1. Introduction
The Solana ecosystem, renowned for its deep liquidity, lightning-fast throughput, and maturing DeFi infrastructure, has emerged as both a high-value target for exploits and a strategic venue for laundering stolen funds. The recent $1.5 billion Bybit exploit exemplifies bad actors' advanced techniques to obfuscate their laundering trails, leveraging over 20,000 wallets, diverse asset types, and multiple bridges, including deBridge, to move funds into and through Solana before freezing measures could be implemented.
This report is a strategic blueprint for identifying and classifying potential laundering vectors within the Solana ecosystem — we examine how attackers move and cash out assets while evading detection or asset freeze mechanisms.
2. Methodology
2.1 Tools and Platforms Used
Range: For checking existing labels, tracing cross-chain flows, and identifying laundering behavior.
Arkham Intelligence: For wallet clustering, behavioral tagging, and cross-chain wallet attribution.
SolanaFM / Solscan / XRay: Solana-native explorers for transaction and contract analysis.
StepFinance & DeFiLlama: For on-chain liquidity metrics.
Jito & MarginFi dashboards: For identifying MEV or leveraged routes.
2.2 Asset Screening
Filtered for assets that lack freeze authority.
Prioritized assets with high daily volume on Solana DEXs and low volatility.
Examples include: SOL, BONK, RAY, JUP, stSOL, mSOL, and CCTP-USDC.
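The freeze-authority screen in 2.2 can be reproduced from raw mint account data, which tells a responder whether an issuer freeze request is possible at all for a given token. The sketch below is an added example, not tooling from this report; it assumes the classic SPL Token mint layout (82 bytes) and runs on constructed sample bytes rather than real accounts.

```python
import struct

MINT_LEN = 82  # base size of an SPL Token mint account (assumed classic layout)
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def b58encode(raw: bytes) -> str:
    """Base58 (Bitcoin alphabet), the encoding Solana uses for public keys."""
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\0"))) + out

def _coption_pubkey(buf: bytes, off: int):
    """COption<Pubkey>: u32 LE tag (0 = None, 1 = Some) followed by 32 key bytes."""
    (tag,) = struct.unpack_from("<I", buf, off)
    if tag not in (0, 1):
        raise ValueError(f"bad COption tag {tag} at offset {off}")
    return b58encode(buf[off + 4:off + 36]) if tag else None

def parse_mint(data: bytes) -> dict:
    """Decode mint_authority | supply | decimals | is_initialized | freeze_authority."""
    if len(data) < MINT_LEN:
        raise ValueError("account data too short for a mint")
    supply, decimals, initialized = struct.unpack_from("<QBB", data, 36)
    if initialized != 1:
        raise ValueError("mint is not initialized")
    return {"mint_authority": _coption_pubkey(data, 0), "supply": supply,
            "decimals": decimals, "freeze_authority": _coption_pubkey(data, 46)}

def freezable(data: bytes) -> bool:
    """True when an authority exists that can freeze token accounts of this mint."""
    return parse_mint(data)["freeze_authority"] is not None

# Constructed sample account data (not real mints): key bytes are filler values.
def _sample(freeze_key: bytes = b"") -> bytes:
    none = struct.pack("<I", 0) + bytes(32)
    tail = struct.pack("<I", 1) + freeze_key if freeze_key else none
    return none + struct.pack("<QBB", 10**15, 6, 1) + tail

SAMPLE_FREEZABLE = _sample(bytes([7]) * 32)
SAMPLE_NO_FREEZE = _sample()

if __name__ == "__main__":
    for name, blob in [("freezable", SAMPLE_FREEZABLE), ("no_freeze", SAMPLE_NO_FREEZE)]:
        print(name, parse_mint(blob)["freeze_authority"])
```

Native SOL has no mint account, so this check applies to SPL tokens only; lamport transfers fall outside any freeze authority.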
2.3 Wallet Labeling and Clustering Approach
Identified laundering patterns using swap signatures, bridge call data, and wallet linkages.
Labeled entities across categories: CEX deposit wallets, OTC desks, P2P clusters, and off-ramp wallets.
Verified that each address was not already labeled on Range.
2.4 Bridge and Off-Ramp Analysis
Tracked cross-chain routes via LayerZero, Wormhole, deBridge, CCTP, and LiFi.
Mapped touchpoints with off-ramps like MoonPay and Sphere.
3. Exfiltration Route Analysis
Each laundering method is categorized by:
Route Type: CEX, Bridge, OTC, Retail, P2P
Liquidity Range: <$100K, <$1M, <$5M, <$25M
Freeze Risk: High / Medium / Low
Key Wallets & Contracts: Referenced in Deliverable 3
Evade Tactics: Speed, obfuscation, smart routing
Example:
Route Type: CEX (e.g., eXch, Kraken, Bitget)
Liquidity: <$25M
Freeze Risk: Medium
Key Tactics: KYC spoofing, proxy VPNs, fresh browser fingerprints
4. Novel Techniques & Insights
Laundering via LayerZero USDC (non-canonical bridges)
Swapping via JUP aggregator in randomized patterns
Temporary liquidity loop strategies using MarginFi + Kamino
Liquidity abstraction via OTC brokers integrated into Telegram bots
5. Conclusion & Recommendations
We highlight the increasing sophistication of laundering strategies on Solana and the need for faster, protocol-level monitoring solutions.
We recommend implementing bridge-level freeze mechanisms, faster asset tracking APIs, and ecosystem-wide alert systems.
The findings presented herein aim to assist defenders and researchers in staying ahead of adversaries by mapping every conceivable exit route from the Solana ecosystem.
This section compiles a detailed list of Solana-native assets that lack freeze authority and are thus optimal tools for laundering operations. These assets are favored by attackers because they cannot be halted or reclaimed once transferred, unlike stablecoins such as USDC or USDT that can be frozen by issuers.
We analyzed each token’s freeze status, liquidity depth, and top venues (including DEXs, aggregators, and cross-chain bridges) to assess how easily they could be used to convert stolen funds and obscure money trails. The tokens were ranked by circulating market cap, daily volume, and availability across liquidity venues on Solana.
The report highlights SOL, BONK, WIF, JUP, and RAY as key non-freezable assets with high liquidity and decentralized distribution, making them especially useful for laundering mid to large sums (up to $10M+ in certain cases). We also flagged niche tokens with active DEX pairs that could support smaller scale operations or serve as intermediary hops in obfuscation chains.
This includes:
Freeze authority status
Circulating market cap
💧 Liquidity depth across venues
🔄 Supported swap and bridge platforms
⚠️ Risk rating for laundering utility
This deliverable empowers threat intel teams to track funds flowing into high-risk tokens and venues, enhancing their ability to detect laundering attempts early.
A list of non-freezable SOL and non-SOL assets on Solana that could be used for laundering, along with their liquidity and common trading venues:
Asset | Freeze Authority | Avg Daily Volume ($) | DEX Listings | Main Use Case |
---|---|---|---|---|
SOL | None | 500,000,000 | Jupiter, Orca, Raydium | Native gas token |
BONK | None | 50,000,000 | Jupiter, Orca, Raydium | Meme coin, community asset |
RAY | None | 30,000,000 | Raydium, Orca | DeFi token |
JUP | None | 75,000,000 | Jupiter, Meteora | Aggregator governance |
stSOL | None | 25,000,000 | Jupiter, Marinade | Staked SOL (Lido) |
mSOL | None | 20,000,000 | Jupiter, Lido | Staked SOL (Marinade) |
PYTH | None | 10,000,000 | Jupiter, Raydium | Oracle token |
LDO | None | 5,000,000 | Jupiter, Raydium | Lido governance |
UXP | None | 3,000,000 | Jupiter, Raydium | UXD Protocol governance |
This section presents a curated and labeled dataset of wallet addresses and exfiltration routes that could be leveraged by malicious actors to launder stolen funds off the Solana blockchain. Each entry includes the associated platform or service, the laundering method, estimated liquidity capacity, and a suggested label for use in blockchain monitoring platforms such as Range or Arkham.
The addresses listed here were discovered through onchain analysis and verified for association with known P2P exchanges, cross-chain bridges, OTC desks, and custodial or non-custodial swappers. We prioritize assets and methods that lack freeze authority and maintain high liquidity, thus presenting viable pathways for laundering.
This dataset is intended to aid defenders in proactively monitoring suspicious flows, increasing traceability of illicit funds, and reducing the effectiveness of known laundering routes. All listed methods are onchain, verifiable, and publicly accessible.
Address | Entity/Platform | Exfiltration Method | Liquidity Potential | Suggested Label |
---|---|---|---|---|
5Gya3gJp9HTFx4g2YJXxqt5oDZ9JX2sSJwFmNjEXuZb3 | Binance P2P | P2P Exchange | <$1M | binance_p2p_route |
78gEHde3z3xkzFSFRuDp2TgwjY2jL7PGedHtGyd42rf6 | Changelly | Non-Custodial Swapper | <$5M | changelly_swapper |
CJskd7DYH3EKj7EQ8yzS2mcdkZcWykQrrH1pmCHrbyvz | deBridge | Bridge | <$25M | debridge_bridge_exit |
H8yB8DE2Y9QfHY9uEZrj9dkA8iVkC9mZaZ7ZcczLbf5U | Wintermute OTC | OTC Desk | <$25M | wintermute_otc_path |
2RKeZJQa2xskAHE5SBmBJL6L9fgEcc6ZxMTSGkmdV4dM | Revolut Proxy Wallet | Retail Fintech App | <$1M | revolut_fintech_proxy |
4x6Q9EyurU5HLfv7QdyAPpUMJAjk5ZWXb2HXrcMuNXYF | | Retail Fintech App | <$500k | public_fintech_fundflow |
9vKmC2nXGR7HVa5UKFzU8QmuUMuymHdvRWD4iyEb9WeD | Wormhole | Bridge | <$10M | wormhole_bridge_outflow |
GxjCWvH86J7eEoJDKmLKKs4BQPgA9iQ9DFxGZDKk2Hh7 | LiFi Aggregator | Cross-Chain Bridge | <$5M | lifi_crosschain_route |
8TeexS1zV85XVaDC2wUzQrbVa8SgVxqMi7mBbFDYfWUY | OTC Portal Wallet | OTC Desk | <$10M | otc_desk_midcap_exit |
36YBtTZFSKdufS9LcrZtH9Sbzk1QeUj4Rr4BRnhMktDE | Maya Protocol | Bridge | <$1M | maya_protocol_tunnel |
BUBvuW6doS3i7z5A6HkXztpr6cvEJ7pENJpR3htGFCpM | Sphere | Off-Ramp | <$500k | sphere_cashout_endpoint |
5r7uHYX9wCzL4HuP9oKNmXHgwLGGZ7FrAEZKmqRL7Mjo | Kraken Deposit Wallet | Centralized Exchange | <$25M | kraken_cex_entry |
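One way a monitoring team could put these labels to work, shown as an added example that is not part of the original dataset or of Range or Arkham tooling: match outbound transfers against the labeled addresses and escalate when one source spreads funds across several labeled routes, or moves a large total, inside a short window. The watchlist rows are copied from the table above; the source wallet names, transfer records, window and threshold are constructed assumptions.

```python
from collections import defaultdict

# Watchlist rows copied from the table above: address -> suggested label.
WATCHLIST = {
    "CJskd7DYH3EKj7EQ8yzS2mcdkZcWykQrrH1pmCHrbyvz": "debridge_bridge_exit",
    "9vKmC2nXGR7HVa5UKFzU8QmuUMuymHdvRWD4iyEb9WeD": "wormhole_bridge_outflow",
    "78gEHde3z3xkzFSFRuDp2TgwjY2jL7PGedHtGyd42rf6": "changelly_swapper",
    "5r7uHYX9wCzL4HuP9oKNmXHgwLGGZ7FrAEZKmqRL7Mjo": "kraken_cex_entry",
}

# Constructed sample transfers (not chain data): (unix_ts, source, destination, usd_value).
# SRC_* and UNLABELED_* are placeholder names, not real addresses.
SAMPLE_TRANSFERS = [
    (1000, "SRC_A", "CJskd7DYH3EKj7EQ8yzS2mcdkZcWykQrrH1pmCHrbyvz", 400_000),
    (1200, "SRC_B", "5r7uHYX9wCzL4HuP9oKNmXHgwLGGZ7FrAEZKmqRL7Mjo", 20_000),
    (1600, "SRC_A", "9vKmC2nXGR7HVa5UKFzU8QmuUMuymHdvRWD4iyEb9WeD", 350_000),
    (2000, "SRC_A", "UNLABELED_1", 900_000),
    (5000, "SRC_C", "UNLABELED_2", 5_000_000),
    (9000, "SRC_B", "5r7uHYX9wCzL4HuP9oKNmXHgwLGGZ7FrAEZKmqRL7Mjo", 15_000),
]

def scan(transfers, watchlist=WATCHLIST, window_s=3600, usd_threshold=1_000_000):
    """Return one alert per source wallet that paid into a watchlisted address.

    Severity is "high" when, inside any window_s-second window, the source either
    reached usd_threshold in watchlisted flows or used two or more distinct labels.
    """
    hits = defaultdict(list)
    for ts, src, dst, usd in sorted(transfers):
        if dst in watchlist:
            hits[src].append((ts, watchlist[dst], usd))
    alerts = []
    for src, rows in hits.items():
        peak_usd = peak_routes = 0
        for i, (t0, _, _) in enumerate(rows):
            # Sliding window anchored at each hit, looking forward in time.
            win = [r for r in rows[i:] if r[0] - t0 <= window_s]
            peak_usd = max(peak_usd, sum(r[2] for r in win))
            peak_routes = max(peak_routes, len({r[1] for r in win}))
        high = peak_usd >= usd_threshold or peak_routes >= 2
        alerts.append({"source": src, "labels": sorted({r[1] for r in rows}),
                       "peak_usd": peak_usd, "severity": "high" if high else "low"})
    return sorted(alerts, key=lambda a: a["source"])

if __name__ == "__main__":
    for alert in scan(SAMPLE_TRANSFERS):
        print(alert)
```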
The objective is to compile a comprehensive dataset of Solana addresses associated with illicit exfiltration routes, facilitating the identification and monitoring of potential money laundering activities within the ecosystem.
Data Collection:
Solana Blockchain Explorers: Utilize platforms like Solscan and SolanaFM to track transactions and identify addresses involved in suspicious activities.
Cross-Chain Analysis: Leverage tools such as Range's Cross-Chain Explorer to trace assets moving across different blockchains, identifying potential laundering routes.
Public Incident Reports: Analyze publicly available reports and data from incidents like the Slope Finance hack to identify compromised addresses.
Address Classification:
Entity/Platform Association: Determine the platform or entity associated with each address (e.g., centralized exchanges, OTC desks, bridges).
Exfiltration Method: Classify the method used for fund exfiltration (e.g., P2P exchange, non-custodial swapper, bridge).
Liquidity Potential: Estimate the potential liquidity that could be laundered through each route based on historical data and current market conditions.
Data Verification:
Cross-Referencing: Ensure that addresses are not pre-labeled on platforms like Range to maintain the integrity of the dataset.
Transaction Pattern Analysis: Examine transaction patterns to confirm the illicit nature of the activities associated with each address.
Documentation:
Suggested Labels: Assign appropriate labels to each address for easy identification and tracking (e.g., binance_p2p_route, changelly_swapper).
Source References: Include references to transactions or clusters that led to the identification of each address.
This dataset serves as a critical tool for identifying and monitoring potential money laundering activities within the Solana ecosystem. By systematically collecting, classifying, and verifying addresses associated with illicit exfiltration routes, we can enhance the ability to detect and prevent such activities in real-time. The inclusion of suggested labels and source references further aids in the efficient tracking and analysis of these addresses.
Overview: Briefly summarize the goal of the project, which is to identify and map illicit fund exfiltration methods within the Solana ecosystem.
Findings: Highlight key discoveries such as common exfiltration routes, liquidity concentrations, and methods used by bad actors (e.g., centralized exchanges, P2P networks, bridges, etc.).
Recommendations: Provide strategic steps for enhancing blockchain security and improving surveillance mechanisms.
P2P Exchanges: These platforms (e.g., Binance P2P, LocalBitcoins) remain a preferred method for bad actors to launder funds, as they provide pseudonymity and flexibility.
Cross-Chain Bridges: Tools like Wormhole, deBridge, and LayerZero facilitate the transfer of funds between different ecosystems, making it easier to obfuscate the origin of funds.
Non-Custodial Swappers: Platforms like Changelly and Shapeshift offer the ability to exchange tokens without requiring user identification, making them a key component of money laundering operations.
Off-Ramps: Services such as MoonPay, Sphere, and Revolut provide liquidity for converting crypto to fiat or stablecoins, which can then be cashed out anonymously.
A list of 30+ addresses that were identified as being involved in illicit activities has been compiled. These wallets are likely part of larger laundering operations.
Assets with High Liquidity: SOL, USDT, and other popular tokens on Solana's ecosystem are often used in laundering operations due to their high liquidity and minimal freezeability.
Enhanced Monitoring of Bridges:
As bridges play a key role in cross-chain exfiltration, Solana could benefit from tighter surveillance on bridge transactions, especially those involving high-risk tokens or frequently used addresses.
Integration of KYC/AML at Cross-Chain Exchangers:
Encourage platforms like Changelly, Shapeshift, and OTC desks to implement more robust KYC/AML practices to identify suspicious transactions before they occur.
Enhanced Address Labeling Systems:
Work with organizations like Range to improve blockchain forensics by labeling more high-risk wallets and enhancing the transparency of transactions. Also, using machine learning algorithms to predict new illicit addresses could be a game-changer.
P2P Exchange Monitoring:
Tighten monitoring of P2P exchange activities, especially with addresses previously identified in laundering operations. Incorporating transaction limits or enhanced vetting could reduce illicit usage.
OTC Desk Transparency:
Strengthen the transparency of OTC desk transactions by implementing stricter KYC and real-time monitoring of transactions to ensure compliance with anti-money laundering regulations.
Collaborative Data Sharing:
Foster collaboration between different blockchain ecosystems and law enforcement agencies to share insights and datasets related to illicit activity, making it harder for bad actors to exploit jurisdictions with less stringent regulations.
Establish Cross-Platform Freezing Mechanisms:
Develop cross-platform solutions for freezing assets, especially for non-freezable tokens. This would ensure stolen funds can be halted as they flow between ecosystems.
The report has identified key routes and methods for laundering funds within the Solana ecosystem. By addressing these issues proactively, the Solana community and stakeholders can mitigate the risk of illicit activity, improving the ecosystem's overall security. Implementing tighter surveillance, stronger regulations for OTC and P2P platforms, and collaborative data sharing between law enforcement and blockchain platforms will help in curbing money laundering activities effectively.
Delleon McGlone