The Book of Rugs

Part I: The Anatomy of a Modern Crypto Scam

A comprehensive understanding of the threats is a prerequisite for evaluating the tools designed to detect them. Modern crypto scams are not simple tricks; they are multifaceted operations that combine technical exploits with sophisticated social engineering. This section provides a detailed breakdown of the most common scam methodologies.

1.1 Honeypots Unmasked: The Art of the Irreversible Transaction

In the world of cryptocurrency, the term "honeypot" has been repurposed from its traditional cybersecurity meaning. While in cybersecurity a honeypot is a decoy system set up by security professionals to attract and study attackers, in crypto it refers to a malicious trap set by scammers to steal from investors.1 The core principle of a crypto honeypot is to create a smart contract that allows users to deposit funds by buying a token but makes it impossible for them to withdraw those funds by selling it.

Technical Mechanisms

Scammers employ several technical methods to achieve this one-way flow of funds, often obfuscating them within the token's smart contract code.

  • The Blacklist: This is the most straightforward honeypot mechanism. The smart contract contains a function that adds a buyer's wallet address to a "blacklist" upon their first purchase. A subsequent check within the transfer or sell function then prevents any address on this list from executing a sale.19
  • Restrictive Logic and Deceptive Functions: More advanced honeypots hide their intent behind convoluted logic. For example, a contract might check that a variable such as _snapshotApplied is true before allowing a sale, while nothing in the contract ever sets that variable to anything but false, so the condition for selling can never be met. Scammers often use confusing or random variable names to make this logic hard for a casual reader to follow.19 Another tactic is to give functions misleading names, such as increaseAllowance(), that look benign but actually contain code to drain a user's balance.19
  • Exorbitant Sell Taxes: A common and effective method is to code an extremely high tax on sell transactions. While a small transaction tax (1-5%) can be a legitimate feature for some projects, a honeypot contract will set this tax to 90% or even 100%. This means that when a user attempts to sell their tokens, almost all of the value is sent to the developer's wallet instead of back to the user, effectively trapping the investment.20 Some security tools, such as the Web3 Antivirus browser extension, automatically flag any token with a transaction tax exceeding 50% as a potential honeypot.20
  • The Sweeper Bot (Gas-Stealing Honeypot): This is a particularly insidious form of honeypot that relies on social engineering. A scammer will "leak" the secret recovery phrase to a wallet that appears to contain a large amount of valuable tokens (e.g., thousands of dollars in USDT). The catch is that these valuable tokens are on a network where a different native token (e.g., ETH on Ethereum, BNB on BNB Smart Chain) is required to pay for transaction (gas) fees.21 When a victim, believing they have found free money, sends a small amount of the native token to the honeypot wallet to cover the gas fees for transferring the valuable tokens out, a pre-programmed script, or "sweeper bot," instantly detects the incoming deposit and transfers it to another wallet controlled by the scammer. This happens within seconds, before the victim can initiate their own transaction, leaving the valuable tokens stranded and the victim's gas money stolen.6
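The first three mechanisms above share one observable symptom: a buy succeeds and the matching sell either reverts or returns almost nothing. The following is an added example (not code from the page, and not any real token or scanner) that models a blacklist-on-buy, a hardcoded sell gate and a punitive sell tax in a toy token, then runs the buy-then-sell probe a honeypot checker performs; real tools do the same against a chain fork with eth_call. `ToyToken`, `simulate_round_trip`, the 50% threshold taken from the text, and all addresses and balances are constructed for illustration.

```python
"""Round-trip sell simulation against a toy token contract.

Added example, not from the page or any real scanner or token: `ToyToken`
imitates the blacklist-on-buy, hardcoded-gate and sell-tax mechanisms in
plain Python, and `simulate_round_trip` is the kind of buy-then-sell probe
a honeypot checker runs. All addresses and balances are constructed.
"""
from dataclasses import dataclass, field

# The page cites scanners that flag any tax above 50% as honeypot-grade.
MAX_ACCEPTABLE_TAX_PCT = 50
PROBE = "0xPROBE"                      # throwaway address used for the test trade


class SellBlocked(Exception):
    """Stands in for an EVM revert on the sell path."""


@dataclass
class ToyToken:
    pair: str                          # DEX pair; transfers from it are buys, to it are sells
    owner: str                         # developer wallet that collects the tax
    sell_tax_pct: int = 0              # honeypots set this to 90-100
    blacklist_on_buy: bool = False     # mechanism 1: blacklist every buyer
    gate_open: bool = True             # mechanism 2: `_snapshotApplied`-style flag, never set true
    balances: dict = field(default_factory=dict)
    blacklist: set = field(default_factory=set)

    def __post_init__(self):
        self.balances.setdefault(self.pair, 10**9)   # the pool holds the token supply

    def transfer(self, sender: str, to: str, amount: int) -> int:
        """Move tokens; returns the amount the recipient actually receives."""
        if self.balances.get(sender, 0) < amount:
            raise SellBlocked("insufficient balance")
        received = amount
        if sender == self.pair and self.blacklist_on_buy:
            self.blacklist.add(to)                     # the trap is armed on the buy
        if to == self.pair:                            # sell path
            if sender in self.blacklist:
                raise SellBlocked("sender is blacklisted")
            if not self.gate_open:
                raise SellBlocked("gate condition can never be met")
            tax = amount * self.sell_tax_pct // 100    # mechanism 3: sell tax to the owner
            self.balances[self.owner] = self.balances.get(self.owner, 0) + tax
            received = amount - tax
        self.balances[sender] -= amount
        self.balances[to] = self.balances.get(to, 0) + received
        return received


def simulate_round_trip(token: ToyToken, amount: int = 1000) -> dict:
    """Buy, then immediately try to sell the same amount; report the verdict."""
    token.transfer(token.pair, PROBE, amount)
    try:
        received = token.transfer(PROBE, token.pair, amount)
    except SellBlocked as exc:
        return {"honeypot": True, "sell_tax_pct": 100, "reason": f"sell reverted: {exc}"}
    tax_pct = 100 - received * 100 // amount
    return {
        "honeypot": tax_pct > MAX_ACCEPTABLE_TAX_PCT,
        "sell_tax_pct": tax_pct,
        "reason": f"effective sell tax {tax_pct}%",
    }


if __name__ == "__main__":
    for label, cfg in [
        ("honest 3% tax", dict(sell_tax_pct=3)),
        ("blacklist on buy", dict(blacklist_on_buy=True)),
        ("hardcoded gate", dict(gate_open=False)),
        ("95% sell tax", dict(sell_tax_pct=95)),
    ]:
        print(label, simulate_round_trip(ToyToken(pair="0xPAIR", owner="0xDEV", **cfg)))
```

The probe only sees the contract's state at the moment it runs: a gate the owner can toggle later, or a blacklist that is applied only after some block number, will pass this check, which is why the round-trip simulation complements reading the contract source rather than replacing it.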

1.2 The Rug Pull Playbook: Draining the Pool

A rug pull is a type of exit scam where the developers of a cryptocurrency project abandon it and abscond with investor funds.2 The most common method involves draining the liquidity from a token's trading pool on a decentralized exchange (DEX), which causes the token's price to instantly crash to zero, leaving holders with worthless assets.8

Key Indicators

While some rug pulls are executed through malicious code, many rely on exploiting trust and market mechanics.

  • Unlocked Liquidity: This is the single most critical red flag for a potential rug pull. When developers create a trading pair on a DEX (e.g., TOKEN/ETH on Uniswap), they receive Liquidity Provider (LP) tokens in return. These LP tokens represent their share of the liquidity pool and can be redeemed at any time to withdraw the underlying assets. In a legitimate project, developers lock these LP tokens in a time-locked smart contract for a significant period (e.g., months or years) or "burn" them by sending them to an unrecoverable address, proving to investors that they cannot simply remove the liquidity. If the LP tokens are neither locked nor burned, the developers can pull the liquidity at any moment.7 A lock is only as good as the locking contract and its expiry date, so check both: a lock that expires in a few days is little better than none.
  • High Developer and Insider Holdings: If the project's creator or a very small number of wallets hold a large percentage of the total token supply, this poses a significant risk. These insiders can "dump" their tokens on the market, crashing the price, or use their large token holdings to drain the majority of the valuable asset (e.g., ETH or SOL) from the liquidity pool.7 A common tactic for hiding this is to distribute the supply across many different wallets that all appear unrelated but are controlled by the same entity.7
  • Soft vs. Hard Rugs: A "hard rug" involves malicious backdoors coded into the smart contract. A "soft rug," on the other hand, is an unethical but not always illegal act where developers with a large token allocation simply sell their holdings into the market and abandon the project.2 While the outcome for investors is similar, the mechanism is different. Soft rugs are harder to detect with code scanners alone and require analysis of token distribution and developer behavior.26
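The two on-chain indicators above, LP lock status and insider concentration, can be computed from holder data, and the wallet-splitting trick mentioned under insider holdings can be partly undone by clustering wallets that were all funded by the same source. The following is an added example, not code from the page or from any scanner; `KNOWN_LOCKERS`, the 90% lock and 20% concentration thresholds, and every address, balance and funding record are assumptions constructed for illustration.

```python
"""LP-lock and insider-concentration checks over constructed holder data.

Added example, not from the page or any scanner. `KNOWN_LOCKERS` and the
risk thresholds are assumptions an analyst would tune; all addresses,
balances and the wallet-funding map are made up.
"""
from collections import defaultdict

BURN_ADDRESSES = {
    "0x0000000000000000000000000000000000000000",
    "0x000000000000000000000000000000000000dead",
}
KNOWN_LOCKERS = {"0xlocker"}          # assumed: time-lock contracts the analyst trusts
MIN_LOCKED_FRACTION = 0.90            # assumed threshold
MAX_CLUSTER_SHARE = 0.20              # assumed threshold


def lp_locked_fraction(lp_balances: dict) -> float:
    """Fraction of LP tokens that are burned or sitting in a known locker."""
    total = sum(lp_balances.values())
    safe = sum(bal for addr, bal in lp_balances.items()
               if addr.lower() in BURN_ADDRESSES or addr.lower() in KNOWN_LOCKERS)
    return safe / total if total else 0.0


def cluster_by_funder(funded_by: dict) -> dict:
    """Union each wallet with the address that sent its first gas deposit (union-find)."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]      # path halving
            x = parent[x]
        return x

    for wallet, funder in funded_by.items():
        parent[find(wallet)] = find(funder)
    clusters = defaultdict(set)
    for node in list(parent):
        clusters[find(node)].add(node)
    return clusters


def largest_cluster_share(token_balances: dict, funded_by: dict, pair: str) -> float:
    """Largest share of circulating supply held by a single funding cluster."""
    circulating = sum(b for a, b in token_balances.items()
                      if a != pair and a.lower() not in BURN_ADDRESSES)
    if circulating == 0:
        return 0.0
    best = 0.0
    for members in cluster_by_funder(funded_by).values():
        held = sum(token_balances.get(m, 0) for m in members if m != pair)
        best = max(best, held / circulating)
    # a holder with no funding record is a cluster of one
    for addr, bal in token_balances.items():
        if addr != pair and addr not in funded_by and addr not in funded_by.values():
            best = max(best, bal / circulating)
    return best


def rug_risk_report(lp_balances: dict, token_balances: dict, funded_by: dict, pair: str) -> dict:
    locked = lp_locked_fraction(lp_balances)
    share = largest_cluster_share(token_balances, funded_by, pair)
    flags = []
    if locked < MIN_LOCKED_FRACTION:
        flags.append("unlocked liquidity")
    if share > MAX_CLUSTER_SHARE:
        flags.append("insider concentration")
    return {"lp_locked": round(locked, 3), "top_cluster_share": round(share, 3), "flags": flags}


# Constructed sample: the deployer keeps 60% of the LP tokens and spreads
# its token allocation over five wallets that it funded with gas.
LP = {"0xdev": 600, "0xlocker": 400}
TOKENS = {"0xpair": 500_000, "0xdev": 100_000,
          **{f"0xw{i}": 40_000 for i in range(1, 6)},
          **{f"0xr{i}": 30_000 for i in range(1, 4)}}
FUNDED_BY = {**{f"0xw{i}": "0xdev" for i in range(1, 6)},
             **{f"0xr{i}": "0xexchange" for i in range(1, 4)}}

if __name__ == "__main__":
    print(rug_risk_report(LP, TOKENS, FUNDED_BY, "0xpair"))
```

Funding-based clustering has a known false positive: a centralized exchange hot wallet funds thousands of unrelated users, so known exchange addresses should be dropped from the funding map before clustering (in the sample, the "0xexchange" cluster stays under the threshold, but on a real token it could not be trusted without that step).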

1.3 Beyond the Code: The Ecosystem of a Scam

Successful scams are rarely just about clever code; they are built on a foundation of deception and psychological manipulation.

  • Social Engineering and Hype: Scammers understand the power of perception. They create professional-looking websites, detailed (often plagiarized) whitepapers, and generate a flurry of activity on social media platforms like X (formerly Twitter), Telegram, and Discord. This often involves using bots to create fake engagement or paying influencers to promote the project, all designed to create FOMO and an illusion of legitimacy.1
  • Anonymity as a Weapon: The crypto world's culture of pseudonymity provides a shield for malicious actors. While not all anonymous teams are scammers, a complete lack of verifiable information about the developers makes it nearly impossible to hold anyone accountable when funds disappear.1
  • Censorship and Deception: A major red flag is the behavior within a project's community channels. Legitimate projects welcome questions and criticism. Scam projects, however, will often immediately ban any user who asks difficult questions about liquidity locks, developer holdings, or contract security. This censorship is a tactic to maintain a positive narrative and prevent warnings from reaching new potential victims.1

The scale and sophistication of these operations point to a significant evolution in crypto crime. Evidence indicates that scammers now automate the deployment of fraudulent contracts, launching thousands of honeypots in rapid succession, sometimes as frequently as one every 30 minutes.19 This is not a cottage industry of individual criminals but an industrialized, automated criminal enterprise whose deployment pipelines resemble the developer operations (DevOps) tooling of legitimate technology companies. The sheer volume of automated attacks makes manual review impractical at scale, creating the very market gap that automated scanner tools aim to fill. The problem and the solution are thus locked in a high-stakes evolutionary race.

Furthermore, these scams are not static. Malicious actors constantly innovate to bypass existing detection methods. A prime example is the use of upgradeable (proxy) contracts, which let a developer replace a token's logic after it has been deployed and even after it has been scanned, and of "mutable metadata," which lets a token's descriptive fields be changed after launch.14 A token may appear perfectly safe at launch, passing all automated checks, only to be updated later with a honeypot function. This dynamic nature of threats means that security is not a one-time check but a continuous process. Any tool that provides only a static, point-in-time analysis is inherently limited and can foster a dangerous and false sense of security. True safety in this environment requires ongoing vigilance and monitoring.
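One check a practitioner can run offline to decide whether a clean scan can be trusted to stay clean is to look at the deployed bytecode for the ability to delegate its logic elsewhere. The following is an added example, not code from the page: it walks EVM bytecode while skipping the immediate bytes of PUSH instructions (a naive byte search would misreport a 0xf4 that is merely data) and reports whether the DELEGATECALL opcode is present; it also records the EIP-1967 implementation storage slot that an analyst would read with eth_getStorageAt to find the current logic contract. Both sample bytecode strings are constructed; the EIP-1167 minimal proxy runtime wraps a placeholder implementation address.

```python
"""Detect whether deployed bytecode can delegate its logic to another contract.

Added example, not from the page. `opcodes` walks EVM bytecode skipping
PUSH immediates; `uses_delegatecall` reports the DELEGATECALL opcode.
The sample bytecode constants are constructed for illustration.
"""
DELEGATECALL = 0xF4
# keccak256("eip1967.proxy.implementation") - 1, the slot defined by EIP-1967;
# an analyst reads it with eth_getStorageAt and re-scans when its value changes.
EIP1967_IMPL_SLOT = "0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc"


def opcodes(code: bytes):
    """Yield (offset, opcode) pairs, skipping the immediate bytes of PUSH1..PUSH32."""
    i = 0
    while i < len(code):
        op = code[i]
        yield i, op
        i += 1
        if 0x60 <= op <= 0x7F:          # PUSHn carries n = op - 0x5f immediate bytes
            i += op - 0x5F


def _to_bytes(code_hex: str) -> bytes:
    return bytes.fromhex(code_hex[2:] if code_hex.startswith("0x") else code_hex)


def uses_delegatecall(code_hex: str) -> bool:
    """True if DELEGATECALL appears as an instruction, not merely as PUSH data."""
    return any(op == DELEGATECALL for _, op in opcodes(_to_bytes(code_hex)))


def naive_scan(code_hex: str) -> bool:
    """Byte search only; shown to illustrate the false positive the walker avoids."""
    return DELEGATECALL in _to_bytes(code_hex)


# Constructed: EIP-1167 minimal proxy runtime around a placeholder 20-byte address.
MINIMAL_PROXY = "0x363d3d373d3d3d363d73" + "11" * 20 + "5af43d82803e903d91602b57fd5bf3"
# Constructed: PUSH1 0xf4 PUSH1 0x00 MSTORE STOP, where 0xf4 is only immediate data.
NOT_A_PROXY = "0x60f460005200"

if __name__ == "__main__":
    for name, code in (("minimal proxy", MINIMAL_PROXY), ("plain contract", NOT_A_PROXY)):
        print(f"{name}: walker={uses_delegatecall(code)} naive={naive_scan(code)}")
```

DELEGATECALL on its own is not proof of malice (linked libraries and diamond-pattern contracts use it legitimately), but for a token it means the logic that was scanned today is not the logic that must run tomorrow, so the scan result should be tied to the implementation address in the EIP-1967 slot and repeated whenever that slot changes.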
