Hackers Behind RoaringKitty X Breach Linked to $14M Memecoin Scam Network - Blockonomi
by Brenda Mary · Blockonomi- The RoaringKitty X hack on May 11 generated $600K+ profit via a bundled $RKC Solana memecoin dump.
- Specter linked 12 wallets holding $14M+ to prior bundled token scams including $USOR and $VDOR.
- The Matt Furie and WinRAR X hacks are tied to the same group through shared fee and bridge wallets.
- The threat group spans phishing, memecoin fraud, KOL payments, and serial X account compromises.
A coordinated threat group hacked the X account of @TheRoaringKitty on May 11, launching a Solana memecoin that briefly hit a $12 million market cap. The attacker used multiple bundled wallets to sell into the pump, netting over $600,000 in profit.
On-chain investigator Specter traced the funds through bridges, swaps, and cross-chain transfers. The same group is now linked to two other major X account breaches and over $14 million in memecoin scam proceeds.
RoaringKitty Hack Tied to Serial Memecoin Bundling Operation
The hacker promoted a token called $RKC through the compromised account before deleting the post. Specter identified eleven wallet addresses connected to the attack.
Most profits moved to a centralized exchange. Around $220,000 was bridged and converted into Monero via Wagyu on Hyperliquid. Another $4,000 moved across Tron wallets.
Tracing one Tron wallet led back to an Ethereum address and a Solana wallet. That Solana address connected to prior token launches including $USOR, $VDOR, $DROID, $WCOR, and $UGOR.
According to Specter’s investigation, $USOR reached a $200 million market cap. $VDOR hit $45 million before collapsing. Charts confirm both were bundled scam launches.
Twelve additional wallets holding over $14 million in profits were uncovered. These tokens were promoted heavily across Telegram, X, Instagram, TikTok, and YouTube.
The same group of paid influencers promoted every launch. Specter noted these were cheap KOLs who used their audiences as exit liquidity.
Matt Furie and WinRAR Breaches Traced to the Same Group
One of the $RKC bundled wallets bridged funds from BNB Chain. That wallet previously received fees from a Pepe token launched through bnbshare[.]fun during the April 14 hack of @Matt_Furie’s X account. This connection links both hacks to the same operation.
Specter also traced the May 4 @WinRAR_RARLAB breach to this group via a shared fee wallet.
The bnbshare[.]fun platform was developed by a user identified as @aliasbacardi. Fee revenue routed to a specific Ethereum wallet. That wallet bridged funds to a Solana address directly connected to the RoaringKitty hacker wallets.
By the time the investigation surfaced, all posts on @aliasbacardi’s account had been deleted.
The group’s activity extends back to 2024 phishing operations. One linked wallet facilitated a signing attack that drained $2.45 million in wstETH from a victim.
Specter flagged transfers in March 2026 connecting current wallets to that earlier theft. The group has cycled through phishing, bundled token launches, influencer payments, and account hacking.
Specter called out X’s @nikitabier, urging a review of the three known account compromises within a single month. A similar pattern of coordinated X account hacks occurred in 2022 and 2023, previously documented by researcher @ZachXBT.