On-chain investigator Specter (@SpecterAnalyst) has traced the hacks of three high-profile X accounts — Roaring Kitty (Keith Gill), Matt Furie (Pepe the Frog creator), and WinRAR — to the same threat group, uncovering wallets holding over $14 million in profits from a systematic operation spanning bundled token launches, account compromises, and cross-chain laundering.
The investigation maps fund flows across five chains—Solana, BNB Chain, Ethereum, Tron, and Hyperliquid—and connects the group to a 2024 phishing attack that drained $2.45 million in wstETH from a single victim, significantly expanding the known scope of the operation beyond the three high-profile X account hacks.
The Roaring Kitty Hack: $600K+ in 30 Minutes
On May 11, Keith Gill’s verified Roaring Kitty X account — dormant for 16 months and followed by 1.6 million users — suddenly posted a Pump.fun contract address for a Solana memecoin called Red Kitten Crew ($RKC) alongside a cartoon clip of a cat in a red bandana.
The token surged to a $12 million market cap within 20 minutes. Both posts were deleted within an hour. GameStop stock briefly spiked 13% before erasing all gains. Gill has not publicly addressed the incident.
Specter identified 11 hacker wallet addresses that executed the attack. The developer spent just 20 SOL ($1,950) across 10 wallets to acquire 395.18 million RKC tokens—39.52% of the total supply—then dumped the entire position for 5,071 SOL ($495,000). An additional 1,209 SOL ($118,000) was collected in Pump.fun creator fees. Total profit: $600,000+.
The laundering trail was immediate. $220,000 was bridged and swapped via Wagyu into XMR1 on Hyperliquid—a privacy-preserving route designed to break the on-chain trail. Another $4,000 was bridged to two Tron wallets.
Connecting the Three Hacks
Specter’s critical finding is the on-chain link between all three account compromises.
One of the RKC bundled wallets (2FYLb) bridged in $10,000 from BNB Chain from a wallet previously used to receive fees for a Pepe token launched through bnbshare[.]fun during the April 14 Matt Furie X account compromise. This single transaction links the Roaring Kitty and Matt Furie hacks to the same wallet cluster.
During the Matt Furie hack, the compromised account posted, claiming the creator had been “hacked by some Solana douchebags,” and launched a BNB Chain Pepe token with a 2% tax—a scam token deployed through bnbshare[.]fun. The BscScan data shows the deployer wallet was funded by KuCoin 100 days prior, suggesting premeditation. In a separate post from the compromised account, the hacker wrote: “dude actually just buy $PEPE on BAGS,” and shared a contract address, adding, “I need fees to escape guantanamo ong. help me out.”
The WinRAR (@WinRAR_RARLAB) hack on May 4 follows the same pattern. The compromised account posted, “Thank you @finnbags for helping us claim our fees” alongside a Solana contract address. Specter traced the second Tron wallet (TGX2E) used in the Roaring Kitty laundering chain to the fee wallet of the Solana Pepe token launched via @BagsApp during the Matt Furie compromise—and also to the WinRAR fee-claiming wallet, tying all three hacks to the same group.
The bnbshare[.]fun Connection and @aliasbacardi
Specter identified bnbshare[.]fun — a BNB Chain token launchpad — as a key piece of infrastructure. The platform was developed by @aliasbacardi and launched the token $SHARE. Fees from $SHARE were routed to wallet 0x4FC8…7257.
That same fee wallet bridged out $237 to the Solana wallet G9XSs…XBcD, which links directly to the Roaring Kitty hacker’s wallets. Specter noted that after checking @aliasbacardi’s profile, all posts had been deleted, though replies confirm activity as recently as May 6.
“This only points to one thing: @aliasbacardi either knows or is part of the threat group behind these hacks and launches,” Specter concluded.
$14 Million+ in Bundled Token Profits
The investigation goes far deeper than the three X account hacks. Specter traced the linked Solana wallets to a systematic bundled token operation that has generated eight figures in total profits.
The Tron wallet TK5Z used in the Roaring Kitty laundering chain had previously bridged $46,000 from Ethereum on March 26. Tracing that chain back linked it to an Ethereum wallet (0xE443…804c) and a Solana wallet (ERaq…GHBR) that connect to multiple addresses previously used to deploy and bundle tokens, including $USOR, $VDOR, $DROID, $WCOR, $UGOR, and others.
$USOR briefly hit a $200 million market cap before being rugged. $VDOR peaked at $45 million before the same fate. Specter published 12 Solana wallet addresses holding $14 million+ in profits from these launches.
“These tokens were heavily promoted by cheap KOLs across Telegram, X, Instagram, TikTok, and YouTube, with many of the same KOLs shilling every launch,” Specter wrote. “Looking at the charts should make it obvious these were bundled scam launches, yet cheap KOLs continued shilling them and using followers as exit liquidity.”
The cross-chain bridge data shows the group routinely moved funds between Solana, Ethereum, BNB Chain, and Tron — converting between SOL, ETH, USDT, USDC, and XMR to obscure the trail. One wallet converted 475.11 XMR1 ($188,364) on Hyperliquid on May 11 — the same day as the Roaring Kitty hack.
The 2024 Phishing Link
Specter’s deepest trace connects the group to a 2024 phishing attack. The threat group transferred funds to wallet D3xcYvt on Solana on March 8, 2026. That wallet bridged $355,000 to Ethereum wallet 0x4De0…718B, with $345,000 sent to an OTC wallet and $10,000 transferred to 0x6AB5…e148.
Five hours before that $10,000 transfer, the receiving wallet had received 1.09 ETH from wallet 0x49ad…5fD—labeled “Fake phishing” on Etherscan. That wallet is directly linked to a malicious signing attack flagged by Scam Sniffer in December 2024 that caused a victim to lose $2.45 million worth of wstETH through a fraudulent “permit” signature.
This connection extends the threat group’s known activity from bundled memecoin launches and account hacking into sophisticated DeFi phishing—suggesting a diversified criminal operation rather than a single-vector attack group.
The Laundering Infrastructure: Five Chains, One Pipeline
Specter’s fund flow analysis reveals a sophisticated multi-chain laundering infrastructure designed to fragment the trail across as many networks as possible.
From the Roaring Kitty hack alone, profits were dispersed across Solana (initial extraction), BNB Chain (bridged funds linking to Matt Furie hack), Tron (two wallets receiving bridged funds), Ethereum (historical bridge activity), and Hyperliquid ($220K converted to XMR1 via Wagyu). The Tron wallet TK5Z had previously bridged in $46,081.70 in USDT from Ethereum two months before the hack—suggesting pre-positioned laundering infrastructure.
The Solana wallet ERaq…GHBR shows a systematic pattern of converting between assets: 0.3 SOL to 0.0121 ETH, 9.97 ETH to 229.99 SOL, 25,000 USDT to 24,972 USDC, 10,000 USDT to 113.67 SOL, 160,000 USDC to 159,940 USDT, and 100,000 USDC to 100,026 USDT — all executed within a three-month window. This volume of cross-chain swapping is consistent with an operation actively managing and distributing proceeds across networks.
The Infrastructure of Celebrity Account Exploitation
The investigation reveals an industrialized pipeline: compromise high-follower accounts, deploy pre-bundled tokens on Pump.fun or bnbshare[.]fun, extract maximum value in the 20–30 minute window before posts are deleted, and then launder through cross-chain bridges to Tron and privacy assets on Hyperliquid.
The Roaring Kitty hack is the highest-profile instance, but it is one node in a network that has compromised at least three major accounts in a five-week span, launched dozens of bundled scam tokens, accumulated $14 million+ in identified wallets, and maintained operational infrastructure dating back to phishing attacks in 2024.
No arrests have been announced. @aliasbacardi’s account has been wiped. Keith Gill, Matt Furie, and WinRAR have not publicly commented on Specter’s investigation linking the three hacks.
Also Read: Chainalysis Traces THORChain Hacker’s Pre-Attack Monero-Hyperliquid Trail
