# Drained for $7.95: How a Solana Phishing Scam Built a Multi-Chain AML Platform

*Every product has an origin story. Mine starts with getting drained for $7.95 on a Sunday afternoon, in a Discord I trusted.*

By [Building ChainAnalyzer](https://paragraph.com/@chainanalyzer) · 2026-04-25

web3, security, aml, defi, solana

---

The Drain
---------

**Date:** 2026-02-09, 14:28 UTC  
**Loss:** 0.093668917 SOL (~$7.95)  
**Vector:** A "First-Come-First-Served" airdrop link, posted in the Orynth Discord, by an account wearing the **ORY admin badge**.

That last detail is the whole story.

I'd been in that Discord for months. Active member. Followed the project. So when the post landed in `#FCFS` — admin badge, friendly tone, link to `solland.cc` redirecting to `hibit.app` — I did what any conditioned crypto user does: connect wallet, sign, claim.

The "claim" was a `System Program Transfer` disguised as an airdrop call. My SOL went straight to:

[Solscan TX →](https://solscan.io/tx/3jnHUZ5TucK5uVFNKJJzaPSf1LfEJhPG9sWomw6he3dj9s46F7ZAj1EAFwRpe4YFSp1yrwujoZA8MdRb4tcDQaJE)

The amount didn't matter. What mattered was the realization sitting in my chest as I watched the TX confirm:

**I fell for it because the badge was real.**

If the compromise vector I just experienced — _authority-based trust_ — could catch someone who'd been in this space for years, then it could catch literally anyone.

* * *

48 Hours Later
--------------

I didn't post a warning thread on Twitter and move on. I traced the wallet.

What I found was not an opportunist.

*   **Funded via** [**FixedFloat**](https://fixedfloat.com) (KYC-free instant exchange)
    
*   **Laundered via Jupiter** (SOL → USDT swap)
    
*   **Withdrawn back through FixedFloat** to break the chain
    
*   **$3,700+ stolen across the previous two weeks** — 3,640 USDT + 0.67 SOL
    
*   **Dozens of victims** matching exactly the same TX shape as mine
    

This was a pipeline. Industrialized. Repeatable. And nobody in retail crypto had a tool that would have flagged any of it before signing.

That's the moment the real problem clicked into focus:

> The problem wasn't "I made a mistake." The problem was that **no tool existed that would have caught this before I signed.**

* * *

ScamDB Entry #1
---------------

Before I wrote a single line of UI code, I created a JSON file: `scamdb.json`.

The first entry was `7kMpieh2TH…j1eL26`, with:

*   the two phishing domains
    
*   the laundering path
    
*   the asset profile
    
*   the entry vector (compromised admin)
    

That entry still lives in the production [ScamDB](https://chain-analyzer.com/scamdb) today — alongside 100+ curated entries, OFAC SDN, Chainabuse, CryptoScamDB, GoPlus, and community reports. Every scan ChainAnalyzer runs checks against this set first.

The $7.95 was the most valuable $7.95 I've ever spent.

* * *

TokenForge → ChainAnalyzer
--------------------------

The first ship — **TokenForge**, February 2026 — was Solana-only. 14 detection rules. One-click scan of any mint or wallet. No login. Free.

Two weeks in, a friend asked me to scan an Avalanche address. I didn't have EVM support yet. He showed me what he was seeing: fake Cyrillic `UЅDT` tokens being spammed at legitimate wallets,  
looking pixel-identical to real USDT in every wallet UI.

I added Avalanche. Then Ethereum. Then Polygon. Bitcoin later. Then I pointed the scanner at his Avalanche address.

It flagged **CRITICAL** with 20 detections. I turned on **Follow Mode** — a graph BFS feature I'd just shipped — and let it crawl the transaction graph.

Fourteen wallets became fifty. Fifty became two hundred and sixty-four.

**Together they moved $5.3M across three chains.** Every one of them funded by a single upstream wallet I started calling **Master Funder**.

That was the moment I realized what I was building wasn't a "consumer scam scanner." It was an **AML-grade investigation platform for the retail Web3 era**.

> [Two months later, the network is still growing → 854 new operator wallets, $16.8M USDT collected.](https://chain-analyzer.com/news/address-poisoning-network-followup)

* * *

What Changed
------------

TokenForge (2026-02)

ChainAnalyzer (2026-04)

Chains

Solana only

BTC, ETH, POL, AVAX, SOL

Detection rules

14

76+

OSINT

ScamDB

ScamDB + OFAC + Chainabuse + GoPlus + Reddit

ML

—

3-model ensemble (Isolation Forest + AutoEncoder + GraphSAGE)

Audience

Retail Solana traders

Exchanges, compliance, law enforcement

Interfaces

Web UI

Web UI + REST API + MCP + x402 + PDF reports

What didn't change: **every feature is still exercised against the kind of attack that cost me $7.95.**

* * *

Five Lessons I Wish Someone Had Told Me
---------------------------------------

1.  **Admin badges mean nothing.** Treat any post in your favorite project's server the same way you'd treat a cold DM.
    
2.  **"Connect wallet" is not a safe operation.** Read what you're signing. If you can't read it, don't sign.
    
3.  **Address-first verification.** Before sending anything, scan the destination. Three seconds.
    
4.  **FCFS airdrops are always scams.** Real projects don't panic people into signing instantly.
    
5.  **Post-mortem immediately.** When you lose money, trace it on-chain before you spiral. The understanding is more valuable than the money you lost.
    

* * *

Where We Are Today
------------------

ChainAnalyzer now:

*   Scans across **five chains**: BTC, ETH, POL, AVAX, SOL
    
*   Runs on Azure Japan East, FISC-aligned hosting
    
*   Ships an [MCP server](https://chain-analyzer.com/news/mcp-server-launched) on [npm](https://www.npmjs.com/package/chainanalyzer-mcp) and the [official MCP  
    Registry](https://registry.modelcontextprotocol.io), callable from Claude Desktop, Claude Code, ChatGPT, Gemini, Cursor
    
*   Supports pay-per-request via [x402 USDC on Base or Solana mainnet](https://chain-analyzer.com/docs/x402) — $0.003 to $0.05 per call, no API key
    
*   Ships a [JPYC-specific compliance suite](https://chain-analyzer.com/news/jpyc-aml-support) for Japanese stablecoin operators
    
*   Was accepted into the Japan FSA FinTech Proof-of-Concept Hub (2026-03)
    
*   Earned a **AAA score** on [Glama MCP Directory](https://glama.ai/mcp/servers/rascal-3/chainanalyzer-mcp) and is listed on  
    [awesome-mcp-servers](https://github.com/punkpeye/awesome-mcp-servers)
    

All from a $7.95 drain two months ago.

* * *

What's Next
-----------

Two things pull me forward.

**1\. The $5.3M network is still growing.**  
Since our February report, the Master Funder has disbursed another 49,441 AVAX (~$1.24M) to 854 new destination addresses. The ETH collector has received $16.8M USDT from 1,450 senders in two months. These aren't numbers — they're 1,450 real people whose TX history got polluted hoping they'd copy-paste the wrong address. ([Read the follow-up →](https://chain-analyzer.com/news/address-poisoning-network-followup))

**2\. AI agents are about to do this at scale.**  
With MCP + x402, any autonomous agent can screen any address before signing — _autonomously_, in a single tool call. The exact attack vector I fell for — copy-paste from history,  
trust-by-badge, panic-driven UX — becomes structurally impossible if the agent runs `check_address_risk` first.

ChainAnalyzer is one of the first AML platforms wired into both protocols.

* * *

Try It
------

*   Scan an address for free → [chain-analyzer.com](https://chain-analyzer.com)
    
*   Public ScamDB (no API key) → [/scamdb](https://chain-analyzer.com/scamdb)
    
*   MCP server → `npx chainanalyzer-mcp`
    
*   REST API → [/docs/api](https://chain-analyzer.com/docs/api)
    
*   x402 endpoints → [/docs/x402](https://chain-analyzer.com/docs/x402)
    

If you've been drained, [reach out](https://chain-analyzer.com/contact_us). Send me the TX. I'll add the drainer to ScamDB. The next person who tries to send to that address will get a **CRITICAL** flag.

That's the whole point.

> _One person's $7.95 lesson becomes another person's saved $50,000._

* * *

_Originally published at_ [_chain-analyzer.com/news/origin-drainer-story_](https://chain-analyzer.com/news/origin-drainer-story)_._  
_ENS:_ [_chainanalyzer.eth_](https://app.ens.domains/chainanalyzer.eth) _·_ [_Engineering blog_](https://blog.chain-analyzer.com)

---

*Originally published on [Building ChainAnalyzer](https://paragraph.com/@chainanalyzer/drained-for-795-origin-story)*
