Guide
Solana NFT Drain: How to Trace Stolen pNFTs and cNFTs
Document outbound Metaplex, compressed NFT, and marketplace activity after a Solana NFT theft — signatures to copy, drain patterns, and when a $20 case file helps.
Solana NFTs are not ERC-721 rows
Solana NFTs live in token accounts tied to Metaplex, Token Metadata, or compressed NFT (cNFT) trees. Solscan shows program names (Magic Eden, Tensor, Bubblegum) that EVM victims are not used to reading.
- Standard NFT: NonFungible or ProgrammableNonFungible in Solscan
- cNFT: compressed NFT — still a real outbound transfer when stolen
- Marketplace listing: a program action, not always an NFT leaving your wallet
Drain patterns vs benign activity
- Drain: many NFTs to one destination wallet in minutes, often with low SOL fees
- Not a drain: you listed on Magic Eden — listing signature ≠ transfer to buyer yet
- Not a drain: Jupiter swap or PUMP trade in the same session as unrelated NFT clicks
- Gray area: you signed a fake mint site — document the exact signature you clicked
Evidence to collect before contacting marketplaces
- Your base58 wallet address and each outbound NFT transfer signature
- Collection name / mint address from Solscan token or asset tab
- UTC timestamp of the first NFT that left without your intent
- Whether a SPL delegate was set beforehand — run delegate audit if unsure
What Tracefunds adds
- $5 single_tx — decode one suspicious signature (listing vs transfer vs swap)
- $20 incident — fund-flow graph, NFT proof table, labeled CEX paths, verification checklist
- Indexes cNFT and marketplace actions honestly — no invented drain verdict