How to Avoid Crypto Scams: Rug Pulls, Phishing & Red Flags

Crypto has created more millionaires than almost any asset class in history. It's also created more scams. For every legitimate DeFi protocol delivering real yield, there's at least one project designed entirely to separate you from your money.

The good news: crypto scams are not random or unpredictable. They follow patterns. And once you know those patterns, they become surprisingly easy to spot — before they cost you anything.

This guide covers the most common scams in DeFi and crypto, exactly how they work, and the specific red flags that give them away every time.

Rug Pulls: The Most Common DeFi Scam

A rug pull is when a project’s developers build enough hype to attract investors, collect a significant amount of funds — and then disappear with everything overnight.

The name comes from the phrase “pulling the rug out from under someone.” One day the project exists, the token is pumping, the Discord is buzzing. The next day the website is gone, the developers have vanished, and the token is worthless.

Rug pulls happen in two main forms:

Hard rug pulls are the dramatic version — developers drain the liquidity pool instantly and disappear. The token price drops to zero within seconds. By the time most holders notice, it’s over.

Soft rug pulls are slower and harder to spot. Developers gradually sell their token holdings over weeks or months, quietly dumping on retail investors while continuing to post updates and maintain appearances. By the time the community realizes what’s happening, the founders have already cashed out.

Red flags to watch for:

  • Anonymous team with no verifiable history or LinkedIn profiles
  • No smart contract audit from a reputable firm
  • Liquidity that isn’t locked — meaning developers can withdraw it at any time
  • Unrealistic promises: “10,000% APY,” “guaranteed returns,” “can’t lose”
  • Pressure to buy quickly before a “limited window” closes
  • Token allocation heavily concentrated with the founding team

Phishing Attacks: Stealing Your Wallet

Phishing is the art of tricking you into handing over access to your wallet — usually by impersonating a legitimate platform or person you trust.

In crypto, phishing attacks are sophisticated and everywhere. Here’s how they typically play out:

Fake websites are clones of real DeFi platforms — identical in appearance but with a slightly different URL. You connect your wallet, sign a transaction, and instead of swapping tokens you’ve just given the attacker permission to drain your entire wallet. The difference between “app.uniswap.org” and “app-uniswap.org” is easy to miss when you’re moving fast.

Fake customer support is rampant on Discord and Telegram. Post a question in any major crypto community and within minutes you’ll have “support agents” in your DMs offering to help. They’ll walk you through a “fix” that ends with you entering your seed phrase on a malicious site.

Airdrop scams promise free tokens in your wallet. To claim them, you just need to visit a link and connect your wallet. Once you connect, the site prompts you to sign a transaction that approves the attacker to withdraw your funds.

Red flags to watch for:

  • Anyone DMing you first on Discord, Telegram, or Twitter — legitimate support never does this
  • URLs with subtle differences: hyphens, extra letters, different domains (.net instead of .com)
  • Any request to enter your seed phrase or private key — ever, for any reason
  • Unsolicited airdrops requiring wallet connection to claim
  • Browser extensions asking for wallet permissions you didn’t initiate
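
The URL red flag above can be checked mechanically. This is an added example, not part of the original guide: it compares a link's host with hosts you have bookmarked yourself and flags the hyphen, extra-letter and different-TLD variants listed above. The TRUSTED_HOSTS allowlist and the classifyUrl helper are assumptions made for illustration.

```javascript
// Added example: compare a URL's host with hosts you have bookmarked yourself.
// TRUSTED_HOSTS is an assumed personal allowlist; its entry is the article's example.
const TRUSTED_HOSTS = ["app.uniswap.org"];

// Levenshtein distance: number of single-character edits between two strings.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// "app-uniswap.org" and "app.uniswap.org" become the same string.
const stripSeparators = (host) => host.replace(/[.-]/g, "");

// Everything before the last dot, so ".net" vs ".org" can be compared away.
function withoutTld(host) {
  const i = host.lastIndexOf(".");
  return i < 0 ? host : host.slice(0, i);
}

function classifyUrl(raw, trusted = TRUSTED_HOSTS) {
  let host;
  try {
    host = new URL(raw).hostname.toLowerCase();
  } catch {
    return { verdict: "invalid", reason: "not a parseable URL" };
  }
  if (trusted.includes(host)) return { verdict: "trusted", reason: "exact match" };
  for (const t of trusted) {
    if (stripSeparators(host) === stripSeparators(t))
      return { verdict: "lookalike", reason: `separators differ from ${t}` };
    if (withoutTld(host) === withoutTld(t))
      return { verdict: "lookalike", reason: `same name as ${t}, different TLD` };
    if (editDistance(host, t) <= 2)
      return { verdict: "lookalike", reason: `within 2 edits of ${t}` };
  }
  return { verdict: "unlisted", reason: "host is not in the allowlist" };
}

// Constructed sample URLs, one per pattern.
for (const u of ["https://app.uniswap.org/swap", "https://app-uniswap.org/swap",
                 "https://app.uniswap.net/", "https://app.uniswapp.org/"])
  console.log(u, classifyUrl(u));
```

A "lookalike" verdict means the host resembles a bookmarked one without matching it exactly; "unlisted" only means the host is not on your list, not that it is safe.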

Fake Token Scams and Honeypots

Not every scam is dramatic. Some are elegantly simple.

Fake tokens impersonate real ones. Scammers create a token called “USDC” or “ETH” with a different contract address and list it on a DEX. Unsuspecting buyers think they’re buying the real asset — they’re not.

Honeypot contracts are tokens you can buy but never sell. The smart contract is coded so that only the deployer can execute sell transactions. You watch the price rise, try to sell your profit, and discover your funds are permanently locked.

Checks to run before you buy:

  • Always verify token contract addresses against the official project website or CoinGecko
  • Check sell transaction history on Etherscan — if nobody has successfully sold, that’s a serious warning sign
  • Be skeptical of any token you heard about first on social media rather than established sources

Social Engineering and Impersonation

Some scams don’t involve code at all — just human psychology.

Scammers impersonate well-known figures in crypto — Vitalik Buterin, popular influencers, even Elon Musk — running fake giveaways: “Send 1 ETH, receive 2 ETH back.” They never send anything back. Ever.

Others pose as project founders, investment managers, or even romantic interests in long-running cons that build trust over weeks before asking for crypto transfers.

The rule that never fails: Nobody legitimate in crypto will ever ask you to send them crypto first to receive more back, share your seed phrase, or connect your wallet to an unsolicited link.


Your Non-Negotiable Safety Checklist

Before interacting with any new protocol or token, run through this list:

  • ✅ Is the smart contract audited by a reputable firm (CertiK, Trail of Bits, OpenZeppelin)?
  • ✅ Is the team public and verifiable?
  • ✅ Is liquidity locked for a defined period?
  • ✅ Did I type the URL manually or use a saved bookmark — not a link from social media?
  • ✅ Have I verified the token contract address on CoinGecko or the official website?
  • ✅ Is this opportunity free of pressure, urgency, and promises that sound too good?

If any answer is no or uncertain — stop. The opportunity will still be there after you’ve done your research. And if it won’t — that’s your answer.


The Bottom Line

Crypto scams are sophisticated, but they’re not invisible. They rely on urgency, greed, and the assumption that you haven’t seen their tricks before. Now you have.

Bookmark this page. Share it with anyone new to crypto in your life. The best defense against losing money in DeFi isn’t complex — it’s knowing what to look for before you click anything.

Educational content only — not investment, financial, tax, or legal advice. Cryptocurrency and DeFi involve substantial risk, including the potential for total loss of capital.