Back to all stories
Incident Analysis
Santa Coin Incident Analysis
Santa Coin Incident Analysis


On October 24, 2022, the Santa Coin team conducted an exit scam on $SANTA token and stole 765 BNB (~$209K) from $SANTA holders. The deployer has been slowly draining liquidity over a long period of time; however, our analysis explicitly focuses on the funds drained on October 24, 2022.


Santa Coin was originally launched as a meme coin in November 2021. The Santa Coin team claimed to be expanding with the addition of experienced developers and crypto marketers that will “carry on with the vision of creating a rewarding ecosystem focused on Defi & NFT P2E gaming”.

On August 15, the Santa Coin moderator posted an announcement in the Official Santa Coin Telegram that was later edited by the team. It is unclear what the announcement from the Santa Coin team originally said. It appears that the Santa Coin team planted the message on August 15 2022, so that the moderator could go back and make it appear to holders that this incident was a migration rather than an exit scam while taking additional funds from holders who attempted to migrate through the fake migration phishing link.

Santa coin image 1 Image: Santa Coin moderator Telegram migration announcement Screen Shot 2022-11-23 at 9.10.40 AM Image: Phishing Link from Santa Coin moderator Telegram announcement

The link provided in the Santa Coin Telegram announcement led $SANTA holders to phishing website Coin Trading Solution (hxxps:// According to, Coin Trading Solution was registered on November 1st, eight days after the incident. Screen Shot 2022-11-23 at 9.41.59 AM Image: Coin Trading Solution website

Users were then prompted to select the option to migrate (various other functions were also available); the website then asked holders to provide their private keys (pictured below). Screen Shot 2022-11-23 at 10.23.14 AM Image: Coin Trading Solution prompt for private keys

Attack Flow

The Santa Coin deployer called the removeLiquidity() function to drain the liquidity from the Pancakeswap pool, removing approximately 600 BNB in multiple transitions.

The deployer then sent 39,535,213,129,140 $SANTA tokens to the second actor 0xc80... in the following transaction: 0x35b97e72048419c7fc056e255af27aa36523031e1b7be7000e644a5d6845f2f6

Finally, the second rugpuller then sold these tokens for 165 BNB.


Santa Coin:

Deployer (first rugpuller):

Second rugpuller:

Pancakeswap pool:

Exploit Transactions

In this exit scam, there are many token sales and remove liquidity transactions:

Deployer (first rugpuller):

Second rugpuller:

See DeBank | Your DeFi wallet for a complete list

Profits and Asset Tracing

Total funds lost from holders in this exit scam was around 765 BNB (~$209K). The 595 BNB has been transferred from the deployer wallet (first rugpuller) to 0xc94. Funds were then transferred to wallet 0xc40. The other 165 BNB from the second rugpuller has been sent to account 0xc40. Since the incident, 0xc40 distributed the tokens to Pancakeswap, BUSD-T Stable coin, and 0xb2E.


It is almost certain that this token was designed to be an exit scam from the beginning. The issue lies in intentional poor contract design and the initial token distribution created by the actors. Since the incident, Santa Coin’s Twitter is still up and has been stripped of previous promotional tweets of Santa Coin. Is this in preparation for a promotion of a new coin this year?

Protect yourself and your assets by following @CertiKAlert on Twitter to stay up to date on all the latest Web3 security news, and visiting as part of your due diligence.

Do your own research and beware of scam tokens this holiday season!