
More ongoing soft-rug scams in Solana

Cyber:Assist.Zone Team March 27, 2026 Threat reports

Note: Updated on 08 April 2026.

Summary

Since mid‑2025 a coordinated campaign has deployed multiple malicious Solana SPL tokens (notably AZR, TYN, SNT, LYRA, and others) that leverage freeze authority, social‑engineering via Telegram, and look‑alike websites to trick victims into approving SOL/WSOL transfers.

The operation primarily targets Russian‑speaking investors and other non‑professional traders attracted by memecoin hype and quick‑profit promises. Victims' newly created Solana SPL token accounts are frequently frozen shortly after swaps, and attackers then use fake "support" channels and fraudulent verification sites to obtain signatures that move SOL/WSOL to scammer‑controlled wallets. Proceeds are consolidated through intermediary accounts, with linked accounts holding an estimated total of more than USD 4.1 million.

Hundreds of token holders have been affected, resulting in locked assets and material financial losses; on‑chain pseudonymity and multi‑account laundering make recovery difficult.

Background

The risk monitoring firm Solidus Labs found that since 2024 over 7 million tokens were launched on Solana’s Pump.fun platform, and an alarming 98.6% of them were flagged as rug pulls or manipulative schemes, with only about 97,000 tokens holding more than $1,000 in liquidity. The report also identified widespread liquidity manipulation on Raydium—around 93% of pools showing "soft rug" behavior—while high‑profile memecoins. [Source]

Key findings

Tactics observed

  • Creation of malicious Solana SPL token mints with freeze authorities to lock or control holder balances.
  • Social engineering via Telegram channels and contacts to recruit victims and provide instructions.
  • Malicious, look‑alike websites that prompt wallet connections and signatures to approve transactions or transfer funds.
  • Impersonation of token support (Telegram and websites) to instruct victims to perform "verification" steps that transfer funds to attacker wallets.

Overview of the attack flow

Phase 1 - Establishing trust and initiating trades

Through the Telegram channel @kapitalist_crypto, an individual posts advice on crypto assets (for example, BTC and BNB), often with a focus on futures trading. The channel operator, who uses the handle @Oleg_Kapitalist (hereinafter "the Scammer"), invites followers to join a private channel and begin trading under his supervision. He states that he will receive a percentage of any successful trades.

After a user requests to join the private channel, the Scammer sends instructions to begin trading under his guidance. The Scammer recommends using the Phantom wallet and converting at least $1,000 into a cryptocurrency he claims has strong upside potential. Specifically, he instructs victims to swap into SOL and then use the Raydium.io decentralized exchange to buy a particular Solana SPL token.

If the user raises questions, the Scammer asks them to ignore the following red flags:

  • The SPL token has an enabled freeze authority, so token accounts can be frozen and prevented from trading.
  • A large amount of Liquidity Pool (LP) tokens are unlocked, allowing the owner to remove liquidity at any point.
  • The SPL token is not listed on the Raydium.io official token list.
  • The SPL token is flagged as "SPAM" in the Phantom wallet.

Shortly after the swap, the victim’s newly created Solana SPL token account is immediately frozen.
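The freeze-authority red flag and the freeze that follows can both be read directly from account data. The added example below (not code from the original report) parses the classic SPL Token mint and token-account layouts, as obtained base64-decoded from the getAccountInfo RPC method, and reports a set freeze authority, a frozen account, and a delegate that can still spend; the sample accounts, helper names and flag names are constructed for illustration.

```python
import struct

MINT_LEN, TOKEN_ACCOUNT_LEN = 82, 165
ACCOUNT_STATES = {0: "uninitialized", 1: "initialized", 2: "frozen"}


def read_optional_key(buf: bytes, offset: int):
    """COption<Pubkey>: u32 tag (1 = present) followed by 32 key bytes."""
    (tag,) = struct.unpack_from("<I", buf, offset)
    return buf[offset + 4:offset + 36] if tag == 1 else None


def parse_mint(data: bytes) -> dict:
    if len(data) < MINT_LEN:
        raise ValueError("too short for an SPL mint account")
    supply, decimals, initialized = struct.unpack_from("<QB?", data, 36)
    return {"mint_authority": read_optional_key(data, 0),
            "supply": supply, "decimals": decimals, "initialized": initialized,
            "freeze_authority": read_optional_key(data, 46)}


def parse_token_account(data: bytes) -> dict:
    if len(data) < TOKEN_ACCOUNT_LEN:
        raise ValueError("too short for an SPL token account")
    (amount,) = struct.unpack_from("<Q", data, 64)
    (delegated,) = struct.unpack_from("<Q", data, 121)
    return {"mint": data[0:32], "owner": data[32:64], "amount": amount,
            "delegate": read_optional_key(data, 72),
            "state": ACCOUNT_STATES.get(data[108], "unknown"),
            "delegated_amount": delegated}


def red_flags(mint_data: bytes, token_accounts=()):
    """Return the on-chain warning signs found in the supplied accounts."""
    flags = []
    if parse_mint(mint_data)["freeze_authority"] is not None:
        flags.append("FREEZE_AUTHORITY_SET")   # holder accounts can be frozen
    for raw in token_accounts:
        acct = parse_token_account(raw)
        if acct["state"] == "frozen":
            flags.append("ACCOUNT_FROZEN")     # balance cannot be moved
        if acct["delegate"] is not None and acct["delegated_amount"] > 0:
            flags.append("DELEGATE_CAN_SPEND")  # third party may transfer out
    return flags


# --- constructed sample data below (dummy keys, not taken from the chain) ---
def pack_optional_key(key) -> bytes:
    return struct.pack("<I", 1) + key if key else bytes(36)


def make_mint(freeze_authority=None) -> bytes:
    return (pack_optional_key(bytes([7]) * 32)
            + struct.pack("<QB?", 10**15, 9, True)
            + pack_optional_key(freeze_authority))


def make_token_account(state=1, delegate=None, delegated=0, amount=0) -> bytes:
    return (bytes([5]) * 32 + bytes([1]) * 32 + struct.pack("<Q", amount)
            + pack_optional_key(delegate) + bytes([state]) + bytes(12)
            + struct.pack("<Q", delegated) + bytes(36))
```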

A few days later, the Scammer asks for an update on the position and recommends closing the trade. Once the victim’s token account is unfrozen, the user is able to swap the tokens back to SOL. The Scammer also advises executing the swaps in smaller batches to avoid large price slippage.

Example:

  • (1) On 16 February 2026 the victim referred to here as "Victim_DA", with the wallet address DAafmK7Fqa4isZoPPDkXnXvBnSXB6khnvpgiMNFKJkVV, swapped 11.72 SOL for the SPL token TYN.
  • (2) Two days later, on 18 February 2026, the victim swapped the TYN back and received 19.06 SOL.
  • (3) Then 2.05 SOL was transferred from the victim account Victim_DA to the account ScamProfit. The victim’s net gain from these trades was 5.29 SOL (approximately USD 450).

The Scammer then demands that at least 30% of the profits be transferred to the account ScamProfit (HEqPoMJo7CiRDHTcsG95enrHMWmjKkXecudTBsBbbP1W). The Scammer confirms receipt of his share of the profit.

Profit flow

Recent fund transfers into the ScamProfit account were forwarded to the account Global_Scam (BfP2dBiHbiqYvsmESsgHEL8wQtZt25sbDNKnwmNRB34G). The combined value held by Global_Scam and its directly linked accounts is estimated at over USD 4.1 million.

Phase 2 - Soliciting Additional Investment 

Immediately after collecting his share, the Scammer pressures the victim to enter a new trade and suggests increasing their investment. He bolsters this pitch with a screenshot that supposedly shows a large personal stake.

The victim is instructed to swap their funds into a different Solana SPL token. Attracted by the promise of quick gains, the victim dismisses the warning signs and proceeds despite the risks. Shortly after the swap, the victim’s SPL token account is frozen. 

Example:

  • (4) On 18 February 2026 the victim transferred 17.01 SOL from the account Victim_DA into a newly created SPL Token AZR account.
  • (5) After 2 minutes the Victim_DA_AZR account was frozen by the account AZR_Scammer, who is the owner of the SPL Token AZR. 
  • As a result, the victim’s funds in that token account were locked and rendered non‑transferable.

Later the same day (or within a short time), the Scammer can repeat the scheme with another token: the victim is asked to invest again (without unblocking existing SPL Token Accounts), swaps into the new SPL token, and once more the victim’s token account is frozen.

Phase 3 - "Unlocking" Token Restrictions

When the Scammer decides the victim will not increase their investment, they pivot to "helping" recover the frozen funds acting as a classical recovery agent. The Scammer instructs the victim to move funds out of the frozen SPL token account; when that fails, they direct the victim to contact the token’s support channel. For the AZR token this appears as the Telegram account @azura_xyuz_support (hereafter "the Fake Support").

The Fake Support claims the victim’s token account is blocked by an "anti‑bot" policy and directs the victim to a verification site (For SPL Token AZR: https://azr-holders[.]io/). 

The site instructs the user to wrap a specific amount of SOL into WSOL (wrapped SOL). The required WSOL amount is customized per victim and therefore varies.

When the victim approves the transaction on the fake site, the SOL/WSOL is swapped and routed to an external WSOL account controlled by the Scammer. However, the Fake Support reassures the victim that the funds are temporarily held in a pool and will be returned to their wallet once verification completes.

Example: On 25 February 2026 Victim_DA signed a transaction to wrap 60 SOL into WSOL. The transaction also contains an instruction to add the account AZR_Scammer_Transfer as a delegate. Four minutes later the WSOL was transferred by AZR_Scammer_Transfer from Victim_DA's account to the attacker-controlled account AZR_Scammer_LnkAcc1. The funds were subsequently converted to USDC and forwarded through intermediary accounts, ultimately consolidating in Global_Scam_LnkAcc3 and the primary aggregator account Global_Scam.

Phase 4 - "Unlocking" DEX Restrictions

Fake Support then directs the victim to a Raydium look‑alike site (for example: https://rayplatform[.]io/). The site uses a familiar tactic: the victim is prompted to sign a wallet transaction presented as swapping SOL to WSOL to "unblock" Raydium trading. In reality, the signed transaction transfers the SOL/WSOL to attacker‑controlled addresses.

Chat with the Fake Support

Example: On 01 March 2026 Victim_DA signed a transaction to wrap 60 SOL into WSOL. The transaction also contains an instruction to add the account AZR_Scammer_LnkAcc2 as a delegate. Right after that, the WSOL was transferred by AZR_Scammer_LnkAcc2 from Victim_DA's account to the attacker-controlled account AZR_Scammer_LnkAcc2. The funds were subsequently converted to USDC and forwarded to the account AZR_Scammer.

Phase 5 - Escalation and full wallet compromise

Because the victim’s SPL token account remains frozen and those tokens cannot be swapped, the attackers escalate pressure and deception:

  • They arrange an incoming Telegram call and attempt to obtain the victim’s 12‑word seed phrase. With that phrase the attackers can fully compromise the wallet and drain all unfrozen funds. If the victim reveals the seed during the call, all accessible assets are transferred out immediately.
  • Later, the attackers impersonate ongoing "support" and ask the victim to send additional funds to fund a new, non-compromised token account. They claim these transfers are required to enable internal recovery operations.

Technical analysis

1) Funds flow and transfer behavior for the malicious account ScamProfit

ScamProfit is an intermediary SOL account used by the Scammer to aggregate and forward proceeds from victims’ trades to other malicious accounts, including:

  • ScamProfit_Child - 1 transaction for 15.8 SOL on 17 March 2026
  • SNT_Scammer - 1 transaction for 14 SOL on 28 November 2025
  • VLS2_Scammer - 1 transaction for 10 SOL on 09 September 2025
  • etc.

The account ScamProfit_Child itself functions as another intermediary and forwards funds onward to a further account identified as Global_Scam. Initially Global_Scam was funded by the account with address EBcfPtP3w7VKtYemb8ddCVYjXcsfiu61PPJ9vd89u4AU on 26 January 2023.

During analysis, other accounts linked to the malicious activity were observed:

  • Global_Scam_LnkAcc1 - funds are transferred between the Global_Scam and Global_Scam_LnkAcc1 accounts.

As of March 2026, the total values held by the top linked accounts are as follows:

  • Global_Scam - USD 3,776,775.45
  • Global_Scam_LnkAcc1 - USD 345,121.52

2) Malicious website functionality

The observed malicious websites (rayplatform[.]io, azr-holders[.]io, lyraportal[.]io) share similar functionality. Each site uses JavaScript to interact with a malicious backend API to fetch victim account details and to prepare and execute swap transactions. The sites are built with React (v14.0.4) and interface with a database that stores information about victim wallets and customized verification requirements.

Technical details are based on observed artifacts of the malicious websites and victim reports:

1. Wallet connection and precondition check (API - /api/wallet)

  • The site prompts the user to connect their wallet (Phantom or Binance Web3).
  • The site checks the connected wallet’s public address and SOL/WSOL balance to calculate a per‑victim required amount for "verification".

Example: The malicious website azr-holders[.]io returned the following API response confirming that account Victim_DA was verified on 25 February 2026 (as of 26 March 2026):

curl -X POST "https://azr-holders[.]io/api/wallet" -H "Content-Type: application/json" -d "{\"address\": \"DAafmK7Fqa4isZoPPDkXnXvBnSXB6khnvpgiMNFKJkVV\"}"
{"success":true,"wallet":{"address":"DAafmK7Fqa4isZoPPDkXnXvBnSXB6khnvpgiMNFKJkVV","status":"VERIFIED","eligible":true,"verifiedAt":"2026-02-25T18:16:30.985Z"}}

This account is also marked as "VERIFIED" in a separate API response from the malicious site rayplatform[.]io, indicating the verification record appears on multiple fraudulent websites.

curl -4 -X POST "https://rayplatform[.]io/api/wallet" -H "Content-Type: application/json" -d "{\"address\": \"DAafmK7Fqa4isZoPPDkXnXvBnSXB6khnvpgiMNFKJkVV\"}"
{"success":true,"wallet":{"address":"DAafmK7Fqa4isZoPPDkXnXvBnSXB6khnvpgiMNFKJkVV","status":"VERIFIED","isInPreset":true,"restrictions":[{"id":"cmm4zk63l0003die6cne00zk2","tokenSymbol":"AZR","tokenName":"Azura","pairSymbol":"SOL","poolAddress":null,"requiredWsol":60,"isVerified":true}],"requiredWsol":0,"allVerified":true,"verifiedAt":"2026-03-01T17:47:06.575Z"}}

Transaction analysis shows two separate transfers executed by the attacker:

  • 25 February 2026 — 60 SOL was transferred from the Victim_DA to an attacker‑controlled account.
  • 01 March 2026 — 60 SOL was transferred from the Victim_DA to an attacker‑controlled account.

2. Malicious approval/signature (API - /api/rpc)

  • The site displays instructions to "wrap" a specific SOL amount into WSOL. The amount is customized per victim and presented as required for verification. 
  • The victim is shown a wallet signature request that appears to perform a standard SPL token approval or a direct token swap.
  • The transaction presented for signature contains an SPL token approval-like action. When the victim signs, the transaction grants a program or attacker account an allowance or authority sufficient to move WSOL from the victim’s WSOL token account. In observed cases the approved instruction delegates transfer authority to a scammer-controlled account.

Note: The victim does not just sign a swap transaction; the victim also signs an instruction that adds an account controlled by the Scammer (e.g. for the SPL AZR token: AZR_Scammer_Transfer, AZR_Scammer_Transfer2, or AZR_Scammer_LnkAcc1) as a delegate on the victim’s WSOL token account. This delegated authority permits the added account to move WSOL from the victim’s WSOL account to attacker‑controlled addresses (e.g. AZR_Scammer_LnkAcc1, AZR_Scammer_LnkAcc2).

Example: On 01 March 2026 Victim_DA signed a transaction containing a Token Program instruction that sets AZR_Scammer_Transfer2 as delegate for the WSOL SPL token account:

TxHash: 2MUcshP5jr88hfSgCfxuAkAkPZEPYvp2EyCvUHmu9aGDz6h8Y1BofSe5B32g4ncRRCoexTFzSYmN8Y2wj76X8S52

The curl request below shows how the malicious site prepares a transaction for Victim_DA to sign. The API call requests a wrap of 60 SOL into Wrapped SOL (WSOL); the response includes a base64‑encoded serialized Solana transaction plus chain metadata (blockhash and lastValidBlockHeight), ready to be presented to Victim_DA’s wallet for signing:

curl -4 -X POST "https://rayplatform.io/api/wrap-sol" -H "Content-Type: application/json" -d "{\"action\": \"prepare\", \"address\": \"DAafmK7Fqa4isZoPPDkXnXvBnSXB6khnvpgiMNFKJkVV\", \"amount\": 60}"
{"success":true,"transaction":"AQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAIEtMCKEKsH4ujmvsGZ25vyukV7EJnZyYUvNoRMiuunOkhpUlLYsMtsWU1KgHo4sVwEOx8w7Y1TGkX5kI7VfGrpsgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABt324ddloZPZy+FGzut5rBy0he1fWzeROoz1hX7/AKkAJ9OqC61Hcd88h0yiflMa9GsBd6d2Em9/xyp/OmjCDwICAgABDAIAAAAAWEf4DQAAAAMBAQER","blockhash":"1cDwHwedcVmMJXS4oSbkWehBfgycdZ6vJmSeiymG4Wz","lastValidBlockHeight":387254452}

The prepared transaction includes instructions to transfer SOL (instruction #0), create an account (instruction #1), and to assign AZR_Scammer_LnkAcc1 as a delegate (instruction #2).
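A prepared transaction of this kind can be inspected before it is signed. The added example below (not code from the original report or from the malicious sites) decodes a base64 legacy Solana transaction and lists every SPL Token Approve or ApproveChecked instruction with its delegate and amount; the sample transaction is constructed with dummy keys, the function names are illustrative, and versioned transactions are rejected rather than resolved.

```python
import base64
import struct

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# SPL Token program id (TokenkegQfeZyiNwAJbNbGKPFXCWuBvf9Ss623VQ5DA) as raw bytes
TOKEN_PROGRAM = bytes.fromhex(
    "06ddf6e1d765a193d9cbe146ceeb79ac1cb485ed5f5b37913a8cf5857eff00a9")
DELEGATE_SLOT = {4: 1, 13: 2}  # Approve / ApproveChecked -> delegate's account slot


def b58encode(raw: bytes) -> str:
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, rem = divmod(n, 58)
        out = B58[rem] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\0"))) + out


def read_compact_u16(buf: bytes, pos: int):
    """Decode Solana's compact-u16 length prefix; return (value, next_pos)."""
    value = shift = 0
    while True:
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7


def parse_legacy_tx(raw: bytes):
    """Return [(program_key, [account_keys], data)] for a legacy transaction."""
    nsig, pos = read_compact_u16(raw, 0)
    pos += 64 * nsig                       # signatures (zeroed before signing)
    if raw[pos] & 0x80:
        raise ValueError("versioned transaction: lookup tables not handled")
    pos += 3                               # message header
    nkeys, pos = read_compact_u16(raw, pos)
    keys = [raw[pos + 32 * i:pos + 32 * (i + 1)] for i in range(nkeys)]
    pos += 32 * nkeys + 32                 # account keys + recent blockhash
    count, pos = read_compact_u16(raw, pos)
    instructions = []
    for _ in range(count):
        prog = keys[raw[pos]]
        nacc, pos = read_compact_u16(raw, pos + 1)
        accts = [keys[i] for i in raw[pos:pos + nacc]]
        dlen, pos = read_compact_u16(raw, pos + nacc)
        instructions.append((prog, accts, raw[pos:pos + dlen]))
        pos += dlen
    return instructions


def find_delegate_grants(tx_b64: str):
    """List each Approve/ApproveChecked that gives a delegate spending rights."""
    findings = []
    decoded = parse_legacy_tx(base64.b64decode(tx_b64))
    for index, (prog, accts, data) in enumerate(decoded):
        slot = DELEGATE_SLOT.get(data[0]) if data else None
        if prog != TOKEN_PROGRAM or slot is None or len(data) < 9 or len(accts) <= slot:
            continue
        findings.append({"instruction": index, "source": b58encode(accts[0]),
                         "delegate": b58encode(accts[slot]),
                         "amount": struct.unpack_from("<Q", data, 1)[0]})
    return findings


def build_sample_tx() -> str:
    """Constructed sample (dummy keys): wrap 60 SOL, then Approve a delegate."""
    owner, wsol, delegate = bytes([1]) * 32, bytes([2]) * 32, bytes([3]) * 32
    keys = [owner, wsol, delegate, bytes(32), TOKEN_PROGRAM]  # bytes(32) = System
    lamports = 60 * 10**9
    def ix(program, accounts, data):
        return bytes([program, len(accounts), *accounts, len(data)]) + data
    body = (ix(3, [0, 1], struct.pack("<IQ", 2, lamports))        # System transfer
            + ix(4, [1], bytes([17]))                               # SyncNative
            + ix(4, [1, 2, 0], bytes([4]) + struct.pack("<Q", lamports)))  # Approve
    message = bytes([1, 0, 3, len(keys)]) + b"".join(keys) + bytes(32) + bytes([3]) + body
    return base64.b64encode(bytes([1]) + bytes(64) + message).decode()
```

Any finding whose delegate is not an account the signer recognises is a reason to reject the request; the amount is expressed in lamports for a WSOL account.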

4. Transfer of WSOL using approved authority

  • After approval, the attacker exercises the granted authority to move funds. The site / attacker backend initiates an on‑chain transfer using the SPL Token Program instruction transferChecked, moving WSOL from the victim’s WSOL token account to an attacker‑controlled intermediary account that the attacker created or controlled.

Example: On 01 March 2026 AZR_Scammer_Transfer2 transferred 60 SOL from the WSOL SPL token account of Victim_DA to an attacker-controlled account.

5. Conversion and onward laundering

  • The attacker converts stolen WSOL to USDC via on‑chain markets (observed via HumidiFi WSOL–USDC pool in this campaign).
  • Converted funds are routed through one or more intermediary accounts to obscure provenance, then consolidated into a primary aggregator wallet (observed as "the Global_Scam" account) or redistributed to other scam‑related accounts (for example, AZR_Scammer or LYRA_Scammer).

Performed Actions

Website takedown

  • Cloudflare and the hosting provider were notified about malicious activity by their customer. The websites were flagged as malicious and added to several threat databases, including Google Safe Browsing, VirusTotal, and Cisco Talos.
  • As of April 2026, the malicious websites azr-holders[.]io and rayplatform[.]io were taken down.

IOCs:

Solana SPL Token
AzR7KNPct2mit6jUdXBT3TXkHhrck8BWCo2QmFtKwNBe
The malicious Solana SPL Token Azura (AZR) used by adversaries to freeze funds for a pump-and-dump scheme.

Solana SPL Token
TYNyQwQNAUHvi5ozUaWM39mwjPbUKBxV8yto93UycDm
The malicious Solana SPL Token Tachyon (TYN) used by adversaries to freeze funds for a pump-and-dump scheme.

Solana SPL Token
sntLL7KKTK7EzLv2N2A791d3SE1sMBzrTrvAVGNFHgt
The malicious Solana SPL Token Sentium (SNT) used by adversaries to freeze funds for a pump-and-dump scheme.

Domain
https://rayplatform[.]io/
The malicious domain used by adversaries to steal funds.

Domain
https://azr-holders[.]io/
The malicious domain used by adversaries to steal funds.
 
Domain
https://lyraplatform[.]io/
The malicious domain used by adversaries to steal funds.
 
Telegram Account
@Oleg_Kapitalist
The Telegram account used by adversaries to orchestrate a fraud using the Solana SPL Tokens such as AZR, TYN, and SNT.
 
Telegram Channel
@kapitalist_crypto
The Telegram channel supported by the Telegram account @Oleg_Kapitalist, which is involved in orchestrating a fraud using Solana SPL tokens such as AZR, TYN, and SNT.
 
Telegram Account
@azura_xyuz_support
The Telegram account used to impersonate ‘Azure Support’ and the official support team for the Solana SPL Azura Token.

Annex 1. The list of SCAM Solana SPL Tokens

a) Solana SPL Token Azura (AZR)

  • SPL Token Address: AzR7KNPct2mit6jUdXBT3TXkHhrck8BWCo2QmFtKwNBe
  • Created by AZR_Scammer (F2soMan1vRiZ7hC64VAPZDaBEivX6AcbHLVvVUsHSWqz) on 09 December 2025.
  • Initial funding chain:
    • On 23 November 2025 the account AZR_Scammer_Parent (F5zPaonXz48gkmmAMrxtujvHeMk4RMrWu4e7zUGcNt1b) was funded by the account TYN_Scammer (8C3xYSscB6r3xUBjA4Uzih51mUFM4Ub2pzB2ewstDNwn).
    • The account AZR_Scammer was initially funded by the account AZR_Scammer_Parent on 09 December 2025.
    • The SPL token account (Au95XStcUEgX1Ui8E6QgCnaG7ktpztMo6gyJmbdUC2ti) was funded by the account AZR_Scammer on 09 December 2025. 
  • Holders count: 247 (as of March 2026)
  • Campaign status: ACTIVE
List of malicious web sites associated with the malicious Solana SPL Token AZR:
  • https://rayplatform[.]io/
  • https://azr-holders[.]io/

b) Solana SPL Token Tachyon (TYN) 

  • SPL Token Address: TYNyQwQNAUHvi5ozUaWM39mwjPbUKBxV8yto93UycDm
  • Created by TYN_Scammer (8C3xYSscB6r3xUBjA4Uzih51mUFM4Ub2pzB2ewstDNwn) on 22 November 2025.
  • Initial funding chain:
    • On 22 November 2025 the TYN_Scammer_Parent (HpEynXS5HPK8Cm7RjZFV1fAmfwCUddo1emxUeuiPSDqJ) was funded from the HTX: (Hot Wallet) (BY4StcU9Y2BpgH8quZzorg31EGE4L1rjomN8FNsCBEcx) on 13 Nov 2025, tx: HpEynXS5HPK8Cm7RjZFV1fAmfwCUddo1emxUeuiPSDqJ. The transaction was also signed by "Zerium Scammer" (38QU8LKVK1Ew5uzsqttamNTTFxvnfzgi2ACQvj3ekuom).
    • The account TYN_Scammer was funded by the account TYN_Scammer_Parent on 22 November 2025.
    • The SPL Token account (DQHLiqq5sKkuDob1H61b1DjZhpgM67j5noFU4eCWwr77) was funded by the account TYN_Scammer on 22 November 2025.
  • Holders count: 439 (as of March 2026)
  • Campaign status: ACTIVE

c) Solana SPL Token Sentium (SNT) 

  • SPL Token Address: sntLL7KKTK7EzLv2N2A791d3SE1sMBzrTrvAVGNFHgt
  • Created by “SNT_Scammer” (wYN4hJ5XkeAKbkpCcBQ1SDJLpdV1TVeCCv6hVkdcmqE) on 23 November 2025.
  • Initial funding chain on 23 November 2025:
    • The account SNT_Scammer was initially funded by the account VLS2_Scammer.
    • The SPL Token account (HsETAik2sHV5gtc6UEDsSkpoYDpq4LRjnsGmzQm6nwFP) was funded by the account SNT_Scammer. 
  • Holders count: 529 (as of March 2026)
  • Campaign status: ACTIVE

d) Solana SPL Token Lyra (LYRA)

  • SPL Token Address: LrM9cAR7hEp8BY1H36Rxjk8eduNqaw19jKkFeLPp5UX
  • Created by the account LYRA_Scammer on 03 November 2025.
  • Initial funding chain:
    • The LYRA_Scammer account was initially funded by the account "LyFi_Scammer" (5MnMkkiQEw3nHJRntsN6tikAEXts72Db3BRPYBNitNgv) on 03 November 2025.
  • Holders count: 334 (as of March 2026)
  • Campaign status: ACTIVE

e) Solana SPL Token Velos (VLS)

Two distinct Solana SPL tokens used the same name and symbol (“Velos” / “VLS”). For clarity in this document we label them VLS1 and VLS2 and list the associated token mint addresses below:

VLS1

  • SPL Token Address: GJgLrxJCgH5hvCe71fp1CUR27uUjzAwCfA3bWC4gLJtB
  • Created by the account VLS1_Scammer (Ysh2C95b7QRecvcMjpbcaRLdWZwkupsmuzXYYRUuunG) on 2 August 2025.
  • Initial funding chain:
    • On 20 May 2025 the "VLS1_Scammer_Parent" (F5zPaonXz48gkmmAMrxtujvHeMk4RMrWu4e7zUGcNt1b) was funded by the "Magicblock_Scammer".
    • On 20 June 2025 the "VLS1_Scammer" account was funded by "VLS1_Scammer_Parent".
    • On 02 August 2025 the SPL token account (BEUGKrJ4RKZM1FsSwvd4S6kL7VyHZhur7UAFpDWkugwv) was funded by "VLS1_Scammer". 
  • Campaign status: Inactive (last activity on 02 January 2026)

VLS2

  • SPL Token Address: 9hB39NnEC9oSB5aa9zrUToLJHpFmTh5DJq3kQXdi1Z5R
  • Created by “VLS2_Scammer” (HKEM2gj2UFRGbkKTi4fpL71wZG1qRtcMMfb9dFH37Gue) on 15 June 2025.
  • Initial funding chain:
    • On 15 June 2025 the "VLS2_Scammer" account was funded by the “Magicblock_Scammer”.
    • On 15 June 2025 the SPL token account (E7Ks3CvDcgUT3A34baiJofK8pyo4PoMhKn7nMNRmqPrV) was funded by "VLS2_Scammer".
  • Campaign status: Inactive (last activity on 04 October 2025)

f) Solana SPL Token Magicblock (MAGIC)
  • SPL Token Address: 7Bhshe6UH3eb9CPY9hkZ1utFaVtCkFjBuPYBcveQZMt6
  • Created by “Magicblock_Scammer” (HKSCvQ4pmtms6PuErxuJeeeCrVhVqefuqSLUGYfr1qXR) on 09 December 2025.
  • Initial funding chain:
    • On 17 May 2025:
      • The "Magicblock_Scammer_Parent" (9b6vhVozrcCqy3phoF8qrnpiuYDnDbLN4Yd2kBAXqjZT) was funded by the "Binance 2"(5tzFkiKscXHK5ZXCGbXZxdw7gTjjD1mBwuoFbhUvuAi9), tx: 4Tx3yGu9NrZhUrD12bKo98Jn2HzoWPt9rbAdt2PsjiMC4RpV3DDowy1izkFzm4ovTevP4p8GYFekrdmM5R8SvzX1
      • The "Magicblock_Scammer" account was funded by "Magicblock_Scammer_Parent".
      • The "Magicblock_Scammer" account was funded by the "Binance 2"(5tzFkiKscXHK5ZXCGbXZxdw7gTjjD1mBwuoFbhUvuAi9), tx: 55qhrjYEBWnu4PWvvmNLZcjjG17wMi7y1MpRtKdo8yCrN9Af7Utm97NEbsPzTsAxwUsfMxJU7c7qpjAXe9NGfVok
    •  On 20 May 2025 the SPL token account (F1HKnLeAq16vju9UiptJgEGhV5Dp19KJEfAG3vyNsV7g) was funded by "Magicblock_Scammer". 
  • Holders count: 21 (as of March 2026)
  • Campaign status: Inactive (last activity on 29 September 2025)
 
g) Other potential malicious Solana SPL Tokens observed:
  • SPL Token LyraFi (LYRA) (LRtvA42jAy3g4cGSHf87YD7NUwMwF4nPs24cFFeUB1u) - Inactive
  • SPL Token Atlas (ATL) (2ZSbbXF3CPT1XMtKYyVKBYpwK4gxz74pEG5kuedFE5Hs) - Inactive
  • SPL Token Volt (VOLT) (3qbsLEMjcA4h9y34gJozGeeLGPWkWjLmvMoSrwLkwMDq) - Development / Inactive
  • SPL Token Pesto (PST) (J3oS2LjE5B1SHbyKAKkdPijaayuAQs4KhXEmmTgPvFh3) - Inactive
  • and other SPL tokens such as GEVLP, PUYYV, TVEXF

Annex 2. Malicious domain registration data

Information obtained using the public website https://www.whois.com:
 
a) The domain "rayplatform.io"
  • Registered On: 2026-03-16
  • Expires On: 2027-03-16
  • Updated On: 2026-03-21
  • Registrar: URL Solutions, Inc. http://pananames.com
b) The domain "azr-holders.io"
  • Registered On: 2026-03-16
  • Expires On: 2027-03-16
  • Updated On: 2026-03-21
  • Registrar: URL Solutions, Inc. http://pananames.com
c) The domain "lyraplatform.io"
  • Registered On: 2025-12-23
  • Expires On: 2026-12-23
  • Updated On: 2026-01-11
  • Registrar: URL Solutions, Inc. http://pananames.com

Annex 3. List of Solana Accounts 

The list of Solana accounts mentioned in this document:
 
Victim_DA
Address: DAafmK7Fqa4isZoPPDkXnXvBnSXB6khnvpgiMNFKJkVV
Notes: Main account of one of the victims observed during analysis
 
AZR_Scammer
Address: F2soMan1vRiZ7hC64VAPZDaBEivX6AcbHLVvVUsHSWqz
Notes: This account is the owner of SPL Token Azura (AZR)
 
AZR_Scammer_LnkAcc1
Address: EgFgRxrtE4fjT9oYkyc9tT6s9RdvWUJAR3k5jQq2yQR9
Notes: Malicious intermediate account controlled by the attacker, used to transfer stolen crypto following malicious approvals initiated via fraudulent websites (for example, azr‑holders.io).
 
AZR_Scammer_LnkAcc2
Address: 63wL8rG7nSJ37oP2emBVuwgfUAtgASpQn3NMper9tA4a
Notes: Malicious intermediate account controlled by the attacker, used to transfer stolen crypto following malicious approvals initiated via fraudulent websites (for example, rayplatform.io).
 
AZR_Scammer_Transfer
Address: GrPCb9ZGiJtMYj7YRazxrTZk1eWHPUQbcV4NNqct9S9a
 
AZR_Scammer_Transfer2
Address: Bpzx6z7eG1AVxyRd667TwecJ7ykuXyjKqvsk8y5X6oEr
 
Global_Scam
Address: BfP2dBiHbiqYvsmESsgHEL8wQtZt25sbDNKnwmNRB34G
 
Global_Scam_LnkAcc1
Address: DQ5JWbJyWdJeyBxZuuyu36sUBud6L6wo3aN1QC1bRmsR
 
Global_Scam_LnkAcc2
Address: 7uTT8Xi5RWXzy7h9XL244GRgEycDYDhLjr3ZyNdXi8pZ
 
Global_Scam_LnkAcc3
Address: 9JZQ7UtamdMG5HEEgtiVAd64LmVQNEKdrVz9dPmbVkkX
 
ScamProfit
Address: HEqPoMJo7CiRDHTcsG95enrHMWmjKkXecudTBsBbbP1W
 
ScamProfit_Child
Address: DHPEpEQvHEFU8jCWbPTCkqXnJuq6rvp77RAChSHBjXAx
 
SNT_Scammer
Address: wYN4hJ5XkeAKbkpCcBQ1SDJLpdV1TVeCCv6hVkdcmqE
 
VLS2_Scammer
Address: HKEM2gj2UFRGbkKTi4fpL71wZG1qRtcMMfb9dFH37Gue
 
TYN_Scammer
Address: 8C3xYSscB6r3xUBjA4Uzih51mUFM4Ub2pzB2ewstDNwn
 
List of Solana Token accounts:
 
Nickname: Victim_DA_AZR
Address: 2JE7iGePVm3Me1YzLanzJMWVU3QAPvHXdhyQEY1jM3S3
Notes: SPL Token Account of the Victim 
 