Metamask

Consensys-funded research call preceded a fully automated multi-chain drain. The same operator is hitting victims today.


How a $54 user-research interview became the most expensive Zoom call of one crypto founder's life — and exposed an active drainer ring.

47 minutes after the Despark research call ended, the participant's Solana wallet was emptied by an 8-tx automated sweep. 47 minutes after the call ended, the drainer fired. Same operator's wallets received $27K+ more SOL this week.Rex Intel Services · Investigations Desk

A multi-chain crypto founder, anonymous for his protection, accepted a paid user-research interview booked through a Consensys-funded recruitment platform on 2025-05-12. The mission was titled "Web3 Identity." The fee was $54 USDC. The interviewer was introduced as a Consensys/MetaMask employee.

Forty-seven minutes after the call ended, his Solana wallet executed eight transactions in eighty seconds. By the time the bot finished, every liquid asset in the wallet was gone, swept to a one-time burner address controlled by an operator that, as of 2026-05-18, is still receiving substantial inflows in real time across associated infrastructure.

He had told the researcher, on camera, what was in that wallet.

At a glance:

  • Consensys-Mesh-funded user-research platform. Despark.io, the firm that booked the paid interview, is a Boston-based research recruiter whose publicly disclosed investors include Consensys Mesh — the venture arm of the company that makes MetaMask.
  • Researcher confirmed as a Consensys/MetaMask employee by multiple independent sources. Despark's co-founder confirmed via email that the researcher was a verified Consensys employee with Slack and corporate-email accounts on file. Separately, multiple Consensys employees encountered by the participant at crypto industry conferences in the months following the drain independently confirmed, in unprompted conversation, that the researcher was a known MetaMask employee.
  • Wallet contents disclosed on camera. Over a recorded ~46-minute Zoom call, the participant voluntarily catalogued his multi-chain wallet providers, his approved DeFi positions, and the rough scale of his holdings to the researcher.
  • Fully automated, multi-chain drain — beginning 47 minutes after the call ended. On Solana, eight transactions in 80 seconds emptied the participant's Phantom wallet to a one-time burner sink, every transaction signed by his own keypair as fee payer. On Polygon, the same wallet had been pre-liquidated the night before (DeFi Treasury Bill batch redemption + Paraswap multiSwap) and cashed out 1,380 POL to a one-time burner sink six minutes before the Solana drain began. The Polygon burner exhibits the identical operational fingerprint as the Solana burner: one drain, one forward to a consolidator, then permanently dormant.
  • Drain enabled by prior key theft, not a session compromise. Solana has no ERC-20-style approvals; the operator already held the participant's private key when the call began. The call's role was either confirmation or trigger.
  • Two of the participant's wallets, on two chains, tagged by the same EIP-7702 phishing contract. The primary screener-disclosed wallet was authorized on Ethereum, in September 2025, to two delegate contracts whose creators are labeled "Fake_Phishing" by Etherscan. A second wallet of the participant's is currently authorized on Polygon to the same 0x63245b9f… delegate as the primary. The most recent delegation on Ethereum and the active delegation on Polygon are both live as of publication.
  • Despark released only one side of the recording. After a California two-party-consent request, the company provided only the participant's own audio and a transcript of his own speech, withholding the researcher's video, audio, and questions, and attributing the partial release to lawyer review.
  • The operator's infrastructure is running at SaaS-drainer throughput right now. The custom drainer router and persistent fee wallet that processed the participant's May-2025 drain each emit more than 1,000 signed transactions per hour as of publication — ~20 per minute, sustained, on both addresses. Two other wallets in the same May-2025 Solana Address Lookup Table batch as the participant's burner have received more than $27,000 in SOL inflows in the last 96 hours.
  • Four other addresses in the same batch share the participant's drainer-sink fingerprint. Single-day activity envelopes, low signature counts, zero ending balances — a cohort of likely co-victims who may not yet know they were hit.
  • Pre-drain dusting recon hit twenty wallets, including the participant's. Eighteen hours before the drain, a single Solana transaction from 5Hr7wZg7oBpV…Jak7fr distributed 1 lamport to twenty distinct destination wallets — a textbook on-chain operational tell for verifying that a list of target accounts is live and rent-exempt before the operator commits the next batch. The participant's address appears at index 19. The other nineteen are listed in the body of this article.
  • At least four of the other nineteen dusted wallets were drained through the same operator's router + fee wallet. A direct on-chain cross-check confirms five out of twenty wallets in the dust batch — including the participant's — were routed through the same SaaS drainer infrastructure. Three of those four co-victims were drained before the participant: within 2-4 hours of the dust, while the participant was still asleep. The dust list was not behavioral context. It was the operator's working target manifest, and the participant's drain was the fifth-or-later move in a campaign already underway.

The mission

Despark.io is a paid user-research firm that recruits crypto-active participants for product interviews. Its participants are vetted by demographics and on-chain wallet activity — a differentiator the company markets explicitly versus generic research-recruiter platforms like User Interviews or Respondent.io. Despark currently lists ~7,000 verified web3 users, and claims clients including CoW Protocol, Runtime Verification, and API3, with internal-network exposure to Consensys-funded products including MetaMask.

The founder — referred to here as the participant, for source-protection reasons — had completed two prior Despark missions before May 12, 2025, including one on 2025-02-11 titled "Looking to speak to MetaMask users!" — the same MetaMask-research recruitment pattern. The May 12 "Web3 Identity" mission was his third Despark session, and it was conducted over Zoom on the morning of May 12, recorded per Despark's standard process.

Over the course of a ~46-minute interview, the participant — comfortable, professional, treating it as a real research conversation — voluntarily catalogued the categories of his crypto operational footprint to the researcher: the wallet providers he used across multiple chains, the categories of DeFi venues where he held approved trading positions, the rough scale of his holdings, and the personal-opsec practices he relied on. Specific project names and exact wallet identifiers are withheld here for source protection; the disclosure pattern, not its contents, is what matters for what followed.

According to Despark's later metadata review, no chat messages were exchanged during the call and no screen was shared.

The call ended somewhere between 10:55 and 11:00 AM Pacific Time. Despark's automated "Mission Complete" email — which fires after the participant is credited — landed in the participant's inbox at 11:15 AM PT.


What happened in the wallet before the call

The wallet activity in the 48 hours leading up to the call follows a pattern that is, in retrospect, legible.

2025-05-10, 16:30 PT — T-43 hours from drain. The participant's Phantom wallet receives 15.78 SOL (≈$2,805 at the May 2025 spot price) from a Robinhood-attributed wallet (AeBwztwXScyNNuQCEdhS54wttRQrw3Nj1UtqddzB4C7b). This is the funding event that established most of the wallet's eventual drained value. From the operator's perspective — assuming the wallet's keys had been previously exfiltrated and were being watched — this is the inflow signal that says now there is something here to take.

2025-05-11, 17:14 PT — T-18 hours from drain. A Solana wallet at 5Hr7wZg7oBpVhH5nngRqzr5W7ZFUfCsfEhbziZJak7fr emits a single signed transaction (22 instructions, total fee 5,825 lamports — about $0.001) transferring one lamport (0.000000001 SOL) to each of twenty distinct recipient wallets in one batch. The participant's Phantom address appears as the nineteenth recipient. The other nineteen, in batch order:

281DH5J1fmoGusSyryBgMBovF77E4aFgSCYzSbRzuiG4
3k4244UDyqs6L2zoTNrPquRrWK6VkebHYBFqHvpB5oYL
4CRkYKSG6jWG2swKRMbQ5KziVWDcpnnmRxFT8EzDXH2g
55GVfiNkTg9bHZ1BZg2VHedtM1vQ1G4EmcMX7E8QNZxf
65a6EiHpArePug31EPDjcxLVa5KgQcz9cj6UXzgES7hv
672XessRAdvCcGTJCzBKtxd93UemQ2rnLtGAu7kpANiG
6DN8gJHUkXT6yUpuLjViPbDRQScM8MRzmTqRYrv9Dsou
8j3D5HzUXbAxXKGDzF4iDNuv7hBHpUvtDV9eKnaxLAFy
9h8D1cvgtc2YHdUsjr5uModAwAcdNbEYZC55D2jhmCMt
9YQVt8mPmHvwnn4J1fmvA9tyhGKvibPR8HKGSCGV6FxN
AJj2RHsz6sLKAbtsvKZU6Xcz6gcHE8QSQVnHPxAa3TWA
B1JSkgsNjDhp141nP7JjeZva1LtvRt1kFMGfN4kN4NKz
BayewF3p8aXjxSUcMhoV4GwYUnBrudrx9PY92AtnpBQn
Dsa5FBjVZ1ejqKoPgBw7qvv9xQtfc9CbfdJnyxMQAZY2
DSDpQAq26PsL1Ldijp5YSAKUKbggvX58AF7dZgapvT6X
EWFSQcfANfUwgbhqCMXhjfM7CCtZtsxcvRNprCaYyBCj
F1bNfRK7r3xwWJYr8MP4vzvHf5sEamTppjDgyM15v49m
HAr3D8hc19UfLy4pZydrf5vR8eWri1jqrsyykLzWhUWQ
HvhAwaNxdDjK6b1uPJdGQvnAJoZyxzkrFN8kvQabXsFL

A 1-lamport dust to twenty wallets in a single batched signature, paid for by a single source wallet, costing under a penny in fees, has one common operational function: verifying that each recipient address is a previously-funded, rent-exempt account that the next batch transaction can address cheaply. On Solana, transferring to an uninitialized account is more expensive (the sender pays rent-exempt minimum). Dusting confirms target liveness and pays the rent for the receiving wallet's account structure. It is reconnaissance.

The other nineteen wallets in that batch are a snapshot of the operator's target list as of T-18 hours before the participant's drain. If you recognize any of those nineteen addresses as yours — or as belonging to anyone you know — and that wallet had unexplained transactions between May 11, 2025 and the present, you may be looking at the same operator that hit the participant. We confirmed four of those nineteen wallets were drained through the same SaaS infrastructure as the participant's wallet — three of them before the participant's drain, within hours of the dust. Methodology and the full address list of confirmed co-victims appear later in this article in the section "We checked the dust list." We want to hear from any of the others.

2025-05-12, 01:09 to 01:11 PT — T-10 hours from drain. The participant's Polygon wallet executes the bond batchRedeem + Paraswap multiSwap sequence (described in detail in the Polygon section below). DeFi vesting positions liquidate to liquid POL. Whether by the participant himself or by an actor already holding his keys, the wallet ends up liquid by 01:11 PT.

2025-05-12, ~10:00 AM PT — T-2 hours from drain. The participant joins the Despark "Web3 Identity" Zoom call and spends ~46 minutes verbally describing his multi-chain DeFi footprint to the researcher.

2025-05-12, 11:15 AM PT — T-30 min from drain. Despark's automated "Mission Complete" email arrives.

2025-05-12, 11:39 AM PT — T-6 min from drain. The participant's Polygon wallet emits 1,380 POL to a one-time burner sink.

2025-05-12, 11:45 AM PT — T-0. The Solana drain begins.


The 47 minutes

At 11:45:43 AM PT — 30 minutes 43 seconds after the Mission Complete email, and (per the participant's recollection) approximately 47 minutes after the researcher hung up — the participant's Phantom wallet on Solana (HeJkAGASQu8esawJyrEW4WFkdoqTpsZSGatkoFb4XqVa) began signing transactions. Every claim in this section is independently verifiable by loading that address on any Solana block explorer and reading the May 12, 2025 transaction list.

The participant did not sign them. He was not at his computer. His Phantom wallet's private key was. Whoever held that key had decided, at that moment, to start.

Over the next 1 minute and 53 seconds, the wallet emitted eight transactions in unbroken sequence — roughly one signed swap every fourteen seconds, a cadence no human is hitting on a wallet they haven't preloaded the inputs for. Each one was signed using the participant's own Phantom keypair as fee payer — meaning whoever was executing them had full custody of the private key, not merely an approved swap signature (a mechanism that does not exist on Solana the way it does on Ethereum). Each transaction routed through a custom drainer router (6m2CDdhRgxpH4WjvdzxAYbGxwdGUz5MziiL5jek2kBma) that liquidated one of the wallet's token positions to native SOL, with a small fee skimmed to a persistent operator wallet (9yj3zvLS3fDMqi1F8zhkaWfq8TZpZWHe6cz1Sgt7djXf) on each swap.

The drain sequence, reconstructed from Solana RPC:

Time (PT) Action Wallet SOL balance 11:45:43 Swap 7reSG61f… → OFFICIAL TRUMP (TRUMP) via Raydium CLMM 4.92 11:46:04 Sell 4.4M Purple Pepe (PURPE) → SOL 7.27 11:46:15 Sell 242K Pepe (Pepe) → SOL 9.13 11:46:26 Sell 22.9 OFFICIAL TRUMP (TRUMP) → SOL 10.78 11:46:37 Sell 7,548 Hosico cat (Hosico) → SOL 12.61 11:46:55 Sell 2,400 Just a chill guy (CHILLGUY) → SOL 13.88 11:47:05 Sell 1,124 Goatseus Maximus (GOAT) → SOL 15.15 11:47:36 15.110 SOL swept to GmgHSpuXYejyfZ9E63YPR9XFdfHj4pyuu7cVu8jTrN9f 0.036

The seven distinct token positions liquidated in those eighty seconds read like a Greatest Hits playlist of every meme that owned Solana CT in the prior six months:

  • OFFICIAL TRUMP (TRUMP) — the inauguration-week political coin that minted a generation of bag-holding former Hill staffers.
  • Pepe and Purple Pepe (PURPE) — one classic frog, one purple variant; the participant was diversified across froggy color theory.
  • Hosico cat (Hosico) — a Bonk-ecosystem cat coin. Note the Ebonk suffix on its mint address, which is the kind of detail you only clock when you're being paid in dust to read every drain transaction in someone else's wallet.
  • Just a chill guy (CHILLGUY) — the viral late-2024 mascot of doing absolutely nothing while the bag does whatever it's going to do.
  • Goatseus Maximus (GOAT) — the AI-agent / Eliza-narrative bellwether and the largest of the autonomous-AI-token-cycle entrants.

It is, broadly, exactly the multi-bag SOL-memecoin portfolio the participant had described, on camera, to the researcher, earlier that same morning. The operator did not have to guess what was in there. The participant had read out the menu.

The final sweep address, GmgHSpuXYejyfZ9E63YPR9XFdfHj4pyuu7cVu8jTrN9f, has exactly seven signatures in its entire history. All seven are on May 12, 2025. Its current balance is zero. This is a textbook one-time burner sink — created for one victim, used for one drain, then dormant forever after.

Two minutes after the drain landed there, at 11:49:38 AM PT, the 15.110 SOL was relayed forward to a consolidation wallet (G2YxRa6wt1qePMwfJzdXZG62ej4qaTC7YURzuh2Lwd3t), prepared by a separate operator relayer (6vMuna31vRDs9u9RAEF8UeCSs9CNu6j4LkXpe4Ko1gBQ) that constructed a Solana Address Lookup Table — a transaction-compression technique used when a batch of related operations is being prepared simultaneously.

That Lookup Table contained ten sink addresses.

The participant's was one of them.


The Polygon side: the drain was multi-chain

The participant's Solana wallet was not the only one being emptied on May 12, 2025.

Between 01:09 AM and 01:11 AM Pacific Time — approximately ten hours before the Despark call — the Polygon wallet the participant had disclosed via Despark's screener (0x118EDd03335D07B498A511213cDb9FDfB448EcA3) executed three signed transactions, each verifiable on Polygonscan:

Time (PT) Action Contract Tx hash 01:09:54 batchRedeem(uint256[] _billIds) 0x3E53F156fBe6a17ca74F4E0EeC638cD8AeD3a4Bb (DeFi Treasury Bill vesting contract) 0x8da01d14… 01:09:58 batchRedeem(uint256[] _billIds) 0xc36a21D46c901bC6d9CF3eD0b1f31eDaB7d36e90 (Treasury Bill v2 contract) 0xb4fa4e4a… 01:11:38 multiSwap(tuple data) 0xDEF171Fe48CF0115B1d80b88dc8eAB59176FEe57 (Paraswap Augustus v5 router) 0x6689024a…

The two batchRedeem operations liquidated DeFi vesting positions — the on-chain mechanism by which a previously locked position becomes liquid POL. The bond settlement contract at 0xc19e284c8f5ccef721a761d0ca18dc8e9a612afd returned 107.74 POL to the wallet at 01:10:38, between the two redemptions; the Paraswap multiSwap at 01:11:38 returned a further 24.08 POL to the wallet from token-side conversions. Whether those overnight operations were performed by the participant himself or by an attacker already holding his key is not knowable from on-chain evidence alone; what is knowable is that they left the wallet in a fully-liquid state ten hours before the cash-out that followed.

The cash-out happened at 11:39:39 AM PT — six minutes before the Solana drain began at 11:45:43 PT. A single outbound transfer:

1,380 POL → 0xd78d9d8e566ecd4d1696eda3f08605bbd5c85554

That recipient address has exactly two transactions in its entire history. Both are on May 12, 2025.

  • 11:39:39 PT: received 1,380 POL from the participant's wallet.
  • 11:41:43 PT (2 minutes 4 seconds later): forwarded 1,379.97 POL onward to 0x3a0d24d59af3a3444dc6ef12cdb0c6e38c985288 — a high-volume consolidator wallet with thousands of unique inbound counterparties across multiple years of activity.

Its current balance is 0.022 POL. After May 12, 2025, it has emitted no further transactions.

This is the same operational fingerprint as the participant's Solana drain destination GmgHSpuX…jTrN9f: one-time creation, one drain, one forward to a consolidator, then permanently dormant. Same architecture, different chain.

The choreography across chains was:

01:09 PT — Polygon: bond batchRedeem ×2  ┐
01:11 PT — Polygon: multiSwap Augustus   ┘ wallet liquidated to POL
…
11:39 PT — Polygon: 1,380 POL → one-time burner sink
11:41 PT — Polygon: burner → consolidator (1,379.97 POL forwarded)
11:45 PT — Solana: drain sequence begins (8 tx in 80 sec)
11:47 PT — Solana: 15.110 SOL → one-time burner sink
11:49 PT — Solana: burner → consolidator (Address Lookup Table batch)

The two chains were not separate incidents. They were two surfaces of the same operation, run by an actor who held the participant's keys on both. Polygon was unwound first, overnight, slowly. Solana was unwound last, in eighty seconds, after the participant had spent forty-six minutes on a recorded call describing what was in it.


Despark.io is a Consensys-funded research network

To understand what kind of vendor relationship that interview represented, you have to look at who funds Despark.

Despark.io was co-founded in Boston by Greg Eusden (formerly Director of Product at SimpliSafe) and Amar Kher (formerly Global Head of Advertising Business Operations at Uber). The company has 2-10 employees per its LinkedIn. Its publicly disclosed investors include Consensys Mesh — the venture arm of Consensys, the company that makes MetaMask — and Qubic Labs. Consensys Mesh's own announcement of the Despark investment is on the public record, alongside the company's PitchBook and Crunchbase profiles.

This means: when a Despark mission is staffed by a "Consensys employee," that researcher and that platform and the eventual product the research feeds are not in an arms-length vendor relationship. They are all in the same network, funded by the same parent. A Consensys-affiliated researcher conducting a Consensys-themed mission via a Consensys-Mesh-portfolio platform is the structurally expected flow — not a red flag in itself.

What it does mean is that the controls around participant-facing data, researcher vetting, and call-content handling are internal-Consensys-network controls, not third-party-vendor controls. The threat model when a Consensys-Mesh-funded research firm with ~7 employees handles wallet-KYC'd participants and post-call disclosure data necessarily includes a single insider with access to both.


What Despark said when the participant asked

After the drain, the participant emailed Despark's published support address. The thread was answered by Greg Eusden, co-founder of Despark, who confirmed via reply that the researcher was a verified Consensys employee with Slack and email accounts on file.

Asked how a drain could have followed from the call when no screen had been shared and no links had been clicked, Eusden wrote: "I glanced at the metadata, and I don't think you shared screen or interacted with anything on her behalf, so it's hard to know it's related to the interview." He noted that the researcher had interviewed "folks who I know for a fact have large value-holdings and we haven't had any issues so far."

Eusden's confirmation of the researcher's employment was not the only source. In the months following the drain, the participant attended multiple crypto industry conferences and, in separate unprompted conversations with Consensys employees encountered there, received independent confirmation that the researcher was a known MetaMask employee. None of those conversations were initiated by the participant raising the researcher's identity; in each case, a Consensys staffer placed her at the company without being asked to. The participant has accordingly treated the researcher's employment with Consensys as established by multiple independent sources for the purposes of this investigation.

The participant asked for a copy of the call video, citing California's two-party recording statute and his right as a recorded party to obtain a copy. Despark initially declined. After three months of follow-up, on 2025-08-18, the company released only the portion of the video in which the participant himself spoke, along with a transcript of only his own speech. The researcher's video portion, audio, and questions were withheld. Eusden attributed the partial release to lawyer review.

Receiving only one side of a recorded two-party conversation is not a position California's recording statute requires the participant to accept. It is, however, the position Despark has held since.

The participant's screener responses — the questions Despark sends prospective participants before booking the mission — included one wallet address, which Eusden confirmed was the only wallet identifier shared with the researcher via the platform: the Polygon-active MetaMask wallet 0x118EDd03335D07B498A511213cDb9FDfB448EcA3.

That same wallet was later hijacked again, in a separate event, in September 2025 — via Ethereum's EIP-7702 mechanism, by delegate contracts both explicitly flagged as phishing operations by Etherscan's community-attribution system. More on that below.


How the keys were actually compromised

The participant's initial working theory was that an AI-driven signature exploit had abused DEX approvals he had previously granted on Raydium and QuickSwap.

That theory is wrong, but in a way that matters.

Solana does not have ERC-20-style approvals. To swap on Raydium, the wallet's private key must sign each transaction at submission time. Every one of the eight drain transactions on May 12 was signed by the participant's Phantom keypair — visible on-chain as the fee payer for every transaction in the burst. Nobody can sign with that key unless they hold it.

What this means is: at some point before the call, the participant's Phantom private key had been exfiltrated. The drain wasn't enabled by any signature given during the call — Despark's metadata, on this narrow point, appears to be accurate. The drain was enabled by the participant's keys already being in the operator's possession. The call's role was either (a) confirmation — a watcher on the operator's side hearing the participant catalogue what was in the wallet and triggering the drain accordingly — or (b) trigger via timing — the operator running a scheduled extraction bot keyed to a specific UTC window (which is consistent with the same operator's subsequent behavior on the same wallet — see below).

Crypto information stealers that exfiltrate browser-extension wallet state — Phantom, MetaMask, Xverse — are a well-documented and growing attack class, often delivered via fake job applications, malicious Chrome extensions, and Discord links. The North Korean "Operation Dream Job" / "Contagious Interview" campaigns are the highest-profile instance, but the technique is now commoditized and used by mid-tier crypto-criminal actors across multiple jurisdictions. SlowMist, Mandiant, Sekoia, and TRM Labs have all published detailed write-ups of the malware families involved.

The unanswered question for the Despark case is: at what point, and through what channel, did this participant's Phantom keys get stolen — and is the same channel sourcing Despark's research recruits, or sourcing the researcher's call list, or sourcing nothing at all related to either?

We will return to this question once we've explained why the operator infrastructure is still alive.


The drainer ring is still active right now

The Solana Address Lookup Table that the operator's relayer prepared at 11:48:14 AM PT on May 12, 2025 — the one used to compress the addresses for the participant's drain cash-out — contained ten distinct sink addresses. The participant's sink was one of them.

We profiled all ten.

Address Sig count Activity range Current balance Read GmgHSpuXYejy…jTrN9f 7 2025-05-12 only 0 SOL Participant's drain destination (burner-sink pattern) 4Z91xTzhDs7e…y7z2u 26 2025-05-12 only 0 SOL Burner-sink pattern 9gLYqGrhPiRk…sPyo 24 2025-05-12 only 0.001 SOL Burner-sink pattern 9SzPrMxtv76z…B9av 20 2025-05-12 to 14 0 SOL Burner-sink pattern 9GS4pvLLqVV7…RUgG 50+ 2025-05-11 to 12 0 SOL Burner-sink pattern 4tMW38hehQ5o…XoVR 14 2025-05-07 to 12 0.001 SOL Adjacent burner-sink pattern 7Q5hoiFy3FJu…K4Dhn 50+ 2025-04 to 2026-02 0 SOL Long-running infrastructure address (continuous activity) 7MoK8H31L7YB…hQy1 50 2026-05-15 to 2026-05-17 131.69 SOL (~$22,000) Heavy current inflow activity CYt5zhUNZfyX…eh71 50 2026-05-14 to 2026-05-17 32.22 SOL (~$5,500) Heavy current inflow activity HFUGwNE5Jj5G…LYXn 50 2026-05-13 to 14 0 SOL Recent flow-through activity

Two observations of public consequence:

Four other addresses in the same operator batch share the participant's drain-destination fingerprint. Each shows a single-day-or-narrow-window activity envelope, a low signature count, and a zero or near-zero ending balance — the same operational pattern as the participant's confirmed drain destination. We do not assert from this on-chain pattern alone that these are stolen-funds destinations; we are stating that the patterns are consistent and that the addresses warrant attention. Anyone who recognizes one of those four addresses as having received funds they did not authorize — we want to hear from you. Tip line at the end of this article.

The address cluster contains wallets receiving substantial current inflows. Two addresses in that same May-2025 Lookup Table — 7MoK8H31L7YB…hQy1 and CYt5zhUNZfyX…eh71 — have received inflows in the last 96 hours totaling more than $27,000 in SOL. We are reporting the on-chain balances and timing as facts; the interpretation of those facts is left to readers and to the analytics firms we expect will examine the cluster.

A long-running infrastructure address (7Q5hoiFy3FJu…K4Dhn) shows continuous activity from April 2025 through February 2026, with multiple shared-batch touchpoints between the May-2025 sink cohort and the currently-active addresses above. The on-chain signature is consistent with a single coordinating actor across that period, though attribution of pseudonymous addresses to a single real-world entity is necessarily inferential.

The operator infrastructure is not historical. It is running right now. Two of the addresses from the May-2025 drain — the custom drainer router 6m2CDdh…kBma and the persistent fee wallet 9yj3zvLS…t7djXf — each emit more than 1,000 signed transactions per hour as of publication, queried directly against public Solana RPC at 2026-05-19. That is roughly 20 signed transactions per minute, on each of two cooperating addresses, sustained. This is not the throughput envelope of a one-off crew working through a stolen-key inventory at human pace. This is the throughput envelope of a productized, multi-tenant, SaaS-drainer infrastructure deployment earning per-swap commission across an actively-flowing victim pipeline. The router and fee wallet that processed the participant's drain on May 12, 2025 are the same router and fee wallet processing other people's drains right now.

The participant was not the only address in his batch. He was not the only victim that week. And he is not the only victim today. He was one row on a spreadsheet, processed in sequence with everyone else who got cycled through that day, and the spreadsheet is still being processed.


We checked the dust list. The operator drained at least four other wallets from it. Three of them before the call.

After mapping the May 11 dust event, we ran a direct cross-check: for each of the nineteen other wallets in that 20-recipient batch, we pulled signature history via Solana RPC (getSignaturesForAddress), restricted to the May 11 17:14 PT → May 16 wave window, sampled the first eight transactions per wallet, and fetched the full account key list of each tx via getTransaction. For each transaction we then checked whether any of its referenced account keys matched the operator's known drainer router 6m2CDdhRgxpH4WjvdzxAYbGxwdGUz5MziiL5jek2kBma or the operator's persistent fee wallet 9yj3zvLS3fDMqi1F8zhkaWfq8TZpZWHe6cz1Sgt7djXf — the two addresses already confirmed as having processed the participant's May 12 drain.

Four of the nineteen wallets matched. Plus the participant's, that's five out of twenty in the dust batch confirmed as routed through the same SaaS drainer infrastructure.

Co-victim wallet Operator-infra hits in sample First operator-infra contact (UTC) T-relative to dust Dsa5FBjVZ1ejqKoPgBw7qvv9xQtfc9CbfdJnyxMQAZY2 3× (router + fee wallet) 2025-05-12 04:27:16 T + 4h 13m 55GVfiNkTg9bHZ1BZg2VHedtM1vQ1G4EmcMX7E8QNZxf 2× (router + fee wallet) 2025-05-12 02:24:15 T + 2h 10m B1JSkgsNjDhp141nP7JjeZva1LtvRt1kFMGfN4kN4NKz 1× (router + fee wallet) 2025-05-12 02:39:23 T + 2h 25m 4CRkYKSG6jWG2swKRMbQ5KziVWDcpnnmRxFT8EzDXH2g 1× (router) 2025-05-13 15:09:02 T + 39h HeJkAGASQu8esawJyrEW4WFkdoqTpsZSGatkoFb4XqVa (participant) full drain via router + fee wallet 2025-05-12 18:45:43 T + 18h 31m

The number that matters most in that table is the participant's position in the timing column. He was not first. Three other dusted wallets had already been routed through the same drainer infrastructure by the time the participant woke up on the morning of May 12, 2025 — 55GVfiNk… and B1JSkgsN… were each touched by the operator's router and fee wallet within roughly two-and-a-half hours of the dust; Dsa5FB… followed two hours after that. By the time the participant joined the Despark Zoom call at approximately 10:00 AM PT, three other addresses from his recon batch were already inside the operator's drain pipeline. The call did not start the drain wave. The drain wave was already running.

The methodology has one important undercount caveat: we sampled the first eight wave-window signatures per wallet. Wallets with many more wave-window signatures than that — Dsa5FB… had 156, DSDpQ… had 127, EWFSQ… had 101, B1JSkgsN… had 375 — likely have additional operator-infra contacts in the unsampled tail. The four confirmed co-victims are a floor, not a ceiling. A full enumeration of every wave-window transaction across all nineteen wallets would almost certainly raise the confirmed count.

A second pattern emerged from the same sweep. The dusting wallet 5Hr7wZg7oBpVhH5nngRqzr5W7ZFUfCsfEhbziZJak7fr did not perform the May 11 recon as a one-shot. Five separate wallets in the original batch received a second touch from the same dust source at exactly 2025-05-12 12:07:49 UTC — 11 hours 53 minutes after the original recon — and at least one wallet (9h8D1cvgtc2YHdUsjr5uModAwAcdNbEYZC55D2jhmCMt) was touched two further times, on May 16 12:11 UTC and May 17 00:15 UTC. The dust source is running a periodic batch liveness probe across surviving recipients. Whatever its operational purpose — re-confirming target rent exemption before the next drain batch, or distinguishing drained-and-dormant from drained-and-still-funded — it is not a single recon event. It is a running cadence.

What this section establishes, beyond the participant's individual case, is that the May 11 dust batch was not a piece of behavioral context. It was the operator's working target manifest. The keys were already in the operator's inventory before the dust; the dust verified the targets were live; the drainer infrastructure cycled through the targets at a sustained per-batch pace over the following hours and days; and the participant's wallet was one row of twenty that got processed in sequence with everyone else's.

Read the full article at: https://www.rexintelservices.com/intel/consensys-funded-research-call-preceded-a-fully-automated-multi-chain-drain-the-8d6ffea02188c65b

How do you rate this article?

2


EcosystemNetwork.io
EcosystemNetwork.io

The Ecosystem Network is a social engineering platform that aims to create more human to human trust with cryptocurrency. We are based in the Bay Area, with offices in South Carolina and Upstate, NY. Launching on 7 chains and compatible with Meta Mask!


Market Speculation Investing With Homies
Market Speculation Investing With Homies

I write about stocks and crypto it's all i really know about.

Publish0x

Send a $0.01 microtip in crypto to the author, and earn yourself as you read!

20% to author / 80% to me.
We pay the tips from our rewards pool.