Documentation
Understanding how Rico Maps detects coordinated wallet activity and cabal networks.
1What We Detect
Cabal Networks
A "cabal" is a group of wallets that appear independent but are actually coordinated. We detect this by finding shared funders - wallets that funded multiple token holders.
DEX Obfuscation
Some actors route funds through DEXs (Jupiter, Raydium, etc.) to hide the funding source. We flag holders whose initial funding came through a DEX transaction as potentially obfuscated.
Fresh Wallet Funders
Wallets less than 7 days old that fund multiple holders are flagged as suspicious. Legitimate actors rarely create new wallets just to distribute tokens.
2What We Display
The token being analyzed (center node)
Clean token holders with no detected cabal connections
Holders linked to a cabal funder (suspicious)
Wallet that funded multiple token holders
Statistics Panel
- •Node Breakdown - Count of each node type
- •Cabal Links - Total connections between funders and holders
- •Top Cabal Funders - Ranked by how many holders they funded
- •DEX Funded - Holders with obfuscated funding sources
3Technical Implementation
Step 1: Fetch Token Holders
We use Helius's getTokenAccounts API to fetch all token holders, sorted by balance. We analyze the top 30 holders by default.
method: "getTokenAccounts"
params: { mint, limit: 1000 }
Step 2: Trace Funding Sources
For each holder, we fetch their earliest transactions usinggetTransactionsForAddress with the tokenAccounts: "balanceChanged" filter to capture Associated Token Account (ATA) transactions.
method: "getTransactionsForAddress"
params: [address, {
sortOrder: "asc", // oldest first
filters: { tokenAccounts: "balanceChanged" }
}]
Step 3: Build Funder Map
We extract nativeTransfers from each transaction to identify who sent SOL to each holder. We build a map of funder → [list of holders they funded].
funderMap = {
"FunderWallet1": ["Holder1", "Holder2", "Holder3"],
"FunderWallet2": ["Holder4"],
}
Step 4: Detect Cabals
Any funder that appears in 2 or more holders' funding history is flagged as a cabal funder. The holders they funded are marked as connected.
if holders.length > 1:
// CABAL DETECTED
mark funder as "cabal-funder"
mark holders as "connected"
Step 5: Render Graph
The resulting nodes and links are rendered using Three.js with a force-directed layout (d3-force-3d). Cabal connections naturally cluster together due to the link forces, making coordinated networks visually obvious.
4Data Sources
Helius API
Transaction history, token holders, and parsed transaction data via Helius RPC and Enhanced APIs.
DexScreener API
Token metadata, icons, and trending token data for the discovery section.
5Limitations
- •We analyze the top 30 holders by default. Smaller holders are not analyzed.
- •We trace the first 3 funders per holder. Deep funding chains may be missed.
- •CEX withdrawals and legitimate shared services may cause false positives.
- •Multi-hop obfuscation (A → B → C → Holder) is not fully traced.
6Embed on Your Site
Quick Start
Embed Rico Maps visualizations directly into your website, dashboard, or app. Simply use the iframe code below with your target address.
<iframe src="https://ricomaps.com/embed?address=&view=forensic" width="100%" height="500px" frameborder="0" allow="accelerometer; gyroscope" style="border-radius: 8px;" ></iframe>
URL Parameters
| Parameter | Description | Default |
|---|---|---|
address | Solana wallet or token mint address | required |
view | Visualization style: forensic or bubble | forensic |
hideWatermark | Hide the "Powered by RicoMaps" badge | false |
Example Embeds
Token Analysis (forensic view):
<iframe src="https://ricomaps.com/embed?address=TOKEN_MINT&view=forensic" width="100%" height="500"></iframe>Wallet Trace (bubble view):
<iframe src="https://ricomaps.com/embed?address=WALLET_ADDRESS&view=bubble" width="100%" height="600"></iframe>