Drained for $7.95: How a Solana Phishing Scam Built a Multi-Chain AML Platform

The Drain

Date: 2026-02-09, 14:28 UTC
Loss: 0.093668917 SOL (~$7.95)
Vector: A "First-Come-First-Served" airdrop link, posted in the Orynth Discord, by an account wearing the ORY admin badge.

That last detail is the whole story.

I'd been in that Discord for months. Active member. Followed the project. So when the post landed in #FCFS — admin badge, friendly tone, link to solland.cc redirecting to hibit.app — I did what any conditioned crypto user does: connect wallet, sign, claim.

The "claim" was a System Program Transfer disguised as an airdrop call. My SOL went straight to:

7kMpieh2THdaC5eUvxFJDL3TdsQWVQCwdhsEjLj1eL26                                                                                                                                                    

Solscan TX →

The amount didn't matter. What mattered was the realization sitting in my chest as I watched the TX confirm:

I fell for it because the badge was real.

If the compromise vector I just experienced — authority-based trust — could catch someone who'd been in this space for years, then it could catch literally anyone.

48 Hours Later

I didn't post a warning thread on Twitter and move on. I traced the wallet.

What I found was not an opportunist.

• Funded via FixedFloat (KYC-free instant exchange)

• Laundered via Jupiter (SOL → USDT swap)

• Withdrawn back through FixedFloat to break the chain

• $3,700+ stolen across the previous two weeks — 3,640 USDT + 0.67 SOL

• Dozens of victims matching exactly the same TX shape as mine

This was a pipeline. Industrialized. Repeatable. And nobody in retail crypto had a tool that would have flagged any of it before signing.

That's the moment the real problem clicked into focus:

The problem wasn't "I made a mistake." The problem was that no tool existed that would have caught this before I signed.

ScamDB Entry #1

Before I wrote a single line of UI code, I created a JSON file: scamdb.json.

The first entry was 7kMpieh2TH…j1eL26, with:

• the two phishing domains

• the laundering path

• the asset profile

• the entry vector (compromised admin)

That entry still lives in the production ScamDB today — alongside 100+ curated entries, OFAC SDN, Chainabuse, CryptoScamDB, GoPlus, and community reports. Every scan ChainAnalyzer runs checks against this set first.

The $7.95 was the most valuable $7.95 I've ever spent.

TokenForge → ChainAnalyzer

The first ship — TokenForge, February 2026 — was Solana-only. 14 detection rules. One-click scan of any mint or wallet. No login. Free.

Two weeks in, a friend asked me to scan an Avalanche address. I didn't have EVM support yet. He showed me what he was seeing: fake Cyrillic UЅDT tokens being spammed at legitimate wallets,
looking pixel-identical to real USDT in every wallet UI.

I added Avalanche. Then Ethereum. Then Polygon. Bitcoin later. Then I pointed the scanner at his Avalanche address.

It flagged CRITICAL with 20 detections. I turned on Follow Mode — a graph BFS feature I'd just shipped — and let it crawl the transaction graph.

Fourteen wallets became fifty. Fifty became two hundred and sixty-four.

Together they moved $5.3M across three chains. Every one of them funded by a single upstream wallet I started calling Master Funder.

That was the moment I realized what I was building wasn't a "consumer scam scanner." It was an AML-grade investigation platform for the retail Web3 era.

Two months later, the network is still growing → 854 new operator wallets, $16.8M USDT collected.

What Changed

What didn't change: every feature is still exercised against the kind of attack that cost me $7.95.

Five Lessons I Wish Someone Had Told Me

1. Admin badges mean nothing. Treat any post in your favorite project's server the same way you'd treat a cold DM.

2. "Connect wallet" is not a safe operation. Read what you're signing. If you can't read it, don't sign.

3. Address-first verification. Before sending anything, scan the destination. Three seconds.

4. FCFS airdrops are always scams. Real projects don't panic people into signing instantly.

5. Post-mortem immediately. When you lose money, trace it on-chain before you spiral. The understanding is more valuable than the money you lost.

Where We Are Today

ChainAnalyzer now:

• Scans across five chains: BTC, ETH, POL, AVAX, SOL

• Runs on Azure Japan East, FISC-aligned hosting

• Ships an MCP server on npm and the official MCP
  Registry, callable from Claude Desktop, Claude Code, ChatGPT, Gemini, Cursor

• Supports pay-per-request via x402 USDC on Base or Solana mainnet — $0.003 to $0.05 per call, no API key

• Ships a JPYC-specific compliance suite for Japanese stablecoin operators

• Was accepted into the Japan FSA FinTech Proof-of-Concept Hub (2026-03)

• Earned a AAA score on Glama MCP Directory and is listed on
  awesome-mcp-servers

All from a $7.95 drain two months ago.

What's Next

Two things pull me forward.

1. The \(5.3M network is still growing.
Since our February report, the Master Funder has disbursed another 49,441 AVAX (~\)1.24M) to 854 new destination addresses. The ETH collector has received $16.8M USDT from 1,450 senders in two months. These aren't numbers — they're 1,450 real people whose TX history got polluted hoping they'd copy-paste the wrong address. (Read the follow-up →)

2. AI agents are about to do this at scale.
With MCP + x402, any autonomous agent can screen any address before signing — autonomously, in a single tool call. The exact attack vector I fell for — copy-paste from history,
trust-by-badge, panic-driven UX — becomes structurally impossible if the agent runs check_address_risk first.

ChainAnalyzer is one of the first AML platforms wired into both protocols.

Try It

• Scan an address for free → chain-analyzer.com

• Public ScamDB (no API key) → /scamdb

• MCP server → npx chainanalyzer-mcp

• REST API → /docs/api

• x402 endpoints → /docs/x402

If you've been drained, reach out. Send me the TX. I'll add the drainer to ScamDB. The next person who tries to send to that address will get a CRITICAL flag.

That's the whole point.

One person's $7.95 lesson becomes another person's saved $50,000.

Originally published at chain-analyzer.com/news/origin-drainer-story.
ENS: chainanalyzer.eth · Engineering blog