header-langage
简体中文
繁體中文
English
Tiếng Việt
한국어
日本語
ภาษาไทย
Türkçe
Scan to Download the APP

Liquidity Sniping Bot: Unveiling the Inside Job behind Pump.fun Token Launch

2025-06-09 11:22
Read this article in 21 Minutes
总结 AI summary
View the summary 收起
Original Article Title: Exit Liquidity Machines
Original Author: Pine Analytics
Original Translator: GaryMa Blockchain Talk


Abstract


This report examines a prevalent and highly coordinated meme token farming pattern on Solana: token deployers transferring SOL to "sniper wallets" to enable these wallets to buy the token in the same block as the token launch. By focusing on a clear, verifiable fund flow between deployers and snipers, we identify a set of high-confidence extraction behaviors.


Our analysis shows that this strategy is neither a one-off phenomenon nor a fringe activity—just in the past month, over 15,000 SOL in realized profits has been extracted from over 15,000 token launches through this method, involving 4,600 sniper wallets and 10,400 deployers. These wallets exhibit abnormally high success rates (87% sniper profitability), clean exit strategies, and structured operational patterns.


Key Findings:


· Deployer-funded sniper activity is systematic, profitable, and often automated, with sniper activity most concentrated during U.S. working hours.

· Multi-wallet farming structures are highly common, often utilizing temporary wallets and coordinated exits to mimic genuine demand.

· Evasion techniques continue to evolve, such as multi-hop fund flows and multi-signature sniper transactions, to evade detection.

· Despite limitations, our one-hop fund filter can still capture the clearest, most repeatable large-scale "insider" behavior cases.

· This report proposes an actionable set of heuristic methods to help protocol teams and front-ends proactively identify, flag, and address such activity—including tracking early holder concentration, tagging deployer-associated wallets, and issuing front-end warnings on high-risk launches.


While our analysis only covers a subset of same-block sniper behaviors, its scale, structure, and profitability indicate that Solana token launches are being actively manipulated by coordinated networks, with existing defenses falling far short.


Methodology


This analysis starts with a specific goal: to identify behavior on Solana indicative of coordinated meme token farming, particularly cases where deployers provide funding to sniper wallets for the token launch in the same block. We break down the problem into the following stages:


1. Same Block Snipe Detection


We first filter wallets that were sniped in the same block after deployment. This is due to: Solana not having a global mempool; needing to know the address before the token appears on a public frontend; and the extremely short time between deployment and the first DEX interaction. This behavior is almost certainly not natural, making "same block sniping" a high-confidence filter for identifying potential collusion or insider activity.


2. Identifying Deployment-Associated Wallets


To differentiate between skilled technical snipers and coordinated "insiders," we track SOL transfers between pre-launch deployers and snipers, only flagging wallets that meet the following criteria: receiving SOL directly from a deployer; sending SOL directly to a deployer. Only wallets with direct transfers pre-launch are included in the final dataset.


3. Associating Sniping with Token Profits


For each sniping wallet, we map their transaction activity on the sniped token, calculating: total SOL spent buying the token; total SOL received selling on the DEX; realized net profit (not just nominal gains). This allows for precise attribution of the profit extracted from deployers in each snipe.


4. Measuring Scale and Wallet Behavior


We analyze this activity from multiple dimensions: number of unique deployers and sniping wallets; confirmed instances of coordinated same block snipes; distribution of snipe profits; amount of tokens issued per deployer; cross-token reuse of sniping wallets.


5. Machine Activity Traces


To understand how these operations are conducted, we group sniping activity by UTC hour. The results show: activity is concentrated within specific time windows; a significant drop-off during late-night UTC hours; indicating that rather than being globalized, continuous automation, it aligns more with cron tasks or manually executed windows aligned with U.S. time.


6. Exit Behavior Analysis


Finally, we examine the behavior of deployment-associated wallets when selling the sniped token: measuring the time from first buy to final sell (holding duration); counting the number of individual sell transactions each wallet uses to exit. This helps distinguish whether wallets opt for rapid clearance or gradual sell-offs and examines the association between exit speed and profitability.



Focus on the Clearest Threat


We start by measuring the scale of same block snipes in pump.fun issuance, with results that are staggering: over 50% of tokens are sniped in the genesis block — same block sniping has shifted from a fringe case to a dominant issuance pattern.


In Solana, same-block participation often requires: pre-signed transactions; off-chain coordination; or shared infrastructure between deployer and buyer. Not all same-block sniping is equally malicious, as there are at least two types of roles: "Cast a Wide Net" bots — testing heuristics or speculating with small amounts; Insider Coordination — including deployers front-running for their own buyers.


To reduce false positives and highlight true coordination, we have incorporated strict filtering in our final metric: only counting same-block snipes where there is a direct SOL transfer from the pre-deployer to the sniping wallet. This allows us to confidently identify: wallets controlled directly by the deployer; wallets acting at the deployer's behest; wallets with insider channels.



Case Study 1: Direct Funding


The deployer wallet 8qUXz3xyx7dtctmjQnXZDWKsWPWSfFnnfwhVtK2jsELE sent a total of 1.2 SOL to 3 different wallets, then deployed a token named SOL > BNB. The 3 funded wallets completed the snipe in the same block as the token creation, before it became widely visible. Subsequently, they quickly sold for profit, executing a coordinated lightning exit. This was a textbook example of front-running the sniping wallet to farm the token, directly captured by our fund chain approach. Despite its simplicity, this maneuver has played out on a large scale across thousands of launches.



Case Study 2: Multi-Hop Funding


Wallet GQZLghNrW9NjmJf8gy8iQ4xTJFW4ugqNpH3rJTdqY5kA was involved in multi-token snipes. This entity did not fund the sniping wallet directly but instead routed SOL through 5–7 intermediate wallets before reaching the final sniping wallet, enabling a same-block snipe.


Our existing method only detected some initial transfers by the deployer and did not capture the entire chain leading to the final sniping wallet. These relay wallets are usually "single-use," only used for passing SOL along, making them difficult to trace through simple queries. This gap is not a design flaw but a computational resource trade-off — while tracking multi-hop funding paths in large-scale data is feasible, it is costly. Therefore, the current implementation prioritizes high confidence, direct-link pathways for clarity and reproducibility.


We utilize Arkham's visualization tool to display this longer fund chain, graphically showing how funds flow from the initial wallet through shell wallets to the final deployer wallet. This highlights the complexity of fund obfuscation and points the way toward improving detection methods in the future.


Why Focus on "Directly Funded and Same-Block Sniper Wallets"


In the remainder of this article, we only investigate sniper wallets that directly received funding pre-launch and sniped in the same block. The reasons are as follows: they contribute significant profits; have minimal obfuscation tactics; represent the most actionable malicious subset; studying them can provide the clearest heuristic framework for detecting and mitigating more advanced front-running strategies.


Findings


By focusing on the subset of "Same-Block Sniper + Direct Funding Chain," we uncovered a widespread, structured, and highly profitable on-chain coordinated behavior. All data below cover from March 15th to present:



1. Same-Block Deployer-Funded Sniper Attacks Are Highly Common and Systematic


a. In the past month, over 15,000 tokens were sniped by directly funded wallets in the launch block;

b. Involving 4,600+ sniper wallets, 10,400+ deployers;

c. Accounting for approximately 1.75% of the pump.fun supply.



2. This Behavior Is Highly Profitable at Scale


a. Directly funded sniper wallets have seen net profits> 15,000 SOL;

b. Sniper success rate of 87%, very few failed transactions;

c. Typical per-wallet gains range from 1–100 SOL, with a few over 500 SOL.



3. Repetitive Deployments and Sniping Point to a Front-Running Network


a. Many deployers use new wallets to mass-create tens to hundreds of tokens;

b. Some sniper wallets execute hundreds of snipes in a single day;

c. A "hub-and-spoke" structure is observed: one wallet funds multiple sniper wallets, all sniping the same token.



4. Sniping Displays a Human-Centric Time Pattern


a. Activity peaks between UTC 14:00–23:00; almost dormant from UTC 00:00–08:00;

b. Aligns with U.S. working hours, indicating human-triggered/cron-scheduled actions rather than 24/7 global automation.



5. Single-Use Wallets and Multi-Signature Transaction Ownership Confusion


a. The deployer funds several wallets simultaneously and signs in the same transaction to sniper;

b. These burner wallets then do not sign any further transactions;

c. The deployer splits the initial buy-in into 2–4 wallets, disguising genuine demand.



Exit Behavior


To further understand how these wallets exit, we break down the data along two major behavioral dimensions:


1. Exit Timing — The time from the initial buy to the final sell;

2. Swap Count — The number of independent sell transactions used to exit.


Data Findings


1. Exit Timing


a. 55% of snipes sold out within 1 minute;

b. 85% cleared out within 5 minutes;

c. 11% completed within 15 seconds.


2. Swap Count


a. Over 90% of sniping wallets used only 1–2 sell orders to exit;

b. Very few adopted a staggered sell-off approach.


3. Profit Trend


a. The most profitable wallets are those exiting in <1 minute, followed by those exiting in <5 minutes;

b. Longer holds or multiple sells, while averaging slightly higher per sell profits, are very few in number and contribute minimally to total profits.


Interpretation


These patterns indicate that deployer-funded sniping is not trading behavior but an automated, low-risk extraction strategy:


· Buy in early → Sell quickly → Exit completely.

· Each sell represents a total disregard for price movement, merely leveraging early entry to dump.

· The few more complex exit strategies are merely exceptions, not mainstream patterns.


Actionable Insights


The following recommendations aim to help protocol teams, front-end developers, and researchers identify and address extraction or coordinated token issuance patterns by transforming observed behaviors into heuristics, filters, and alerts to enhance user transparency and mitigate risk.



Conclusion


This report uncovers a continuous, structured, and highly profitable Solana token launch extraction strategy: Deployer-funded same-block sniper. By tracking direct SOL transfers from deployers to sniper wallets, we identified a cohort of insider-style behavior, leveraging Solana's high-throughput architecture for coordinated extraction. While this method only captures a portion of same-block sniping, its scale and pattern suggest: this is not scattered speculation, but rather operators with privileged positions, replicable systems, and clear intent. The significance of this strategy is reflected in:


1. Distorting early market signals, making tokens appear more attractive or competitive;

2. Endangering retail participants — they unwittingly become liquidity exits;

3. Eroding trust in open token launches, especially on platforms like pump.fun that prioritize speed and ease of use.


To mitigate this issue, passive defense is not enough; it requires improved heuristics, frontend alerts, protocol-level guardrails, and ongoing efforts to map and monitor coordinated behavior. Detection tools already exist — the question is whether the ecosystem is truly willing to apply them.


This report takes the first step: providing a reliable, reproducible filter to identify the most blatant coordinated behavior. But this is just the beginning. The real challenge lies in detecting highly obfuscated, constantly evolving strategies and building an on-chain culture that rewards transparency over extraction.


Original Article Link


Welcome to join the official BlockBeats community:

Telegram Subscription Group: https://t.me/theblockbeats

Telegram Discussion Group: https://t.me/BlockBeats_App

Official Twitter Account: https://twitter.com/BlockBeatsAsia

举报 Correction/Report
This platform has fully integrated the Farcaster protocol. If you have a Farcaster account, you canLogin to comment
Choose Library
Add Library
Cancel
Finish
Add Library
Visible to myself only
Public
Save
Correction/Report
Submit