Blockchain Insights

A forensic breakdown of the June 2026 Raydium AMM V3 exploit — and where the money went

REPORT

June 15, 2026

On June 10, 2026, a single attacker quietly drained $1.34 million from a Solana-based decentralized exchange using a smart contract that the protocol had officially retired five years earlier. No alarm was triggered in real time. No user interface exposed the vulnerable pools. The attacker simply knew something most people had forgotten: dead code, if left callable on-chain with real assets still inside it, never truly dies.

This is a forensic reconstruction of the Raydium legacy AMM V3 exploit — how it was executed, how the funds were laundered, and what investigators found when they followed the money on-chain.

The Victim: Raydium and Its Forgotten Pools

Raydium is one of Solana's largest decentralized exchanges, operating more than $777 million in total value locked (TVL) and handling $148 million in daily trading volume at the time of the incident. Its current infrastructure — the Concentrated Liquidity Market Maker (CLMM) and AMM V4 — is actively maintained, audited, and widely regarded as secure.

The vulnerability had nothing to do with any of that.

The attacker instead targeted the legacy AMM V3 program, a smart contract Raydium had phased out in 2021 when it migrated to newer, more capital-efficient architecture. The old program was never formally disabled. It remained on-chain, callable by anyone, with five deprecated liquidity pools — Sollet USDT-RAY, Sollet ETH-RAY, SRM-RAY, USDC-RAY, and RAY-SOL — still holding real assets inside them.

Those five pools collectively held approximately:

The Exploit: Forging a Key to an Unlocked Vault

To understand the attack, you need to understand how liquidity pools track ownership. In any standard automated market maker, when you deposit assets into a pool, you receive LP (Liquidity Provider) tokens in return. These tokens represent your proportional share of the pool. When you withdraw, you burn your LP tokens, and the contract releases your share of the underlying assets — but only after verifying that the LP tokens you're burning are the legitimate ones issued by that specific pool.

That verification step — confirming the LP mint address matches the pool's authorized mint — is a fundamental security check. Raydium's legacy AMM V3 program did not perform it.

The attack sequence was elegant in its simplicity:

  1. The attacker created a brand-new SPL token mint — a completely fake LP token with no connection to any real Raydium pool.
  2. The attacker minted a single unit of this counterfeit token.
  3. The attacker called the legacy withdraw function, passing the fake mint as if it were the pool's legitimate LP token.
  4. The old contract accepted it. Without checking the mint address, the contract treated the attacker as a 100% LP shareholder and released the pool's entire reserve.
  5. The sequence was repeated across all five deprecated pools.

As pseudonymous Raydium contributor 0xInfra confirmed on X: the exploit was "a self-contained logic flaw" in the deprecated program. There was no key compromise, no oracle manipulation, no authority-level breach. Just missing input validation in code that had been sitting dormant on-chain, with real money inside it, for five years.
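As an added illustration (not Raydium's code), the two redemption paths side by side in a small Python model: the legacy one, whose share calculation trusts whatever mint the caller supplies, and the hardened one with the single missing comparison against the mint recorded in the pool's own state. The account types, addresses and reserve figures are simplified stand-ins.

```python
from dataclasses import dataclass
# Simplified stand-ins for the on-chain accounts involved; not Raydium's types.
@dataclass
class Mint:
    address: str
    supply: int           # units of this LP token in circulation

@dataclass
class TokenAccount:
    mint: str             # which mint this account holds
    amount: int

@dataclass
class Pool:
    lp_mint: str          # the LP mint this pool actually issued
    reserve_a: int
    reserve_b: int

def lp_mint_matches_pool(pool, lp_mint):
    """The check the legacy program skipped: the mint the caller supplies must be
    the one recorded in the pool's own state."""
    return lp_mint.address == pool.lp_mint

def withdraw_legacy(pool, lp_mint, lp_account, burn_amount):
    """Model of the flawed path: share = burn_amount / supply of whatever mint the
    caller passed in. A counterfeit mint with supply 1 and a burn of 1 is 100%."""
    if lp_account.mint != lp_mint.address or lp_account.amount < burn_amount:
        raise ValueError("account does not hold enough of that mint")
    out_a = pool.reserve_a * burn_amount // lp_mint.supply   # pro-rata share
    out_b = pool.reserve_b * burn_amount // lp_mint.supply
    pool.reserve_a, pool.reserve_b = pool.reserve_a - out_a, pool.reserve_b - out_b
    lp_mint.supply, lp_account.amount = lp_mint.supply - burn_amount, lp_account.amount - burn_amount
    return out_a, out_b

def withdraw_hardened(pool, lp_mint, lp_account, burn_amount):
    """Same arithmetic, but refuses any mint other than pool.lp_mint."""
    if not lp_mint_matches_pool(pool, lp_mint):
        raise PermissionError("LP mint does not match pool.lp_mint")
    return withdraw_legacy(pool, lp_mint, lp_account, burn_amount)

def scenario(hardened):
    """Counterfeit-mint redemption against a fresh pool; returns the payout, or None if refused."""
    pool = Pool(lp_mint="RealLpMint", reserve_a=1_000_000, reserve_b=5_000)  # constructed figures
    fake = Mint(address="FakeLpMint", supply=1)             # steps 1-2: new mint, one unit
    acct = TokenAccount(mint="FakeLpMint", amount=1)
    fn = withdraw_hardened if hardened else withdraw_legacy
    try:
        return fn(pool, fake, acct, 1)                       # step 3: present the fake mint
    except PermissionError:
        return None
```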

The On-Chain Forensic Trail

The following analysis is based on on-chain tracing of 1,058 transactions across 372 addresses emanating from the attacker's wallet within 30 days of the incident.

Attacker's primary Solana address: 4WnPebowR4HHfumvNPaDjG6Pa5Hi1jxLm6xmmBq33QVk

By the time on-chain investigators began tracing the wallet, the balance was already $0. The attacker had moved fast.

Phase 1 — Asset Aggregation and Swap (Hour 0)

Immediately after draining the five pools, the attacker consolidated the stolen assets. The 5,603 SOL was routed through a Solana DEX aggregator (5m2LUcmZqA26QxzALdrZqiVoFAkrVKji4FFfzzLKn9pa) and converted to USDC — a deliberate move to unify all proceeds into a single stablecoin before cross-chain transfer. The attacker did not attempt to liquidate through any Solana-native exchange.

Phase 2 — Structuring: The Peel Chain Pattern

Rather than moving funds in a single large transfer — which would be immediately flagged — the attacker deployed a textbook structuring / peel-chain technique. The $893,700 USDC was broken into a series of near-identical outbound transfers:

  • $93,690 × 7 transactions → Intermediary cluster A (D5YqVMoSxnqeZAKAUUE1Dm3bmjtdxQ5DCF356ozqN9cM)
  • $100,000 × 5 transactions → Intermediary cluster B (FkaLnX17cXZGyeu3kZGdHCNdFMJJzBrPPYVvd18B3MZp)
  • $319,996 → Intermediary C (8Dz5HLLQKzXtwm8SxgcYzJqMzotinWgQFTiytjW35nwd)
  • $255,261 → Intermediary D (6gxqegc6C9c2TYbNn8fjsVXvcctjdLahUtV45KrMEnpn)
  • $191,797 → Intermediary E (997p6CNyaJquJd54ytDnqyr16e5yv4QUnVv2eWCZN62J)
  • $191,809 → Intermediary F (AaegV4PEhkrvuayWDr8Yv2DxPWqUwjFBHFoMF6z8nwiW)
  • $191,652 → Intermediary G (ByCFj1x3G9UszbTeFqekG1Zx91uG6GYgZKEn9e8ey13N)
  • $193,700 → Intermediary H (GJvewfRjqTUPtx6WsBSUnaFbdgXwgXnWfpDyLm65T4YA)
  • $127,815 → Intermediary I (Hrvy5r62HFT2BdFEF95jW61crTcortQztGxD5zx3NrQw)

Each of these intermediary addresses received funds, held them briefly, then forwarded them onward. This layering pattern — splitting a large sum into multiple similar-sized transfers across numerous addresses — is a recognized money-laundering typology. The objective is to generate noise, making it harder to reconstruct the total fund flow from any single transaction.

Phase 3 — Reconvergence at the Bridge Preparation Hub

After the peel-chain dispersion, the funds did not stay scattered. All nine intermediary clusters funneled their USDC back into a single bridge preparation hub address (2snHHreXbpJ7UwZxPe37gnUNf7Wx7wv6UKDSR2JckKuS).

This reconvergence is a telling pattern. The dispersion was not intended to permanently split the funds — it was a layering maneuver to create forensic noise. Once the "layering" phase was complete, everything was reunited for the final cross-chain exit. The total time between the exploit and this reconvergence was measured in hours, not days.
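As an added worked example, not tooling from the original analysis: detection logic for the fan-out and reconvergence pattern of Phases 2 and 3, run over a constructed ledger whose addresses are placeholders and whose amounts echo the tranche sizes listed above. It flags a wallet whose outbound transfers cluster at near-identical amounts and whose first-hop recipients all forward to one common address.

```python
from collections import Counter, defaultdict
# Constructed sample ledger (source, destination, amount in USDC). Addresses are
# placeholders, not real wallets; amounts echo the tranche sizes quoted in the post.
TRANSFERS = [
    ("attacker", "A", 93_690), ("attacker", "A", 93_690), ("attacker", "A", 93_690),
    ("attacker", "B", 100_000), ("attacker", "B", 100_000),
    ("attacker", "C", 319_996), ("attacker", "D", 255_261), ("attacker", "E", 191_797),
    ("attacker", "F", 191_809), ("attacker", "G", 191_652),
    ("A", "hub", 281_070), ("B", "hub", 200_000), ("C", "hub", 319_996),
    ("D", "hub", 255_261), ("E", "hub", 191_797), ("F", "hub", 191_809),
    ("G", "hub", 191_652), ("hub", "bridge", 1_631_585),
    ("bystander", "merchant", 42),   # unrelated activity: must not be flagged
]

def near_identical_groups(amounts, tolerance=0.01, min_count=3):
    """Cluster amounts within `tolerance` (relative) of each other; a cluster of
    `min_count` or more similar outbound transfers is the structuring signal."""
    groups = []
    for amt in sorted(amounts):
        if groups and abs(amt - groups[-1][0]) <= tolerance * groups[-1][0]:
            groups[-1].append(amt)
        else:
            groups.append([amt])
    return [g for g in groups if len(g) >= min_count]

def detect_layering(transfers, source):
    """Map the fan-out from `source`, then test whether every first-hop recipient
    forwards to one common address (the reconvergence hub)."""
    by_src = defaultdict(list)
    for s, d, a in transfers:
        by_src[s].append((d, a))
    first_hop = by_src[source]
    intermediaries = {d for d, _ in first_hop}
    forwarded_to, forwarded_amt = Counter(), Counter()
    for mid in intermediaries:
        for d, a in by_src.get(mid, []):
            forwarded_to[d] += 1          # how many intermediaries send here
            forwarded_amt[d] += a
    hub = None
    if forwarded_to:
        top, count = forwarded_to.most_common(1)[0]
        if count == len(intermediaries):  # all intermediaries reconverge on `top`
            hub = top
    return {
        "intermediaries": len(intermediaries),
        "fan_out_total": sum(a for _, a in first_hop),
        "structured_groups": near_identical_groups([a for _, a in first_hop]),
        "hub": hub,
        "hub_inflow": forwarded_amt[hub] if hub else 0,
    }
```

On real chain data the same two signals (repeated amounts on the first hop, a single address receiving from every first-hop recipient) are what make a peel chain stand out from ordinary dispersal.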

Phase 4 — Cross-Chain Bridge: Solana to Ethereum

From the bridge preparation hub, the entire balance was bridged from Solana to Ethereum. The specific bridge protocol has not been confirmed via on-chain corroboration at the time of writing — this hop is reported based on PeckShield's tracking and should be treated as a credible but unverified lead pending direct on-chain confirmation of the Ethereum-side receiving address.

What is confirmed by multiple independent security researchers: the funds arrived on Ethereum shortly after leaving Solana.

Phase 5 — The Final Destination: Tornado Cash

On the Ethereum side, the attacker moved swiftly:

  • 810 ETH deposited into Tornado Cash — the primary mixing event, representing approximately $1.26 million of the total stolen amount. Tornado Cash, removed from the U.S. Treasury's sanctions list in March 2025, remains the exit ramp of choice for DeFi exploiters seeking to break the on-chain trail.

  • 7 ETH transferred to FixedFloat — a smaller tranche sent to a non-custodial swap service, likely to convert a portion of funds into another asset or chain with reduced traceability.

Once funds enter Tornado Cash in sufficient volume, transaction-level tracing — at least by conventional methods — terminates. No funds have been reported frozen or flagged by any centralized exchange.

The Complete Fund Flow


[5 Deprecated AMM V3 Pools on Solana]
         ↓ Fake LP mint exploit — June 10, 2026
         
[Attacker Wallet: 4WnPebowR4HHfumvNPaDjG6Pa5Hi1jxLm6xmmBq33QVk]
         |
         ├─ SOL 5,603 → DEX Swap Hub → converted to USDC
         |
         ├─ USDC → Structuring / Peel Chain (9 intermediary addresses)
         |         $93,690 ×7 | $100,000 ×5 | $319K | $255K | $191K ×3 | $127K
         |
         └─ All USDC → Bridge Prep Hub (2snHHreXbpJ7UwZxPe37gnUNf7Wx7wv6UKDSR2JckKuS)
                                  |
                         Cross-Chain Bridge (Solana → Ethereum)
                                  |
                   ┌──────────────┴──────────────┐
              810 ETH                           7 ETH
         Tornado Cash                        FixedFloat
         [Trail ends]                   [Swap / convert]

The Investigation Anchor: KuCoin

Here's the detail that matters most for any law enforcement or compliance action: the attacker's wallet was initially funded through KuCoin.

Before the exploit, the attacker received operating funds — likely for gas and test transactions — from an account on KuCoin, a centralized exchange with mandatory KYC registration. This represents the most viable attribution anchor in the entire case. KuCoin holds identity records for the account that funded the attacker's wallet. A formal legal request (court order, MLAT, or voluntary cooperation request from a relevant jurisdiction) to KuCoin could yield the attacker's real-world identity.

This is the single most actionable lead for investigators.

Raydium's Response: Full Reimbursement

Raydium's response was swift and unambiguous. Within hours of the exploit being flagged, the protocol confirmed that:

  1. No active users, current pools, or modern infrastructure were affected.
  2. The deprecated AMM V3 program had not been accessible via the UI since 2021.
  3. All affected liquidity providers would be fully reimbursed from the project treasury.

This is not the first time Raydium has faced this situation. The December 2022 incident — a $4.4 million loss caused by a private key compromise — was similarly handled through a governance-approved reimbursement using buyback fees and vested team tokens. That incident was structurally different (an operational breach, not a code vulnerability), but the compensation commitment reflects an established pattern in how the protocol handles security failures.

At the time of writing, RAY traded near $0.57, down less than 1% on the day of the incident — a remarkably muted market reaction, likely attributable to the credible reimbursement commitment and the fact that no active user positions were touched.

What This Means for DeFi Security

The Raydium June 2026 exploit is not a novel attack. It is, in many ways, a familiar one — a legacy codebase vulnerability, a deprecated program left callable on-chain, real assets left sitting in retired infrastructure. The attack method (fake mint address bypass) belongs to a documented vulnerability class. A March 2026 symbolic-execution study examining 8,714 bytecode-only Solana contracts flagged 467 with potential bugs, citing missing key/mint verification as one of the most common failure modes.

There are three systemic lessons here:

1. Deprecated ≠ Disabled

A contract phased out of the UI is not a contract that has been deactivated. On a permissionless blockchain, if a program is deployed and callable, anyone can call it — regardless of whether the interface still exposes it. Protocol teams must treat deprecated on-chain programs as live attack surfaces until they are formally neutralized (which, on Solana, means migrating or closing the program accounts).

2. Legacy Assets in Legacy Code

The deeper failure here is not just that the old AMM V3 existed on-chain, but that real assets remained inside it. When Raydium migrated to AMM V4 and CLMM in 2021, a full asset migration from the deprecated pools should have been part of the transition. Five years of dormancy, combined with real liquidity, created the exact conditions the attacker exploited.

3. Laundering Playbooks Are Predictable

The attacker followed a pattern that security researchers have documented extensively: structuring → cross-chain bridge → mixer. The predictability cuts both ways. It makes tracing easier for investigators, but it also demonstrates that mixers and bridges remain the laundering infrastructure of choice for DeFi exploiters. The centralized funding point (KuCoin) is the only meaningful deviation from a fully anonymous operation — and it may prove to be the attacker's critical mistake.

Recovery Prospects

Bluntly: the $1.34 million is unlikely to be recovered in full.

810 ETH inside Tornado Cash is, for practical purposes, currently untraceable at the transaction level. FixedFloat, a non-custodial swap service, offers limited recourse. The bridge destination address on Ethereum was not confirmed with on-chain corroboration at time of publication.

What investigators do have:

  • The complete Solana-side fund flow reconstructed hop-by-hop
  • KuCoin as a KYC-linked funding source — the strongest attribution lead
  • The attacker's primary Solana address (4WnPebowR4HHfumvNPaDjG6Pa5Hi1jxLm6xmmBq33QVk) fully mapped
  • A documented structuring pattern that constitutes on-chain evidence of deliberate layering

The KuCoin lead is real. Whether it results in an arrest depends on the jurisdiction, the response timeline, and whether KuCoin's cooperation yields actionable identity records before the statute of limitations becomes a concern.

Conclusion

The Raydium June 2026 exploit is a $1.34 million lesson about the hidden risks of deprecated infrastructure. The vulnerability was not exotic. The attack required no zero-days, no insider access, no flash loan engineering. It required only the observation that an old contract with missing input validation still held real money — and the knowledge of how to ask for it.

The attacker executed a professional laundering sequence: structuring, peel chains, cross-chain bridging, and mixing. But they made one mistake that most sophisticated exploiters avoid: funding their operational wallet through a KYC-registered exchange before the attack.

That connection to KuCoin is the thread investigators should pull.

Forensic analysis conducted using on-chain data from the Solana mainnet and OSINT from PeckShield, on-chain investigator Specter, and published security research. All address attributions are based on confirmed on-chain fund flows. The Ethereum-side bridge destination has not been independently confirmed on-chain at time of publication and is reported on the basis of security researcher findings. This post is for informational and investigative purposes only.
