u/AlgonikHQ

I run automated trading bots on Solana — memecoin sniper, scalp scanner — been running for months with a decent track record.
Woke up this morning to find my wallet completely empty. Here’s exactly what happened, with full on-chain evidence, so others can protect themselves.

What I noticed first
My bot’s hourly snapshot showed all positions as “done” — BONK, PENGU, MEW, WIF all exited. Normal enough, the staircase TP system had fired overnight. But my SOL balance was showing near zero when it should have been around £57-68 worth of SOL sitting idle between trades.
Checked Solscan on my wallet B679niFFxdhs14zUxe65ZKHhSxEXJJmMaMWZMgUqPw1p and found this sequence of transactions at around 21:53 UTC on May 4 2026:

The attack — exact on-chain sequence

Step 1 — SET AUTHORITY calls (the silent part)
Four transactions transferred authority over my token accounts to an unknown address 76XgWFGyVmqVx2QvdXz1:
• MEW — 15,536 tokens (~$9.43)
• WIF — 35.7 tokens (~$6.85)
• PENGU — 800 tokens (~$8.09)
• BONK — 1,555,030 tokens (~$9.76)
This happened silently. No popup, no confirmation I remember seeing. The attacker now controlled those token accounts.

Step 2 — SOL transfer (the drain)
Transaction 3nTzLAXT2fDe292jP4uizrmc6D75qvMRUu5UrDbDsbBFQW4VonwfmWzcZinse67MBc1aC9ibQ7adPMC68TZ8V7BW
Sent 0.802466936 SOL ($68) from my wallet directly to Avdnjm8cvsSzGXmLvZgwmzD2bnTPgX9Ts2rGtd6pNhNd
Gone within seconds. Finalized, confirmed, irreversible.

Step 3 — CLOSE ACCOUNT calls
Multiple closeAccount transactions sent small SOL rent reclaims to 6F3FAgjQLewG3LFbDuxJ — this is standard Jupiter cleanup but happened immediately after the drain, making the timeline look messier than it was.

The attack vector — tPEG
About 10 minutes before the drain, my wallet shows multiple Jupiter swaps involving a token called tPEG via Raydium. I did not consciously buy tPEG. I did not click any links, visit any sites, or approve any airdrops that I’m aware of.

The tPEG token does not appear anywhere in my bot’s codebase. My bot only trades tokens it discovers via DexScreener signals — but tPEG appearing in my wallet suggests either:
1. A malicious transaction was bundled into a legitimate-looking swap I approved without realising
2. My private key was used directly to execute the transaction without my interaction
The tPEG swap routed through Raydium Authority V2 — consistent with what security researchers describe as the drainer’s automated liquidation pipeline, converting stolen tokens to SOL before the final sweep.

The security failure on my end
I’ll be transparent about this because it’s important for others to learn from.
My Solana private key was stored as a plaintext environment variable exported in /root/.bashrc on my VPS. It was also visible in env output. While my server login history showed only my own IP addresses, the key’s exposure in shell environment meant any process running on that server could theoretically read it via /proc.
This is a serious operational security failure. The key should only ever live in a .env file with chmod 600 permissions, never exported as a shell variable.

Full attack pattern — what this looks like on-chain
If you’ve been hit by something similar, look for these signatures in your Solscan transfer history:
• SET AUTHORITY transactions you don’t recognise, transferring token account control to an unknown address
• A large outbound TRANSFER of SOL to an unfamiliar wallet immediately after
• CLOSE ACCOUNT transactions in bulk shortly after
• Unknown token (in my case tPEG) appearing via Raydium/Jupiter swaps just before the drain
This matches the documented “Owner Reassignment” drainer pattern that security researchers flagged as increasingly common in early 2026. The attack bundles a hidden setAuthority instruction into what looks like a routine token swap. Your wallet simulation may show it as benign.

What I’ve done since
• Old wallet fully abandoned — treat it as compromised
• New Phantom wallet generated, fresh seed phrase, written on paper only
• Private key moved to .env file only, chmod 600, removed from all shell config
• Token allowlist being added to bot — only pre-approved contract addresses tradeable
• Bot wallet will be topped up in small amounts only — never hold more than you’re willing to lose in a hot wallet

Attacker addresses for the community to flag
• Drain recipient: Avdnjm8cvsSzGXmLvZgwmzD2bnTPgX9Ts2rGtd6pNhNd
• Token authority transfer target: 76XgWFGyVmqVx2QvdXz1
• Drain tx: 3nTzLAXT2fDe292jP4uizrmc6D75qvMRUu5UrDbDsbBFQW4VonwfmWzcZinse67MBc1aC9ibQ7adPMC68TZ8V7BW

If you’ve seen these addresses before or have been hit by tPEG, please comment below. Tagging u/zachxbt if he’s tracking this drainer family.

TL;DR: Woke up to empty Solana wallet. On-chain forensics showed a setAuthority drainer attack via a token called tPEG. 0.8 SOL (~£68) gone. Private key exposure in .bashrc was likely the vector. Full addresses posted above — stay safe out there.

u/AlgonikHQ — 17 days ago
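The on-chain signatures listed in the post above (owner reassignment, then an outbound SOL transfer, then closeAccount calls) can be checked mechanically. This is an added example, not code from the post or from the author's repositories. It assumes instructions in the shape Solana JSON-RPC `getTransaction` returns with `jsonParsed` encoding; every address is a constructed placeholder and the 300-second window is an arbitrary choice.

```python
def classify(ix, wallet, known):
    """Label one jsonParsed instruction, or return None if it is not of interest."""
    parsed = ix.get("parsed")
    if not isinstance(parsed, dict):  # program the RPC node could not decode
        return None
    info, kind, prog = parsed.get("info", {}), parsed.get("type"), ix.get("program")
    new = info.get("newAuthority")
    if (prog, kind) == ("spl-token", "setAuthority"):
        # Ownership of a token account handed from our wallet to an unknown address.
        if (info.get("authorityType") == "accountOwner"
                and info.get("authority") == wallet and new and new not in known):
            return "owner_reassigned"
    elif (prog, kind) == ("system", "transfer"):
        if info.get("source") == wallet and info.get("destination") not in known:
            return "sol_out_unknown"
    elif (prog, kind) == ("spl-token", "closeAccount"):
        return "close_account"
    return None

def scan(events, wallet, known, window_s=300):
    """events: (block_time, instruction) pairs. Summarise reassign-then-drain activity."""
    hits = {"owner_reassigned": [], "sol_out_unknown": [], "close_account": []}
    for ts, ix in sorted(events, key=lambda e: e[0]):
        label = classify(ix, wallet, known)
        if label:
            hits[label].append((ts, ix["parsed"]["info"]))
    reassigned = hits["owner_reassigned"]
    # SOL sent to an unknown address within window_s seconds after a reassignment.
    drained = [info for ts, info in hits["sol_out_unknown"]
               if any(0 <= ts - t0 <= window_s for t0, _ in reassigned)]
    return {
        "reassigned_accounts": [i.get("account") for _, i in reassigned],
        "new_authorities": sorted({i["newAuthority"] for _, i in reassigned}),
        "lamports_out": sum(int(i.get("lamports", 0)) for i in drained),
        "closes": len(hits["close_account"]),
        "matches_pattern": bool(drained),
    }

# Constructed sample history; every address is a placeholder, not a real account.
W, KNOWN = "MY_WALLET", {"MY_WALLET", "MY_EXCHANGE_DEPOSIT"}
def _ix(prog, kind, **info):
    return {"program": prog, "parsed": {"type": kind, "info": info}}
SAMPLE = [(500, _ix("system", "transfer", source=W,
                    destination="MY_EXCHANGE_DEPOSIT", lamports=10_000_000))]
SAMPLE += [(1000 + n, _ix("spl-token", "setAuthority", account=f"ATA_{n}", authority=W,
                          authorityType="accountOwner", newAuthority="UNKNOWN_A"))
           for n in range(4)]
SAMPLE += [(1010, _ix("system", "transfer", source=W, destination="UNKNOWN_B", lamports=802_466_936)),
           (1015, _ix("spl-token", "closeAccount", account="ATA_9", destination="UNKNOWN_C", owner=W))]
RESULT = scan(SAMPLE, W, KNOWN)
```

A transfer to an address in `known`, or one that precedes any reassignment, does not count toward `matches_pattern`.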
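The key-storage failure the post describes (a key exported from .bashrc and visible in `env`, versus a .env file with chmod 600) can be audited on the host before a bot starts. This is an added example, not the author's code; the variable name `BOT_WALLET_KEY` and the file layout built in `demo()` are hypothetical and constructed.

```python
import re
import stat
import tempfile
from pathlib import Path


def audit_secret(env_file, var, rc_files, environ):
    """Return a list of findings for secret `var`; an empty list means none found."""
    findings = []
    env_path = Path(env_file)
    mode = stat.S_IMODE(env_path.stat().st_mode)
    if mode & 0o077:  # any group/other permission bit is set
        findings.append(f"{env_path.name}: mode {mode:03o} is accessible beyond the owner")
    if var in environ:  # exported by the shell, so inherited by every child process
        findings.append(f"{var} is exported in the environment")
    assign = re.compile(rf"^\s*(?:export\s+)?{re.escape(var)}=", re.MULTILINE)
    for rc in map(Path, rc_files):
        if rc.is_file() and assign.search(rc.read_text(errors="replace")):
            findings.append(f"{rc.name}: assigns {var}")
    return findings


def demo():
    """Build a constructed 'before' and 'after' layout in a temp dir and audit both."""
    var = "BOT_WALLET_KEY"  # hypothetical variable name
    with tempfile.TemporaryDirectory() as tmp:
        env_file, bashrc = Path(tmp, ".env"), Path(tmp, ".bashrc")
        # Before: key exported from .bashrc and a world-readable .env.
        env_file.write_text(f"{var}=CONSTRUCTED_PLACEHOLDER\n")
        env_file.chmod(0o644)
        bashrc.write_text(f"alias ll='ls -l'\nexport {var}=CONSTRUCTED_PLACEHOLDER\n")
        before = audit_secret(env_file, var, [bashrc], {var: "CONSTRUCTED_PLACEHOLDER"})
        # After: key only in .env with mode 600, nothing exported.
        env_file.chmod(0o600)
        bashrc.write_text("alias ll='ls -l'\n")
        after = audit_secret(env_file, var, [bashrc], {"HOME": "/root"})
    return before, after
```

On a real host, pass the environment of a fresh login shell as `environ` and the shell startup files (for example /root/.bashrc) as `rc_files`.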

Been building algo systems for around a year now. UK-based, no formal coding background, picked it all up through AI-assisted development and a lot of broken services at 2am.

Running 4 bots live, all on a Hetzner Ubuntu 24.04 VPS, all systemd services.
Whole stack is open source.
This is the technical write-up. If you want the lifestyle/FIRE framing I post that elsewhere. Here it’s the build.

Stack overview
• VPS: Hetzner CPX11, Ubuntu 24.04
• Language: Python 3.12 across all bots
• Deployment: systemd units, Restart=always, journalctl + dedicated log files per service
• Repos: github.com/AlgonikHQ (trading-stack, statiqfc, 90minWaffle)

  1. OANDA forex bot (live)
    Repo: AlgonikHQ/trading-stack/oanda-bot
    Account: spread betting (UK, 100% CGT and income tax free on profits), 30:1 leverage.
    • Strategy: trend-following on M15. Entry stack = EMA 9/21 alignment + RSI + MACD histogram + ADX floor of 18 + price above/below EMA 21
    • 9 instruments: EUR_USD, GBP_USD, USD_JPY, AUD_USD, USD_CAD, NZD_USD, EUR_GBP, EUR_JPY, GBP_JPY
    • Exit: R-based staircase. TP1 = 0.75R (25% close), TP2 = 1.5R (25%), TP3 = 2.5R (25%), final 25% trails
    • Position sizing: live unit re-fetch from OANDA before every order (fixed a UNITS_INVALID bug that was killing entries)
    Open issue I’m tracking: GBP_JPY missed-entry case where EMA stack was 4/4 bullish, MACD/RSI/price>EMA21 all aligned for 40+ minutes, but ADX stuck between 8 and 10 against the 18 floor. Considering a secondary entry path with quarter-Kelly sizing at ADX≥12 if 3+ confirmation bars align. Won’t change settings until several weeks of live data are in.
    Roadmap: VIX1D filter for high-uncertainty sessions (CBOE has free historical data), M15 candle audit around news events.

  2. Solana sniper (live)
    Repo: AlgonikHQ/trading-stack/solana-sniper
    Files: scanner.py (main), filters.py, config.py, jupiter_swap.py, deployer_blacklist.json. Runs as solana-sniper.service.
    • Filters live: honeypot, market cap, liquidity, age, volume, momentum, holder concentration, bundle wallet detection, cross-bot dupe prevention, pre-entry liquidity drain watchdog, post-entry LP watchdog (LIQUIDITY_DROP_THRESHOLD = 0.20), deployer blacklist that auto-populates on confirmed rugs, GMGN integration
    • Sells: rug detection v3, staircase v1, peak chase v2, trail stop logic
    • Stake: Kelly-sized per entry
    Roadmap:

    1. Name/ticker blacklist (regex in filters.py, auto-log losers)
    2. Smart money wallet tracker (monitor known wallets, alert-only first, copy-trade Phase 2)
    3. Raydium direct integration as Phase 2 execution fallback. Jupiter often misses tokens in the first few blocks. Direct Raydium SDK calls should lift hit rate from ~20-30% to ~70-80%

  3. OSC scalper (live)
    Repo: AlgonikHQ/trading-stack/solana-sniper (same dir, separate service)
    Files: scalp_scanner.py, osc_watchlist.json, scalp_balance.json. Runs as scalp-sniper.service.
    • Pure staircase sell manager, no buying logic. I add coins manually via osc_add_coin.py
    • Watchlist: BONK, WIF, POPCAT, PENGU, MEW
    • Staircase: +20% / +40% / +75% / +120% / +200% / +400%
    • Hot-reloadable watchlist via osc_watchlist.json
    • TP1 fired on all 5 launch coins on day one
    Logs to /var/log/scalp_sniper.log (stdout) and /var/log/scalp_sniper.py.log (stderr). Sniper logs to /var/log/solana_sniper.log. Sniper log uses timestamps only with no date strings, so grep needs LIVE BUY / TP / STOP / RUG / P&L patterns rather than date filters.

  4. StatiqFC football tipping bot (live)
    Repo: AlgonikHQ/statiqfc
    Service: statiqfc.service.
    • Posts public results and transparency to @StatiqFCpicks
    • Two-tier architecture: public channel (results only) and VIP channel (live edge alerts, skip notices, deep dives)
    • Founding Member framing: free during build phase, paid after the unlock threshold. Founding members keep free access for life
    • Current checks: BTTS, CS_HOME, OVER25 on combined form
    • Discord webhook integration via send_discord_bets()
    • Bug history worth noting: post_ft_results() was never being called in the main loop, get_alltime_stats import was missing. Both fixed.
    Roadmap:

    1. Home/away form split
    2. Understat xG scraper
    3. The Odds API gate (>1.70 only)
    4. Standings via football-data.org
    5. FBref scraper
    6. Referee JSON layer

Critical workflow rule I follow on every change
Before any code change to a live bot file:
1. Stop all services together
2. Backup every file being changed with .bak suffix
3. Make changes
4. Verify output looks correct
5. Syntax check with python3 -m py_compile
6. Restart services
Skipping any step has bitten me. I do not skip steps even when I’m tired.

Why open source?

Two reasons. First, transparency: anyone reading can audit the actual code and call me out if I’m talking nonsense. Second, accountability: the code being public forces me to write it cleaner than I would in private.

Repos: github.com/AlgonikHQ

If you’re building something similar I’d genuinely like to see it.

Always learning from how other people structure their filter stacks, exit logic, and service supervision. Drop a link or DM me, happy to talk through performance and capital sizing privately.

u/AlgonikHQ — 19 days ago