Serial Ruggers: How to Identify Wallets Behind Multiple Failed Solana Projects

The operator behind a new scam is often the same as behind the last one

One of the most underappreciated risks in the Solana ecosystem is not the first-time scammer — it's the professional one. Serial ruggers are operators who have launched multiple scam token projects, drained liquidity each time, and repeated the process under new identities, new token names, and new project narratives. They've optimized the process over dozens of operations. They know how to generate enough initial interest to attract capital, how to maintain plausible deniability during the promotion phase, and exactly when to exit before community backlash becomes overwhelming. Because they operate pseudonymously and change project names, many buyers never realize they're dealing with someone who has already rugged them — or someone in their wallet's community — multiple times.

But blockchain transparency works both ways. The same immutable ledger that cannot be altered also cannot hide on-chain behavior, and serial ruggers consistently leave traceable fingerprints at the wallet and domain level that can be detected with the right tools.

---

Wallet-level detection: tracing the deployer

Every Solana token has a deployer wallet — the address that created the token program and often the first address to hold a significant amount of supply. This wallet's history is permanently recorded on-chain and is the primary forensic entry point for serial rugger detection.

The detection process on Solscan:

1. Find the token's creation transaction (search the mint address, look for the "Token Created" transaction in the earliest records)
2. Open the deployer wallet address
3. Review its complete transaction history, starting from the oldest records
4. Look for: other token program deployments, interactions with other liquidity pools, patterns of rapid LP addition and removal (the rugpull signature), and funding connections to wallets that were themselves deployers of other tokens

A deployer wallet with a history of 5–10 token deployments followed by liquidity drain events is a serial rugger's wallet. The current token is simply the next operation in a consistent pattern.

---

The funding chain: going up the tree

Experienced serial ruggers often use fresh wallets for each project — wallets with no visible history that appear legitimate. The trace goes up the funding chain: what wallet funded the deployer's initial SOL? Where did that wallet's SOL come from? Following this chain often connects a "new" deployer wallet to a network of previously-used wallets with documented rugpull history.

Tools that facilitate this analysis: Solscan's transaction graph (manually followable), and on-chain analytics platforms like Bubblemaps.io, which visualize token holder relationships and funding chains graphically.

---

Domain-level detection: what Hannisol's WHOIS system catches

Beyond on-chain wallet traces, serial ruggers often reuse domain registration patterns, hosting providers, or website templates. Hannisol's RDAP/WHOIS integration checks every project domain in its database and maintains pattern records. When a new token appears with a domain registered through the same registrar, on the same hosting infrastructure, with the same privacy protection settings as multiple prior confirmed rugpull projects, this pattern constitutes meaningful evidence of a repeat operator.

The domain age check (flagging domains registered in the last two weeks) is the baseline. The pattern-matching component — identifying stylistic, technical, or registrar-level similarities to known rugpull sites — is the advanced layer that catches serial operators even when they use new domain names.

---

What to do when you detect a serial rugger

If your research identifies a match between a new project's deployer wallet and documented prior rugpulls, the appropriate action is clear: do not buy, regardless of the project's marketing, community excitement, or apparent momentum. There is no scenario in which knowingly buying into a serial rugger's operation is a rational decision. Additionally, consider reporting the pattern to the communities where the project is being promoted — documenting the specific on-chain connection between the new deployer wallet and prior rugpulls provides the community with verifiable, falsifiable evidence rather than speculation. Hannisol's flagging system automatically incorporates documented serial rugger wallet addresses into its risk scoring for any token those wallets deploy.

Run a full analysis — including deployer wallet intelligence — for any Solana token at Hannisol.