
pump.science wallet private key leak: an ongoing storm
TechFlow Selected TechFlow Selected

pump.science wallet private key leak: an ongoing storm
An unresolved turmoil.
By Karen, Foresight News
On the evening of November 25, an address marked on pump.fun as the creator of RIF and URO launched a token called Urolithin B (URO), leading many community members to mistakenly believe it was an official token issued by pump.science. The fake Urolithin B (URO) quickly "graduated" from pump.fun and, within two minutes of liquidity being added, its market cap briefly surged to $10 million. However, it soon began a sharp decline and has since dropped to around $100,000.
This incident also appears to have impacted the market performance of both Urolithin A (URO) and Rifampicin (RIF), with both tokens dropping over 30% in the past 24 hours. So what exactly happened here?
Leak of pump.science Wallet Key Pair
The root cause was a leak of the private key pair belonging to pump.science.
According to the official pump.science team, due to an oversight in their GitHub repository, the wallet address T5j2UBTvLYPCwDP5MVkSALN7fwuLFDL9jUXJNjjb8sc was compromised. Attackers discovered the private key within the website’s source code. This key pair had originally been used for testing purposes in pump.science’s GitHub repository, and the development team failed to recognize its significance.
The scam URO token page that appeared last night on pump.fun shows that the wallet address responsible for deploying this fraudulent token is indeed T5j2UBTvLYPCwDP5MVkSALN7fwuLFDL9jUXJNjjb8sc. According to pump.fun, this same address previously deployed the official tokens Urolithin A (URO) and Rifampicin (RIF) off-chain—tokens now valued at approximately $87 million and $37 million respectively.
The fraudulent URO token was issued on-chain using the leaked key pair associated with the address starting with T5j2UBT. This explains why pump.fun displayed the new token as having been issued by the same entity that deployed the official URO and RIF tokens.

pump.science clarified that this wallet was only designated on pump.fun as the off-chain creator of URO and RIF. Attackers may now exploit this wallet to issue additional tokens. Any token issued by this wallet other than the legitimate URO and RIF should be considered fraudulent.
Notably, pump.science has not offered any remediation or compensation to users who were misled into purchasing the scam URO token—an omission that has sparked widespread discussion and criticism within the community.
pump.fun's Off-Chain Creation Feature Causes Confusion in Blockchain Explorers and Data Tools
Another source of confusion lies in how token creators are displayed across pump.fun, blockchain explorers, and data platforms.
The official URO and RIF tokens from pump.science were created off-chain via pump.fun, whereas the fraudulent URO token was deployed on-chain through the same platform. However, on Solana blockchain explorer Solscan, the deployer address shown for both Urolithin A (URO) and Rifampicin (RIF) is BLDRZQiqt4ESPz12L9mt4XTBjeEfjoBopGPDMA36KtuZ.


To understand this discrepancy, let’s examine pump.fun’s off-chain token creation mechanism. On pump.fun, creating a token off-chain is free, and the token does not immediately go on-chain. It only gets recorded on the blockchain when the first buyer purchases it—and that first buyer must pay the full deployment cost. As a result, for off-chain-created tokens, the first buyer’s wallet address is often incorrectly labeled by blockchain explorers like Solscan or data tools like GMGN as the actual token deployer.
For example, after the official URO and RIF tokens were created off-chain, the first buyer’s wallet address—BLDRZQiqt4ESPz12L9mt4XTBjeEfjoBopGPDMA36KtuZ—was mistakenly flagged by Solscan and GMGN as the deployer of these tokens.
In light of this, investors are advised to carefully distinguish between tokens created on-chain versus off-chain on pump.fun and verify creator information thoroughly to avoid falling victim to scams. Additionally, users should remain vigilant against any potential tokens issued from the compromised T5j2UBTvLY-address linked to pump.science. Furthermore, we urge both platform operators and token deployers to strengthen security protocols to prevent such incidents from recurring.
Join TechFlow official community to stay tuned
Telegram:https://t.me/TechFlowDaily
X (Twitter):https://x.com/TechFlowPost
X (Twitter) EN:https://x.com/BlockFlow_News














