← SIGMA Bot7 decisions on this page
Audit log
Every state-changing event for SIGMA Bot: moderation decisions on community submissions, plus corrections and updates from the news pipeline. URL-based decisions carry three independent witnesses — the original source, an Internet Archive snapshot taken at submission time, and a Solana memo signed by our publicly-disclosed publisher key.
- #1publishby system:backfill2026-05-31 07:24:59ZScore: ? → ? (no score change)anchoranchored
- chain
- ●mainnet-betaslot 423,328,416
- sig
3MXXjk6rUXUC…jLojqh4Vexplorer ↗- hash
7qRa75rKDFqh…hsi4xzDosha256 → base58
verifying row…full verify ↗canonical bytes (16753 B) ▸
{"actor":"system:backfill","investigation_id":"cfa54088-9549-4a76-a3e8-6567fa5722af","kind":"publish","page_slug":"sigma-bot","published_at":"2026-05-31T07:24:58.978Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"SIGMA Bot","sections":[{"content":"SIGMA Bot (accessible at sigma.win) is a Telegram-native decentralized finance trading platform that allows users to trade, copy-trade, and snipe tokens across multiple blockchains from within the Telegram messaging application. The platform supports seven chains: Ethereum, Binance Smart Chain (BSC), Base, Solana, Avalanche, Unichain, and Berachain. SIGMA charges a flat 1% fee per transaction across all supported networks. The platform generates wallets automatically upon first use and supports import of externally generated wallets. Its documentation claims a non-custodial model stating 'you control your keys and funds,' though the security architecture underlying private key generation and server-side storage is not publicly documented or audited. SIGMA markets itself as 'the fastest, most secure multi-chain trading bot,' trusted by over 200,000 users according to promotional materials, though this figure is unverified by independent sources.","heading":"Platform Overview","severity":"low","sources":[{"credibility":2,"name":"Welcome to Sigma — Sigma User Guide (official docs)","type":"official","url":"https://docs.sigma.win/"},{"credibility":3,"name":"Sigma Review (2026) — Multi-Chain Telegram Bot: 7 Chains","type":"research","url":"https://defipill.xyz/telegram-trading-bots/sigma_review/"},{"credibility":3,"name":"Sigma Bot Review (May 2026) — CoinCodeCap","type":"research","url":"https://coincodecap.com/sigma-bot-review"},{"credibility":2,"name":"Sigma Trading Bot — DappRadar","type":"research","url":"https://dappradar.com/dapp/sigma-trading-bot"}]},{"content":"On May 11, 2026, crypto trader and X personality Unihax0r (@0xUnihax0r) had two wallets drained across Ethereum, Base, and Binance Smart Chain in a coordinated multi-chain attack totaling over $200,000. The largest single loss was approximately $125,000 in $POD tokens on Base, followed by approximately $21,000 in $FHE on BSC, with additional ETH and $SAT1 positions across chains. The drain was executed in an estimated 10 to 30 minute window (approximately 00:37 to 00:56 UTC). On-chain analyst @k0braca1 stated the attacker 'had full control over signing operations across multiple chains: Ethereum, Base and BSC,' and noted the absence of malicious token approvals, indicating the attack involved direct private key access rather than a smart contract exploit or phishing approval. The attacker sent small ETH amounts to compromised wallets first to cover gas fees before executing the drains. Both drained wallets had been originally generated via the SIGMA Telegram trading bot, then subsequently imported into GMGN and Rabby Wallet. Other wallets present on Rabby Wallet and Jupiter that were not created through SIGMA were not affected. Community investigators and fraud tracking accounts offered tracing assistance; funds were subsequently moved through mixers, with the majority of stolen assets sitting in attacker-controlled addresses primarily on Base as of reporting. Recovery prospects were assessed as low.","heading":"May 2026 Security Incident: Unihax0r Wallet Drain","severity":"high","sources":[{"credibility":2,"name":"Crypto Trader Drained of $200K in Telegram Bot Linked Crypto Hack — CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/05/11/crypto-trader-drained-of-200k-in-telegram-bot-linked-crypto-hack/"},{"credibility":2,"name":"SIGMA bot blamed as attacker drains $200K from trader's wallets — MEXC News","type":"news_article","url":"https://www.mexc.com/news/1083127"},{"credibility":2,"name":"SIGMA bot blamed as attacker drains $200K from trader's wallets — CryptoNews.net","type":"news_article","url":"https://cryptonews.net/news/security/32844596/"},{"credibility":2,"name":"Crypto Trader Loses $200K After Telegram Bot Allegedly Exposes Private Keys — Crypto Economy","type":"news_article","url":"https://crypto-economy.com/crypto-trader-loses-200k-after-telegram-bot-allegedly-exposes-private-keys/"},{"credibility":2,"name":"Crypto trader loses $200K after Telegram bot leaks private keys — Cryptopolitan","type":"news_article","url":"https://www.cryptopolitan.com/crypto-trader-loses-200k-telegram-bot/"}]},{"content":"The precise mechanism by which the attacker allegedly obtained private key material has not been confirmed by SIGMA or by any on-chain forensics firm as of the date of this investigation. Community on-chain analysts and reporting outlets have identified four suspected vectors, none of which has been definitively established. First, malicious CAPTCHA bots allegedly embedded within SIGMA's Telegram channel: fake CAPTCHA challenges presented to users interacting with SIGMA may have functioned as credential-harvesting tools designed to deliver infostealers via clipboard hijacking, a technique documented in broader phishing campaigns during 2025 and 2026. Second, infostealer or other device-compromising malware may have captured private keys or seed phrases from the victim's local device independent of SIGMA's infrastructure. Third, a fake or malicious GMGN workflow may have intercepted key material when Unihax0r imported SIGMA-generated wallets into the GMGN platform. Fourth, malicious browser extensions could have captured keys during an import event. Analysts noted the correlation between SIGMA-generated wallets and the exclusive targeting of those wallets as circumstantially significant, but this correlation does not exclude the possibility that the private key leak occurred at a later stage such as during import into a third-party application. SIGMA has not published a statement addressing any of these vectors.","heading":"Alleged Attack Vectors (Unconfirmed)","severity":"high","sources":[{"credibility":2,"name":"Crypto Trader Drained of $200K in Telegram Bot Linked Crypto Hack — CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/05/11/crypto-trader-drained-of-200k-in-telegram-bot-linked-crypto-hack/"},{"credibility":2,"name":"SIGMA bot blamed as attacker drains $200K from trader's wallets — CryptoNews.net","type":"news_article","url":"https://cryptonews.net/news/security/32844596/"},{"credibility":1,"name":"Fake CAPTCHA websites hijack your clipboard to install information stealers — Malwarebytes","type":"research","url":"https://www.malwarebytes.com/blog/news/2025/03/fake-captcha-websites-hijack-your-clipboard-to-install-information-stealers"}]},{"content":"As of the date of this investigation, SIGMA has not published a public post-mortem, incident report, or any official communication acknowledging the May 11, 2026 incident. No statement was identified on SIGMA's official X account (@SigmaTradingBot), official Telegram channel (@SB_sigmabot or @SigmaBotPortal), or its documentation site (docs.sigma.win). This stands in contrast to the response exhibited by the Banana Gun bot following a comparable September 2024 Telegram oracle vulnerability exploit, in which Banana Gun shut down its bot, publicly acknowledged the incident, patched the vulnerability, and reimbursed all eleven affected users approximately $3 million from its treasury. The lack of any statement from SIGMA is a transparency risk signal, particularly given that the incident was covered by multiple crypto news outlets and the causal link to SIGMA-generated wallets was publicly reported. Users currently relying on SIGMA-generated wallets have received no official guidance on whether to rotate keys or take protective measures.","heading":"Absence of Official Response and Transparency","severity":"high","sources":[{"credibility":2,"name":"Crypto Trader Drained of $200K in Telegram Bot Linked Crypto Hack — CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/05/11/crypto-trader-drained-of-200k-in-telegram-bot-linked-crypto-hack/"},{"credibility":1,"name":"Banana Gun promises to refund $3 million stolen from impacted users — The Block","type":"news_article","url":"https://www.theblock.co/post/318074/banana-gun-exploit-refund"},{"credibility":2,"name":"Almost $2 million taken from users of Telegram Banana Gun crypto trading bot — Web3 Is Going Great","type":"news_article","url":"https://www.web3isgoinggreat.com/single/banana-gun-exploit"}]},{"content":"SIGMA's team is not publicly identified. The documentation refers only to 'a team of professional coders and seasoned snipers' without disclosing any names, identities, or professional backgrounds. No founders or executives are listed on the platform's website or documentation. This anonymity is an elevated risk signal for a custodial-adjacent service where users' private keys are generated within the platform's infrastructure at wallet creation. Furthermore, no independent security audit of SIGMA's codebase, private key generation process, or server-side infrastructure has been identified in any publicly available source. Security firm Hacken has noted that most Telegram trading bots are closed-source and unaudited, and some explicitly disclaim responsibility for unauthorized access in their terms of service. The absence of both a named team and a third-party audit makes independent risk assessment of SIGMA's key management practices impossible.","heading":"Anonymous Team and Absence of Security Audit","severity":"high","sources":[{"credibility":2,"name":"Welcome to Sigma — Sigma User Guide (official docs)","type":"official","url":"https://docs.sigma.win/"},{"credibility":3,"name":"Sigma Bot Review (May 2026) — CoinCodeCap","type":"research","url":"https://coincodecap.com/sigma-bot-review"},{"credibility":2,"name":"Telegram Crypto Trading Bots: Security Risks and Safety Guide 2026 — Bitget Academy","type":"research","url":"https://www.bitget.com/academy/telegram-crypto-bots-8"}]},{"content":"The SIGMA incident reflects a broader, documented systemic risk in the Telegram trading bot category. When users generate wallets through Telegram bots, private keys are created within and — in many implementations — stored or transmitted through the bot provider's server infrastructure. Unlike hardware wallets where keys never leave the device, Telegram bot wallets depend on the security of the bot operator's backend, the user's Telegram account, and every intermediary through which key material passes. A 2024 incident involving Banana Gun saw 11 wallets drained for approximately $3 million via a vulnerability in Telegram's message oracle, demonstrating that even established bots with named teams and significant user bases are exposed to infrastructure-level key compromise. The Telegram platform itself does not apply end-to-end encryption to bot interactions. ScamSniffer reported a 2,000% increase in Telegram group malware scams between November 2024 and January 2025. Security researchers have identified over 340 fraudulent crypto trading bots on Telegram during 2025 alone. The SIGMA incident, whether or not SIGMA's own infrastructure was the proximate cause, underscores the category-wide risk of concentrating significant holdings in Telegram-bot-generated wallets.","heading":"Systemic Risk: Telegram-Native Bot Private Key Custody","severity":"medium","sources":[{"credibility":2,"name":"Telegram Crypto Trading Bots: Security Risks and Safety Guide 2026 — Bitget Academy","type":"research","url":"https://www.bitget.com/academy/telegram-crypto-bots-8"},{"credibility":2,"name":"Almost $2 million taken from users of Telegram Banana Gun crypto trading bot — Web3 Is Going Great","type":"news_article","url":"https://www.web3isgoinggreat.com/single/banana-gun-exploit"},{"credibility":2,"name":"Decoding How The Banana Gun Went Bananas: $3M Exploit — QuillAudits","type":"research","url":"https://www.quillaudits.com/blog/hack-analysis/banana-gun-exploit"}]}],"sources_used":[{"credibility":2,"name":"Crypto Trader Drained of $200K in Telegram Bot Linked Crypto Hack — CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/05/11/crypto-trader-drained-of-200k-in-telegram-bot-linked-crypto-hack/"},{"credibility":2,"name":"SIGMA bot blamed as attacker drains $200K from trader's wallets — MEXC News","type":"news_article","url":"https://www.mexc.com/news/1083127"},{"credibility":2,"name":"SIGMA bot blamed as attacker drains $200K from trader's wallets — CryptoNews.net","type":"news_article","url":"https://cryptonews.net/news/security/32844596/"},{"credibility":2,"name":"Crypto Trader Loses $200K After Telegram Bot Allegedly Exposes Private Keys — Crypto Economy","type":"news_article","url":"https://crypto-economy.com/crypto-trader-loses-200k-after-telegram-bot-allegedly-exposes-private-keys/"},{"credibility":2,"name":"Crypto trader loses $200K after Telegram bot leaks private keys — Cryptopolitan","type":"news_article","url":"https://www.cryptopolitan.com/crypto-trader-loses-200k-telegram-bot/"},{"credibility":2,"name":"Welcome to Sigma — Sigma User Guide (official docs)","type":"official","url":"https://docs.sigma.win/"},{"credibility":2,"name":"Sigma DeFi Platform (official website)","type":"official","url":"https://sigma.win/"},{"credibility":2,"name":"Sigma Trading Bot — DappRadar","type":"research","url":"https://dappradar.com/dapp/sigma-trading-bot"},{"credibility":3,"name":"Sigma Bot Review (May 2026) — CoinCodeCap","type":"research","url":"https://coincodecap.com/sigma-bot-review"},{"credibility":3,"name":"Sigma Review (2026) — defipill.xyz","type":"research","url":"https://defipill.xyz/telegram-trading-bots/sigma_review/"},{"credibility":2,"name":"Telegram Crypto Trading Bots: Security Risks and Safety Guide 2026 — Bitget Academy","type":"research","url":"https://www.bitget.com/academy/telegram-crypto-bots-8"},{"credibility":2,"name":"Almost $2 million taken from users of Telegram Banana Gun crypto trading bot — Web3 Is Going Great","type":"news_article","url":"https://www.web3isgoinggreat.com/single/banana-gun-exploit"},{"credibility":1,"name":"Banana Gun promises to refund $3 million stolen from impacted users — The Block","type":"news_article","url":"https://www.theblock.co/post/318074/banana-gun-exploit-refund"},{"credibility":2,"name":"Decoding How The Banana Gun Went Bananas: $3M Exploit — QuillAudits","type":"research","url":"https://www.quillaudits.com/blog/hack-analysis/banana-gun-exploit"},{"credibility":1,"name":"Fake CAPTCHA websites hijack your clipboard to install information stealers — Malwarebytes","type":"research","url":"https://www.malwarebytes.com/blog/news/2025/03/fake-captcha-websites-hijack-your-clipboard-to-install-information-stealers"}],"summary":"SIGMA Bot is a multi-chain Telegram-native cryptocurrency trading and sniping platform operating across seven blockchains, including Ethereum, BSC, Base, Solana, Avalanche, Unichain, and Berachain. On May 11, 2026, prominent crypto trader Unihax0r lost over $200,000 across Ethereum, Base, and BSC in what on-chain analysts identified as a probable private key compromise; both drained wallets had been exclusively generated via SIGMA, while wallets created through other tools were unaffected. SIGMA has not published a public post-mortem or confirmed the exposure vector as of the date of this investigation, and its team remains pseudonymous with no formal security audit publicly disclosed.","timeline":[{"date":"2024-09-19","event":"Banana Gun Telegram trading bot exploited via Telegram message oracle vulnerability; 11 wallets drained for approximately $3 million. Banana Gun patched the issue and refunded all victims, establishing a precedent for incident response in the category.","source":"Web3 Is Going Great; The Block","source_url":"https://www.web3isgoinggreat.com/single/banana-gun-exploit"},{"date":"2026-05-11","event":"Crypto trader Unihax0r loses over $200,000 across Ethereum, Base, and BSC. Both drained wallets were originally generated through SIGMA. On-chain analyst @k0braca1 identifies the attack as a private key compromise rather than a smart contract exploit. Funds drained in approximately 10-30 minutes; subsequently moved through mixers.","source":"CryptoTimes; CryptoNews.net; Crypto Economy","source_url":"https://www.cryptotimes.io/2026/05/11/crypto-trader-drained-of-200k-in-telegram-bot-linked-crypto-hack/"},{"date":"2026-05-11","event":"Multiple crypto news outlets (CryptoTimes, MEXC News, CryptoNews.net, Cryptopolitan, Crypto Economy) report the incident, noting SIGMA's role in wallet generation and the absence of any official statement from the SIGMA team.","source":"MEXC News","source_url":"https://www.mexc.com/news/1083127"}]},"v":1}Verify offline (run on your own machine)python -m src.verify_decision 74abe133-54b9-4762-8a95-500b1551d4bc - #2reviewby reviewerreviewer2026-06-02 02:51:59ZScore: 22 → 22 (no score change)The investigation's core factual claims — the May 11, 2026 incident amount, chains affected, victim identity, timing, analyst attribution, SIGMA's silence, and comparative incident data — are well-supported by multiple corroborating news sources. The primary weaknesses are: one Hacken quote attributed to bulk private key export could not be found in the cited source; the CoinTelegraph Banana Gun URL is dead (404); The Defiant Unibot URL is inaccessible (403); and the terms-and-conditions inaccessibility claim is ambiguous given search engine indexing of the page. The SIGMA-as-root-cause framing is appropriately hedged throughout as an inference rather than a confirmed breach, which is accurate given the available evidence.anchoranchored
- chain
- ●mainnet-betaslot 423,722,393
- sig
5B7enKqELvEY…Pa5Gf3mpexplorer ↗- hash
APJCQM25i9d2…3T82LU74sha256 → base58
verifying row…full verify ↗canonical bytes (1077 B) ▸
{"actor":"reviewer","decided_at":"2026-06-02T02:51:58.824Z","decision":"review","investigation_id":"cfa54088-9549-4a76-a3e8-6567fa5722af","new_score":22,"page_slug":"sigma-bot","prev_score":22,"reason":"The investigation's core factual claims — the May 11, 2026 incident amount, chains affected, victim identity, timing, analyst attribution, SIGMA's silence, and comparative incident data — are well-supported by multiple corroborating news sources. The primary weaknesses are: one Hacken quote attributed to bulk private key export could not be found in the cited source; the CoinTelegraph Banana Gun URL is dead (404); The Defiant Unibot URL is inaccessible (403); and the terms-and-conditions inaccessibility claim is ambiguous given search engine indexing of the page. The SIGMA-as-root-cause framing is appropriately hedged throughout as an inference rather than a confirmed breach, which is accurate given the available evidence.","score_delta":0,"sequence_num":2,"submission_content_hash":null,"submission_id":null,"submission_kind":null,"submission_valence":null,"v":1}Verify offline (run on your own machine)python -m src.verify_decision 1d825e84-8bf0-4740-93cd-e93e1f38b787 - #3review reviseby judgejudge2026-06-02 02:51:59ZScore: 22 → 14 (-8)The core incident reporting — the May 11, 2026 drain amount, chains, victim identity, timing, wallet origin analysis, and SIGMA's silence — is confirmed across multiple independent Tier 2 sources and is not in dispute. The reviewer's 15.4% disputed_pct reflects three issues warranting revision: (1) claim_findings[15] flags that a direct quote attributed to Hacken about bulk private key export could not be found in the cited source (hacken.io), which is a citation integrity concern regardless of whether the underlying sentiment is accurate; (2) two instances of link rot on a Tier 1 CoinTelegraph URL (Banana Gun, claim_findings[16]) and a Tier 2 Defiant URL (Unibot, claim_findings[20]) — both are dead but their underlying facts are corroborated by alternative sources; and (3) the summary's characterization that both wallets are 'traceable exclusively to SIGMA's wallet generation infrastructure' (claim_findings[2]) overstates forensic certainty relative to what sources confirm. No status change or delisting is warranted given the page's appropriate epistemic hedging throughout and the strong corroboration of its central claims. Revision should focus on verifying or removing the unlocatable Hacken quote and updating or replacing the two broken citations.anchoranchored
- chain
- ●mainnet-betaslot 423,722,395
- sig
2t3p6t8WK3cc…nChgXc8hexplorer ↗- hash
DwvzD63fFvEb…yK4ECouRsha256 → base58
verifying row…full verify ↗canonical bytes (1620 B) ▸
{"actor":"judge","decided_at":"2026-06-02T02:51:58.824Z","decision":"review_revise","investigation_id":"cfa54088-9549-4a76-a3e8-6567fa5722af","new_score":14,"page_slug":"sigma-bot","prev_score":22,"reason":"The core incident reporting — the May 11, 2026 drain amount, chains, victim identity, timing, wallet origin analysis, and SIGMA's silence — is confirmed across multiple independent Tier 2 sources and is not in dispute. The reviewer's 15.4% disputed_pct reflects three issues warranting revision: (1) claim_findings[15] flags that a direct quote attributed to Hacken about bulk private key export could not be found in the cited source (hacken.io), which is a citation integrity concern regardless of whether the underlying sentiment is accurate; (2) two instances of link rot on a Tier 1 CoinTelegraph URL (Banana Gun, claim_findings[16]) and a Tier 2 Defiant URL (Unibot, claim_findings[20]) — both are dead but their underlying facts are corroborated by alternative sources; and (3) the summary's characterization that both wallets are 'traceable exclusively to SIGMA's wallet generation infrastructure' (claim_findings[2]) overstates forensic certainty relative to what sources confirm. No status change or delisting is warranted given the page's appropriate epistemic hedging throughout and the strong corroboration of its central claims. Revision should focus on verifying or removing the unlocatable Hacken quote and updating or replacing the two broken citations.","score_delta":-8,"sequence_num":3,"submission_content_hash":null,"submission_id":null,"submission_kind":null,"submission_valence":null,"v":1}Verify offline (run on your own machine)python -m src.verify_decision 4346bc55-a5e1-4a4c-80a0-43c6b8c2ee01 - #4reviewby reviewerreviewer2026-06-02 16:20:06ZScore: 14 → 14 (no score change)The investigation is substantively accurate across its core claims. The May 11, 2026 incident facts — amount, chains, timing, victim identity, analyst attribution, wallet origin pattern, and SIGMA silence — are confirmed by multiple independent news sources. Two dead links (CoinTelegraph 404, The Defiant 403) are flagged but their underlying claims are corroborated by other sources. One notable sourcing error: the Hacken article cited for 'bulk private key export' language does not contain that phrase — similar language appears in KuCoin's Polycule coverage instead, suggesting a misattribution. The terms-and-conditions inaccessibility claim is weakly disputed given search engine indexing. The framing of SIGMA as the root cause is appropriately hedged throughout as an inference from wallet origin correlation, not a confirmed server-side breach.anchoranchored
- chain
- ●mainnet-betaslot 423,844,500
- sig
575Ut7YbVfHr…8aGEiTzQexplorer ↗- hash
5K2WrNSfubmD…DgvnnjaYsha256 → base58
verifying row…full verify ↗canonical bytes (1200 B) ▸
{"actor":"reviewer","decided_at":"2026-06-02T16:20:06.774Z","decision":"review","investigation_id":"cfa54088-9549-4a76-a3e8-6567fa5722af","new_score":14,"page_slug":"sigma-bot","prev_score":14,"reason":"The investigation is substantively accurate across its core claims. The May 11, 2026 incident facts — amount, chains, timing, victim identity, analyst attribution, wallet origin pattern, and SIGMA silence — are confirmed by multiple independent news sources. Two dead links (CoinTelegraph 404, The Defiant 403) are flagged but their underlying claims are corroborated by other sources. One notable sourcing error: the Hacken article cited for 'bulk private key export' language does not contain that phrase — similar language appears in KuCoin's Polycule coverage instead, suggesting a misattribution. The terms-and-conditions inaccessibility claim is weakly disputed given search engine indexing. The framing of SIGMA as the root cause is appropriately hedged throughout as an inference from wallet origin correlation, not a confirmed server-side breach.","score_delta":0,"sequence_num":4,"submission_content_hash":null,"submission_id":null,"submission_kind":null,"submission_valence":null,"v":1}Verify offline (run on your own machine)python -m src.verify_decision e2b26ad2-63bf-4af3-8f4a-c20046aa6823 - #5review reviseby judgejudge2026-06-02 16:20:07ZScore: 14 → 4 (-10)The investigation's core incident claims — the May 11, 2026 drain amount, chains, timing, victim identity, analyst attribution, and SIGMA's silence — are confirmed by multiple independent Tier 2 news sources across claim_findings[1] through claim_findings[8]. The reviewer's disputed_pct of 13.3% falls in the minor-issues band. Three items require remediation: (1) claim_findings[15] identifies a sourcing misattribution where the 'bulk private key export' quote attributed to Hacken in sections[6] does not appear in the cited Hacken article — similar language originates from KuCoin's Polycule coverage and the quote should be verified or removed; (2) two dead citations need replacement, as the CoinTelegraph Banana Gun URL (claim_findings[27]) returns 404 across three page locations and The Defiant Unibot URL (claim_findings[28]) returns 403; and (3) three high-priority coverage gaps remain open — independent block explorer verification of attacker wallet 0xF7cFFC27732a5C9c4E2D592F3E33435F8dDb019A, a search for additional SIGMA victims beyond Unihax0r, and direct review of SIGMA's Telegram and X channels post-May 11 — any of which could materially change the incident scope assessment.anchoranchored
- chain
- ●mainnet-betaslot 423,844,516
- sig
4GpiM3NJhreb…naAPhGDwexplorer ↗- hash
9rkTMqm9zieC…iHVKjFt8sha256 → base58
verifying row…full verify ↗canonical bytes (1548 B) ▸
{"actor":"judge","decided_at":"2026-06-02T16:20:06.774Z","decision":"review_revise","investigation_id":"cfa54088-9549-4a76-a3e8-6567fa5722af","new_score":4,"page_slug":"sigma-bot","prev_score":14,"reason":"The investigation's core incident claims — the May 11, 2026 drain amount, chains, timing, victim identity, analyst attribution, and SIGMA's silence — are confirmed by multiple independent Tier 2 news sources across claim_findings[1] through claim_findings[8]. The reviewer's disputed_pct of 13.3% falls in the minor-issues band. Three items require remediation: (1) claim_findings[15] identifies a sourcing misattribution where the 'bulk private key export' quote attributed to Hacken in sections[6] does not appear in the cited Hacken article — similar language originates from KuCoin's Polycule coverage and the quote should be verified or removed; (2) two dead citations need replacement, as the CoinTelegraph Banana Gun URL (claim_findings[27]) returns 404 across three page locations and The Defiant Unibot URL (claim_findings[28]) returns 403; and (3) three high-priority coverage gaps remain open — independent block explorer verification of attacker wallet 0xF7cFFC27732a5C9c4E2D592F3E33435F8dDb019A, a search for additional SIGMA victims beyond Unihax0r, and direct review of SIGMA's Telegram and X channels post-May 11 — any of which could materially change the incident scope assessment.","score_delta":-10,"sequence_num":5,"submission_content_hash":null,"submission_id":null,"submission_kind":null,"submission_valence":null,"v":1}Verify offline (run on your own machine)python -m src.verify_decision fba5ede4-92c0-4946-ada2-1e4b573e435c - #6reviewby reviewerreviewer2026-06-03 04:23:52ZScore: 4 → 4 (no score change)The investigation is factually solid on its core claims. The May 11, 2026 incident details, wallet origin analysis, @k0braca1 analyst findings, comparative Telegram bot incidents, and SIGMA's silence are all independently confirmed. Two source URLs are inaccessible (CoinTelegraph 404, Defiant 403) and one ForkLog quote lacks a traceable citation, but the underlying facts in all three cases are verified through alternative sources. The most significant structural gap is the absence of direct on-chain trace evidence and documented inspection of SIGMA's own post-incident communication channels, which would further substantiate the central attribution and no-response claims.anchoranchored
- chain
- ●mainnet-betaslot 423,953,605
- sig
2H5k5LyodguG…b8Wkr37gexplorer ↗- hash
5cqsq8jj3LAE…aosZJ3jHsha256 → base58
verifying row…full verify ↗canonical bytes (1022 B) ▸
{"actor":"reviewer","decided_at":"2026-06-03T04:23:52.659Z","decision":"review","investigation_id":"cfa54088-9549-4a76-a3e8-6567fa5722af","new_score":4,"page_slug":"sigma-bot","prev_score":4,"reason":"The investigation is factually solid on its core claims. The May 11, 2026 incident details, wallet origin analysis, @k0braca1 analyst findings, comparative Telegram bot incidents, and SIGMA's silence are all independently confirmed. Two source URLs are inaccessible (CoinTelegraph 404, Defiant 403) and one ForkLog quote lacks a traceable citation, but the underlying facts in all three cases are verified through alternative sources. The most significant structural gap is the absence of direct on-chain trace evidence and documented inspection of SIGMA's own post-incident communication channels, which would further substantiate the central attribution and no-response claims.","score_delta":0,"sequence_num":6,"submission_content_hash":null,"submission_id":null,"submission_kind":null,"submission_valence":null,"v":1}Verify offline (run on your own machine)python -m src.verify_decision 284ddbb2-e422-41bd-948a-9802c60a0450 - #7review approveby judgejudge2026-06-03 04:23:53ZScore: 4 → 4 (no score change)The reviewer found 23 of 28 claims confirmed, 4 partially supported, and zero outright disputed, yielding a disputed_pct of 4% — within the 0–10% approval band. The four partially-supported findings (claim_findings[1], [13], [21], [24]) reflect minor precision gaps in causal inference language and one unverified verbatim quote, not factual contradictions. Two dead source URLs (claim_findings[16] link_rot finding: CoinTelegraph 404; Defiant 403) affect comparison-section citations only, and the underlying facts they support are independently confirmed by working Tier 2 alternates. Two high-priority coverage gaps — on-chain wallet trace for 0xF7cFFC27732a5C9c4E2D592F3E33435F8dDb019A and direct inspection of SIGMA's post-incident communication channels — are noted for future expansion but do not undermine the page's published claims. Reviewer confidence of 0.82 supports approval.anchoranchored
- chain
- ●mainnet-betaslot 423,953,612
- sig
W9iUX5AudyhW…USFCc3hGexplorer ↗- hash
AoAfWrWcUXYg…qgD2M9QFsha256 → base58
verifying row…full verify ↗canonical bytes (1237 B) ▸
{"actor":"judge","decided_at":"2026-06-03T04:23:52.659Z","decision":"review_approve","investigation_id":"cfa54088-9549-4a76-a3e8-6567fa5722af","new_score":4,"page_slug":"sigma-bot","prev_score":4,"reason":"The reviewer found 23 of 28 claims confirmed, 4 partially supported, and zero outright disputed, yielding a disputed_pct of 4% — within the 0–10% approval band. The four partially-supported findings (claim_findings[1], [13], [21], [24]) reflect minor precision gaps in causal inference language and one unverified verbatim quote, not factual contradictions. Two dead source URLs (claim_findings[16] link_rot finding: CoinTelegraph 404; Defiant 403) affect comparison-section citations only, and the underlying facts they support are independently confirmed by working Tier 2 alternates. Two high-priority coverage gaps — on-chain wallet trace for 0xF7cFFC27732a5C9c4E2D592F3E33435F8dDb019A and direct inspection of SIGMA's post-incident communication channels — are noted for future expansion but do not undermine the page's published claims. Reviewer confidence of 0.82 supports approval.","score_delta":0,"sequence_num":7,"submission_content_hash":null,"submission_id":null,"submission_kind":null,"submission_valence":null,"v":1}Verify offline (run on your own machine)python -m src.verify_decision a4db0c4e-516a-4aeb-bda2-5d1c406fd1c1
How verification works. The “Row integrity” check above is computed in your browser — your machine recomputes the SHA-256 of the canonical bytes and compares against the stored hash. No avoid.net server can fake that check. The “full verify” link goes one level deeper: your browser fetches the on-chain transaction from a Solana RPC node and confirms the same hash is in the memo. If you don’t want to trust either avoid.net or the public RPC, run the CLI verifier on your own machine —
python -m src.verify_decision <event_id>.