CONFIDENTIAL
CLASSIFIED: PUBLIC RECORD — SECURITY INCIDENTS

FILE 007

INTERNAL SECURITY INCIDENTS & EXPLOITS

COMPILED: JANUARY 2026 · STATUS: RESOLVED · SOURCES: 6 VERIFIED

Pump.fun Security Incidents

Operating entity: Baton Corporation Ltd. Documented internal-access-related incidents and exploits.

Internal Exploit by Former Developer
Incident ID: MAY-2024-001
INSIDER THREAT — PRIVILEGED ACCESS ABUSE

Perpetrator Profile

  • Name: Jarett Dunn
  • Aliases: Stacc, StaccOverflow, @STACCoverflow
  • Role: Former senior developer/contractor

Attack Methodology

Abuse of privileged admin/withdraw authority:

  • Leveraged flash loans on a Solana lending protocol
  • Artificially graduated multiple bonding curve contracts by purchasing tokens to reach migration threshold
  • Redirected intended liquidity migration SOL to attacker-controlled addresses instead of Raydium DEX pools

Amount Stolen: 12,300–12,600 SOL (~$1.9–2 million USD at time of exploit)

Attack Duration: 30–60 min (flash loan costs eventually made further exploitation unprofitable)

Funds Distribution: Dispersed (airdrops to random Solana wallets; attacker retained no funds)

Stated Motive: Protest (claimed "revenge" against platform)

Distribution Details

  • Stolen SOL dispersed to random Solana wallet addresses (airdrops to users/projects)
  • Attacker retained no funds personally
  • Some sources note ~$600,000 in meme coins briefly held, later handed over

MAY 16, 2024 — IMMEDIATE

Emergency Measures

  • Immediate contract upgrade to revoke compromised authority
  • Temporary site shutdown

MAY 17, 2024

Public Post-Mortem

Official post-mortem published confirming insider nature of attack

User Compensation: Full restoration of affected liquidity from platform treasury

Fee Waiver: 7 days post-incident

Source: [2]

RESOLUTION
FULL USER COMPENSATION COMPLETED — NO PROTOCOL FUNDS LOST

MAY 18–19, 2024

Arrest

Dunn arrested in London (hotel near Pump.fun WeWork office)

Initially bailed; mental health evaluation/hospitalization noted post-arrest

Source: [3]

AUGUST 2024

Initial Guilty Plea

Pleaded guilty to:

  • Fraud by abuse of position
  • Transfer of criminal property

Source: [4]

OCTOBER 2024

Attempted Plea Withdrawal

Legal team withdrew; Dunn re-pleaded guilty

DECEMBER 18, 2025

Sentencing

SENTENCE

Two concurrent six-year prison terms

Wood Green Crown Court, London

Source: [1]

CURRENT STATUS (JAN 31, 2026)
INCARCERATION ONGOING — NO REPORTED DEPORTATION OR APPEALS

X Account Compromise
Incident ID: FEB-2025-001
EXTERNAL SOCIAL ENGINEERING

FEBRUARY 26, 2025

Official X Account Compromised

Account: @pumpdotfun

Activity: Used to promote fake "PUMP" governance token and other fraudulent coins (e.g., "GPT-4.5")

Resolution: Team regained control same day

Impact: No protocol/smart contract compromise

Source: [5]

Attribution

Linked to broader chain of X hacks including Jupiter DAO, DogWifCoin

External social engineering; not internal access compromise

SECURITY POSTURE
NO ADDITIONAL INTERNAL EXPLOITS DOCUMENTED POST-MAY 2024

  • No additional internal/employee-access exploits documented (as of January 31, 2026)
  • No protocol-level breaches in public sources
  • PumpSwap launch (March 2025) passed multiple audits
  • No confirmed follow-on insider incidents

Not established in public sources:

  • Exact final recovered amount from dispersed funds (platform compensated fully; no public recovery breakdown)
  • Full forensic details of admin authority compromise mechanics (beyond flash loan + withdraw redirect; partial descriptions in post-mortem and court reporting)
  • Any unreported minor internal incidents or attempted accesses (none surfaced in litigation, media, or on-chain analyses)
  • Potential civil recovery actions by Pump.fun against Dunn (no public filings documented beyond UK criminal case)