Top 10 On-Chain Red Flags That Signal a Solana Token Scam
Every day, thousands of new Solana tokens are launched, and a meaningful percentage of them are designed from the start to extract money from buyers. The sophisticated ones have polished websites, active Telegram communities, scheduled AMAs, and convincing roadmaps. The less sophisticated ones don't
What the blockchain reveals that marketing can't hide
Every day, thousands of new Solana tokens are launched, and a meaningful percentage of them are designed from the start to extract money from buyers. The sophisticated ones have polished websites, active Telegram communities, scheduled AMAs, and convincing roadmaps. The less sophisticated ones don't even bother — and still find victims.
What all scam tokens share, regardless of how much effort went into their marketing, is on-chain fingerprints. The Solana blockchain is a permanent, public ledger. Every transaction, every wallet balance, every permission setting is readable by anyone. Scam projects rely on buyers not knowing where to look or what to look for.
This guide documents the 10 most reliable on-chain signals that appear consistently in Solana token scams. None of these require developer knowledge to check. All of them are visible within minutes using free tools.
Red flag 1 — Mint authority is not revoked
Active mint authority means the token creator can generate unlimited new supply at any moment. This single flag, on its own, is sufficient reason to avoid a token. Verify on Solscan: the "Mint Authority" field under Token Info should read "None." Anything else means new tokens can be created without your knowledge.
Hannisol weight: 25% of Pump-Dump Risk score.
Red flag 2 — Freeze authority is not revoked
Active freeze authority means the creator can lock any holder's wallet, preventing them from selling. This is the mechanism behind some of the most sophisticated Solana scams — the team waits until retail positions are large, freezes all non-team wallets, then drains liquidity. Verify the same way: "Freeze Authority" should read "None."
Hannisol weight: 20% of Pump-Dump Risk score.
Red flag 3 — Top 10 wallets control more than 50% of supply
Open the "Holders" tab on Solscan for any token and look at the top wallets. Exclude the liquidity pool address (identifiable by its association with Raydium or Orca). If the remaining top 10 wallets collectively hold more than 50% of supply, coordinated selling by any subset of them will cause severe price impact. Above 70% concentration is a near-certain setup for a coordinated dump. This data is public, free, and takes two minutes to read.
Red flag 4 — All top wallets were funded from the same source
Even moderate holder concentration can be more dangerous than it appears if the top wallets are all related. On-chain, you can trace the funding source of each wallet: where did their SOL come from? If wallets 1, 3, 5, 7, and 9 on the holders list all received their initial SOL from the same origin wallet — or from wallets that received SOL from the same origin — those "different" holders are almost certainly the same person or team. This makes 30% concentration actually equivalent to 100% insider control.
Tools like Solscan's transaction history make this traceable. Hannisol's manipulation scoring looks for related-wallet clusters in holder data.
Red flag 5 — Liquidity is unlocked or locked for less than 7 days
If the team can withdraw liquidity at any time, they will — the moment price reaches a level that makes it worthwhile. Verify lock status on RugCheck.xyz or by checking Streamflow or Raydium's own lock dashboard. A lock of less than one week provides almost no real protection; serious projects lock for 6–12 months minimum. Always note the percentage locked as well — locking 10% while keeping 90% accessible is meaningless.
Red flag 6 — Token was deployed in the last 24 hours
Token age is visible in the creation transaction on Solscan. The overwhelming majority of hard rugpulls execute within 24–48 hours of token creation. This doesn't mean all new tokens are scams — but it means new tokens carry maximum uncertainty and should receive maximum scrutiny before any capital allocation. The creation timestamp is the first thing Hannisol displays when you search a token.
Red flag 7 — The project website was registered days ago
A polished website with a long roadmap means nothing if the domain was registered three days before the token launched. WHOIS and RDAP data reveals when a domain was first created. Legitimate projects planning serious development work typically register their domain months before launch. A token with a "professional" website on a domain created the same week as the token is a strong signal of a pre-planned scam. Hannisol's domain intelligence system checks domain age automatically via a direct RDAP registry lookup and displays it on the token analysis page.
Red flag 8 — The contract code is a direct copy of a known scam
Most Solana meme token scams do not write original code. They copy-paste token programs from prior projects, sometimes from previously rugged tokens. RugCheck.xyz identifies known-malicious code patterns. Hannisol integrates RugCheck data and flags copy-paste programs with specific risk markers. If a token's program matches the bytecode of a project that previously rugged, that is not a coincidence.
Red flag 9 — Trading volume is dominated by one or two wallets cycling trades
Wash trading — buying and selling between related wallets to generate artificial volume — creates the appearance of organic activity while costing almost nothing on Solana's low-fee network. The signature pattern: a small number of wallets accounting for 60–80% of all volume, with trades alternating direction in regular intervals, with no net profit/loss because they are trading with themselves. On Solscan's token transactions tab, scan for wallets that appear repeatedly on both the buy and sell side within narrow time windows. Hannisol's manipulation score flags statistical anomalies in volume distribution.
Red flag 10 — No prior transaction history on the deployer wallet
The wallet that deployed the token tells a story. A deployer wallet with 2–3 total transactions, funded 48 hours ago, with no history of prior project deployments is a wallet created specifically for this launch and potentially for abandonment afterward. Compare this to a deployer wallet that has months of on-chain activity, prior interactions with legitimate protocols, and verifiable historical presence. The deployer wallet is visible on the token's creation transaction on Solscan — one click to check.
How many red flags does it take to walk away?
No single flag automatically means a token is a scam. A new token from an anonymous team with moderate concentration might still be a genuine community project. But flags compound. Here is a practical decision framework:
| Red flags present | Risk level | Recommended action |
|---|---|---|
| 0 – 1 | Low | Proceed with normal due diligence |
| 2 – 3 | Elevated | Reduce position size significantly; set tight stops |
| 4 – 5 | High | Speculative only; assume loss is possible at any time |
| 6+ | Critical | Do not buy — this token exhibits a scam pattern |
Hannisol's composite risk score aggregates all 10 of these signals automatically, weights them by historical correlation with actual rugpulls, and presents the result as a single score with a full breakdown of contributing factors. Run a free analysis on any token at Hannisol before your next trade.
Ready to apply this to a real token?
Run any Solana mint address through Hannisol's 8-dimension risk engine — free, no signup required.
Analyze a token on Hannisol →