In the crypto world, a rug pull refers to a scam where token creators suddenly abandon their project and walk away with investor funds. This often happens in decentralized finance (DeFi) environments, where oversight is limited and anyone can launch a token. Typically, the project starts by generating hype, encouraging users to buy in. Once enough liquidity is added or tokens are purchased, the developers either drain the liquidity or dump their tokens, causing the price to crash and leaving investors with worthless assets.
Platforms like RugCheck have emerged to reduce the chances of falling for such scams, especially within ecosystems like Solana. RugCheck allows users to input a token address and get an instant analysis of key risk indicators. These include factors such as whether minting is still enabled (which can be exploited to create more tokens), whether token ownership is overly concentrated, whether liquidity is locked, and whether the token has unusual trading limitations. Tools like this help users make better-informed decisions and protect themselves before engaging with unknown tokens.
The purpose of this research is to study on-chain behavior linked to potential rug pulls within the Solana ecosystem. By closely analyzing wallet activity, token distribution, and transaction patterns, we aim to identify the common signals that typically appear before a scam takes place. Understanding these patterns can help build stronger detection methods and early alert systems, making it easier for users and platforms to spot and avoid risky tokens before it’s too late.
To identify potential rug-pulled tokens, we followed a structured approach using both RugCheck's API and on-chain data from Dune Analytics.
The initial token list was generated through the RugCheck API by selecting tokens with a normalized risk score above 70, which typically indicates a higher likelihood of malicious behavior. We then applied the following filters to narrow down the dataset:
Holder Percentage ≤ 90% and > 0%
This ensures that the token supply is not almost entirely controlled by a single wallet.
If more than 90% of the supply is held by one address, the token is unlikely to be exploited as a rug pull due to the lack of external participants.
Rug pulls tend to happen when there’s a broader distribution among holders, making it profitable to extract liquidity from unsuspecting users.
Holder Count > 15
Tokens with more than 15 holders indicate some level of adoption.
This helps us focus on tokens that attracted real users, rather than inactive or dead projects.
Token's Risk Field Includes “rugging”
This checks if the token creator has a history of deploying scam or previously rug-pulled tokens.
A prior record increases the likelihood of malicious intent and justifies further investigation.
After applying these filters, we enriched the dataset using Dune Analytics, which provided access to real-time on-chain activity. This helped us analyze transactional behavior, liquidity movements, and wallet interactions to strengthen the quality of our findings beyond the static contract data.
During our analysis, we observed several recurring behaviors that are often associated with high-risk or potentially malicious tokens. These patterns can serve as early warning signs and help in building more reliable risk detection systems:
Concentrated Token Holdings: When a large portion of the token supply is held by a small group, especially the top 10 wallets, it increases the risk of coordinated dumping. Such centralization gives insiders the power to manipulate prices or suddenly remove liquidity.
Large Post-Launch Dumps: In many cases, creators or early holders were found to sell a significant amount of tokens shortly after launch. This sudden liquidation usually signals a rug pull, as these insiders quickly cash out before the token gains broader adoption.
Immediate Token Transfers: Large or rapid token movements within minutes of a token’s creation may indicate pre-planned activity. These early transfers are often used to distribute tokens among insider wallets before trading begins publicly.
Dramatic Trading Volume Shifts: A sharp rise in trading volume followed by an abrupt drop often reflects manipulation. These spikes are typically used to attract new buyers, after which the activity dies down once insiders have exited.
Identifying these patterns helps us understand how rug pulls unfold and what behaviors to watch for when evaluating new tokens.
To understand how token ownership is distributed at the time of launch, we analyzed the share of token supply held by individual wallets. This helps identify whether a small group of holders had outsized control over the token, which often signals a higher risk of manipulation or rug pulls.
For each token, we calculated the percentage of total supply held by each address on the launch date. Our findings showed that, on average:
Source:- Holder Percentage
Source:- Proportion of Tokens Held By Top-10 Holders
The top individual holder controlled approximately 17% of the total supply at the time of launch. This level of ownership concentration by a single wallet is concerning, as it gives that holder significant influence over the token's price and liquidity.
The top 10 holders combined held around 25.17% of the total supply. This means that a small group of wallets had control over a quarter of the circulating tokens right from the start, which is a strong risk indicator for potential rug pulls.
These findings reinforce the idea that tokens with centralized ownership are more vulnerable to exploitation, especially if early holders decide to exit the market suddenly.
One of the strongest warning signs of a rug pull is a sudden and drastic drop in token balances held by the creator or early holders shortly after launch. To identify such activity, we examined balance changes for key wallets over time.
We introduced a metric called the change ratio, calculated as:
(post_balance - pre_balance) / pre_balance
This helps us detect sharp declines in token holdings. If the ratio falls below -0.9, it indicates that more than 90% of the balance was removed—an event we flagged as potentially suspicious.
Source:- Balance Drop
The analysis revealed two major trends:
Holder dumps typically occurred around 524 minutes (about 8.7 hours) after the token launch. These events resulted in an average balance reduction of 99.92%, suggesting a near-complete sell-off by early participants.
Creator dumps happened a bit later, on average around 1,705 minutes (approximately 28.4 hours) post-launch. These were similarly drastic, with an average balance drop of 99.88%.
3. Token Transfer Analysis
A closer look at token transfers soon after launch revealed patterns often linked with suspicious or fraudulent behavior.
Source:- Token Transfers
We found that many of the large token movements occurred within the first three days of the token’s creation. In particular, transfers initiated by the creator or related wallets were often executed very soon after deployment. Among these, transfers that happened at the 0-minute mark, essentially the moment the token was created, stood out as especially concerning. These transfers are likely used to strategically distribute tokens across wallets ahead of planned dumps.
On average, these early transfers took place just 27.6 minutes after launch, suggesting they were not organic activity but deliberate actions designed to manipulate token movement and mislead new participants.
This type of early token reshuffling is a strong signal in identifying potential rug pulls and highlights the need to monitor immediate post-launch activity for early warnings.
Rug pulls often exhibit a distinctive trading pattern: an initial surge in activity to attract investors, followed by a sharp collapse when the creators dump their tokens or withdraw liquidity. This section analyzes these trading phases to identify potential collapse indicators.
The focus here was to detect significant changes in trading activity by looking for:
Massive drops in trading volume
A sudden disappearance of traders
Categorizing tokens into High, Medium, or Low-risk groups, providing an early warning system to investors
Source:- Daily Trading Activity Of The Token
🔵 Normal Activity
Transaction volume drop: Less than 50%
Trader count drop: Less than 70%
Significance: Indicates stable user engagement and ongoing participation without signs of distress.
🟠 Significant Volume Drop
Transaction volume drop: Between 50% and 80%
Trader count drop: Remains below 70%
Significance: Could signal waning trust or interest, suggesting an early warning of potential issues.
🔴 Extreme Volume Drop
Transaction volume drop: Exceeds 80%
Trader count drop: Significant decline
Significance: Strong indication of either a rug pull or mass abandonment of the project, which requires immediate attention.
This classification helps in pinpointing projects that may be on the verge of collapsing, allowing users to act early and avoid risky tokens.
The Analysis revealed the following Average Changes Across Categories:
Our research identified several anomalous behaviors that act as strong indicators of potential rug pulls or fraudulent activities:
A small number of wallets, especially the top 10, control a large portion of the token supply right after the launch.
This concentration makes it easier for a few actors to manipulate the token’s price or liquidity, significantly increasing the risk of a rug pull.
Creators or early holders quickly sell off a large portion of their tokens soon after the launch.
We measured these dumps using the change_ratio metric, where values less than -0.9 signal sudden and massive balance reductions, which are often associated with malicious intent.
Large token transfers happening within minutes of token creation are a common red flag.
When creators or key holders transfer large amounts of tokens early, it strongly indicates a pre-planned intention to liquidate or manipulate the token's price.
A sharp decline in the number of unique traders suggests that either community trust has been lost or that the token is being abandoned after initial hype.
This drop in trader participation usually correlates with decreasing market interest, often following the creators’ exit strategy.
By recognizing these anomalies, users can more effectively assess the risk of potential rug pulls and make informed decisions.
In our analysis, we identified several early warning signals that strongly suggest the likelihood of a rug pull. These signals include:
When token creators quickly liquidate their holdings within minutes of launch, it represents one of the strongest early warning signs of fraudulent intent.
Such rapid token dumps indicate a premeditated effort to extract liquidity from investors.
These early signals, when identified promptly, can help investors avoid falling victim to malicious projects.
To help users stay proactive and protect themselves from potential rug pulls, we recommend implementing the following alert actions using available tools or custom monitoring systems:
Action: Use on-chain explorers or wallet trackers to monitor the creator’s token holdings immediately after launch.
Alert Trigger: If the creator dumps more than 90% of their tokens within minutes or hours of launch, exit the token or avoid buying it.
Action: Check the distribution of token holdings using platforms like Solscan or RugCheck.
Alert Trigger: If the top 10 holders collectively own more than 25% of the total supply, consider the token high-risk.
Action: Use real-time trading dashboards to track transaction volume and trader participation.
Alert Trigger: If the trading volume drops by more than 50% and the number of active traders decreases by more than 70%, consider exiting the token.
Action: Paste the token address into RugCheck to examine its risk score and any flagged risks.
Alert Trigger: If the risk score is high (above 70) or if the token is flagged with risks such as "rug pulling," avoid investing in it.
Action: Use wallet profiling tools like Breadcrumbs or SolanaFM to check if the token creator has a history of deploying fraudulent tokens.
Alert Trigger: Avoid tokens created by wallets linked to past scams or suspicious activities.
By integrating these actions into your routine monitoring, you can take proactive steps to avoid risky tokens and make more informed investment decisions.
To further enhance user protection, RugCheck could develop or improve the following advanced features:
🔔 Real-Time Creator Dump Alerts
Notify users immediately when a creator sells a large portion of their tokens (e.g., more than 90% dump) shortly after launch, allowing them to take action quickly.
⚠️ Holder Concentration Warnings
Flag tokens where top wallets (particularly the top 10 holders) control a significant percentage of the token supply (e.g., greater than 25%) at launch. This helps users identify potential risks related to centralized ownership.
📉 Trading Volume Anomaly Detection
Monitor token performance post-launch and alert users when there is a steep drop (e.g., more than 80%) in trading volume or a significant reduction in trader participation. This is crucial for identifying tokens losing investor interest quickly.
📊 Multi-Factor Risk Scoring System
Develop a more transparent and composite risk score by integrating multiple indicators such as:
Mintability (can new tokens be created?)
Ownership concentration (percentage of tokens held by top wallets)
Liquidity lock status (whether liquidity is locked)
Wallet history (whether the creator has been involved in rug pulls)
🕵️ Wallet Connection & History Analysis
Detect and alert users when token creators are linked to wallets with past involvement in rug pulls or fraudulent activities. This helps identify potential risks based on creator history.
📈 Network Graph Analysis
Implement wallet connection mapping to identify repeat offenders who are involved in multiple tokens across different projects. This helps track malicious actors operating across a wide range of tokens.
🤖 Machine Learning Integration
Develop predictive models based on historical rug pull patterns to anticipate new variants of scams. These models could identify emerging trends and help detect suspicious activity before it escalates.
🌐 Cross-Chain Monitoring
Extend the analysis beyond Solana to track bad actors moving across different blockchains. This would provide a more comprehensive view of potential risks and help protect users across a broader ecosystem.
👥 Community Reporting System
Implement a user-submitted reporting feature to allow the community to flag suspicious activity. This can complement algorithmic detection and enhance the overall accuracy and reliability of the system.
🔒 Liquidity Lock Verification
Add a feature that verifies liquidity lock periods and conditions as an additional security measure. This would provide users with an extra layer of assurance before they invest in tokens.
📡 API Enhancement
Expand the API capabilities to allow third-party platforms to integrate real-time risk assessments. This would enable broader use of RugCheck's insights across various blockchain tools and services.