SIGMA Bot: 1 decision on this page
Audit log
Every state-changing event for SIGMA Bot: moderation decisions on community submissions, plus corrections and updates from the news pipeline. URL-based decisions carry three independent witnesses — the original source, an Internet Archive snapshot taken at submission time, and a Solana memo signed by our publicly-disclosed publisher key.
- #1 publish by system:backfill, 2026-05-31 07:24:59Z
- Score: ? → ? (no score change)
- anchor: anchored
- chain: mainnet-beta, slot 423,328,416
- sig: 3MXXjk6rUXUC…jLojqh4V
- hash: 7qRa75rKDFqh…hsi4xzDo (sha256 → base58)
- canonical bytes (16753 B):
{"actor":"system:backfill","investigation_id":"cfa54088-9549-4a76-a3e8-6567fa5722af","kind":"publish","page_slug":"sigma-bot","published_at":"2026-05-31T07:24:58.978Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"SIGMA Bot","sections":[{"content":"SIGMA Bot (accessible at sigma.win) is a Telegram-native decentralized finance trading platform that allows users to trade, copy-trade, and snipe tokens across multiple blockchains from within the Telegram messaging application. The platform supports seven chains: Ethereum, Binance Smart Chain (BSC), Base, Solana, Avalanche, Unichain, and Berachain. SIGMA charges a flat 1% fee per transaction across all supported networks. The platform generates wallets automatically upon first use and supports import of externally generated wallets. Its documentation claims a non-custodial model stating 'you control your keys and funds,' though the security architecture underlying private key generation and server-side storage is not publicly documented or audited. 
SIGMA markets itself as 'the fastest, most secure multi-chain trading bot,' trusted by over 200,000 users according to promotional materials, though this figure is unverified by independent sources.","heading":"Platform Overview","severity":"low","sources":[{"credibility":2,"name":"Welcome to Sigma — Sigma User Guide (official docs)","type":"official","url":"https://docs.sigma.win/"},{"credibility":3,"name":"Sigma Review (2026) — Multi-Chain Telegram Bot: 7 Chains","type":"research","url":"https://defipill.xyz/telegram-trading-bots/sigma_review/"},{"credibility":3,"name":"Sigma Bot Review (May 2026) — CoinCodeCap","type":"research","url":"https://coincodecap.com/sigma-bot-review"},{"credibility":2,"name":"Sigma Trading Bot — DappRadar","type":"research","url":"https://dappradar.com/dapp/sigma-trading-bot"}]},{"content":"On May 11, 2026, crypto trader and X personality Unihax0r (@0xUnihax0r) had two wallets drained across Ethereum, Base, and Binance Smart Chain in a coordinated multi-chain attack totaling over $200,000. The largest single loss was approximately $125,000 in $POD tokens on Base, followed by approximately $21,000 in $FHE on BSC, with additional ETH and $SAT1 positions across chains. The drain was executed in an estimated 10 to 30 minute window (approximately 00:37 to 00:56 UTC). On-chain analyst @k0braca1 stated the attacker 'had full control over signing operations across multiple chains: Ethereum, Base and BSC,' and noted the absence of malicious token approvals, indicating the attack involved direct private key access rather than a smart contract exploit or phishing approval. The attacker sent small ETH amounts to compromised wallets first to cover gas fees before executing the drains. Both drained wallets had been originally generated via the SIGMA Telegram trading bot, then subsequently imported into GMGN and Rabby Wallet. Other wallets present on Rabby Wallet and Jupiter that were not created through SIGMA were not affected. 
Community investigators and fraud tracking accounts offered tracing assistance; funds were subsequently moved through mixers, with the majority of stolen assets sitting in attacker-controlled addresses primarily on Base as of reporting. Recovery prospects were assessed as low.","heading":"May 2026 Security Incident: Unihax0r Wallet Drain","severity":"high","sources":[{"credibility":2,"name":"Crypto Trader Drained of $200K in Telegram Bot Linked Crypto Hack — CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/05/11/crypto-trader-drained-of-200k-in-telegram-bot-linked-crypto-hack/"},{"credibility":2,"name":"SIGMA bot blamed as attacker drains $200K from trader's wallets — MEXC News","type":"news_article","url":"https://www.mexc.com/news/1083127"},{"credibility":2,"name":"SIGMA bot blamed as attacker drains $200K from trader's wallets — CryptoNews.net","type":"news_article","url":"https://cryptonews.net/news/security/32844596/"},{"credibility":2,"name":"Crypto Trader Loses $200K After Telegram Bot Allegedly Exposes Private Keys — Crypto Economy","type":"news_article","url":"https://crypto-economy.com/crypto-trader-loses-200k-after-telegram-bot-allegedly-exposes-private-keys/"},{"credibility":2,"name":"Crypto trader loses $200K after Telegram bot leaks private keys — Cryptopolitan","type":"news_article","url":"https://www.cryptopolitan.com/crypto-trader-loses-200k-telegram-bot/"}]},{"content":"The precise mechanism by which the attacker allegedly obtained private key material has not been confirmed by SIGMA or by any on-chain forensics firm as of the date of this investigation. Community on-chain analysts and reporting outlets have identified four suspected vectors, none of which has been definitively established. 
First, malicious CAPTCHA bots allegedly embedded within SIGMA's Telegram channel: fake CAPTCHA challenges presented to users interacting with SIGMA may have functioned as credential-harvesting tools designed to deliver infostealers via clipboard hijacking, a technique documented in broader phishing campaigns during 2025 and 2026. Second, infostealer or other device-compromising malware may have captured private keys or seed phrases from the victim's local device independent of SIGMA's infrastructure. Third, a fake or malicious GMGN workflow may have intercepted key material when Unihax0r imported SIGMA-generated wallets into the GMGN platform. Fourth, malicious browser extensions could have captured keys during an import event. Analysts noted the correlation between SIGMA-generated wallets and the exclusive targeting of those wallets as circumstantially significant, but this correlation does not exclude the possibility that the private key leak occurred at a later stage such as during import into a third-party application. 
SIGMA has not published a statement addressing any of these vectors.","heading":"Alleged Attack Vectors (Unconfirmed)","severity":"high","sources":[{"credibility":2,"name":"Crypto Trader Drained of $200K in Telegram Bot Linked Crypto Hack — CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/05/11/crypto-trader-drained-of-200k-in-telegram-bot-linked-crypto-hack/"},{"credibility":2,"name":"SIGMA bot blamed as attacker drains $200K from trader's wallets — CryptoNews.net","type":"news_article","url":"https://cryptonews.net/news/security/32844596/"},{"credibility":1,"name":"Fake CAPTCHA websites hijack your clipboard to install information stealers — Malwarebytes","type":"research","url":"https://www.malwarebytes.com/blog/news/2025/03/fake-captcha-websites-hijack-your-clipboard-to-install-information-stealers"}]},{"content":"As of the date of this investigation, SIGMA has not published a public post-mortem, incident report, or any official communication acknowledging the May 11, 2026 incident. No statement was identified on SIGMA's official X account (@SigmaTradingBot), official Telegram channel (@SB_sigmabot or @SigmaBotPortal), or its documentation site (docs.sigma.win). This stands in contrast to the response exhibited by the Banana Gun bot following a comparable September 2024 Telegram oracle vulnerability exploit, in which Banana Gun shut down its bot, publicly acknowledged the incident, patched the vulnerability, and reimbursed all eleven affected users approximately $3 million from its treasury. The lack of any statement from SIGMA is a transparency risk signal, particularly given that the incident was covered by multiple crypto news outlets and the causal link to SIGMA-generated wallets was publicly reported. 
Users currently relying on SIGMA-generated wallets have received no official guidance on whether to rotate keys or take protective measures.","heading":"Absence of Official Response and Transparency","severity":"high","sources":[{"credibility":2,"name":"Crypto Trader Drained of $200K in Telegram Bot Linked Crypto Hack — CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/05/11/crypto-trader-drained-of-200k-in-telegram-bot-linked-crypto-hack/"},{"credibility":1,"name":"Banana Gun promises to refund $3 million stolen from impacted users — The Block","type":"news_article","url":"https://www.theblock.co/post/318074/banana-gun-exploit-refund"},{"credibility":2,"name":"Almost $2 million taken from users of Telegram Banana Gun crypto trading bot — Web3 Is Going Great","type":"news_article","url":"https://www.web3isgoinggreat.com/single/banana-gun-exploit"}]},{"content":"SIGMA's team is not publicly identified. The documentation refers only to 'a team of professional coders and seasoned snipers' without disclosing any names, identities, or professional backgrounds. No founders or executives are listed on the platform's website or documentation. This anonymity is an elevated risk signal for a custodial-adjacent service where users' private keys are generated within the platform's infrastructure at wallet creation. Furthermore, no independent security audit of SIGMA's codebase, private key generation process, or server-side infrastructure has been identified in any publicly available source. Security firm Hacken has noted that most Telegram trading bots are closed-source and unaudited, and some explicitly disclaim responsibility for unauthorized access in their terms of service. 
The absence of both a named team and a third-party audit makes independent risk assessment of SIGMA's key management practices impossible.","heading":"Anonymous Team and Absence of Security Audit","severity":"high","sources":[{"credibility":2,"name":"Welcome to Sigma — Sigma User Guide (official docs)","type":"official","url":"https://docs.sigma.win/"},{"credibility":3,"name":"Sigma Bot Review (May 2026) — CoinCodeCap","type":"research","url":"https://coincodecap.com/sigma-bot-review"},{"credibility":2,"name":"Telegram Crypto Trading Bots: Security Risks and Safety Guide 2026 — Bitget Academy","type":"research","url":"https://www.bitget.com/academy/telegram-crypto-bots-8"}]},{"content":"The SIGMA incident reflects a broader, documented systemic risk in the Telegram trading bot category. When users generate wallets through Telegram bots, private keys are created within and — in many implementations — stored or transmitted through the bot provider's server infrastructure. Unlike hardware wallets where keys never leave the device, Telegram bot wallets depend on the security of the bot operator's backend, the user's Telegram account, and every intermediary through which key material passes. A 2024 incident involving Banana Gun saw 11 wallets drained for approximately $3 million via a vulnerability in Telegram's message oracle, demonstrating that even established bots with named teams and significant user bases are exposed to infrastructure-level key compromise. The Telegram platform itself does not apply end-to-end encryption to bot interactions. ScamSniffer reported a 2,000% increase in Telegram group malware scams between November 2024 and January 2025. Security researchers have identified over 340 fraudulent crypto trading bots on Telegram during 2025 alone. 
The SIGMA incident, whether or not SIGMA's own infrastructure was the proximate cause, underscores the category-wide risk of concentrating significant holdings in Telegram-bot-generated wallets.","heading":"Systemic Risk: Telegram-Native Bot Private Key Custody","severity":"medium","sources":[{"credibility":2,"name":"Telegram Crypto Trading Bots: Security Risks and Safety Guide 2026 — Bitget Academy","type":"research","url":"https://www.bitget.com/academy/telegram-crypto-bots-8"},{"credibility":2,"name":"Almost $2 million taken from users of Telegram Banana Gun crypto trading bot — Web3 Is Going Great","type":"news_article","url":"https://www.web3isgoinggreat.com/single/banana-gun-exploit"},{"credibility":2,"name":"Decoding How The Banana Gun Went Bananas: $3M Exploit — QuillAudits","type":"research","url":"https://www.quillaudits.com/blog/hack-analysis/banana-gun-exploit"}]}],"sources_used":[{"credibility":2,"name":"Crypto Trader Drained of $200K in Telegram Bot Linked Crypto Hack — CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/05/11/crypto-trader-drained-of-200k-in-telegram-bot-linked-crypto-hack/"},{"credibility":2,"name":"SIGMA bot blamed as attacker drains $200K from trader's wallets — MEXC News","type":"news_article","url":"https://www.mexc.com/news/1083127"},{"credibility":2,"name":"SIGMA bot blamed as attacker drains $200K from trader's wallets — CryptoNews.net","type":"news_article","url":"https://cryptonews.net/news/security/32844596/"},{"credibility":2,"name":"Crypto Trader Loses $200K After Telegram Bot Allegedly Exposes Private Keys — Crypto Economy","type":"news_article","url":"https://crypto-economy.com/crypto-trader-loses-200k-after-telegram-bot-allegedly-exposes-private-keys/"},{"credibility":2,"name":"Crypto trader loses $200K after Telegram bot leaks private keys — Cryptopolitan","type":"news_article","url":"https://www.cryptopolitan.com/crypto-trader-loses-200k-telegram-bot/"},{"credibility":2,"name":"Welcome to Sigma 
— Sigma User Guide (official docs)","type":"official","url":"https://docs.sigma.win/"},{"credibility":2,"name":"Sigma DeFi Platform (official website)","type":"official","url":"https://sigma.win/"},{"credibility":2,"name":"Sigma Trading Bot — DappRadar","type":"research","url":"https://dappradar.com/dapp/sigma-trading-bot"},{"credibility":3,"name":"Sigma Bot Review (May 2026) — CoinCodeCap","type":"research","url":"https://coincodecap.com/sigma-bot-review"},{"credibility":3,"name":"Sigma Review (2026) — defipill.xyz","type":"research","url":"https://defipill.xyz/telegram-trading-bots/sigma_review/"},{"credibility":2,"name":"Telegram Crypto Trading Bots: Security Risks and Safety Guide 2026 — Bitget Academy","type":"research","url":"https://www.bitget.com/academy/telegram-crypto-bots-8"},{"credibility":2,"name":"Almost $2 million taken from users of Telegram Banana Gun crypto trading bot — Web3 Is Going Great","type":"news_article","url":"https://www.web3isgoinggreat.com/single/banana-gun-exploit"},{"credibility":1,"name":"Banana Gun promises to refund $3 million stolen from impacted users — The Block","type":"news_article","url":"https://www.theblock.co/post/318074/banana-gun-exploit-refund"},{"credibility":2,"name":"Decoding How The Banana Gun Went Bananas: $3M Exploit — QuillAudits","type":"research","url":"https://www.quillaudits.com/blog/hack-analysis/banana-gun-exploit"},{"credibility":1,"name":"Fake CAPTCHA websites hijack your clipboard to install information stealers — Malwarebytes","type":"research","url":"https://www.malwarebytes.com/blog/news/2025/03/fake-captcha-websites-hijack-your-clipboard-to-install-information-stealers"}],"summary":"SIGMA Bot is a multi-chain Telegram-native cryptocurrency trading and sniping platform operating across seven blockchains, including Ethereum, BSC, Base, Solana, Avalanche, Unichain, and Berachain. 
On May 11, 2026, prominent crypto trader Unihax0r lost over $200,000 across Ethereum, Base, and BSC in what on-chain analysts identified as a probable private key compromise; both drained wallets had been exclusively generated via SIGMA, while wallets created through other tools were unaffected. SIGMA has not published a public post-mortem or confirmed the exposure vector as of the date of this investigation, and its team remains pseudonymous with no formal security audit publicly disclosed.","timeline":[{"date":"2024-09-19","event":"Banana Gun Telegram trading bot exploited via Telegram message oracle vulnerability; 11 wallets drained for approximately $3 million. Banana Gun patched the issue and refunded all victims, establishing a precedent for incident response in the category.","source":"Web3 Is Going Great; The Block","source_url":"https://www.web3isgoinggreat.com/single/banana-gun-exploit"},{"date":"2026-05-11","event":"Crypto trader Unihax0r loses over $200,000 across Ethereum, Base, and BSC. Both drained wallets were originally generated through SIGMA. On-chain analyst @k0braca1 identifies the attack as a private key compromise rather than a smart contract exploit. Funds drained in approximately 10-30 minutes; subsequently moved through mixers.","source":"CryptoTimes; CryptoNews.net; Crypto Economy","source_url":"https://www.cryptotimes.io/2026/05/11/crypto-trader-drained-of-200k-in-telegram-bot-linked-crypto-hack/"},{"date":"2026-05-11","event":"Multiple crypto news outlets (CryptoTimes, MEXC News, CryptoNews.net, Cryptopolitan, Crypto Economy) report the incident, noting SIGMA's role in wallet generation and the absence of any official statement from the SIGMA team.","source":"MEXC News","source_url":"https://www.mexc.com/news/1083127"}]},"v":1}
Verify offline (run on your own machine):
python -m src.verify_decision 74abe133-54b9-4762-8a95-500b1551d4bc
How verification works. The “Row integrity” check above is computed in your browser: your machine recomputes the SHA-256 of the canonical bytes and compares it against the stored hash. No avoid.net server can fake that check. The “full verify” link goes one level deeper: your browser fetches the on-chain transaction from a Solana RPC node and confirms the same hash is in the memo. If you don’t want to trust either avoid.net or the public RPC, run the CLI verifier on your own machine: python -m src.verify_decision <event_id>.
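The row-integrity and memo checks described above, as an added example (not avoid.net's verifier and not code from this page): it recomputes SHA-256 over the canonical bytes, base58-encodes the digest, and compares the result with the stored hash and with a memo string. The canonicalization rule (sorted keys, compact separators), the memo layout, the function names and the sample event are assumptions constructed for illustration.

```python
import hashlib
import json

# Base58 alphabet used by Bitcoin and Solana (no 0, O, I, l).
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58encode(data: bytes) -> str:
    """Base58-encode bytes; each leading zero byte becomes a leading '1'."""
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = B58[rem] + out
    pad = len(data) - len(data.lstrip(b"\x00"))
    return "1" * pad + out


def canonical_bytes(event: dict) -> bytes:
    # ASSUMPTION: canonical form = sorted keys, compact separators, UTF-8.
    # The real rule must come from the publisher; any difference changes the hash.
    return json.dumps(event, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def row_hash(raw: bytes) -> str:
    """sha256 -> base58, the encoding shown next to the stored hash."""
    return b58encode(hashlib.sha256(raw).digest())


def verify_row(raw: bytes, stored_hash: str, memo: str) -> dict:
    """Recompute the hash locally, then compare it with both witnesses."""
    if "…" in stored_hash or "..." in stored_hash:
        # A shortened display value (prefix…suffix) proves nothing: many
        # digests share a prefix and suffix. Require the full hash.
        raise ValueError("truncated hash cannot be verified")
    computed = row_hash(raw)
    return {
        "row_integrity": computed == stored_hash,
        # ASSUMPTION: the memo text carries the base58 hash verbatim.
        "memo_anchored": computed in memo,
    }


# Constructed sample event (not the record from this page).
SAMPLE_EVENT = {"v": 1, "kind": "publish", "actor": "system:backfill",
                "page_slug": "example-page", "sequence_num": 1}

if __name__ == "__main__":
    raw = canonical_bytes(SAMPLE_EVENT)
    stored = row_hash(raw)  # stands in for the value stored with the row
    print(verify_row(raw, stored, "audit:" + stored))
    print(verify_row(raw.replace(b"publish", b"correct"), stored, stored))
```

The hash must be computed over the exact bytes the publisher hashed; text copied from a rendered page that has been re-wrapped or re-encoded will not match even when the record is intact.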