# RugTrace Investigation Report

![Case-level investigation graph](/case-reports/bonkfun-domain-drainer-2026-03/graph.svg)

## 1. Executive Summary
This report analyzes a case involving a reported frontend compromise and wallet drainer phishing incident associated with the BONK.fun domain. The investigation is based on a single normalized transaction and a case-level graph. The primary finding is one reported transfer of 50 SOL (or equivalent token units) from a victim wallet to a merged suspect entity. The fund flow in the provided data is minimal, and suspect-side movement beyond the initial receipt is not visible. The case matches several historical patterns from persistent memory, most notably "OTC Counterparty Risk" and "Protocol Exposure Cascade," but these matches rest on structural similarities in the graph rather than direct transactional evidence.

## 2. Input Transaction
- **Signature:** `case:bonkfun-domain-drainer-2026-03`
- **Block Time:** 2026-05-01T10:19:47.732Z
- **Signers:** `BONK.fun wallet drainer`
- **Native Transfers:**
    - From: `BONK.fun wallet drainer`
    - To: `Merged attack source`
    - Amount: 50
    - Symbol: `USD/SOL`
    - Reason: `reported frontend compromise / wallet drainer phishing`
- **Program Interactions:**
    - `BONK.fun warning source` (launchpad)
    - `Raydium` (dex)

## 3. Victim-Side Fund Flow
Based on the provided transaction and graph, the victim-side flow is a single transfer.
- **Source:** `BONK.fun wallet drainer` (Victim)
- **Destination:** `Merged attack source` (Suspect)
- **Amount:** 50 SOL/token units
- **Interpretation:** This transfer is reported as the result of a frontend compromise or wallet drainer phishing attack.

## 4. Suspect-Side Fund Flow
The suspect-side fund flow is not detailed in the provided data.
- **Initial Receipt:** The `Merged attack source` node received 50 SOL/token units from the victim.
- **Subsequent Movement:** No further transfers from the `Merged attack source` to other wallets are present in the provided graph edges or transaction data. The graph shows interactions with program nodes (BONK.fun warning source, Raydium, Wallet-drainer source), but these are labeled as "interaction" edges without associated transfer amounts or destinations.
- **Interpretation:** The suspect entity appears to be a terminal or aggregated node in this case-level graph. The lack of visible onward movement suggests either the data is incomplete, the funds were held, or the subsequent flow was not captured in the provided graph snapshot.

## 5. Wallets Involved
| Wallet ID | Label | Role | Risk Score | Notes |
| :--- | :--- | :--- | :--- | :--- |
| `victim-bonkfun-domain-drainer-2026-03` | BONK.fun wallet drainer | Victim | 0.35 | Case-level victim context. |
| `case-bonkfun-domain-drainer-2026-03` | Merged attack source | Suspect | 0.78 | Case-level aggregated node from reported suspicious flow. |
| `entity-bonkfun-domain-drainer-2026-03-0-bonk-fun-warning-source` | BONK.fun warning source | Program | 0.52 | Launchpad category; source article node. |
| `entity-bonkfun-domain-drainer-2026-03-1-raydium` | Raydium | Program | 0.52 | DEX category; ecosystem context. |
| `entity-bonkfun-domain-drainer-2026-03-2-wallet-drainer-source` | Wallet-drainer source | Suspect | 0.84 | Drainer behavior summary node. |

## 6. Evidence Table
| Signature | From | To | Amount | Token | Interpretation |
| :--- | :--- | :--- | :--- | :--- | :--- |
| `case:bonkfun-domain-drainer-2026-03` | `victim-bonkfun-domain-drainer-2026-03` | `case-bonkfun-domain-drainer-2026-03` | 50 | USD/SOL | reported frontend compromise / wallet drainer phishing |

## 7. Pattern Matches
The graph matched the following patterns from persistent memory. These matches are based on structural or contextual similarities and are not direct evidence of identical activity.

| Pattern ID | Label | Similarity | Confidence | Evidence from Graph |
| :--- | :--- | :--- | :--- | :--- |
| `memory_cmomib55r000l7k9gp9wg7r9l` | Split-and-Scatter Exit | 0.52 | 0.52 | known Solana program interaction is present in the graph; large single-hop movement of 50.000 SOL/token units |
| `case_memory_meteora-otc-scam-2026-04` | OTC Counterparty Risk | 0.83 | 0.83 | known Solana program interaction is present in the graph |
| `pattern_fast_fund_launch_drain` | Fast Fund -> Launch -> Drain | 0.56 | 0.56 | known Solana program interaction is present in the graph |
| `case_memory_carrot-drift-exposure-2026-04` | Protocol Exposure Cascade | 0.80 | 0.80 | known Solana program interaction is present in the graph |
| `case_memory_hawk-tuah-2024` | Fast Fund -> Launch -> Drain | 0.71 | 0.71 | known Solana program interaction is present in the graph |

## 8. Confidence and Limitations
- **Confidence:** Low to Medium. The core fund movement (50 SOL) is a reported fact, but the overall investigation is limited.
- **Limitations:**
    1.  **No Verified Transaction Signature:** The transaction signature `case:bonkfun-domain-drainer-2026-03` is a case identifier. No reviewed, on-chain Solana transaction signature is attached for independent verification.
    2.  **Case-Level Graph:** The graph combines source-reported entities with candidate transaction fixtures. The `Merged attack source` is a synthetic node aggregating reported flow, not a single, verified wallet.
    3.  **Minimal Fund Flow:** Only one transfer is documented. The suspect-side flow is absent, preventing analysis of fund layering, mixing, or cash-out.
    4.  **Pattern Match Basis:** Pattern matches rely on the presence of known program interactions and a large single-hop transfer, which are broad characteristics. They do not confirm the specific modus operandi of the matched cases.
    5.  **Metadata Interpretation:** Labels like "victim" and "suspect" are assigned based on case-level context provided in the graph metadata, not solely from the transaction data.

## 9. Suggested Next Steps
1.  **Obtain Original Transaction Signature:** Locate and analyze the actual on-chain transaction signature corresponding to the reported 50 SOL transfer to verify the details and trace any subsequent hops.
2.  **Analyze Merged Attack Source:** Investigate the `Merged attack source` node. If it represents a cluster of wallets, identify the individual addresses and analyze their full transaction history for fund consolidation, splitting, or interaction with mixers/bridges.
3.  **Cross-Reference with Other Reports:** Correlate this case with other reports of BONK.fun domain phishing to identify common destination wallets or drainer contract addresses.
4.  **Review Program Interactions:** Examine the specific program calls made in the transaction (e.g., to Raydium) to understand the exact nature of the interaction (e.g., swap, liquidity removal) that may have occurred after the drainer script executed.
5.  **Expand Graph Depth:** If a valid transaction signature is found, perform a deeper graph analysis (beyond depth 3) to map the full fund dispersal network from the suspect wallets.