Key Takeaways
A former employee of memecoin creation and trading platform pump.fun, who allegedly carried out a recent $1.9 million exploit, claims to have been arrested and charged.
On May 16, Twitter user “STACCoverflow,” who identified himself as Jarrett Dunn, took responsibility for the attack. Pump.fun alleges Dunn used a “privileged position” to access a “withdraw authority” and compromise the protocol’s systems. Meanwhile, Dunn says British police arrested him and charged him with the theft. He claims he is currently on bail.
In a series of posts on May 18 from a different Twitter account, Dunn claimed he “spent overnight in custody” accused of stealing $1.9 million and conspiring to steal a further $80 million. He added that he was “released on bail and placed under mental health observation”.
Dunn stated that he was currently in hospital, using an iPad provided by the facility to post updates. He mentioned that his mental health makes him potentially unfit for a police interview at present.
Dunn said that the Canadian High Commission had contacted his family with “a list of lawyers”. However, he is currently unable to communicate with them until he regains access to his mobile phones and computers. He went on to claim that police seized two of his devices.
Dunn also noted that he still has his passport and that the authorities have not restricted him from leaving the country.
Dunn reportedly informed another Twitter user, The Rollup, that he has to return to a police station on August 15. Additionally, it has been claimed that a private intelligence company tried to find Dunn in London.
In a separate Tweet, Dunn called for British citizens to press charges against Baton Corporation, a company he claimed was linked to pump.fun. He also mentioned that his bail conditions prohibit him from communicating with this company and its CEO.
The Metropolitan Police did not immediately respond to a request for comment.
The Solana memecoin creation tool, pump.fun, reported that a former employee misused their access to siphon nearly $2 million through a “bonding curve” attack.
According to a tweet on May 16 by pump.fun, the ex-employee exploited their privileged position to gain “withdraw authority” and disrupt the protocol’s internal systems. The hacker took $1.9 million from the $45 million held in pump.fun’s bonding curve contracts.
Following the incident, the platform briefly halted trading, but has since resumed normal operations. Pump.fun reassured users that the smart contracts were secure. It said it would reimburse affected users with “100% of the liquidity” they lost within 24 hours.
Before pump.fun’s announcement, Igor Igamberdiev, head of research at cryptocurrency market maker Wintermute, suggested the hack resulted from an internal leak of a private key. He suspected that Twitter user “STACCoverflow” took part in the incident.
In a series of cryptic tweets, STACCoverflow claimed they were “about to change the course of history. n [sic] then rot in jail.” In a separate post, they said: “I do not care, I am already fully doxxed.” Earlier, pump.fun said that it was collaborating with police but did not identify the former employee involved. The company also did not immediately respond to a request for comment.
The hack on pump.fun unfolded when an exploiter used flash loans from the Solana lending protocol Raydium to borrow SOL. According to pump.fun, the exploiter used these tokens to “buy as many coins” as possible.
Once the coins reached 100% on their respective bonding curves, the exploiter was able to withdraw the bonding curve liquidity and repay the flash loans. Pump.fun reported that it lost approximately 12,300 SOL, valued at $1.9 million, during the incident, which happened between 3:21 pm and 5:00 pm UTC on May 16.