Author: Pine Analytics
Translated by: GaryMa Wu Blockchain
Abstract
This report investigates a prevalent and highly coordinated meme token farming mode on Solana: token deployers transfer SOL to "sniper wallets", enabling these wallets to buy the token within the same block as the token's launch. By focusing on a clear, provable fund chain between deployers and snipers, we have identified a set of high-confidence extraction behaviors.
Our analysis shows that this strategy is neither a sporadic occurrence nor a marginal behavior — in just the past month, over 15,000 SOL of realized profits were extracted through this method across more than 15,000 token launches, involving over 4,600 sniper wallets and 10,400 deployers. These wallets exhibit an abnormally high success rate (87% of snipers profiting), clean exit strategies, and structured operational patterns.
Key Findings:
- Deployer-funded sniping is systematic, profitable, and often automated, with sniper activities most concentrated during US working hours.
- Multi-wallet farming structures are very common, frequently using temporary wallets and coordinated exits to simulate genuine demand.
- Obfuscation methods are continuously evolving, such as multi-hop fund chains and multi-signature sniper transactions, to evade detection.
- Despite limitations, our single-hop fund filter can still capture the clearest, most replicable large-scale "insider" behavior cases.
- The report proposes an actionable heuristic approach to help protocol teams and frontends identify, tag, and respond to such activities in real-time — including tracking early position concentration, tagging deployer-associated wallets, and issuing frontend warnings to users in high-risk launches.
Although our analysis only covers a subset of same-block sniping behaviors, its scale, structure, and profitability indicate that Solana token launches are actively manipulated by coordinated networks, with existing defenses far from sufficient.
In the remainder of this article, we will only study sniper wallets that directly obtain funding from deployers before launch and snipe in the same block. The reasons are as follows: they contribute significant profits; have the least obfuscation methods; represent the most operationally viable malicious subset; studying them can provide the clearest heuristic framework for detecting and mitigating more advanced extraction strategies.
Findings
Focusing on the subset of "same-block sniping + direct funding chain", we reveal a widespread, structured, and highly profitable on-chain collaborative behavior. All data below covers from March 15th to date:
1. Same-block Sniping Funded by Deployers is Highly Common and Systematic
a. Confirmed 15,000+ tokens were sniped by directly funded wallets in the launch block over the past month;
b. Involving 4,600+ sniper wallets and 10,400+ deployers;
c. Accounting for approximately 1.75% of pump.fun issuance.
2. This Behavior is Highly Profitable
a. Directly funded sniper wallets have realized net profits > 15,000 SOL;
b. Sniper success rate of 87%, with very few failed transactions;
c. Typical wallet earnings of 1–100 SOL, with some exceeding 500 SOL.
3. Repeated Deployment and Sniping Point to Farming Networks
a. Many deployers use new wallets to batch create dozens to hundreds of tokens;
b. Some sniper wallets execute hundreds of snipers in a single day;
c. Observed a "center-radiation" structure: one wallet funds multiple sniper wallets, all sniping the same token.
4. Sniping Presents a Human-Centric Time Pattern
a. Active peak from UTC 14:00–23:00; almost stagnant from UTC 00:00–08:00;
b. Aligns with US working hours, indicating manual/cron-triggered timing, rather than fully automated 24/7.
5. One-time Wallets and Multi-signature Transactions Obscure Ownership
a. Deployers simultaneously fund multiple wallets and sign sniping in the same transaction;
b. These burn wallets never sign any transactions afterward;
c. Deployers split initial purchases across 2–4 wallets to disguise genuine demand.
Exit Behavior
To deeply understand how these wallets exit, we break down the data across two behavioral dimensions:
1. Exit Timing — from first purchase to final sell-out;
2. Swap Count — number of independent sell transactions used for exit.
Data Conclusions
1. Exit Speed
a. 55% of snipers completely sold within 1 minute;
b. 85% liquidated within 5 minutes;
c. 11% completed in 15 seconds.
2. Sell Transaction Count
a. Over 90% of sniper wallets exit using only 1–2 sell orders;
b. Rarely use progressive selling.
3. Profit Trends
a. Most profitable are wallets exiting < 1 minute, followed by < 5 minutes;
b. Longer holding or multiple sells have slightly higher average profit per transaction, but are extremely few and contribute little to total profit.
Explanation
These patterns indicate that deployer-funded sniping is not a trading behavior, but an automated, low-risk extraction strategy:
·Front-run buying → Quick selling → Complete exit.
·Single sell order shows no concern for price fluctuations, only exploiting initial advantage to dump.
·Few more complex exit strategies are exceptions, not mainstream.
Actionable Insights
The following suggestions aim to help protocol teams, frontend developers, and researchers identify and address extraction or collaborative token issuance patterns by converting observed behaviors into heuristics, filters, and warnings to increase user transparency and reduce risks.
Conclusion
This report reveals a continuous, structured, and highly profitable Solana token issuance extraction strategy: deployer-funded same-block sniping. By tracking direct SOL transfers from deployers to sniper wallets, we identified an insider-style behavior leveraging Solana's high-throughput architecture for collaborative extraction.
Although this method only captures part of same-block sniping, its scale and patterns indicate this is not sporadic speculation, but an operation with privileged positioning, a repeatable system, and clear intent. The significance of this strategy is reflected in:
1. Distorting early market signals, making tokens appear more attractive or competitive;
2. Endangering retail investors — who unknowingly become exit liquidity;
3. Undermining trust in open token issuance, especially on platforms like pump.fun that prioritize speed and ease of use.
Mitigating this issue requires more than passive defense, including better heuristics, frontend warnings, protocol-level guardrails, and continuous efforts to map and monitor collaborative behaviors. Detection tools exist — the question is whether the ecosystem is willing to truly apply them.
This report takes the first step: providing a reliable, reproducible filter to lock onto the most obvious collaborative behaviors. But this is just the beginning. The real challenge lies in detecting highly obfuscated, continuously evolving strategies and building a chain culture that rewards transparency rather than extraction.
