Research on Internal Sniping Arbitrage Behavior in Solana Token Issuance

Summary

This report investigates a prevalent and highly collaborative meme Token farming model on Solana: Token deployers transfer SOL to "sniper wallets," enabling these wallets to purchase the Token within the same block when the Token goes live. By focusing on the clear and provable financial chain between deployers and snipers, we identify a set of high-confidence extraction behaviors.

Analysis shows that this strategy is neither an偶然 phenomenon nor marginal behavior. In just the past month, over 15,000 SOL in realized profits have been extracted through this method from more than 15,000 token issuances, involving over 4,600 sniper wallets and more than 10,400 deployers. These wallets exhibit an exceptionally high success rate of (87% in sniper profits ), clean and quick exit methods, and a structured operational pattern.

Key Findings:

• The sniper funded by the deployer has systematic, profitable, and usually automated features, with sniper activities being most concentrated during US working hours.
• The structure of multi-wallet farming is very common, often using temporary wallets and collaborative withdrawals to simulate real demand.
• The methods of obfuscation are constantly upgrading, such as multi-hop capital chains and multi-signature sniper trading, to evade detection.
• Although there are limitations, a jump fund filter can still capture the clearest and most repeatable large-scale "insider" behavior cases.
• This report presents an actionable heuristic method to help protocol teams and front-end developers identify, label, and respond to such activities in real time.

Although the analysis only covers a subset of block sniping behavior within the same area, its scale, structure, and profitability indicate that Solana token issuance is being actively manipulated by a collaborative network, while existing defenses are far from sufficient.

Methodology

This analysis aims to identify the behavior of collaborative meme Token farming on Solana, especially in cases where deployers provide funding to sniper wallets at the same block when the Token goes live. The issues are divided into the following stages:

1. Filter the same block sniping
2. Identify the wallet associated with the deployer
3. Relate Sniping to Token Profit
4. Measuring Scale and Wallet Behavior
5. Machine Activity Trace
6. Exit Behavior Analysis

Focus on the clearest threats

We first measured the scale of same-block sniping in token issuance, and the results were shocking: over 50% of the tokens were sniped at the block creation—same-block sniping has transformed from a fringe case to a dominant issuance model.

To reduce false positives and highlight genuine collaborative behavior, we have implemented strict filtering in the final metrics: only counting direct SOL transfers between the deployer before going live and the sniper wallets. This allows us to confidently identify: wallets directly controlled by the deployer; wallets acting under the deployer's direction; and wallets with internal channels.

Case Study 1: Direct Funding

The deployer wallet sends a total of 1.2 SOL to 3 different wallets, and then deploys the token. The 3 funded wallets complete the buyout within the same block as the token creation, ahead of broader market visibility. Subsequently, they quickly sell out for profit, executing a coordinated flash exit. This is a textbook example of pre-funding sniper wallets flushing agricultural tokens, directly captured by our funding chain method. Despite the simplicity of the maneuver, it has been staged on a large scale across thousands of issuances.

Case Study 2: Multi-hop Funding

A certain wallet is related to multiple token sniping activities. This entity did not directly fund the sniping wallet but instead transferred SOL through 5-7 intermediary wallets to the final sniping wallet, thereby completing the sniping within the same block.

Our existing approach only detects some preliminary transfers from the deployer and fails to capture the entire chain leading to the final target wallet. These relay wallets are often "one-time use", solely for transferring SOL, making it difficult to associate them through simple queries. This gap is not a design flaw but a trade-off of computational resources.

Discover

Focusing on the subset of "same zone sniping + direct capital chain", we reveal a broad, structured, and highly profitable on-chain collaborative behavior. The following data covers from March 15 to present:

1. Sniping that is funded by the deployer in the same block is very common and systematic.

• In the past month, over 15,000 tokens were directly targeted by investment wallets at the time of their listing on the blockchain.
• Involving over 4,600 sniper wallets and more than 10,400 deployers
• Account for approximately 1.75% of the token issuance volume

2. This behavior is highly profitable.

• Directly obtaining capital from the sniper wallet has achieved a net profit of >15,000 SOL
• Sniping success rate 87%, very few failed trades
• Typical single wallet earnings 1-100 SOL, a few exceeding 500 SOL

3. Repeated deployment and targeting the brushing farm network

• Many deployers use new wallets to batch create dozens to hundreds of Tokens.
• Some sniper wallets execute hundreds of snipes in a day.
• Observed a "central-radiation" structure: one wallet funds multiple sniper wallets, all targeting the same Token.

4. Sniping presents a human-centered time pattern

• Active peaks are from UTC 14:00 to 23:00; UTC 00:00 to 08:00 is almost at a standstill.
• Aligns with US working hours, indicating it is triggered manually/cron scheduled, rather than being fully automated 24 hours globally.

5. Confusing ownership between single-use wallets and multi-signature transactions

• The deployer injects funds into several wallets simultaneously and signs the sniper in the same transaction.
• These wallets will no longer sign any transactions.
• The deployer splits the initial purchase into 2-4 wallets to disguise real demand.

Exit Behavior

To gain a deeper understanding of how these wallets exit, we break down the data along two major behavioral dimensions:

1. Exit Speed ( Exit Timing ) - From first buy to final sell time
2. 卖出笔数(Swap Count) - 退出所用独立卖出交易数量

Data Conclusion

1. Exit speed

   • 55% of the sniper orders were sold out within 1 minute
   • 85% liquidated within 5 minutes
   • 11% completed within 15 seconds

2. Number of sales

   • Over 90% of sniper wallets only exit using 1-2 sell orders.
   • Rarely adopts progressive sell-off

3. Profit Trend

   • The most profitable is the wallet that exits in less than 1 minute, followed by less than 5 minutes.
   • Although holding for a longer time or selling multiple times results in slightly higher average profit per transaction, the quantity is extremely small, which has a limited contribution to total profit.

These patterns indicate that the sniper funded by the deployer is not a trading behavior, but rather an automated, low-risk extraction strategy:

• Buy early → Sell quickly → Completely exit
• A single sell represents indifference to price fluctuations, simply taking advantage of the opportunity to sell.
• A few more complex exit strategies are just exceptions, non-mainstream models.

Conclusion

This report reveals a continuous, structured, and highly profitable Solana token issuance arbitrage strategy: deployer-funded block sniping. By tracking the direct SOL transfers from deployers to the sniping wallets, we identified a batch of insider-style behaviors that leverage Solana's high throughput architecture for collaborative arbitrage.

Although this method only captures a part of the same block sniping, its scale and pattern indicate that this is not sporadic speculation, but rather operators with privileged positions, repeatable systems, and clear intentions. The importance of this strategy is reflected in:

1. Distort early market signals to make the Token appear more attractive or competitive.
2. Endangering Retail Investors - They become exit liquidity without knowing.
3. Undermine the trust in open token issuance, especially on platforms that prioritize speed and usability.

To alleviate this problem, what is needed is not only passive defense, but also better heuristics, front-end early warning, protocol-level safeguards, and ongoing efforts to map and monitor collaborative behaviors. Detection tools already exist—the question is whether the ecosystem is willing to truly apply them.

This report takes the first step: it provides a reliable and reproducible filter to identify the most obvious co-movement behaviors. But this is just the beginning. The real challenge lies in detecting highly obfuscated, constantly evolving strategies and building an on-chain culture that rewards transparency rather than extraction.