Drained for $7.95 — How a Solana Phishing Attack Became a Multi-Chain AML Platform
Every product has an origin story. Ours starts with the founder getting drained for $7.95 on a Sunday afternoon in a Discord server he thought he could trust.
Two months later, that $7.95 lesson turned into the first entry of a crypto scam database. Four months later, it turned into a multi-chain AML platform. Today it powers ChainAnalyzer: five blockchains, 76+ detection rules, an MCP server on the official registry, and enterprise-grade transaction monitoring for Japanese stablecoin operators.
The Drain — 2026-02-09, 14:28 UTC
I was in the Orynth Discord. Regular member, followed the project for months.
A post appeared in the #FCFS channel from an account with the ORY admin badge. First-come-first-served airdrop. Link to solland.cc. That redirected to hibit.app. Big "Claim" button. Connect wallet → sign → done.
Except "done" meant "your SOL just went to the drainer."
| Detail | Value |
|---|---|
| Loss | 0.093668917 SOL (~$7.95) |
| Attack method | System Program Transfer disguised as a Claim |
| Drainer address | 7kMpieh2THdaC5eUvxFJDL3TdsQWVQCwdhsEjLj1eL26 |
| Domains | solland.cc, hibit.app |
| Entry point | Compromised ORY admin account on Discord |
| Transaction | Solscan |
The punchline isn't the loss — it's that I fell for it because the account had the admin badge. Authority-based trust, weaponized. If I could fall for it after years in crypto, anyone could.
What I Did the Next 48 Hours
Instead of posting a warning on Twitter and moving on, I dug in. I traced the drainer wallet. It had been funded via FixedFloat (a KYC-free exchange) and was laundering through a Jupiter swap (SOL → USDT) before moving everything back out through FixedFloat. Within hours of my drain, the same wallet hit multiple other victims. Over the prior two weeks it had stolen $3,700+ in total, 3,640 USDT and 0.67 SOL, from dozens of victims.
This wasn't an opportunist. It was a pipeline: fund the drainer through FixedFloat, drain victims with the fake "Claim", swap the SOL to USDT on Jupiter, cash out through FixedFloat.
Same pattern, industrialized. That's when I realized: the problem wasn't "I made a mistake." The problem was that no tool existed that would have caught this before I signed.
ScamDB Entry #1
Before I wrote a single line of UI code, I started a JSON file called scamdb.json. The first entry identified 7kMpieh2TH…j1eL26 with its associated domains, laundering method, and stolen asset profile. That entry still lives in the production ScamDB today. Every scan that ChainAnalyzer does checks against this and 100+ other curated entries, plus OFAC SDN, Chainabuse, CryptoScamDB, GoPlus, and community reports.
The $7.95 is the most valuable $7.95 I've ever spent.
From TokenForge to ChainAnalyzer
The consumer product we shipped in February 2026 was called TokenForge. Solana-only, 14 detection rules, one-click scan of any mint address or wallet. No login required. Free.
Two weeks in, a friend was investigating an Avalanche address and asked if I could scan it. I didn't have EVM support yet. He showed me what he was seeing — fake Cyrillic UЅDT tokens being spammed at legitimate wallets, looking pixel-identical to real USDT in every wallet UI.
I added Avalanche support. Then Ethereum. Then Polygon. Bitcoin later. Then I pointed the scanner at that Avalanche address. It flagged CRITICAL with 20 detections. I turned on Follow Mode — a graph exploration feature I'd just shipped — and let it crawl the transaction graph.
Fourteen wallets became fifty. Fifty became two hundred and sixty-four. Together they moved $5.3M across three chains. Every one of them funded by a single upstream wallet I nicknamed "Master Funder." (Full follow-up investigation →)
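An added example, not one of ChainAnalyzer's own detection rules: one way to write the check that catches the Cyrillic UЅDT lookalikes described above. It folds a token symbol to the ASCII a human would read (NFKC normalisation first, then a confusables table) and flags it when the result collides with a known ticker. The allowlist and the confusables table are constructed for this example; the real Unicode confusables data is far larger.

```python
import unicodedata

KNOWN_SYMBOLS = {"USDT", "USDC", "JPYC", "ETH", "AVAX", "SOL"}  # constructed allowlist of real tickers
# Constructed subset of Unicode confusables (Cyrillic and Greek capitals) that render like Latin ones.
CONFUSABLES = {"\u0405": "S", "\u0422": "T", "\u0410": "A", "\u0412": "B", "\u0421": "C", "\u0415": "E",
               "\u041d": "H", "\u041a": "K", "\u041c": "M", "\u041e": "O", "\u0420": "P", "\u0425": "X",
               "\u0391": "A", "\u0392": "B", "\u0395": "E", "\u0397": "H", "\u039a": "K", "\u039c": "M"}

def skeleton(symbol):
    """Fold a symbol to the ASCII string a human would read: NFKC first, then the confusables table."""
    folded = unicodedata.normalize("NFKC", symbol)  # catches fullwidth and compatibility forms
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded).upper()

def check_symbol(symbol):
    """Return a detection when a non-ASCII symbol impersonates a known ticker, otherwise None."""
    if symbol.isascii():
        return None  # plain-ASCII symbol collisions are a different rule, out of scope here
    skel = skeleton(symbol)
    if skel not in KNOWN_SYMBOLS:
        return None
    suspicious = [(ch, unicodedata.name(ch, "UNKNOWN")) for ch in symbol if not ch.isascii()]
    return {"rule": "homoglyph_symbol", "severity": "CRITICAL", "impersonates": skel, "chars": suspicious}
```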
That's when I realized what I was actually building. Not "a consumer scam scanner." An AML-grade investigation platform for the retail Web3 era.
In March 2026, we rebranded to ChainAnalyzer and pivoted toward enterprise AML: Japanese FSA's FinTech Proof-of-Concept Hub acceptance, multi-chain 76+ detector coverage, ML anomaly scoring (Isolation Forest + Autoencoder + GraphSAGE), Neo4j graph analysis, PDF compliance reports, REST API, MCP server, and x402 pay-per-request micropayments.
What Changed Between TokenForge and ChainAnalyzer
| | TokenForge (2026-02) | ChainAnalyzer (2026-04) |
|---|---|---|
| Chains | Solana only | BTC, ETH, POL, AVAX, SOL |
| Detection rules | 14 | 76+ |
| OSINT | Our ScamDB | ScamDB + OFAC + Chainabuse + GoPlus + Reddit |
| ML | — | 3-model ensemble |
| Audience | Retail Solana traders | Exchanges, compliance, law enforcement |
| Interfaces | Web UI | Web UI + REST API + MCP + x402 + PDF reports |
What stayed the same: every feature is still exercised against the kind of attack that cost me $7.95.
Lessons I Wish Someone Had Told Me
- Admin badges mean nothing. Treat any post in your favorite project's server the same way you'd treat a cold DM from a stranger.
- "Connect wallet" is not a safe operation. Read what you're signing. If you can't read it, don't sign.
- Address-first verification. Before sending anything, scan the destination in a tool like ChainAnalyzer. Three seconds.
- FCFS airdrops are always scams. Real projects don't panic people into signing instantly.
- Post-mortem immediately. When you lose money, trace it on-chain before you spiral. The understanding is more valuable than the money you lost.
Where We Are Today
ChainAnalyzer now:
- Processes scans across five chains
- Runs on Azure Japan East, FISC-aligned hosting
- Ships an MCP server on npm and the official MCP registry, callable from Claude Desktop / Claude Code / ChatGPT / Gemini / Cursor
- Supports pay-per-request via x402 USDC on Base or Solana — $0.003 to $0.05 per call, no API key, no subscription
- Ships a JPYC-specific compliance suite for Japanese stablecoin issuers and handlers
- Was accepted into the Japan FSA FinTech Proof-of-Concept Hub (2026-03)
All from a $7.95 drain two months ago.
What's Next
Two things pulling me forward:
1. The $5.3M network is still growing. Since our February report, the Master Funder has disbursed another 49,441 AVAX (~$1.24M) to 854 new destination addresses. The ETH collector has received $16.8M USDT from 1,450 senders in two months. These aren't just numbers — they're 1,450 real people whose transaction history was polluted in the hope that they would copy the wrong address. Read the follow-up investigation.
2. AI agents are about to do this at scale. With MCP + x402, any autonomous agent can screen addresses before signing. The attack vector I fell for — copy-paste from history — becomes impossible if the agent runs check_address_risk first. ChainAnalyzer is one of the first AML tools wired up to it.
Try It
- Scan an address for free: chain-analyzer.com
- Look up the ScamDB (public, no API key): /scamdb
- MCP server: npx chainanalyzer-mcp
- REST API: /docs/api
- x402 endpoints: /docs/x402
If you've been drained, reach out. Send me the TX. I'll add the drainer to ScamDB. The next person who tries to send to that address will get a CRITICAL flag. That's the whole point.
One person's $7.95 lesson becomes another person's saved $50,000.