Solana Funding Vortex: Why Are Rug Pullers Struggling to Lose Money?

Author: CertiK

On the evening of May 13, 2024, the CertiK team detected a suspicious address on the Solana chain: 9ZmcRsXnoqE47NfGxBrWKSXtpy8zzKR847BWz6EswEaU (hereinafter referred to as "Xiao Jiu").

From May 12 to 13, Xiao Jiu initiated approximately 64 rug pulls on the chain, with one occurring every few minutes. In this short span of less than 24 hours, Xiao Jiu incurred a total loss of 272 SOL, worth about $45,900.

01 High Investment, Low Return: Unveiling Xiao Jiu's Tactics

So how did Xiao Jiu operate? Let's take the last meme TWS deployed by Xiao Jiu as an example. At 4:05 AM UTC on May 13, Xiao Jiu minted 99,999,999 TWS. At 1:18 PM, Xiao Jiu deployed a TWS/SOL liquidity pool on Raydium, injecting 98,999,999.99 TWS and 1 SOL; shortly after, he pulled the price up with 4 SOL.

At 1:22 PM, just 4 minutes later, Xiao Jiu exchanged 80,160,319.64 TWS for 0.018 SOL and exited. Such transactions occurred every few minutes, and Xiao Jiu consistently maintained a "high investment, low return" strategy, investing 5 to 10 SOL in each pool, ultimately recovering far less SOL than the cost, with nearly half of the trades suffering losses exceeding 90%.

From the transaction records, it is clear that Xiao Jiu was deliberate in his actions, as each operation, even the number of tokens involved, was identical.

02 The Funding Puzzle: Who is Profiting?

If Xiao Jiu is losing money, then who is making money?

Tracking Xiao Jiu's "Transaction Flow"

To find the answer, we first compiled and analyzed all of Xiao Jiu's transfers, resulting in a "transaction flow." In this flow, we identified the main addresses where Xiao Jiu's funds were directed:

6kt6xT6nZGGmPzJPrQtKPqNrdj5CoiVCuD2xuGQvxJ5Q (Xiao Liu)

A1bQt2v8NUi3DghZRu8cC6LcpdXHPURDKkrV6v9mCtVC (A1)

Operating Account: Xiao Liu

Xiao Liu is the main address receiving funds from Xiao Jiu, having accumulated approximately 272 SOL from him. However, Xiao Liu is a sub-account of Xiao Jiu (SOL Token Account). Xiao Jiu used Xiao Liu to add liquidity to meme pools and inflate trading volume.

The following image shows a related transaction between Xiao Liu and Xiao Jiu, where Xiao Jiu initiated a transaction (adding liquidity to the pool) and paid through Xiao Liu, minting LP tokens to another address (5eHgh9QnFTnRQYnCHoc3fzfW6rztkq5GjsuLYpDvDBSa). This 5eHgh, according to on-chain analysis, was also created by Xiao Jiu, solely for temporarily holding LP tokens. After the corresponding meme was rug pulled, 5eHgh was also destroyed.

Successor: A1

A1 is the second-largest address for fund inflow and is quite special. A1 is the successor to Xiao Jiu; Xiao Jiu's last transaction on the chain was sent to A1. A1 not only inherited 6.4 SOL from Xiao Jiu but also took over his operations. Between May 13 and 15, A1 continuously executed rug pulls on the chain (a total of 83).

Similarly, through repeated flow analysis, we identified A1's sub-accounts and its subsequent successors.

03 The Relay Game: All in It Together‍

According to CertiK's tracking, the relay sequence of the rug pullers is as follows:

By horizontally comparing the transaction counterparts and fund flows of the above addresses, we discovered more interesting details. There are 70 addresses that simultaneously have financial interactions with multiple rug puller addresses. Among them, we identified two major addresses:

EZBbaxg7YqWo3XMAsTThZJEmTC9Dv78F5aB9srvsCtJg (E)

D3s8Zf1zh8R98JBU9Fw4K8fViv1DDzCmoPbNTmJwXKbD (D3)

Behind the Scenes Winner: E

E is the second-largest address by trading volume, with a financial interaction of 110.88 SOL with the aforementioned rug pullers. According to on-chain data analysis, E has heavily participated in the rug pullers' meme scams and profited from the trades. One of the recent memes E participated in was Pepe Trump, yielding a profit of $48 (source: dexscreener). Similarly, E has conducted about 50,000 meme trades recently. Based on its trading volume, E has made approximately $10,000 from these activities.

How does E ensure profits? Each time a rug puller deploys a new token, a portion of the initial tokens is minted to E, which E then distributes. Through frequent trading, these addresses that receive funds, along with E, inflate the trading volume of memes in a short time, and then collectively dump the tokens.

After E made money, it returned the funds to the rug pullers. According to statistics, as of the writing of this article, E has transferred a total of 41 SOL (about $7,000) to the aforementioned rug puller addresses.

There are at least 70 trading addresses like E. They are still actively trading newly initiated meme scams, creating hype for them.

Fund Consolidation: D3

Additionally, the address with the most transactions with rug pullers is D3, which has transferred over 140 SOL to the rug puller addresses mentioned above. Based on on-chain data analysis, we found that D3 is the fund consolidation address for the rug pullers.

After receiving funds, D3 transferred them in batches to the following three addresses:

GGMcDYzUKFDsXGba6K6S2NoKdD8S4a6QDoEY47DSx65X (OKX)

HCR8ZrgDCVFQhoaFXR7PKpn9tPABa4rKscpMwoJTF9be (Bybit)

J97QXy94SfwzgWfi8Y625wkAANVqSwxyD7dzw9bd8X5Z (Staking + Investment)

Among these, G and H are exchange addresses, while the funds transferred to J are used for staking and investment on-chain.

It turns out they are all in it together, as Xiao Jiu and the other addresses continuously create liquidity, pump prices, and then sell off. In the end, it was just moving money from one pocket to another (all profits going to their own people). Ultimately, everyone took the money away through the consolidation address. The specific flow of funds is shown in the diagram below:

Victims: New Investors (Meme Hunters)

I wonder if anyone has noticed that among the several addresses we mentioned earlier, one address has been continuously making money, which is E. Who is E making money from? It is from the new investors (especially new investment bots). Taking the previously mentioned Pepe Trump as an example: the third-largest (DaKf…9A9R) and fourth-largest holders (6Md4…AKnW) purchased 1.3 SOL and 0.5 SOL of tokens at 10:50 AM on May 29, but before they could sell, they were rug pulled. Of course, there are definitely more victims than just these two; they just lost more obviously.

About 10 seconds after they bought in, the addresses controlled by the rug pullers began to sell off massively, causing the price to plummet to nearly zero:

Through on-chain data analysis, we found that both victims frequently participated in meme "new investment" trades on the Solana chain, buying memes early in the creation of meme pools and then selling them at high prices. Among them, Da has profited approximately 86 SOL from new investments in the past three months, with Pepe Trump being one of the few traps he fell into. Given that the rug pulls by Xiao Jiu and the associated addresses occurred very rapidly, usually within 5 minutes, we reasonably suspect that this is a scam specifically tailored for new investment bots.

04 Conclusion

With the analysis of the on-chain behavior and fund flows of addresses like Xiao Jiu, we have uncovered a meticulously planned and highly targeted rug puller system. It must be said that rug pullers are also keeping up with trends, targeting the increasingly thriving bot trading in the Solana ecosystem. From Xiao Jiu's frequent losses to the complex operations of associated addresses, and then to the consolidation and outflow of funds, these addresses create a false market appearance through mutual fund transfers, attracting more investors to join.

As of today, Xiao Jiu and others are still active. According to CertiK's ongoing tracking, we continuously discover new addresses associated with Xiao Jiu. As of May 31, 2024, this gang has transferred approximately 863 SOL (about $146,000) through the D3 address.