Title: Mapping the Underground: How Stolen Funds Are Laundered Through the Solana Ecosystem

Introduction

The Solana ecosystem, celebrated for its high-speed transactions and low costs, has rapidly become a magnet for both innovation and exploitation. As DeFi and NFTs flourish on Solana, malicious actors are also exploiting the network’s features to execute some of the most complex attacks in crypto and to launder the proceeds. The $1.5 billion Bybit hack is a case in point: tens of thousands of wallets, dozens of tokens, and multiple bridges were used in a vast web of obfuscation.

This report shines a light on how stolen funds are laundered through Solana. By detailing techniques, tracking funds, and labeling key wallet clusters, we aim to empower defenders with the intelligence necessary to act fast. This research isn’t theoretical—it’s practical. Understanding laundering playbooks enables us to freeze assets swiftly, design better monitoring tools, and proactively secure vulnerable protocols.


Chapter 1: Anatomy of a Web3 Exploit

All web3 exploits, across any blockchain, follow a similar pipeline:

  1. Funding – The attacker funds their wallets, often via mixers, stolen funds, or compromised accounts.
  2. Preparation – This may involve setting up phishing sites, malicious contracts, or exploiting known bugs.
  3. Execution – The actual attack is carried out.
  4. Exfiltration – The stolen assets are laundered and monetized.

This report zeroes in on the fourth stage: Exfiltration—the laundering and off-ramping of stolen assets on Solana.


Chapter 2: Why Solana Is Attractive to Launderers

Solana’s technical advantages also make it a haven for laundering: