Analysis of Collaborative Sniping Behavior in Solana Token Issuance

Abstract

This report investigates a common and highly coordinated meme Token farming model on Solana: Token deployers transfer SOL to "sniper wallets," enabling these wallets to purchase the Token within the same block when it is launched. By focusing on the clear and provable financial chain between deployers and snipers, we identify a set of high-confidence extraction behaviors.

Analysis shows that this strategy is neither an偶然 phenomenon nor a marginal behavior. In just the past month, more than 15,000 SOL of realized profits have been extracted through this method from over 15,000 token issuances, involving more than 4,600 sniper wallets and over 10,400 deployers. These wallets exhibit an unusually high success rate of (87% in sniper profits ), clean exit methods, and structured operational patterns.

Key findings:

• The sniper funded by the deployer is systematic, profitable, and usually automated, with sniper activities being most concentrated during US working hours.
• Multi-wallet brushing structures are very common, often using temporary wallets and collaborative withdrawals to simulate real demand.
• Obfuscation methods are constantly evolving, such as multi-hop funding chains and multi-signature attacks on transactions, to evade detection.
• Although limited, a jump fund filter can still capture the clearest and most repeatable large-scale "insider" behavior cases.
• This report presents a set of actionable heuristic methods to assist protocol teams and front-end developers in real-time identification, tagging, and response to such activities.

Although the analysis only covers a subset of block sniping behavior within the same block, its scale, structure, and profitability indicate that Solana token issuance is actively manipulated by a collaborative network, and existing defenses are far from sufficient.

Methodology

This analysis aims to identify behaviors indicating the collaborative farming of meme tokens on Solana, especially situations where deployers provide funds to sniper wallets at the time of token issuance in the same block. We divide the issue into the following stages:

1. Filter the same block sniping
2. Identify wallets associated with the deployer
3. Associate sniping with Token profits
4. Measuring Scale and Wallet Behavior
5. Machine activity traces
6. Exit Behavior Analysis

Focus on the clearest threats

We first measured the scale of block sniping in the issuance of pump.fun, and the results were shocking: over 50% of the tokens were sniped at block creation - block sniping has shifted from an edge case to the dominant issuance model.

To reduce false positives and highlight genuine collaborative behavior, we have incorporated strict filtering in the final metrics: only counting the direct SOL transfers between the deployer before the launch and the sniper wallet. This allows us to confidently identify wallets directly controlled by the deployer, wallets acting under the deployer's direction, and wallets with internal channels.

Case Study 1: Direct Funding

The deployer's wallet sends a total of 1.2 SOL to 3 different wallets, and then deploys a token named SOL > BNB. The 3 funding wallets complete their purchase in the same block where the token is created, before it is visible to the broader market. Subsequently, they quickly sell for profit, executing a coordinated flash exit. This is a textbook example of pre-funding sniper wallets brushing farming tokens, directly captured by the funding chain method. Despite the simplicity of the technique, it has been staged on a large scale across thousands of issuances.

Case Study 2: Multi-hop Funding

A certain wallet is related to multiple token sniping events. This entity did not directly inject funds into the sniper wallet, but rather transferred SOL through 5-7 intermediary wallets to the final sniper wallet, thereby completing the sniping within the same block.

Existing methods only detect some preliminary transfers from the deployer, but fail to capture the entire chain towards the final target wallet. These relay wallets are typically "one-time use," only used to transmit SOL, making it difficult to associate them through simple queries. This gap is not a design flaw, but rather a trade-off of computational resources.

Discover

Focusing on the subset of "same block sniping + direct capital chain", we reveal a broad, structured, and highly profitable on-chain collaborative behavior. The following data covers the period from March 15 to the present:

1. Sniping that is in the same block and funded by the deployer is very common and systematic.
   • In the past month, over 15,000 tokens have been directly targeted by funding wallets upon listing on the blockchain.
   • Involving over 4,600 sniper wallets and more than 10,400 deployers
   • The issuance of pump.fun accounts for approximately 1.75%

2. This behavior leads to large-scale profits.
   • Direct funding sniper wallet has achieved a net profit > 15,000 SOL
   • Sniping success rate 87%, very few failed trades
   • Typical single wallet yield 1-100 SOL, a few exceed 500 SOL

3. Repeat deployment and sniper targeting to brush farming networks
   • Many deployers use new wallets to batch create dozens to hundreds of Tokens.
   • Some sniper wallets execute hundreds of snipes in a single day.
   • Observed a "center-radiation" structure: one wallet funds multiple sniper wallets, all sniping the same Token.

4. Sniping presents a human-centered time pattern
   • The active peak is from UTC 14:00 to 23:00; it is almost at a standstill from UTC 00:00 to 08:00.
   • Aligns with US working hours, indicating it is triggered manually/cron schedule, rather than fully automated 24 hours globally.

5. Confusion of ownership between single-use wallets and multi-signature transactions
   • The deployer funds several wallets simultaneously and signs the sniper in the same transaction.
   • These burn wallets will no longer sign any transactions.
   • The deployer splits the initial purchase into 2-4 wallets to disguise real demand.

Exit Behavior

To gain a deeper understanding of how these wallets exit, we have analyzed the data along two major behavioral dimensions:

1. Exit Speed ( Exit Timing ) - The time from the first purchase to the final sale
2. Sell Transaction Count ( Swap Count ) - Number of independent sell transactions used for exit

Data conclusion:

1. Exit Speed

   • 55% of the sniping was sold out in 1 minute
   • 85% liquidated within 5 minutes
   • 11% completed in 15 seconds

2. Number of sales

   • Over 90% of sniper wallets only exit with 1-2 sell orders.
   • Rarely adopt progressive sell-offs

3. Profit Trend

   • The most profitable is the wallet that exits in less than 1 minute, followed by less than 5 minutes.
   • Holding for a longer time or selling multiple times may result in slightly higher average profit per transaction, but the quantity is very small, contributing limitedly to the total profit.

These patterns indicate that the sniper funded by the deployer is not a trading activity, but an automated, low-risk extraction strategy.

Conclusion

This report reveals a continuous, structured, and high-profit Solana token issuance extraction strategy: deployer-funded block sniping. By tracking direct SOL transfers from deployers to sniping wallets, we have identified a batch of insider-style behaviors that leverage Solana's high throughput architecture for coordinated extraction.

Although this method only captures a part of the block sniping, its scale and pattern indicate that this is not random speculation, but rather operators with privileged positions, repeatable systems, and clear intentions. The significance of this strategy is reflected in:

1. Distort early market signals to make the Token appear more attractive or competitive.
2. Endanger retail investors - they become exit liquidity without knowing it.
3. Weaken the trust in open token issuance, especially on platforms that pursue speed and ease of use.

To alleviate this issue, what is needed is not just passive defense, but also better heuristics, front-end early warning, protocol-level safeguards, as well as ongoing efforts to map and monitor collaborative behaviors. Detection tools already exist - the problem is whether the ecosystem is willing to truly apply them.

This report takes the first step: it provides a reliable and reproducible filter to identify the most obvious collaborative behaviors. But this is just the beginning. The real challenge lies in detecting highly obfuscated and constantly evolving strategies, and in building an on-chain culture that rewards transparency rather than extraction.