Executive Summary

This report investigates a widespread and coordinated pattern of memecoin farming on Solana, where token deployers fund sniper wallets that buy their tokens in the same block the token is launched. We isolate a high-confidence subset of extractive behavior by focusing on clear, provable funding links between deployers and snipers.

Our analysis reveals that this tactic is not rare or fringe — over the past month alone, more than 15,000 SOL in realized profit was extracted through this method, across 15,000+ launches involving 4,600+ sniper wallets and 10,400+ deployers. These wallets demonstrate unusually high success rates (87% of snipes were profitable), clean exits, and structured operational patterns.

Key findings include:

• Deployer-funded sniping is systematic, profitable, and often automated, with sniping activity clustered during U.S. business hours.
• Multi-wallet farming structures are common, often using temporary wallets and coordinated exits to simulate real demand.
• Obfuscation tactics, such as multi-hop funding chains and multi-signer sniping transactions, are increasingly used to evade detection.
• Despite its limitations, our one-hop funding filter surfaces the clearest and most repeatable examples of insider-style activity at scale.

This report also proposes a set of actionable heuristics that can help protocol teams and frontends identify, flag, and respond to this class of activity in real time — including tracking early holder concentration, labeling deployer-linked wallets, and issuing frontend warnings for high-risk launches.

While our analysis only captures a subset of all same-block sniping behavior, the scale, structure, and profitability of these patterns suggest that token launches on Solana are being actively gamed by networks of coordinated actors — and current defenses are insufficient.

Methodology

This analysis began with a focused goal: to identify wallets and behaviors indicative of coordinated memecoin farming on Solana — particularly cases where token deployers fund sniping wallets in the same block the token is launched.

We broke the problem into several stages:

1. Filtering for Same-Block Snipes

We first isolated tokens that were sniped in the same block they were deployed. This behavior is extremely unlikely to be organic due to:

• The lack of a global mempool on Solana
• Required awareness of the token before it appears in a public frontend
• Timing constraints between token deployment and the first DEX interaction

Same-block snipes were used as a high-signal filter to surface potential collusion or privileged activity.

2. Identifying Deployer-Linked Wallets

To distinguish between skilled snipers and coordinated insiders, we tracked SOL transfers between deployers and snipers in the lead-up to each token launch. We flagged wallets that:

• Received SOL directly from the deployer
• Sent SOL to the deployer

Only wallets with direct pre-snipe transfers between sniper and deployer were included in the final dataset.

3. Linking Snipes to Token Profit

We mapped out each sniper wallet’s trading activity for the tokens they sniped. Specifically, we calculated:

• Total amount of SOL spent acquiring the token
• Total amount of SOL received from selling it on DEXs
• Net realized profit, not just notional gains

This allowed us to attribute exact profit extracted from each deployer-linked snipe.

4. Measuring Scale and Wallet Behavior

We analyzed the scope of this activity across several axes:

• Number of unique deployers and sniper wallets
• Total number of confirmed collusive same-block snipes
• Distribution of sniper profits
• Number of tokens launched per deployer
• Reuse of sniper wallets across tokens

5. Bot Activity Footprinting

To understand how these operations were being run, we grouped sniping activity by hour of the day (UTC). This revealed strong time-of-day patterns:

• Activity concentrated in specific time windows
• Drop-offs during late-night UTC hours
• Suggestive of US-aligned cron jobs or manual execution windows, rather than global or continuous automation.

6. Exit Behavior Analysis

Finally, we examined how deployer-linked wallets exited their sniped token positions—both in terms of holding duration and number of trades used to unwind their position.

• We measured the time elapsed between the first buy and final sell (hold duration).
• We counted the number of distinct sell transactions (swaps) per wallet per token.

This helped us identify whether wallets pursued quick liquidation or more gradual sell-off strategies, and to what extent exit speed correlated with profitability.

Targeting the Clearest Threats

As a first step, we measured the scale of same-block sniping across pump.fun launches. What we found was striking: over 50% of tokens are now sniped in the exact block they’re created — before they could reasonably be discovered via public RPCs or frontends. Same-block sniping is no longer a rare edge case; it’s the dominant launch pattern.

This behavior is inherently suspicious. On Solana, same-block participation typically requires:

• Pre-signed transactions
• Off-chain coordination
• Or a shared infrastructure between deployer and buyer

But importantly, we observed that not all same-block sniping is equally malicious. There are at least two categories of actors:

• Spray-and-pray bots, likely testing heuristics or dusting
• Coordinated insiders, including deployers funding their own buyers

To reduce false positives and surface true coordination, we introduced a strict filter in our final activity metrics: We only included snipes where there was a direct SOL transfer between the deployer and the sniping wallet before the token launch.

This approach allows us to confidently surface wallets that are either:

• Directly controlled by the deployer
• Acting under the deployer’s direction
• Privileged with insider access

Case Study 1: Direct Funding (Caught by Our Methodology)

In this case, the deployer wallet 8qUXz3xyx7dtctmjQnXZDWKsWPWSfFnnfwhVtK2jsELE sent 1.2 SOL across three separate wallets. You can view the entity on Arkham here. It then deployed a token called SOL>BNB. All three funded wallets sniped the token in the same block it was created, securing early access before it was visible to the broader market.

These wallets quickly sold their allocations for a profit, executing fast, coordinated exits. This is a textbook example of token farming via pre-funded sniper wallets, and was directly captured by our funding-based detection method. Despite its simplicity, this type of operation is being executed at scale across thousands of launches.

Case Study 2: Multi-Hop Funding (Missed by Our Methodology)

In this instance, the wallet GQZLghNrW9NjmJf8gy8iQ4xTJFW4ugqNpH3rJTdqY5kA has been associated with multiple token snipers. Instead of directly funding sniper wallets, this entity routes SOL through a series of intermediary wallets—often 5 to 7 hops deep—before the final wallet executes the same-block snipe.​

Our current methodology, which focuses on direct funding links, was able to detect some of the initial transfers from the deployer but did not capture the entire chain leading to the final snipers. These intermediary wallets are typically used only once, serving solely to pass through SOL, making them challenging to link through straightforward queries.​

This pattern wasn’t overlooked due to design limitations but was a computational tradeoff. Tracing funding paths across multiple hops with temporal constraints is technically feasible but resource-intensive at scale. As a result, our current implementation prioritizes high-confidence, direct links for clarity and reproducibility.​

To visualize this larger funding chain, we utilized Arkham’s Visualizer tool, which graphically represents the flow of funds from the initial funding wallet through the chain of shell wallets to the final deployer wallet. This visual aid underscores the sophisticated methods employed to obfuscate the origin of funds and highlights areas for future enhancement in our detection methodologies.

Why We Focus on Direct-Funded Same-Block Snipers

For the rest of this paper, we focus exclusively on same-block snipes where the wallet received direct funding from the deployer before launch. These wallets are responsible for substantial profits, use minimal obfuscation, and represent the most actionable subset of malicious activity. Studying them offers a clear window into the heuristics needed to detect and mitigate more advanced extraction strategies.

Findings

Focusing specifically on same-block snipes where the sniping wallet had a direct SOL transfer link to the deployer, our investigation uncovered a widespread, structured, and highly profitable pattern of on-chain coordination. While this filter captures only a subset of all sniping activity, it reveals several key patterns from this high-confidence subset. All data in this section reflects activity observed between March 15th and the present.

1. Same-Block Deployer-Funded Sniping Is Common and Systematic

We identified over 15,000 tokens where the launch was immediately sniped by a wallet that had directly exchanged SOL with the deployer before the launch over the past month. This pattern:

• Involved 4,600+ sniper wallets
• Was executed by 10,400+ unique deployers

These are not isolated incidents — this behavior represents a ~1.75% of launch activity on pump.fun.

2. This Behavior Is Profitable at Scale

Wallets engaged in deployer-funded, same-block sniping extracted over 15,000 SOL in realized net profit over the past month, based on tracked on-chain swap activity. These wallets consistently demonstrated high success rates (87% of snipes token swapping was profitable), clean execution with minimal failed transactions, and profit ranges typically between 1–100 SOL per wallet — with a few outliers exceeding 500 SOL.

3. Repeat Deployers and Snipers Point to Farming Networks

• Many deployers created dozens to hundreds of tokens using fresh wallets
• Certain sniper wallets executed hundreds of snipes, often within a single day
• We observed hub-and-spoke structures, where one wallet funded multiple sniper wallets that all acted on the same token

This suggests the presence of multi-wallet farming operations built to simulate distributed early demand while retaining centralized control and profit.

4. Sniping Follows Human-Centered Time Patterns

A time-of-day breakdown revealed sniping activity is concentrated between 14:00 and 23:00 UTC, with minimal activity from 00:00 to 08:00 UTC.

This pattern:

• Aligns with US working hours
• Suggests the bots are manually launched or cron-timed
• Reinforces that this is a centralized and deliberate operation.

5. One-Shot Wallets and Multi-Signer Transactions Obfuscate Ownership (Example Deployer)

We found numerous cases where:

• Deployers funded multiple wallets that all signed and sniped in the same transaction
• These wallets never signed another transaction again (burner wallets)
• Deployers split initial token buys across 2–4 wallets to simulate real demand

These patterns reveal deliberate ownership obfuscation, not trading.

Exit Behavior

Building on the core findings around deployer-funded, same-block sniping, we sought to better understand how these wallets actually exit their positions once the tokens are acquired. While identifying who snipes and when is critical, understanding how long tokens are held and how aggressively they’re sold adds a richer layer of context to the mechanics of this extractive strategy.

To do this, we broke the data down along two behavioral dimensions:

• Exit Timing: The duration between a wallet’s first token purchase (snipe) and its final sale of that token.
• Swap Count: The number of distinct sell transactions (swaps) a wallet used to exit the position.

Together, these metrics give us insight into both the risk appetite of sniper wallets and the complexity of their execution strategies. Are these wallets dumping everything in a single transaction? Are they staging exits over time? And how does each approach affect profitability?

What the Data Shows

Exit Speed:

More than 55% of snipes are fully exited in under one minute, and nearly 85% are exited within five minutes.

• A significant share — over 11% — are completed in 15 seconds or less.

Sell Event Simplicity:

In over 90% of cases, sniper wallets sell their tokens in just one or two swap events.

Very few wallets use gradual exits or staggered sell strategies.

• Wallets with a higher number of swaps generally see marginally higher profits.

Profitability Trends:

The most profitable group by far is wallets that exit in under one minute, followed by those that exit in under five.

• While longer and more active snipes—those involving extended hold durations or multiple sell events—tend to show higher average profitability per event, they are used far less frequently. As a result, they contribute only a small share of the total extracted profit.

How We Interpret It

These patterns point to a highly automated, extractive strategy. Most deployer-linked wallets are not behaving like traders or even speculative participants. Instead, they behave like execution bots:

• Get in first.
• Sell fast.
• Exit completely.

The fact that most exits happen in a single transaction suggests minimal intent to engage with price action or market dynamics. These wallets aren’t testing highs, averaging out, or adapting to volatility—they’re front-running demand and dumping into it as quickly as possible.

While a handful of wallets show more complex exit behavior—using multiple sells or longer holding periods—their returns are only marginally better, and they make up a very small share of activity. These are the exceptions, not the model.

Ultimately, the data paints a clear picture: deployer-funded sniping is not about trading—it’s about automated, low-risk extraction. The faster the exit, the higher the success rate. This exit behavior reinforces the idea that same-block sniping isn’t just opportunistic; it’s architected for speed, precision, and profit.

Actionable Insights

The following recommendations are designed to help protocol teams, frontend builders, and researchers identify and respond to patterns of extractive or coordinated token launches. By translating observed behaviors into heuristics, filters, and warnings, these insights can reduce risk and improve transparency for end users.

Display Early Bonding Curve Behavior

Most token dashboards focus on current holder concentration—but some of the clearest risk signals emerge in the first 20–50 blocks of trading. When a small number of wallets buy up most of the supply early, exit quickly, and still hold a dominant share, it points to a structurally extractive launch. Rather than flagging tokens outright, frontends should surface early-stage metrics that help traders build intuition: total SOL bought in the first 10 blocks, Jito and priority fees paid to bid, percentage of volume by top x wallets, and the current balance of those early snipers. By highlighting cost basis clustering, compressed order book behavior, and exit patterns—without any need for attribution—In app frontends these heuristics let users spot when something’s off before becoming exit liquidity.

Risk Marking Based on Wallet Behavior and Launch Structure

Frontends should adopt a tiered risk labeling system that reflects both prior wallet behavior and suspicious launch dynamics, helping users avoid becoming exit liquidity.

Hard Risk Flags for Repeat Offenders

Wallets with a history of same-block sniping, especially when linked to deployers via direct or multi-hop funding flows, should carry a persistent, high-risk marker. If these wallets interact with a new token, the frontend should display a strong warning that is difficult to click through (e.g., modal confirmation, disabled by default). These are wallets that have repeatedly extracted value from users across multiple launches and should not be treated as clean participants.

Soft Warnings for Structural Red Flags

Tokens that exhibit first-block sniping, high early-holder concentration, or compressed early order book behavior (e.g., 50% of volume in first 10 blocks, top 3 wallets hold 80% of supply) should receive a light, hoverable caution label. Users can hover to see the specific heuristics triggered (e.g., “sniped in same block,” “top wallet exited in under 30s,” “early buys from repeat-funded wallets”), giving them context before making a decision.

This system doesn’t attempt to prove malicious intent — it flags repeatedly extractive behavior

and launch patterns with poor fairness optics, making it easier for everyday users to spot bad setups without needing to read the contract or trace funding flows themselves.

Beyond Static Clustering

Static wallet labeling is not enough. As soon as heuristics become public, malicious actors adapt—rotating wallets, mimicking retail behavior, and fabricating signs of legitimacy. To stay effective, detection systems must move toward adaptive tagging frameworks that update continuously as attacker patterns shift.

Instead of hard-coded labels, wallets should be assigned behavioral trust scores that reflect patterns over time: wallet age, cross-app activity, prior sell behavior, hold duration, and clustering with known extractors. These scores should favor wallets that incur real costs to appear trustworthy—capital, time, or usage depth—while penalizing wallets that exhibit low-effort, high-frequency extractive behaviors.

By making the path to “clean” participation more expensive and traceable, platforms can reduce the viability of spam farming at scale—even without perfect attribution.

Conclusion

The findings in this report highlight a persistent, structured, and profitable tactic used across Solana token launches: deployer-funded, same-block sniping. By tracing direct SOL transfers from deployers to snipers, we isolate a clear subset of insider-style behaviors that exploit Solana’s high-throughput architecture for coordinated extraction.

While our methodology captures only a portion of total same-block sniping activity, the wallets and patterns it surfaces leave little doubt—these aren’t opportunistic traders; they are operators with privileged positioning, repeatable systems, and clear intent. The scale and frequency of this activity show that coordinated memecoin farming is not a niche tactic — it’s a normalized playbook, executed thousands of times per week.

This matters for three reasons:

• It distorts early market signals, making tokens appear more desirable or competitive than they are.
• It endangers retail participants, who unknowingly serve as exit liquidity for pre-funded actors.
• It undermines trust in open token launches, especially on platforms like pump.fun that are optimized for speed and accessibility.

Mitigating this behavior will require more than reactive defenses. It demands better heuristics, frontend warnings, protocol-level safeguards, and ongoing efforts to map and monitor coordinated actors. The tools for detection exist — the question is whether the ecosystem chooses to apply them.

This report offers a first step: a reliable, reproducible filter that isolates the most overt cases of coordination. But it’s just the beginning. The real challenge lies in detecting obfuscated, evolving strategies — and building an on-chain culture that rewards transparency over extraction.

Disclaimer:

1. This article is reprinted from [Pine Analytics]. All copyrights belong to the original author [Pine Analytics]. If there are objections to this reprint, please contact the Gate Learn team, and they will handle it promptly.
2. Liability Disclaimer: The views and opinions expressed in this article are solely those of the author and do not constitute any investment advice.
3. The Gate Learn team does translations of the article into other languages. Copying, distributing, or plagiarizing the translated articles is prohibited unless mentioned.