Tracing Solana wallet funding provenance: what the first SOL transfer reveals

Spinning up a clean wallet on Solana costs nothing. A keypair is free, funding it takes one transfer, and from that moment it looks identical to a genuine newcomer: no trade history, no PnL, no labels, no red flags. Every serious sniper operation, farm, and sybil ring exploits this constantly. Fresh wallets are manufactured by the hundreds, used for a launch or two, and discarded.

Most screening tools have nothing to say about these wallets, because most screening is built on history. Win rate, hold time, badge taxonomy: all of it needs trades to exist first. A wallet created an hour ago defeats every one of those checks by construction.

But the SOL had to come from somewhere. Rent, transaction fees, and the position itself all require an inbound transfer, and that transfer has a sender, which has its own funding history. Walk the chain backward far enough and almost every active wallet roots at something recognizable: an exchange hot wallet, a known entity, or another wallet inside the same operation. That walk is funding provenance. Conyr has resolved over 250M provenance transfers in its live rolling window, parsed in real time from its own Solana node, and serves the result for any wallet through a single API call.

The fresh wallet blind spot#

An empty transaction history reads as innocence to tooling that only looks forward. That assumption fails in exactly the situations where screening matters most: token launches. The wallets buying in the first minutes of a launch skew heavily toward addresses that did not exist a day earlier, seeded specifically for that buy.

The useful question for a fresh wallet is not "what has it done" but "where did its SOL come from." The first inbound transfer is frequently the highest-signal fact about the wallet: it fixes when the wallet came alive, who funded it, and (after tracing the funder's own lineage) what kind of operation it belongs to. A wallet funded straight from a Coinbase withdrawal ten minutes ago and a wallet funded by a distributor that seeded forty other wallets in the same window look identical in a trade-history view. In a provenance view they could not be more different.

How the trace works#

Conceptually the trace is a hop-by-hop walk. Start at the wallet, find the SOL transfer that funded it, step to the sender, and repeat, up to 20 hops, until the chain lands on a recognizable root. Conyr resolves roots against a curated set of 230+ CEX hot wallets covering Binance, OKX, Bybit, Coinbase, Kraken, and others, alongside known on-chain entities.

The curation is the hard part, and it is where single-hop "funded by" lookups fall short. Exchange hot wallets are not labeled on-chain; they have to be identified and maintained as exchanges rotate addresses. And one hop is rarely enough: operators deliberately route withdrawals through intermediary wallets precisely to break naive funder checks. A 20-hop walk through a maintained root set survives that layering. A single-hop lookup just returns the throwaway intermediary.

There is a second curation problem on the other side: high-fanout infrastructure. Exchange hot wallets, terminal fee vaults, and tip accounts fund or touch enormous numbers of wallets in the normal course of business. A naive shared-funder heuristic would cluster half the chain into one fake "farm." Conyr's entity registry distinguishes infrastructure funders from actual farm distributors, so a thousand wallets withdrawing from the same Binance hot wallet do not get flagged as a coordinated ring. Forty wallets seeded by one anonymous distributor in two minutes do.

Two outcomes are possible. The chain roots at a known entity, and the API returns that entity, the on-chain root address, and the hop count. Or it reaches 20 hops without finding one, and the root comes back null. The null case is itself a signal: an active trading wallet whose funding lineage avoids every known on-ramp made an effort to do so.

The patterns that fall out#

Once funding lineage exists for every wallet, structural patterns become queryable instead of anecdotal.

A few of these deserve unpacking.

Distance from the CEX#

Hop count is a trust gradient. One hop from an exchange usually means a direct withdrawal: a KYC'd account moved funds to its own wallet, which is what ordinary retail flow looks like. Five or more hops through wallets that themselves have thin history means someone built distance on purpose. Neither is proof of anything alone, but hops is one of the cheapest priors available, and it is returned on every provenance call. The same value ships as provenance_hops inside Conyr's 45-field label payload. The wallet-labels write-up covers how it combines with the behavioral axes.

Seeded launch cohorts#

The launch-manipulation pattern is mechanical: fund a batch of fresh wallets, wait, buy the token early from all of them. Conyr's funding-abuse endpoint (Layer 3) analyzes exactly this. It inspects every wallet that bought a token within a configurable early window (default 60 minutes) and reports how many were freshly seeded, how many were farm-funded, how fast the funding-to-buy gap was, and whether their CEX roots converge on a few hot wallets or disperse across many. The response carries explicit reason codes like SEED_WAVE_HEAVY, FARM_FUNDED_FRESH_WALLETS, and FAST_FUND_TO_BUY, so an integration can branch on stable flags instead of re-deriving thresholds.

Funding lineage as bundle evidence#

Shared funding is also one of the evidence trails behind Conyr's coordinated-cluster detection. The SybilPoisoning bundle type is defined by it: multiple wallets funded from the same root, buying in coordination. The per-bundle evidence in the API reads like "8 wallets funded from same root within 2 minutes." The bundle-detection post walks through the full classification; the short version is that provenance turns "these wallets feel related" into an attributable funding graph.

Querying provenance over the API#

The endpoint is GET /v1/wallet/{address}/provenance, available on Layer 2 ($75/mo, full tier matrix on the API page):

curl -H "Authorization: Bearer $CONYR_API_KEY" \
  "https://api.conyr.ai/v1/wallet/7xKXtg.../provenance"

{
  "wallet": "7xKXtg...",
  "root_entity": "Binance",
  "root_source": "5tzFkiKscXHK5ZXCGbXZxdw7gTjjD1mBwuoFbhUvuAi9",
  "hops": 3,
  "direct_funder": "9aBcD...",
  "last_funded_ts": "2026-03-01T08:30:00Z"
}

Reading the fields:

• root_entity is the resolved origin ("Binance" here), or null if no curated root was reached within the trace.
• root_source is the actual on-chain hot-wallet address the chain terminated at. It is useful for grouping: wallets sharing a root_source withdrew from the same exchange wallet.
• hops counts the funding steps between the wallet and the root, the distance signal discussed above.
• direct_funder is the wallet one hop up. For cohort analysis it is often the most actionable field: many suspicious wallets share a direct_funder long before they share anything else.
• last_funded_ts is when the funding event landed, which makes fresh-wallet detection a timestamp comparison instead of a judgment call.

Responses are cached for 300 seconds. The same trace also powers fields in GET /v1/wallet/{address}/labels: root_source, provenance_hops, funded_by_farm, and the ROOT_CEX identity badge, so a single labels call carries the provenance verdict alongside the behavioral read. Full schemas for both live in the wallet-intelligence reference.

Pre-trade screening for agents#

Provenance earns its keep as a veto check inside an automated flow. Before a copy-trade bot follows a wallet, before an agent acts on a "smart money is buying" signal, one cheap call answers a single question: is this wallet fresh-funded, farm-funded, or cleanly rooted at an exchange with history behind it?

Conyr's hosted MCP server ships this as query_wallet_provenance, one of 40+ tools available to Claude, GPT, or any MCP-capable agent, and the wallet_overview composite tool bundles funding provenance with classification, coordination context, and recent performance in a single fetch. Setup takes a few minutes via the agents docs, and keys are self-serve now. A free key is enough to start exploring before upgrading to Layer 2 for the wallet-intelligence endpoints.

The pipeline behind all of it is the same one serving the rest of the platform: a self-hosted Yellowstone gRPC node parsing 20M+ Solana swaps per day across 3.4M+ active wallets, with provenance resolved as transfers land rather than backfilled in batches. A wallet funded thirty seconds ago is traceable thirty seconds ago. For launch-time screening, that is the whole point.

Where to go next#

• Docs quickstart, first request in a couple of minutes
• API tiers and pricing, provenance is Layer 2 and funding-abuse is Layer 3
• Detecting coordinated bundles on Solana, where funding lineage becomes cluster evidence
• Wallet-intelligence API reference, full provenance and labels schemas