On the evening of May 13, 2024, the CertiK team detected a suspicious address on the Solana blockchain: 9ZmcRsXnoqE47NfGxBrWKSXtpy8zzKR847BWz6EswEaU (hereinafter referred to as “Little Nine”).
From May 12 to 13, Little Nine initiated a total of around 64 rug pull transactions on the blockchain, with one occurring every few minutes. Within less than 24 hours, Little Nine incurred a total loss of 272 SOL, valued at approximately $45,900.
Delving into the modus operandi of Little Nine, let’s take the last meme TWS deployment as an example. At 4:05 UTC on May 13, Little Nine minted 99,999,999 TWS tokens. At 13:18, Little Nine deployed a TWS/SOL liquidity pool on Raydium, injecting 98,999,999.99 TWS and 1 SOL; subsequently, they immediately conducted a wash trading with 4 SOL.
Just 4 minutes later, at 13:22, Little Nine exchanged 80,160,319.64 TWS for 0.018 SOL before exiting. These transactions occurred at regular intervals, with Little Nine consistently engaging in high investment and low returns, investing 5 to 10 SOL in each pool but ultimately retrieving an amount significantly lower than their initial investment, with nearly half of the transactions incurring a loss rate of over 90%.
Analyzing the transaction records, it is evident that Little Nine’s actions were intentional, as each operation, including the token amounts, were identical.
As for who profits if Little Nine incurs losses, tracking the “transaction flow” of Little Nine provides some answers. The primary recipient of funds from Little Nine was identified as 6kt6xT6nZGGmPzJPrQtKPqNrdj5CoiVCuD2xuGQvxJ5Q (Little Six). Little Six, a sub-account of Little Nine, received approximately 272 SOL from Little Nine. Little Nine utilized Little Six to add liquidity to meme pools and boost trading volume.
Moreover, a successor to Little Nine, A1, inherited both 6.4 SOL and Little Nine’s operations. Between May 13 and 15, A1 continued to execute rug pull transactions on the blockchain. Through further analysis of the transaction flows, sub-accounts of A1 and subsequent successors were identified.
The relay game among rug pullers, as tracked by CertiK, revealed a specific sequence of operations. By comparing the transactions and funds between the mentioned addresses, it was discovered that 70 addresses had interactions with multiple rug puller addresses. Notably, two main addresses, EZBbaxg7YqWo3XMAsTThZJEmTC9Dv78F5aB9srvsCtJg (E) and D3s8Zf1zh8R98JBU9Fw4K8fViv1DDzCmoPbNTmJwXKbD (D3), were identified as key players.
E, the second-largest address in terms of trading volume, engaged in meme scams orchestrated by rug pullers, profiting from these transactions. Through frequent trading, E collaborated with addresses that received funds to artificially boost meme trading volume before collectively dumping assets.
Address D3, which transacted the most with rug pullers, served as the fund collection point for rug pull operations.
The victims of these schemes, known as Meme Hunters, unknowingly fell prey to rug pullers like E. These Meme Hunters were targeted by rug pullers, especially bots, in meme pool trading, resulting in significant losses for the victims.
In conclusion, the elaborate and targeted rug puller system discovered through the analysis of Little Nine and related addresses showcases a sophisticated operation within the Solana ecosystem. By manipulating markets through intricate transactions and fund transfers, these addresses create illusions to attract more investors.
As of May 31, 2024, the group associated with Little Nine had transferred approximately 863 SOL, equivalent to $146,000, through the D3 address. To aid users in identifying and avoiding such rug pull scams, CertiK conducted an in-depth analysis of over 10,000 meme rug pull transactions on Solana. Stay tuned for more insights and prevention strategies in the future!