Solana bundle detection: how coordinated buying actually works, and how to catch it in real time

Coordinated buying hides token supply across dozens of Solana wallets. Here is why holder pages miss bundles, and how Conyr detects them in real time.

QuasiM, Founder, Conyr · 2026-06-12 · 8 min read · Research · Updated 2026-06-13

By now the standard Solana rug check is a ritual, and every modern bundle is built to slip past it. Open the holders tab, eyeball the top-10 concentration, confirm the LP is burned and the mint authority is revoked. All green, buy. The trouble is the checklist was built for an attacker who stopped being the dominant one years ago. A dev wallet sitting on 40% of supply is trivial to spot, so nobody does that anymore. The operator who matters in 2026 runs a bundle: a quarter of the float spread across forty wallets, each one under 1%, funded through a different path, buying at a slightly different time.

A bundle, concretely, is a set of wallets buying a token in coordination so that one operator controls far more supply than any single wallet reveals. Conyr parses 20M+ Solana swaps per day off a self-hosted Yellowstone gRPC node and runs bundle detection live in that stream. As of June 2026 that is 600K+ bundled swaps flagged in the trailing window. This post walks through how coordinated buying works, what links wallets that look independent, and how to check any token through the API before touching it. The first check is free.

Takeaways

  • A bundle is one operator's supply split across many wallets. Forty wallets at 0.7% each is 28% of the float, and the top-10 holders view shows nothing.
  • A burned LP and a revoked mint authority do not stop a bundle. The bundle is the soft rug: a quarter of the supply can hit the pool in the same handful of slots.
  • Wallets that look independent get linked by three signals: shared funding lineage, execution timing, and exit synchrony. That is the cluster the chart and the holders page both hide.
  • The headline metric is bundled_supply_pct, the share of supply inside detected clusters. One free API call returns it for any mint.
  • Status is the whole game. A cluster that has exited is history; one sitting active and unsold on a fifth of the supply is a loaded spring.
  • Coordinated exits take slots, not minutes. A push notification is too slow to catch one. The WebSocket dumping event catches it.

What a bundle looks like in 2026

Coordinated buying shows up in three broad shapes, roughly in order of sophistication.

Launch-slot cohorts. The crudest version: the pool goes live and a cohort of wallets buys in the same slot, or the slot after. On pump.fun-style launches the deployer funds sniper wallets in advance and fires them the moment the token exists. This is the shape most "bundler %" checkers measure, which is exactly why serious operators stopped doing it this way.

Jito-bundled buys. Jito lets anyone submit a group of transactions as an atomic bundle: they land sequentially, in order, inside a single slot, or not at all. The legitimate use is MEV and multi-step DeFi. The abusive use is a deployer packaging pool creation plus buys from several "different" wallets into one atomic unit, so the operator's supply is locked in before any outside transaction can execute. On-chain it reads as same-slot sequential transactions from unrelated addresses.

Staggered sybil entries. The operator who knows same-slot buys get flagged spreads entries over minutes or hours, randomizes sizes, and routes through different DEXes. On a chart this looks like organic accumulation. In the data it is still a cluster. The wallets share too much history to be strangers.

The common thread is supply concentration without visible concentration. That distinction is the entire game.

Why the holders tab misses bundled tokens

The math is simple, and it is the reason the ritual fails. Forty wallets holding 0.7% each is 28% of the float under one operator's control, and the top-10 holders view shows nothing alarming. Filters for "insiders" or "dev wallet" pass clean, because no individual address crosses any threshold.

That bundled supply is exit-liquidity risk in its purest form. The operator entered at launch prices. When the target multiple hits, those forty wallets do not sell like forty independent holders. They sell like one, often within the same handful of slots. There is no outrunning that. By the time the candle prints, the pool has absorbed a quarter of the supply and the price is somewhere else entirely.

This is also the connection to rugs. A burned LP and a revoked mint protect against contract-level theft, but they do nothing when 28% of the float can hit the pool at once. The bundle is the soft rug. A Solana rug check that only inspects contract switches answers a question from 2022. The 2026 question is behavioral: who controls the supply, and are they one entity.

On the surface, bundle members share nothing: different addresses, different funding transactions, different entry times if the operator is careful. Three families of signal cut through that.

Funding lineage. Wallets funded from the same root address are not strangers. Neither is a wave of fresh wallets all funded minutes before their first buy. CEX withdrawals complicate this: when twenty wallets are all funded from an exchange hot wallet, the common funder is the exchange, not the operator, so naive one-hop tracing produces garbage. Multi-hop tracing through known exchange infrastructure is its own subject; the provenance write-up covers how Conyr walks funding back through 230+ curated CEX roots.

Execution timing. Same-slot landings, sequential ordering inside a slot, and the same wallets repeatedly co-occurring across tokens. One coincidence is a coincidence; the same eight wallets buying within seconds of each other on the fourth token in a row is a fingerprint.

Exit synchrony. Independent holders do not all sell within the same minute. Coordinated ones do, because the decision is made once and executed forty times.
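Two of the three signals above, funding lineage and repeated timing co-occurrence, sketched as an added example; this is not Conyr's detection code, and exit synchrony is left out. The one-hop funder lookup, the `slot_window` and `min_tokens` thresholds, the `cex_hot` root and every wallet, slot and percentage are assumptions constructed for illustration.

```python
from collections import defaultdict
from itertools import combinations

def find(parent, x):
    while parent[x] != x:
        parent[x] = parent[parent[x]]  # path halving
        x = parent[x]
    return x

def link_wallets(funder_of, buys, cex_roots, slot_window=2, min_tokens=3):
    """Cluster wallets by shared non-exchange funder or repeated co-buying."""
    parent = {w: w for w in funder_of}
    def union(a, b):
        parent[find(parent, a)] = find(parent, b)
    by_funder = defaultdict(list)  # signal 1: one-hop funding lineage
    for wallet, funder in funder_of.items():
        if funder not in cex_roots:  # an exchange hot wallet is not an operator
            by_funder[funder].append(wallet)
    for group in by_funder.values():
        for wallet in group[1:]:
            union(wallet, group[0])
    by_token = defaultdict(list)  # signal 2: same pair co-buying on many tokens
    for token, wallet, slot in buys:
        by_token[token].append((slot, wallet))
    seen_together = defaultdict(set)
    for token, rows in by_token.items():
        for (s1, w1), (s2, w2) in combinations(rows, 2):
            if w1 != w2 and abs(s1 - s2) <= slot_window:
                seen_together[frozenset((w1, w2))].add(token)
    for pair, tokens in seen_together.items():
        if len(tokens) >= min_tokens:  # a single co-occurrence links nothing
            union(*pair)
    clusters = defaultdict(set)
    for wallet in parent:
        clusters[find(parent, wallet)].add(wallet)
    return [c for c in clusters.values() if len(c) > 1]

def clustered_supply_pct(clusters, holding_pct):
    return round(sum(holding_pct.get(w, 0.0) for c in clusters for w in c), 2)

# Constructed sample: every address, slot and percentage here is made up.
CEX = {"cex_hot"}
funder_of = {f"op{i}": "root_A" for i in range(32)}            # shared root
funder_of.update({f"cx{i}": "cex_hot" for i in range(8)})      # operator behind a CEX
funder_of.update({f"retail{i}": "cex_hot" for i in range(5)})  # genuine strangers
buys = [(t, f"cx{i}", 1000 * n + i % 3)
        for n, t in enumerate(["T1", "T2", "T3", "TARGET"], 1) for i in range(8)]
buys += [("TARGET", f"retail{i}", 5000 + 400 * i) for i in range(5)]
holding = {w: (1.5 if w.startswith("retail") else 0.7) for w in funder_of}
```

On this sample the largest single holder is 1.5% while the two linked clusters hold 28.0% between them. Passing an empty `cex_roots` set merges the five retail wallets into the exchange-funded cluster, which is the one-hop false positive described under funding lineage.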

Behavioral history feeds all of this. Every buyer Conyr sees already carries labels: bot operation, farm funding, trading style. So a cluster of farm_funded fresh wallets buying together is a very different crowd from organic profitable traders arriving separately. The wallet-labels post covers that taxonomy.

The free check: bundles summary

Every detected cluster on a token rolls up into one summary read, and it sits on the free tier. You do not need a card, just a self-serve key from the dashboard:

curl -s -H "Authorization: Bearer $CONYR_API_KEY" \
  "https://api.conyr.ai/v1/token/{mint}/bundles/summary"

{
  "token_mint": "EPjFWd...",
  "bundle_count": 3,
  "open_bundle_count": 2,
  "bundled_supply_pct": 18.5,
  "bundled_value_usd": 24500.0,
  "bundled_realized_pnl_usd": 3200.0,
  "dominant_bundle_type": "SybilPoisoning"
}

Reading it, top to bottom:

  • bundled_supply_pct is the headline number, the share of supply held inside detected clusters. The 18.5% here is one example token, not the forty-wallet math above, and it still means nearly a fifth of the float is coordinated, regardless of what the top-10 view says.
  • open_bundle_count vs bundle_count separates clusters still live from everything ever detected on the token. Two of three still open means the risk is current, not historical.
  • bundled_realized_pnl_usd is what coordinated wallets have already extracted. A positive number means the operator is in profit and the remaining supply is house money.
  • dominant_bundle_type names the largest cluster's archetype.

The archetypes, as the bundles reference documents them:

| Bundle type | What it means |
| --- | --- |
| SybilPoisoning | Multiple wallets funded from the same root, coordinated buying |
| CexCoordinated | Wallets funded from known CEX hot wallets acting in concert |
| SyntheticSwarm | Structurally isomorphic wallet clusters |
| JitoSequential | Same-slot sequential transactions via Jito bundles |
| Hybrid | Combines multiple detection signals |

Responses are cached for 15 seconds, so the read stays current enough for a pre-trade check. Full details for the free tier live in the free tier reference.

Layer 3: the full bundle-detection graph

The summary tells you whether to worry. The Layer 3 endpoints tell you what is happening underneath it.

GET /v1/token/{mint}/bundles returns every detected cluster with its full state:

{
  "bundles": [
    {
      "bundle_id": "bndl_abc123",
      "bundle_type": "SybilPoisoning",
      "leader_wallet": "4mNqR...",
      "status": "active",
      "member_count_total": 8,
      "member_count_active": 6,
      "total_usd_invested": 5400.0,
      "total_usd_returned": 8600.0,
      "sold_pct": 50.0,
      "risk_score": 0.85,
      "evidence": [
        "8 wallets funded from same root within 2 minutes",
        "Coordinated buying in slot 245678901"
      ]
    }
  ]
}

The fields that matter most in practice are sold_pct and the invested-vs-returned pair. Together they tell you where the cluster is in its trade. This one put in $5,400, has already pulled out $8,600, and has sold half its position, so the operator is in pure profit on the remainder. evidence is a human-readable account of why these wallets were linked. And status tracks the full lifecycle: active, then dormant / dumping / derisked / exited / rugged / merged. A cluster that has already exited is history; one sitting active at sold_pct 0 on a fifth of the supply is a loaded spring.

Two follow-up reads complete the picture. GET /v1/token/{mint}/bundles/{bundle_id} breaks a cluster into its members: per-wallet chain balance, realized PnL, and the leader flag. And GET /v1/wallet/{address}/entanglement inverts the question: given a wallet, which clusters does it belong to. Run that before copy-trading anyone.

For positions you are already in, the WebSocket stream matters more than any REST poll. Subscribing to token:{mint}:security delivers bundle_detected, suspicious_activity, and rug_detected events as they fire, including the moment a cluster's status flips to dumping. These endpoints are Layer 3 ($149/mo, 600 requests/min, 50 WebSocket connections); the API page has the full tier matrix.

A pre-trade flow that puts this to work

For humans, the flow is three steps.

  1. Summary first. One free call. If bundled_supply_pct is past whatever your line is, say 10% or 20%, stop there. The trade does not need more research; it needs a different token.
  2. Gray zone, pull the detail. A token at 8% bundled supply where the only cluster is exited is a different proposition from 8% sitting active and unsold. status, sold_pct, and the invested/returned ratio answer whether the risk is behind the token or ahead of it.
  3. Holding, watch the stream. Subscribe to token:{mint}:security and treat a dumping flip as the highest-urgency alert the stream emits. Coordinated exits take slots, not minutes. A push notification is too slow to see it; a WebSocket frame is fast enough.
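Steps 1 and 2 as a gate a script can run before sending an order, given here as an added example rather than Conyr client code. The thresholds `stop_pct` and `clean_pct`, the verdict names, and the fail-closed handling are assumptions; the two inputs are the separate sample responses shown earlier in the post, with the evidence list omitted.

```python
import json

def pre_trade_verdict(summary, bundles, stop_pct=20.0, clean_pct=1.0):
    """Return (verdict, reasons); verdict is 'stop', 'review' or 'pass'.
    stop_pct and clean_pct are illustrative thresholds, not Conyr defaults."""
    try:
        pct = float(summary["bundled_supply_pct"])
        open_count = int(summary["open_bundle_count"])
    except (KeyError, TypeError, ValueError):
        # An empty or malformed read must never look like a clean token.
        return "stop", ["summary missing or malformed: fail closed"]
    if pct >= stop_pct:
        return "stop", [f"bundled_supply_pct {pct} >= {stop_pct}"]
    if pct <= clean_pct and open_count == 0:
        return "pass", []
    if open_count and not bundles:
        return "review", ["open clusters reported but no detail fetched"]
    reasons = []
    for b in bundles:
        status, sold = b.get("status"), b.get("sold_pct", 0.0)
        if status == "exited":
            continue  # the post treats an exited cluster as history
        if status == "dumping":
            return "stop", [f"{b.get('bundle_id')} is dumping"]
        # Any other status is kept for review rather than assumed safe.
        note = f"{b.get('bundle_id')}: {status}, {100 - sold:.0f}% of position unsold"
        if b.get("total_usd_returned", 0) > b.get("total_usd_invested", 0):
            note += ", operator already in profit"
        reasons.append(note)
    return ("review" if reasons else "pass"), reasons

# Sample responses as shown in the post (mint left truncated as on the page).
SUMMARY = json.loads('''{"token_mint": "EPjFWd...", "bundle_count": 3,
  "open_bundle_count": 2, "bundled_supply_pct": 18.5, "bundled_value_usd": 24500.0,
  "bundled_realized_pnl_usd": 3200.0, "dominant_bundle_type": "SybilPoisoning"}''')
BUNDLES = json.loads('''{"bundles": [{"bundle_id": "bndl_abc123",
  "bundle_type": "SybilPoisoning", "status": "active", "member_count_total": 8,
  "member_count_active": 6, "total_usd_invested": 5400.0,
  "total_usd_returned": 8600.0, "sold_pct": 50.0, "risk_score": 0.85}]}''')["bundles"]

print(pre_trade_verdict(SUMMARY, BUNDLES))
```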

For agents, the same intelligence ships over MCP. The hosted server exposes the bundle reads alongside roughly 40 other tools, and the composite token_deep_dive tool pulls the bundle summary, holder breakdown, buyer quality, and security row in a single call, with every result carrying an evidenceUrl so the agent can cite where the finding came from. Setup is one config block; the MCP docs cover Claude Code, Cursor, and Claude Desktop.

The detection itself runs in the live transaction stream, off Conyr's own node, across 25+ DEX programs. Clusters are flagged as they form and tracked through the dump. That is the difference between a warning before entry and a post-mortem after.

The contract-level rug is the easy half now. Burned LPs and revoked mints are baseline. The open problem is behavioral: when a quarter of the float answers to one operator across forty wallets, the only question that matters is who controls it, and that never shows up on a holders page. That is the question Conyr answers in the live stream, before the candle prints.
