Title: Analysis: Link Between “Sol” and GCR Hack Revealed
Last weekend, the X account of GCR (@GCRClassic) was hacked and used to post “pump and dump” messages about ORDI and ETHFI, causing significant volatility in their market prices. Through on-chain analysis, ZachXBT has discovered a potential connection between this hack and the development team behind the meme token CAT on the Solana network.
Minutes before the hack, an address associated with the “Sol” team opened long positions on Hyperliquid worth $2.3 million in ORDI and $1 million in ETHFI.
Let’s dive into the analysis.
According to Lookonchain, a blockchain analysis service, the “Sol” team was previously suspected of manipulating their own meme token CAT, controlling 63% of the token supply. They have since cashed out over $5 million, dispersing the profits across multiple addresses.
One of these addresses, 6M54xEUamVAQVWPzThWnCtGZ7qznomtbHTqSaMEsUHPF, received approximately 15,000 SOL (worth about $2.5 million). On May 25, funds were deposited into KuCoin (about 4,800 SOL) and MEXC (about 4,800 SOL and $1.4 million). Interestingly, shortly after these deposits on Solana, there were two withdrawal transactions from KuCoin and MEXC on Ethereum and Arbitrum, with withdrawal amounts similar to the deposits. The relevant addresses are:
0x23bcf31a74cbd9d0578bb59b481ab25e978caa09
0x91f336fa52b834339f97bd0bc9ae2f3ad9beade2
On May 25, at 5:22 PM UTC, the address starting with 0x23bc transferred $650,000 worth of USDC to the address 0x5e3edeb4e88aafcd1f9be179aa6ba2c87cbbadc8. The funds were then deposited into Hyperliquid for contract trading. Subsequently, between 5:45 PM and 5:56 PM on May 26, the address starting with 0x5e3 opened a long position on Hyperliquid with $2.3 million worth of ORDI.
At 5:55 PM on May 26, GCR’s X account posted a message about ORDI (“Bullish on and heavily invested in ORDI”), causing a short-term surge in ORDI’s price. The address starting with 0x5e3 closed its position between 5:56 PM and 6:00 PM, making a profit of approximately $34,000.
At 5:58 PM on May 26, GCR confirmed in a post from another X account that their main account had been hacked.
Between 7:04 PM and 7:12 PM on May 26, the hacker repeated their actions. The address starting with 0x5e3 opened a long position on Hyperliquid with $1 million worth of ETHFI. At 7:12 PM, using the compromised GCR account, the hacker posted another “pump and dump” message about ETHFI. However, this time the market seemed to be more cautious, and ETHFI did not replicate the price surge seen with ORDI. Between 7:16 PM and 7:45 PM, the address starting with 0x5e3 was forced to close the position, resulting in a loss of approximately $3,500.
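The timing pattern in the timeline above (a position opened minutes before a post about the same asset and closed shortly after it) can be checked mechanically. The following Python is an added example, not ZachXBT's or Lookonchain's tooling; the function names, the 15-minute and 60-minute thresholds, and the all-day control position are assumptions made for illustration.

```python
from datetime import datetime, timedelta

def t(hhmm):
    # Every event in the article falls on May 26, so only time of day is modelled.
    return datetime.strptime(hhmm, "%H:%M")

# Times and PnL transcribed from the article, except the last row, which is a
# constructed control (a long held all day) that must not be flagged.
POSITIONS = [
    dict(asset="ORDI", open_start=t("17:45"), close_end=t("18:00"), pnl_usd=34_000),
    dict(asset="ETHFI", open_start=t("19:04"), close_end=t("19:45"), pnl_usd=-3_500),
    dict(asset="ORDI", open_start=t("09:00"), close_end=t("23:00"), pnl_usd=0),
]
POSTS = [dict(asset="ORDI", at=t("17:55")), dict(asset="ETHFI", at=t("19:12"))]

def minutes(delta):
    return int(delta.total_seconds() // 60)

def flag_pre_positioned(positions, posts, max_lead=timedelta(minutes=15),
                        max_exit=timedelta(minutes=60)):
    """Return (asset, lead_min, exit_min, pnl_usd) for each position opened
    shortly before a post about the same asset and closed shortly after it.
    The two thresholds are assumed values, not taken from the article."""
    hits = []
    for post in posts:
        for pos in positions:
            if pos["asset"] != post["asset"]:
                continue
            lead = post["at"] - pos["open_start"]      # how early the position was opened
            exit_lag = pos["close_end"] - post["at"]   # how soon after the post it was fully closed
            if timedelta(0) <= lead <= max_lead and timedelta(0) <= exit_lag <= max_exit:
                hits.append((pos["asset"], minutes(lead), minutes(exit_lag), pos["pnl_usd"]))
    return hits

def net_pnl(hits):
    # Combined result of the flagged trades, in USD.
    return sum(h[3] for h in hits)

if __name__ == "__main__":
    hits = flag_pre_positioned(POSITIONS, POSTS)
    for asset, lead, exit_lag, pnl in hits:
        print(f"{asset}: opened {lead} min before post, closed within {exit_lag} min after, PnL ${pnl:,}")
    print(f"net: ${net_pnl(hits):,}")
```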
Based on the data, the hacker’s profit from the two manipulation transactions was only around $30,000, and one of them even ended in a loss. This seems to be lower than what many would have speculated.
It is worth mentioning that ZachXBT had previously alerted the market to suspicious behavior by the “Sol” team, which led to mockery from the CAT token community when the price briefly surged (with a 75% decrease in the last 24 hours). Seizing this opportunity, ZachXBT couldn’t resist a bit of irony and concluded with the statement, “From their peculiar actions, it is evident that the hacker lacks intelligence.”