Incident Report: Unauthorized Exfiltration of Corporate Crypto Assets

Incident Report: Unauthorized Exfiltration of Corporate Crypto Assets (Developer Camp)

Filing Date: March 11, 2026 (Updated March 12, 2026 – V2), IC3 submission ID: 2e7c81de09b943f0af10d5b4ed5d101a

Victim Entity: Developer Camp Inc.

Incident Window: March 10, 2026 | 22:35 UTC to 22:40 UTC

1. Executive Summary

On March 10, 2026, unauthorized actors compromised the private keys associated with two operational wallets belonging to the Developer Camp corporate token purchasing program (AutoBuy and Buy-Ups). During a 5-minute window, the attacker liquidated internal token reserves ($developer and USDC) into native SOL via decentralized exchange (DEX) aggregators, and exfiltrated the resulting SOL funds to attacker-controlled infrastructure. The attacker did not steal or hold the $developer or USDC tokens themselves; they fraudulently forced market sells of those assets to drain the wallets of pure SOL.

Total Stolen Assets:

>60 Native SOL (resulting from the liquidation of >10.45 Million $developer tokens and USDC reserves)

Total Estimated USD Loss: ~$4,900 USD

We are officially requesting that exchanges and market-makers flag the associated attacker addresses to freeze deposits pending further law enforcement action.

2. Victim Wallets & Specific Losses

Wallet A: Primary Operating Wallet (AutoBuy)

Address: CvacoRKrs8ZqsGLhixZuSQ1e9HabnndgxJFW5jdxq78U

Losses:

8.78 Million $developer tokens (Liquidated on DEX for 16.48 SOL)

$1,965 USDC (Liquidated on DEX for 22.82 SOL)

4.53 SOL (Existing balance)

Total Exfiltrated from Wallet A: 43.839214872 SOL

Wallet B: Secondary Operating Wallet (Buy-Ups)

Address: 9PNbjWrSfHEQbDyvv6kupBTGR7UG78S8fB8qUbR6Wmdk

Losses:

~1.67 Million $developer tokens (Liquidated)

~16+ Native SOL (including 4.26 SOL swept directly to Wallet A for consolidation)

3. Attacker Addresses (For Immediate Exchange Watchlists)

Primary Exfiltration / Exit Node:

Wallet Owner Address: E4a66ej1Fw3nAXwzpL6W29Af6MyQT5YwpdB2JFVpdSfS

Note to Exchanges: This is the direct recipient of the 43.83 stolen SOL from Victim Wallet A. The attacker swept pure SOL to this node.

Laundering / Consolidation Wallet:

Wallet Owner Address: nLxYHqgvDYkeML2LbFtNdTHguEoYYc9gguaweGQYjUg

Unwrapped SOL recipient: GJ56t8m2KmVyU8PNTZ6DT9HzCQGPBEDdHBCMgaRopxik

Note to Exchanges: The attacker is actively using these addresses to consolidate native SOL. If these addresses deposit to your exchange, they are directly handling proceeds of crime.

4. Verified Transaction Flow (Chain of Custody)

Step 1: The Primary $developer Token Liquidation (22:35:52 UTC)

Tx Hash:

DqUFrphja7v44AuM869AmHLH6bLwDEMADhkkYgTmWNE1BMjES1MKVXqXCCsb67je1jeD3Lgcr1hF4NNp8waZ85R

Action: The attacker forces Victim Wallet A to liquidate 8,785,954 $developer tokens via a DEX/Aggregator swap. The tokens are sold into a market maker/liquidity pool, and the victim wallet receives +16.48 SOL in return.

Step 2: The USDC Liquidation (22:36:00 UTC)

Tx Hash:

8H6cNbtMvMun22ABsZHQsvnyqSjyEubCMfv2yVoZ1czVz7kvAnAHiiCXDW338aTHJ3pQKFXJEjc3sxv6rV5goNs

Action: The attacker liquidates Victim Wallet A’s remaining reserve of $1,965 USDC directly into +22.82 native SOL inside the victim wallet via another swap.

Step 3: Wallet B Consolidation Sweep (22:37 UTC)

Action: The attacker sweeps 4.26 SOL from Victim Wallet B directly into Victim Wallet A to aggregate the native SOL.

Step 4: The Pure SOL Exfiltration (22:39:21 UTC)

Tx Hash:

WHhgqhk9xT3E1SYWM5nZEgSiRpX2rFnYNH7TaaqWdZs6wTMEDZpVup9cpkLyKwZHAyzS8NWcvrd9KLENVAtTu6w

Action: The attacker sweeps all consolidated SOL from Victim Wallet A. Exactly 43.839214872 SOL is transferred out directly to the attacker exit node E4a66ej1Fw3nAXwzpL6W29Af6MyQT5YwpdB2JFVpdSfS.

5. Contact & Authorization

We are prepared to verify control of the victim domains and provide law enforcement with any necessary signatures to validate this claim.

Entity: Developer Camp Inc.

Contact: Dom Sagolla (Chairman) / Anna Spisak (ED)