-value swaps involving exfiltrable assets
Develop liquidity pool health metrics that can identify manipulation attempts
Address Mixing
Deploy advanced heuristic analysis to identify common patterns in mixer services
Implement blockchain-wide tagging of addresses interacting with known mixers
Encourage platforms to implement graduated risk scoring for addresses with mixer interaction history
Support privacy-preserving auditing techniques that allow legitimate transactions while flagging suspicious patterns
NFT Wash-Trading & Fractionalization
Develop metrics to identify artificial trading patterns in NFT markets
Implement cooling periods for high-value NFT trades involving recently acquired assets
Create provenance tracking for fractionalized NFTs to maintain an audit trail through tokenization
Deploy wash-trade detection algorithms specifically calibrated for NFT market dynamics
Cross-Chain Bridging & Nested Bridge Hopping
Implement mandatory time delays for high-value bridge transactions
Develop cross-chain transaction monitoring with standardized risk scoring
Require additional verification steps for transactions following known nested bridging patterns
Create bridge transaction correlation systems to link transactions across multiple chains
Token Obfuscation Botting
Deploy pattern recognition to identify bot-driven trading of low-value tokens
Implement volume anomaly detection specifically for memecoin markets
Create monitoring systems for newly deployed tokens with suspicious trading patterns
Develop velocity analysis for token creation and the trading lifecycle
Flash Loan Laundering
Implement advanced transaction simulation to identify potential exploits before execution
Require additional verification for flash loans above certain thresholds
Deploy real-time monitoring of flash loan source and destination funds
Create ecosystem-wide circuit breakers for unusual flash loan activity patterns
Wallet Ringing
Develop graph analysis tools to identify ring structures in transaction networks
Implement velocity and volume monitoring for newly created wallet clusters
Deploy entity clustering to link related wallets through behavioral patterns
Create transaction pattern libraries of known wallet ring techniques
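Graph analysis for wallet rings (the Wallet Cluster Analysis and Wallet Ringing items above), as an added example that is not the report's code: it treats a ring as a directed cycle of wallets (my reading of the term), enumerates cycles of 3 to 6 wallets over a constructed transfer list, traces which wallets received funds from a flagged origin, and counts the intermediaries between that origin and an exchange deposit address. Wallet names, amounts and the 3-6 ring-size bounds are constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed sample transfers (sender, receiver, amount in SOL); not real Solana data.
SAMPLE_TRANSFERS = [
    ("victim", "A", 500.0),
    ("A", "B", 495.0),
    ("B", "C", 490.0),
    ("C", "D", 485.0),
    ("D", "A", 480.0),          # closes the ring A -> B -> C -> D -> A
    ("D", "cex_deposit", 5.0),  # small leg peeled off toward an exchange deposit address
    ("A", "merchant", 3.0),     # ordinary spend: tainted, but not part of a ring
]

def build_graph(transfers):
    """Directed wallet graph: sender -> set of receivers (amounts ignored here)."""
    graph = defaultdict(set)
    for sender, receiver, _amount in transfers:
        graph[sender].add(receiver)
    return graph

def find_rings(graph, min_len=3, max_len=6):
    """Simple cycles of min_len..max_len wallets, each reported once: only wallets sorting
    after the start wallet may extend a path, so a cycle is found from its smallest member."""
    rings = []
    def walk(start, node, path):
        for nxt in sorted(graph.get(node, ())):
            if nxt == start and len(path) >= min_len:
                rings.append(tuple(path))
            elif nxt > start and nxt not in path and len(path) < max_len:
                walk(start, nxt, path + [nxt])
    for start in sorted(graph):
        walk(start, start, [start])
    return rings

def trace_from(graph, origin):
    """BFS from origin: {wallet: previous wallet} for every wallet reachable from it."""
    prev, queue = {origin: None}, deque([origin])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, ()):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return prev

def intermediary_count(prev, target):
    """Wallets strictly between the BFS origin and target on the shortest path; -1 if unreached."""
    if target not in prev:
        return -1
    hops, node = 0, target
    while prev[node] is not None:
        node, hops = prev[node], hops + 1
    return hops - 1

def flag_ring_wallets(transfers, origin):
    """Wallets that sit in a ring AND received funds traceable to origin."""
    graph = build_graph(transfers)
    tainted = set(trace_from(graph, origin)) - {origin}
    return sorted({w for ring in find_rings(graph) for w in ring if w in tainted})
```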
P2P Marketplace Trading
Implement enhanced KYC verification systems that are resistant to common spoofing techniques
Deploy cross-platform monitoring to identify coordinated P2P marketplace activities
Develop behavior-based risk scoring for P2P marketplace accounts
Create regional transaction analysis for detecting jurisdiction-based evasion techniques
Off-Ramping via Payment Gateways
Implement advanced identity verification techniques resistant to spoofing
Deploy transaction pattern analysis to detect split transactions across multiple platforms
Create account relationship mapping to identify linked accounts across different payment gateways
Establish cross-platform monitoring for coordinated off-ramping attempts
DeFi Yield Farming
Develop monitoring systems for large deposits from addresses with suspicious transaction histories
Implement withdrawal pattern analysis to detect suspicious yield farming activities
Create ecosystem-wide alerting for unusual yield farming interactions
Deploy TVL change monitoring to identify potential laundering activity
Industry-Wide Recommendations
Regulatory Collaboration: Engage with regulatory bodies to develop standards that address emerging exfiltration techniques without stifling innovation.
Education & Awareness: Create comprehensive educational resources for users and developers regarding security best practices and common exploitation vectors.
Incentive Alignment: Develop incentive structures that reward security-enhancing behaviors and early reporting of vulnerabilities.
Privacy-Preserving Security: Invest in research and development of techniques that enhance security without compromising the privacy benefits of decentralized systems.
Open-Source Security Tools: Encourage the development and maintenance of open-source tools for transaction monitoring and security analysis.
By implementing these recommendations and mitigations, the Solana ecosystem can substantially reduce the effectiveness of the documented exfiltration techniques while maintaining the openness and innovation that characterize blockchain technology.
Conclusion
Our analysis reveals that blockchain-based money laundering has evolved into a sophisticated ecosystem with clearly defined patterns and methodologies. Malicious actors systematically target non-freezable, liquid assets with high tradability and cross-chain bridgeability, employing multilayered exfiltration strategies that combine DEX swapping, address mixing, cross-chain bridging, and centralized exchange off-ramping.
The Solana ecosystem, with its high-speed transactions and diverse DeFi landscape, presents unique vulnerabilities that attackers leverage through techniques ranging from wallet poisoning to flash loan exploitation. Case studies demonstrate that successful exfiltration typically involves 3-5 intermediary wallets, strategic asset conversion through Jupiter or Raydium, and final movement via Wormhole bridges or exchanges with minimal KYC requirements, such as KuCoin.
Effective countermeasures must therefore operate at multiple levels simultaneously—implementing real-time transaction monitoring with advanced pattern recognition, deploying cross-chain tracking mechanisms, establishing inter-platform alert systems, and enforcing transaction velocity controls for high-risk activities. Furthermore, the emergence of novel combined techniques like "Flash Loan + Token Obfuscation + Off-Ramp Gateway" indicates the need for more sophisticated detection methodologies that can identify complex transaction sequences across multiple protocols.
As the exfiltration landscape continues to evolve, security measures must adapt with equal sophistication, focusing on the critical vulnerability points identified in our research: initial asset conversion, bridge transactions, and final CEX deposits. Only through coordinated ecosystem-wide vigilance can the effectiveness of these laundering techniques be significantly diminished while preserving the openness and innovation that characterize blockchain technology.
References
7xNick. (2025, April 16). New Method of Discord Call Draining. X (Formerly Twitter). https://x.com/7xNickk/status/1912329246305054936?t=VI9rkOdjafaomITUopJwAQ&s=19
Aleksandra Yudina. (2023, February). 2022 Solana Hacks Explained. Ackee Blockchain. https://ackee.xyz/blog/2022-solana-hacks-explained/
Arkham Intelligence. (2025). Arkham: Blockchain Analysis And Tracking tool. Arkm.com. https://intel.arkm.com/
Arkose Labs. (2025, March 22). What is Token Cracking? Arkose Labs. https://www.arkoselabs.com/explained/what-is-token-cracking/
Birdeye. (2025). Crypto Trading Data Aggregator Tool for Traders. Birdeye.so. https://birdeye.so/
BitPinas. (2025, February 22). Bybit Hack Update Timeline: North Korea’s Lazarus Group Responsible for Largest Crypto Hack in History. BitPinas.com. https://bitpinas.com/cryptocurrency/bybit-hack-update-timeline/
Blowfish. (2024, February 9). Changing Transaction Logic Hack. X (Formerly Twitter). https://x.com/blowfishxyz/status/1756079297344020927?t=9H1LKuB7jitJnx7QqToNeg&s=19
Chainalysis Team. (2023a, February 1). 2022 Biggest Year Ever For Crypto Hacking. Chainalysis. https://www.chainalysis.com/blog/2022-biggest-year-ever-for-crypto-hacking/
Chainalysis Team. (2023b, March 15). Euler Finance Flash Loan Attack Explained. Chainalysis. https://www.chainalysis.com/blog/euler-finance-flash-loan-attack/
Chainalysis Team. (2024, January 24). Stolen Crypto Falls in 2023, but Hacking Remains a Threat. Chainalysis. https://www.chainalysis.com/blog/crypto-hacking-stolen-funds-2024/
CoinGecko. (2024). Cryptocurrency Prices, Charts, and Crypto Market Cap. CoinGecko. https://www.coingecko.com/
CoinMarketCap. (2021, August 21). Rug Pull Definition. CoinMarketCap Academy; CoinMarketCap. https://coinmarketcap.com/academy/glossary/rug-pull
Coinmarketcap. (2024). Cryptocurrency Market Capitalizations. CoinMarketCap. https://coinmarketcap.com/
Elliptic. (2015a). A Brief Guide to Blockchain Analysis. Elliptic.co. https://www.elliptic.co/blog/a-brief-guide-to-analytics-on-blockchain
Elliptic. (2015b). Elliptic 10-year anniversary: the biggest crypto hacks of the last decade. Elliptic.co. https://www.elliptic.co/blog/analysis/elliptic-10-year-anniversary-the-biggest-crypto-hacks-of-the-last-decade
Elliptic. (2015c). Next-generation blockchain analytics for efficient cross-chain compliance. Elliptic.co. https://www.elliptic.co/blog/next-generation-blockchain-analytics-for-efficient-cross-chain-compliance
ExemptDev. (2022, August 6). Malicious NFT Community Discord Hacks. X (Formerly Twitter). https://x.com/exemptdev/status/1555967889357824001?t=Iu5qDI2W4-N5m2imcDoWdA&s=19
Frankenfield, J. (2023, February 17). Consensus Mechanism (Cryptocurrency). Investopedia. https://www.investopedia.com/terms/c/consensus-mechanism-cryptocurrency.asp
Goob. (2025, April 16). 71 SOL Wallet Hack. X (Formerly Twitter). https://x.com/ifullclipp/status/1912524030881526126
Hayward, A. (2022, August 3). Solana Wallet Hack: Here’s What We Know So Far. Decrypt. https://decrypt.co/106649/solana-wallet-hack-what-we-know-so-far
Hayward, A. (2025, February 21). North Korea’s Lazarus Group Behind Bybit’s $1.4 Billion Ethereum Hack: Arkham. Decrypt. https://decrypt.co/307304/north-korea-lazarus-group-bybit-hack-arkham
Lighthouse Protocol. (2025). ZK Compression on Solana. Zkcompression.com. https://www.zkcompression.com/
Loopscale. (2025). Loopscale Documentation. Loopscale.com; Loopscale Docs. https://docs.loopscale.com/
McGlone, D. (2025, April 17). Dark Pools on Solana: Investigating Mixer Platforms and the Fight for Transparency. Paragraph.com. https://paragraph.com/@mantuametrics/dark-pools-on-solana-investigating-mixer-platforms-and-the-fight-for-transparency
MintDice. (2022, February 9). The Solana Network Hack: What Happened and What’s Next. Medium; Bitcoin News Today & Gambling News. https://medium.com/bitcoin-news-today-gambling-news/the-solana-network-hack-what-happened-and-whats-next-42be611005da
Peck Shield. (2022, April 23). Fracture NFT Discord Hack. X (Formerly Twitter). https://x.com/PeckShieldAlert/status/1528563167441584129
Peck Shield. (2022, July 27). Grumpybear-sol Presales Wallet Phishing. X (Formerly Twitter). https://x.com/PeckShieldAlert/status/1552130589834510336
Range Security. (2025). Range | The blockchain security and intelligence platform. Range.org. https://app.range.org/overview
Scam Sniffer. (2024, November 24). PYTH Token Hack. X (Formerly Twitter). https://x.com/realScamSniffer/status/1860885948126609613
Scam Sniffer. (2024a, February 3). Airdrop “11111” Wallet Draining. X (Formerly Twitter). https://x.com/realScamSniffer/status/1753733429613752594?t=KkympgEeAUooomDxUItQLw&s=19
Scam Sniffer. (2024b, December 14). 512 SOL Address Poisoning. X (Formerly Twitter). https://x.com/realScamSniffer/status/1867938072647897582?t=0iCZu9H85m2KEburyEcbhQ&s=19
Scam Sniffer. (2025). 488 SOL Address Poisoning. X (Formerly Twitter). https://x.com/realScamSniffer/status/1860734049842856380?t=RhfFexjam0W-tiSefWoWZA&s=19
Scam Sniffer Researcher. (2024, January 13). Over $4 Million Stolen By Multiple Solana Wallet Drainers. Scam Sniffer. https://drops.scamsniffer.io/over-4-million-stolen-by-multiple-solana-wallet-drainers/
Shardeum Content Team. (2022, October 31). What is a Flash Loan Attack and How to Prevent Them? Shardeum. https://shardeum.org/blog/what-is-a-flash-loan-attack/
Sigalos, M. (2022, February 3). More than $320 million stolen in latest apparent crypto hack. CNBC. https://www.cnbc.com/2022/02/02/320-million-stolen-from-wormhole-bridge-linking-solana-and-ethereum.html
Skelton, O. (2025, February 20). How to Fractionalize High-Value NFTs. NFT News Today | NFT Gaming, Metaverse, CryptoArt & Collectibles; NFT News Today. https://nftnewstoday.com/2025/02/20/how-to-fractionalize-high-value-nfts
Solscan.io. (2025). Solscan - The most intuitive Solana explorer. Solscan.io. https://solscan.io/
Tayvano. (2024, January 7). Mango Farm Rugpull. X (Formerly Twitter). https://x.com/tayvano_/status/1743786209627996403?t=JkKArjWJLtJZ1mhbmYBHBQ&s=19
Tornado Cash. (2025, April 7). Introduction of Tornado.Cash. Tornado.cash. https://docs.tornado.cash/
Trent.sol. (2024, December 3). Solana Web3.js Exploitation (Fake_phishing2794). X (Formerly Twitter). https://x.com/trentdotsol/status/1864053347461771321
TRM Labs. (2025). 2025 Crypto Crime Report. Trmlabs.com. https://www.trmlabs.com/resources/reports/2025-crypto-crime-report
Webisoft. (2025, February 22). Fractionalized: A Deep Dive Into The World of Fractionalized NFTs. Webisoft. https://webisoft.com/articles/fractionalized/