Meme coins on TON: anatomy of rugpulls and pumps 2026

Meme coins on TON aren’t a separate asset class — they’re a structural pattern. The genre has its own rules: 80–100% of supply is distributed via airdrop or fair launch, vesting is minimal or absent, and the product is usually either a meme or a promise. On top of that genre an industry has grown around extracting retail capital through rugpulls, hidden dev-wallet dumps, and paid-shill campaigns.

This article documents the genre red flags you can verify before buying and the on-chain forensics tools for post-mortem analysis. No naming of specific “scammers” — only verifiable patterns with examples of how to detect them through tonviewer and tonscan. Educational, not financial advice.

TL;DR — what to check in 5 minutes before buying

1. Liquidity locked? LP tokens sent to a burn address or a verified timelock contract. If LP sits on a team address, it’s one-click rugpull territory.
2. Dev wallet concentration. Top-10 holders should hold under 50% supply (adjusted for known CEX wallets). Over 70% is a structural red flag.
3. Contract audit. A meme coin without a formal audit is fine, but the vesting/airdrop contract has to be inspectable. Closed source is a red flag.
4. Age of contract. Under 24 hours old = zero discipline. Hour-1 is literal “vibes only.”
5. Paid shill detection. A TG channel suddenly posts about the coin with no prior history — search the same phrase across 3–5 other channels. Synchronous shilling = paid.
6. Social signals. An active team in TG/Twitter responding to criticism is not a scam by itself. Silence after the first pump = caution.

Each item in detail below.

What is a jetton scam: genre taxonomy

“Meme-coin scam” on TON is a collective label. Technically it covers several distinct patterns:

Rugpull type 1: LP drain. Team deploys a jetton, adds liquidity to a pool on STON.fi or DeDust, keeps the LP tokens on its own wallet. After retail piles into the pool, the team burns the LP tokens with one call and takes the base pair (usually TON). Retail is left with a jetton that no longer trades. Trivial to execute, legally a gray area.

Rugpull type 2: dev-wallet dump. Team holds a meaningful share of supply (often 20–50%), frequently split across 5–15 addresses. Once retail pushes price up in the pool, dev wallets sequentially sell through the router. Each transaction looks like a “regular sell,” but in aggregate it’s a coordinated dump. Detectable by on-chain pattern: linked addresses, synchronized sells along identical router paths.

Pump-and-dump type 3: coordinated. A group of wallets (not necessarily the team itself — often external “pumpers” hired by the project) coordinates buys, paired with a paid-shill campaign in TG. Price prints 5–20x in minutes. When retail enters “on the hype,” the coordinated group sells. Technically not a rugpull (the team formally did nothing), but retail loses anyway.

Soft rug: quiet exit. No explicit dump. The team simply stops posting, stops shipping, stops engaging in TG. Liquidity stays, but over time it evaporates — nobody trades. After 3–6 months the pool is half-empty, price punches through every floor. Formally not a scam; retail loses either way.

Honeypot: a technical trap. The jetton contract embeds a mechanism that allows buying but not selling (or selling only at extortionate fees). On TON this is done via a custom transfer handler in the jetton minter or jetton wallet. Detected on the first exit attempt — less common on TON than on EVM, but cases exist.

Pre-purchase checklist: 8 checks before clicking “buy”

Each item is a concrete action with a concrete tool. If even 2 items flag red, it’s reasonable not to enter at all.

1. Liquidity lock check

Where to look: tonviewer.com or tonscan.org. Find the jetton by address, open the DEX pool (Pools section or manually on STON.fi/DeDust). Open the pool contract, look at Holders — that’s where the LP tokens are.

What to look for: the LP-token holder should be either EQAA...AAAA (burn address) or a publicly verifiable lock contract with a timelock. Alternatively — DAOlama, Tonana, or other lock services with transparent mechanics.

Red flag: LP tokens on an address linked to the jetton deployer. That means the team can pull liquidity with a single transaction. One-click rugpull setup.

Limits of this check: the “lock” address can be a fake lock contract with no real timelock. Read the lock contract code or at least look up an audit of it.

2. Holder distribution

Where to look: tonviewer — Holders → Top Holders. Tonscan has a dedicated section.

What to look for: distribution across the top-20 wallets. Ideally, top-10 hold under 30–40% (with the caveat that CEX wallets are formally top holders but actually store retail balances — they can be roughly excluded from “concentration”).

Red flag: top-10 hold over 70% supply with no recognizable CEX addresses (Binance, OKX, Bybit) among them. That means concentration in the team’s hands or in linked addresses. Any realization attempt will cascade-crash the price.

Bonus check: see whether the top holders are “linked.” On TON this shows up via first-funder pattern: several addresses funded from a single source over a short window. Tonviewer shows the first funder of every address — if 10 top wallets received their initial TON from the same source, that’s a coordinated group.

3. Audit and open source

Where to look: project README, GitHub, audit reports on CertiK / SlowMist / Hexens / Hacken.

What to look for: public source of the jetton minter and any related contracts. For a meme coin the jetton is usually a standard TEP-74, but check — there may be customization (transfer fees, blacklist, mint function accessible to the team after deploy).

Red flag: closed source. Or “public source” that, when compiled, yields different bytecode than what’s deployed on mainnet. That means you don’t know what’s actually in the contract.

Baseline verification: tonviewer / tonscan show Verified Source — if the contract is verified, you can read the code yourself. A pure TEP-74 jetton with no modifications is a normal baseline for a meme coin. Any non-standard function in transfer logic is a red flag.

4. Age of contract and pool

Where to look: tonviewer — Created field or first transaction in History.

What to look for: age of the jetton minter and age of the DEX pool. Under 24 hours = zero discipline, fair launch with no review. Under 72 hours still “hour-1” risk.

Red flag: contract under 24 hours old combined with significant trading volume already (over $100k in the first hours). That’s a coordinated pump pattern — retail enters at peak, the team exits.

5. Paid shill detection

Where to look: Telegram, Twitter, Reddit.

What to look for: the date of the first meme-coin mention in large TG channels. If three or more channels post about the coin within one hour with similar phrasing, it’s a coordinated shill campaign.

Bonus check: the channel’s posting history. If the channel used to cover NFTs, DeFi, serious projects — a sudden meme-coin post with no announcement and no context = paid. If the channel specializes in “memecoin alpha,” it’s genre-standard, but look at the track record (what they’ve recommended before and what happened next).

Red-flag content cues: “100x guarantee,” “next NOT/DOGS,” “my friend at the team told me,” “buy before Binance listing.” These phrases are a structural marker of paid shill, regardless of venue.

6. Team social signals

Where to look: project TG, Twitter, GitHub commits (if any).

What to look for: team activity, responses to critical questions, real people (not stock photos) in admin lineup. Regular updates are not a scam signal; silence after the first pump is.

Red flag: anonymous team + closed TG (admin-only posting, no discussion) + paid ads in large channels. That combination is almost always a rugpull candidate.

Anonymity alone is not a red flag — it’s normal on TON. But anonymity plus zero public team activity plus aggressive marketing is a structural signal.

7. Tokenomics and vesting

Where to look: project documentation, jetton contract on tonviewer.

What to look for: supply allocation by bucket: airdrop, public, team, treasury, advisors, marketing. Vesting schedule for each. For a meme coin, 80–100% airdrop without vesting is normal — “honest” structure for a meme coin, no team premine, no insider dump risk.

Red flag: “team holds 20% supply without vesting” while positioning as “community memecoin.” That’s a contradiction — either it’s not community, or it’s a premine with known dump risk.

8. Small-amount test

Where to do it: STON.fi / DeDust.

What to do: buy a minimum amount (1–10 TON), immediately try to sell back. If sell goes through with reasonable fee and slippage, baseline honeypot test passed. If the sell fails, or the fee is over 90%, it’s a honeypot — never enter again.

This check is the last one. All previous items are filters. If the project passes the 7 checks, the small-amount test is final insurance.

On-chain investigation tools

Tools that convert “general suspicion” into concrete verifiable observations.

tonviewer.com — primary tool

Tonviewer is a TON explorer with a focus on readability and UX. Useful for forensics:

• Holders distribution with top-20 and percentages of supply.
• First funder for every address — lets you untangle linked wallets.
• Transaction history with type filters (jetton transfers, swap, mint).
• Linked Jettons / NFTs on a wallet page — shows what else the address holds.
• Verified Source — if the contract is verified, you can read the code yourself.

Baseline flow for analyzing a suspect meme coin:

1. Find the jetton minter by address or symbol.
2. Open the pool on STON.fi / DeDust, find the LP owner.
3. Check first-funder of the LP owner — if it’s the jetton deployer, liquidity is under team control.
4. Open the top-10 holders, check first-funder of each — find linked wallets.
5. Scan transactions of the linked wallets over the past 24–72 hours — usually pre-pump buys are visible.

Full comparative guide to explorers — tonviewer vs tonscan: which to choose.

tonscan.org — alternative explorer

Tonscan is the more “classical” explorer with raw data. Useful when:

• You need exact cell values and transaction internals.
• Tonviewer doesn’t show the internal calls you want.
• You want a second source.

The same contract is worth checking in both — they sometimes surface different slices.

DEX analytics

STON.fi analytics and DeDust pool pages show:

• Pool TVL in real time.
• Trading volume 24h / 7d.
• Liquidity providers (LP-token holders).
• Recent swaps with types (buy/sell) and sizes.

A sharp TVL drop with no matching price move = either LP drain (rugpull type 1) or DEX arbitrage (normal). Distinguish by who pulled the LP — team or market maker.

DEX aggregators and rugcheck services

Third-party services aggregate signals:

• TON Rug Check and peers — auto-scoring on holder distribution, age, LP lock.
• CoinGecko / CoinMarketCap — basic volume and market cap data, but they often lag fresh listings by days.
• DEX Screener — added TON support in 2024, convenient for real-time price charts.

The limit of third-party services: they aggregate but don’t verify. Final decisions always come back to on-chain data you check yourself.

Pump-and-dump patterns on TON

Not all retail losses come through a rugpull. More often it’s a structural pump-and-dump where the team formally does nothing “bad” but retail still loses.

Anatomy of a typical pump

1. Pre-pump accumulation. The team or a linked group of wallets buys the token at low levels 24–72 hours before the hype window. Volume is small, price rises modestly.
2. Coordinated marketing. In a short window (1–4 hours) posts go out simultaneously across 5–15 TG channels, influencer retweets, a Reddit post.
3. FOMO entry. Retail sees “motion” and enters. Price prints 5–20x in minutes to hours. Volume explodes.
4. Distribution. Pre-pump wallets start selling in pieces — small orders so as not to break the pool. Each sell looks like a retail sell. Price holds on continuing FOMO.
5. Collapse. At some point FOMO runs out — typically when the most obvious shill channels exhaust their audience. Sharp volume drop + ongoing distribution-wallet sells = price collapse. Retail entering at peak exits −70 to −95%.
6. Silence. Within 24–72 hours of the dump the pool is half-empty, volume is noise, nobody trades. The team (if still in TG) moves to the next project.

Full cycle: 24–72 hours from first pump to full collapse. Retail planning to “enter and exit within an hour” physically can’t: the first pump minutes are accessible only to those already in the pool. By the time an ordinary user sees the shill, price is already at 50–80% of peak — the remaining upside lives in the team’s distribution window.

Why it works

Information asymmetry. Pre-pump wallets know when the shill will start. Retail learns after the fact, when the move is already underway. That’s a structural edge retail can’t compensate without insider access.

FOMO as behavioral failure. A “+10x in an hour” curve bites against biology — the brain sees “missed opportunity” and compensates with risk. It works on any meme-coin cycle; on TON it’s just more pronounced because of TG distribution infrastructure.

Thin liquidity. A pool with $50–200k TVL has order book depth where a $10k order moves price 5–10%. A coordinated wallet group can manufacture “motion” without much capital.

How a retail trader can work with these statistics

If you’re a trader, not an investor, and you accept meme-coin risk knowingly:

• Fix the risk capital. No more than 1–2% of the portfolio per trade. Never “all in.”
• Watchlist before the pump. You can only enter the pool before the shill campaign. That means monitoring new jettons in their first hours — heavy work for low success rate.
• Pre-defined exit. Before the trade decide: “exit at +50%, exit at −20%.” No emotions. Most retail loses because they wait “a bit longer” after peak.
• Never buy on a shill. If a TG channel posts about a meme coin and you’re “hearing it for the first time” — you’re late. Pre-pump is already done.

This is not investment advice. It’s a description of a known technique that still has negative expected value for most retail. If you’re not sure you’re in the minority with edge — better not to enter.

Known cases 2024–2026: verifiable patterns

A few publicly analyzed cases in the TON ecosystem, without accusations. Just observable on-chain patterns.

Case 1: rugpull via LP drain (anonymous meme coin, autumn 2025). Jetton positioned as “community memecoin,” deployed via ad-hoc fair-launch with no audit and no vesting. LP tokens stayed on the deployer address. 72 hours after listing — LP burn, TON withdrawal, retail left with a poolless jetton. The pattern was visible in advance: tonviewer showed LP on the deployer address, holder distribution at 75% across the top-10 linked wallets. Every red flag was in place 24 hours before the rugpull — but FOMO outweighed.

Case 2: coordinated pump-and-dump (mid 2025). Meme coin with an aggressive TG campaign, listed via STON.fi launchpad. Pool grew from $50k to $2M TVL in 4 hours. Tonviewer later showed: 8 wallets with similar funding patterns (single source) coordinated buys 24 hours before the pump and sold in the first hours of hype. Not a classical rugpull — LP wasn’t drained, the team formally violated nothing. But retail returns were negative for everyone who entered after the first hour.

Case 3: soft rug (winter 2025–2026). Mid-size meme coin (peak TVL ~$500k), active team for the first 3 months, regular updates. After 3 months — gradual decline in team activity: fewer posts, no new features. After 6 months — half-empty TG, trading volume under $5k/day, price −85% to listing. No dump, no rugpull — the project just “went quiet.” Retail holding “for the long term” sits at a loss.

These are illustrations of known patterns, not pointers at specific teams. The goal is to learn to see the structure before it’s too late.

What to do if you got caught

Emergency protocol on a rugpull or pump-and-dump suspicion:

1. Don’t panic. The pool may still work for minutes or hours. Decide fast but not emotionally.
2. Try to exit. Open a DEX, try to swap back to TON. If slippage is under 10%, exit even at −30 to −50%. If slippage is over 50%, the pool is broken — exiting is pointless.
3. Document. Save jetton address, deployer address, screenshots of top holders, links to shill posts in TG. Useful for community disclosure.
4. Don’t try to “recover.” Buying more at the bottom is the most common mistake. If it’s a rugpull, price won’t return. If it’s just a dump, it won’t return any time soon either.
5. Don’t respond in the project TG. Post-rugpull the channel admin or linked accounts often offer “refund,” “next project airdrop,” “just hold for the next round” — that’s roping into the next scam.
6. Share the analysis with the community. TON Society security channel, security TG chats. It saves later victims and sometimes leads to identifying the team.

Recovery of lost funds is in the vast majority of cases impossible. Prevention is cheaper than “treatment.”

Connection to launchpad infrastructure

Not all meme coins go through a rugpull pattern. Some launches happen via structured launchpads with minimal discipline. Comparison of launch models — TON launchpads: TONStarter vs TONUP vs BigPump. In short: the BigPump format (instant meme-coin listings with no KYC and no vesting) is exactly the environment where genre rugpulls and pump-and-dumps are most common. TONStarter with strict KYC and vesting doesn’t guarantee returns, but it structurally reduces the rugpull risk class.

Conclusion

Meme coins on TON aren’t a separate “bad” asset class. They’re a structure in which genre rules create elevated risks for retail, and in which an industry has emerged around extracting retail capital through rugpulls and coordinated pump-and-dumps.

Most of these risks are visible before buying. Liquidity lock, holder distribution, dev-wallet concentration, paid-shill detection — concrete checks with concrete tools (tonviewer, tonscan, DEX analytics). A 5-minute pre-purchase checklist filters out most rugpull candidates.

The remaining risks are structural. Pump-and-dump in the first hours is part of the genre, not a bug. Soft rug at 3–6 months is normal for meme coins, not an anomaly. Any participation in the meme-coin segment should be with fixed risk capital and the understanding that negative expected value is the base case, not an anomaly.

Discipline is cheaper than rebuilding the lost balance from scratch. This is not financial advice — it’s an attempt to record the structure of the genre.

Topical glossary

• Jetton — fungible token standard on TON (TEP-74).
• Rugpull — team pulls liquidity or dumps allocation.
• Honeypot — a contract you can buy into but not sell out of.
• Pump and dump — coordinated price inflation followed by dump.
• DEX — decentralized exchange.
• Liquidity pool — pool of liquidity for swap operations.
• Slippage — deviation of execution price from expected.

Further reading

• Security on TON: complete asset protection guide — general security framework.
• TON memecoins 2025-2026: what’s left of the airdrop season — post-TGE retrospective.
• Dust attacks and fake airdrops on TON — neighboring jetton scam category.
• Drainer sites in TON: how they work — phishing scenario around buying a jetton.
• Tonviewer vs Tonscan: which explorer — detailed explorer guide.
• Top-10 TON scams on Telegram — catalogue of neighboring attacks.

Sources

• docs.ton.org/develop/smart-contracts/security — TON Foundation security guidelines.
• github.com/slowmist/Toncoin-Smart-Contract-Security-Best-Practices — SlowMist best practices.
• tonviewer.com — primary explorer for on-chain forensics.
• tonscan.org — alternative explorer.
• defillama.com/chain/TON — ecosystem metrics.