How to Spot a Cabal: A Forensic Field Guide
Every coordinated memecoin pump leaves the same fingerprints on-chain. We have read enough of them to compress the pattern recognition into a checklist. This is the one we run before we let anyone we like put real money in.
"Cabal" is loose language for something pretty specific. We use it to mean a coordinated group of wallets, usually funded from a common origin, that holds an outsized fraction of a token's float and trades it in concert. They are not the same as a fair whale — a single rich wallet that bought from the open market is not a cabal, even if it holds 5% of supply. The defining feature is coordination.
Coordination is detectable. Cabals leave six different fingerprints, and the more of them you can stack on the same set of wallets, the higher your confidence. None of these signals is conclusive in isolation; together they tell a clear story.
Signal 1 — Cluster shape
Before you look at any individual wallet, look at the cluster shape of the whole token. A healthy token's bubble map looks like a wide, low-rise field — many small clusters, no one cluster dominating. A cabal-controlled token looks like a mountain — one or two clusters that dwarf everything else.
The quick metric is top-cluster share — what fraction of supply the single largest cluster controls. Our rule of thumb:
- Under 20% — usually fine, even on a young token.
- 20% to 35% — pay attention. Investigate the cluster's funder and trade timing.
- 35% to 50% — concentrated enough to move price single-handedly. Treat as a thesis investment, not a holder-distribution play.
- Over 50% — the cluster controls the float. Anything that happens to the price happens because they decide.
This is the metric that drives our token grade cap. A token with a top cluster above 50% cannot grade higher than D in Intel Maps regardless of how clean its other numbers look — because the other numbers are downstream of the cluster's behavior.
Signal 2 — Shared funder
The single most reliable on-chain signal of coordination is shared funding. If twenty wallets all received their first transaction from the same origin address, they are not twenty independent buyers; they are one buyer, fanned out across twenty addresses for the optical effect.
To check: pick a suspicious wallet, walk its transaction history back to its first JettonTransfer or
TON receipt, and identify the source. Then check whether other large holders trace back to the same source. A
funder that originated more than three of the top fifty holders is suspicious; a funder that originated more than
ten is a cabal.
The counter-tactic to watch for: multi-hop funding. Sophisticated operators don't fund directly from a single source; they fan out through one or two intermediary wallets, often new EOAs created the same day, so the shared-funder check fails. The fingerprint shifts to the intermediate wallets — if you find a fresh address that funded multiple top holders and was itself funded once and then never touched again, you have found the cabal's distribution layer.
Signal 3 — Co-trade timing
Coordinated wallets buy and sell in concert. When a cabal exits, they don't exit one by one over a week; they exit in the same five-minute window, usually triggered by a pre-arranged signal in a Telegram group.
The diagnostic: pick a sharp price move (a 30% pump or dump that lasted under an hour) and pull the wallets that bought or sold the token within that window. Cluster them by funder. If a single funder family accounts for more than 40% of the volume in that window, the move was internal.
Co-trade timing is harder to fake than shared funding because it requires actual coordination at the moment of the trade. Tools that surface this signal cheaply (we built one into our cluster engine for exactly this reason) are increasingly the load-bearing piece of forensic stacks — the shared-funder check has been countered for years, but you can't fake atomicity.
Signal 4 — KOL entry timing
KOLs (key opinion leaders — the Telegram and Twitter callers who can move retail in size) have a characteristic entry pattern. They buy before they call. The interesting question is how long before.
A KOL who calls a token they bought ten minutes ago is doing something different from a KOL who calls a token they bought ten weeks ago. The first is functionally part of the cabal, even if there is no formal coordination — the call is the exit signal. The second is calling something they had conviction in.
The pattern that should make you back away: a token where the top three callers all entered within a 24-hour window of each other, weeks before the public call. That is not coincidence. The call is coordinated even if the wallets aren't shared.
Our KOL leaderboard tracks every known caller's entry timestamp per token. The seam between "they had conviction" and "they are part of the play" is usually visible in the timestamps.
Signal 5 — Infrastructure mislabels
This is the most subtle of the six and the most frequently abused. Forensic tools that don't label infrastructure correctly will frequently rank a DEX router contract, a vesting contract, or a CEX deposit address as a "top holder." A cabal that knows this will sometimes deliberately use the mislabel to obscure their float.
The diagnostic: pick the top ten holders and check whether each one is a person, a contract, or a piece of infrastructure. If three of the top ten are routers and pools, your "real" top ten is actually positions 4 through 13, and the concentration metrics you computed from the raw list are wrong by 30% or more.
The opposite mistake is also common: tools that label too aggressively, removing wallets that look like infrastructure but are actually large individual holders. Both errors are the same root cause — the tool didn't attest its labels against the actual DEX or CEX contract registry. First-party labels (where the DEX confirms "yes, this address is a router for our protocol") are the only reliable defense.
Signal 6 — Liquidity vs. holder ratio
A healthy token has liquidity proportional to its holder base. A cabal-controlled token frequently does not — either the liquidity is thin relative to the apparent market cap (because most of the float is held off-pool by the cabal), or it is suspiciously thick relative to the holder count (because the cabal is using its own funds to inflate apparent depth).
The cheap diagnostic: take the token's reported market cap and divide it by the sum of liquidity across its top three pools. A ratio above 50:1 means a small sell can move the price double digits, which is fine for a small token but a red flag on anything claiming a multi-million-dollar valuation. A ratio under 5:1 on a freshly launched token, with low holder count, often means the cabal is providing the liquidity itself.
The composite read
Any single signal can have an innocent explanation. Cluster shape can look bad on a brand-new token because the distribution hasn't had time to fan out. Shared funding can be real coincidence on small holder counts. KOL entry timing can reflect genuine early conviction. Liquidity ratios are noisy on tokens with thin pools.
The diagnostic is the stack. A token that fails on two signals is worth investigating. A token that fails on four is a cabal regardless of what the marketing says.
| Signal | Healthy range | Watch range | Cabal range |
|---|---|---|---|
| Top-cluster share | < 20% | 20–35% | > 35% |
| Top-funder share | < 3 of top 50 | 3–10 of top 50 | > 10 of top 50 |
| Co-trade concentration | < 25% in any one funder family | 25–40% | > 40% |
| KOL entry window | Spread > 14 days | 1–14 days | < 24 hours |
| Infra mislabel | 0–1 of top 10 | 2 of top 10 | 3+ of top 10 |
| MC / liquidity | 5:1 to 50:1 | 50:1 to 100:1 | > 100:1 or < 5:1 |
What to do with the verdict
Spotting a cabal doesn't necessarily mean "don't trade." It means "trade with your eyes open." Cabal-controlled memecoins can pump enormously — that is, in fact, the entire point of the structure for the people running it. The trader who knows a token is a cabal can sometimes ride the coordinated pump and exit before the dump. The trader who thinks the same token is a fair-launch community phenomenon is going to be the exit liquidity.
The asymmetry is what matters: a clean read of the on-chain structure costs you twenty minutes and a few API calls. Not having that read costs you a position.
The shortest version. Top-cluster share above 35%, shared funder across more than ten of the top fifty, KOL entries within a 24-hour window before the public call — if you see all three, it is a cabal. Treat any read you do without these three checks as guesswork.
Run the checklist on any TON token.
Intel Maps automates every signal above — the grade is the composite, and the cluster view shows the math.
Open a holder map Why Intel MapsSources & references
- tonapi.io — jetton transfer + holder data
- docs.toncenter.com — raw transaction reconstruction for cluster math
- dexscreener.com — pool discovery and liquidity reference
- Intel Maps cabal-aware grading rubric: cluster_share ≥ 50% → cap at F; ≥ 35% → D; ≥ 25% → C; ≥ 20% → B.
- Co-trade window classification uses a 5-minute block-time bucket on TON.
Methodology
These ranges are calibrated against a labeled set of roughly 60 TON tokens we have investigated by hand over the past nine months, plus precedent cases from EVM and Solana memecoin cycles. We update the thresholds as more data accumulates; the article will reflect material changes.