Community Investigation

Unmasking a Sophisticated Solana Scam Network: A $SUBY Forensic Investigation

dooooo

January 30, 2026

How automated bots and shared infrastructure revealed a 10-month-old organized crime syndicate.

The blockchain never forgets, but it can be incredibly complex to navigate. Recently, ChainBounty conducted a deep-dive forensic investigation into a significant asset theft involving $SUBY and other Solana-based tokens. What began as a single incident report evolved into the discovery of a professional, long-standing scam infrastructure that has now led to an active criminal investigation by the Cyber Crime Investigation Division in Seoul, South Korea.

1. The Incident: Precision and Automation

On May 30, 2025, a victim’s wallet was drained of approximately 8.2 million $SUBY tokens, along with $SSE and $DAW. The speed of the transfer was alarming.

Our forensic analysis revealed that this wasn’t a manual operation. The assets were moved to an intermediary wallet (46S5bgHq...) and immediately processed through automated scripts. These bots executed swaps into stablecoins and distributed funds across multiple "hop" wallets with 0-second latency, ensuring the trail became as fragmented as possible within minutes.

2. Identifying the “Cash Out” Infrastructure

By tracing the flow of stolen assets, we identified two primary exit points: Bitget Exchange and FixedFloat (a mixing service). Although some deposits to these platforms occurred shortly before or after the specific $SUBY theft rather than during it, our “Infrastructure Analysis” established a definitive link. We discovered a massive, interconnected network:

  • 27 Common Fee Payers: A cluster of wallets consistently funded the gas fees for the attack wallets.
  • 63 Shared Addresses: These wallets acted as a central hub for multiple thefts over a 10-month period.

The Forensic Anomaly: Why tracking the criminal organization is more effective than tracking the tokens alone

This confirms that the attackers are not “lone wolves” but an organized syndicate operating a “Scam-as-a-Service” model on the Solana network.

3. The Evidence: The Smoking Gun

The most compelling evidence of organized crime was the Machine-like Transfer Patterns. Our timeline analysis showed batch processing intervals of exactly 15 to 28 seconds. This level of synchronization is only possible through a dedicated command-and-control (C2) botnet designed for money laundering.

Through our investigation, we identified over $142,430 USDT funneled through the Bitget deposit addresses associated with this specific group.


Inhuman execution: Batch processing and mechanical intervals confirm the use of laundering bots.
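The two analyses described above, fee-payer clustering and shared-address counting from section 2 and the transfer-interval analysis from section 3, as an added Python illustration; this is not ChainBounty's tooling or code from the report. On Solana the fee payer is a signer of the transaction, so a wallet whose fees are paid by a separate account is directly linked to that account, and wallets sharing a fee payer can be grouped transitively. The ledger, every address label, the timestamps and the function names are constructed for the example; the 15 to 28 second band is the one stated in the text.

```python
from collections import defaultdict

# Constructed sample ledger: (signature, fee_payer, source, destination, unix_time).
# Every address below is a placeholder label, not a real Solana account.
TXS = [
    ("s1",  "FP_X",   "HOT_1",  "HUB_A",      1000),
    ("s2",  "FP_X",   "HOT_1",  "HUB_B",      1018),  # +18 s
    ("s3",  "FP_X",   "HOT_1",  "HUB_A",      1040),  # +22 s
    ("s4",  "FP_X",   "HOT_1",  "DEP_BITGET", 1055),  # +15 s
    ("s5",  "FP_X",   "HOT_2",  "HUB_A",      2000),
    ("s6",  "FP_X",   "HOT_2",  "DEP_BITGET", 2026),  # +26 s
    ("s7",  "FP_X",   "HOT_2",  "HUB_B",      2054),  # +28 s
    ("s8",  "FP_Y",   "HOT_3",  "HUB_A",      3000),
    ("s9",  "FP_Y",   "HOT_2",  "HUB_B",      3100),  # FP_Y also funds HOT_2
    ("s10", "USER_7", "USER_7", "USER_8",      500),  # ordinary self-paying wallet
    ("s11", "USER_7", "USER_7", "USER_9",     5000),
    ("s12", "USER_7", "USER_7", "USER_8",     9500),
]


class UnionFind:
    """Minimal disjoint-set structure for linking wallets."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_by_fee_payer(txs, min_size=2):
    """Link every source wallet to the account that paid its transaction fee.
    Wallets sharing a fee payer, directly or transitively, end up in one cluster.
    Self-paying wallets form singleton groups and are dropped by min_size."""
    uf = UnionFind()
    for _sig, fee_payer, source, _dest, _ts in txs:
        uf.union(fee_payer, source)
    groups = defaultdict(set)
    for wallet in uf.parent:
        groups[uf.find(wallet)].add(wallet)
    clusters = [sorted(g) for g in groups.values() if len(g) >= min_size]
    return sorted(clusters, key=lambda g: (-len(g), g))


def shared_hubs(txs, min_sources=2):
    """Destinations that receive from several distinct sources: the 'hub' wallets
    an operation reuses across incidents. Returns {destination: source_count}."""
    senders = defaultdict(set)
    for _sig, _fp, source, dest, _ts in txs:
        senders[dest].add(source)
    return {d: len(s) for d, s in senders.items() if len(s) >= min_sources}


def machine_cadence(txs, low=15, high=28, min_run=2):
    """Per source wallet, find the longest run of consecutive outbound transfers
    whose spacing stays inside [low, high] seconds. Returns {source: run_length}
    for wallets whose run covers at least min_run intervals (min_run + 1 transfers).
    A long pause resets the run, so a later manual transfer does not hide a batch."""
    outbound = defaultdict(list)
    for _sig, _fp, source, _dest, ts in txs:
        outbound[source].append(ts)
    flagged = {}
    for source, times in outbound.items():
        times.sort()
        best = run = 0
        for earlier, later in zip(times, times[1:]):
            run = run + 1 if low <= later - earlier <= high else 0
            best = max(best, run)
        if best >= min_run:
            flagged[source] = best
    return flagged


if __name__ == "__main__":
    print("fee-payer clusters:", cluster_by_fee_payer(TXS))
    print("shared hubs:", shared_hubs(TXS))
    print("machine cadence:", machine_cadence(TXS))
```

On the constructed ledger the three hot wallets and both fee payers collapse into a single cluster because FP_Y funded one HOT_2 transfer, HUB_A, HUB_B and the exchange deposit address show up as shared hubs, and only HOT_1 and HOT_2 exhibit the tight 15 to 28 second spacing; the self-funding USER_7 wallet is linked to nothing and its hours-long gaps never form a run.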

4. Active Investigation and Next Steps

ChainBounty has officially submitted this forensic package to the Seoul Metropolitan Police Agency. The investigation is currently focused on:

  • KYC De-anonymization: Working with Bitget to identify the account holders behind the identified deposit addresses.
  • Cross-Chain Tracking: Tracing funds that exited via FixedFloat into Ethereum and Bitcoin.
  • Asset Freezing: Coordinating with exchanges to blacklist and freeze the identified criminal infrastructure.

Conclusion: Vigilance in the Web3 Era

This case is a stark reminder that in the world of DeFi, your digital footprint — and that of the hackers — is permanent. At ChainBounty, we are committed to turning the tide against these scam networks.

We urge the community to stay vigilant. Do not click on suspicious partnership links or authorize “blind signings” in your wallet. The scammers are professional, but so is our pursuit of justice.

Join the Fight. Follow our investigation and report suspicious activities at our community: 🔗 https://community.chainbounty.io 📧 For inquiries: [email protected]
