Spot the rug.
DEV BASED's whole thing is devs who ship and a locked LP you can verify. This lesson is the other side of that promise: how the scams are actually built, so you can name one the moment you see it. Rug pulls, honeypots, wallet drainers, address poisoning, and the social engineering that feeds all of them. Not advice. Just the map of how people lose the money.
not advice · defensive education · verify everythingAlmost nobody gets scammed because they were stupid. They get scammed because a scam is engineered to look exactly like the real thing right up until the money moves. The tells are structural, not obvious. Once you know the four or five shapes, you stop having to trust your gut and start being able to point at the specific lie.
Every scam rhymes.
Strip the branding off and the same skeleton is underneath almost all of them. A scam needs you to do one irreversible thing — send funds, sign a transaction, approve a contract — and it needs you to do it before you think. Everything else is set dressing to get you to that moment.
So the reliable tells aren't about the logo or the website quality. They're about the shape of the ask:
- Manufactured urgency. Limited slots, a countdown, "claim before it's gone," a price about to run. Urgency exists to skip the step where you check. Real opportunities survive a night's sleep. Scams are built to not.
- The irreversible action framed as routine. "Just connect your wallet." "Just sign to verify." "Just send a small test first." The action that ends with your money gone is always dressed up as the boring, normal step.
- Trust borrowed from something real. A celebrity, a president, a brand, a protocol you use, a person you've been talking to for weeks. The scam rarely builds its own credibility — it rents yours or someone else's.
- Asymmetry hidden in the mechanics. You can buy but not sell. The contract can mint more. One wallet holds most of the supply. The signature does more than it says. The trap lives in the part you didn't read.
Rug pulls: the exit was the plan.
A rug pull is a token whose team always intended to take the money. The project can look completely alive — website, community, chart going up — because the point is to look alive long enough to attract buyers. Then the people who control the supply or the liquidity cash out into your buys and vanish. Mechanically there are three main flavors.
The three ways they pull
- Liquidity pull. The token trades against a pool of paired assets (SOL, ETH, a stablecoin). If the team controls that liquidity, they can withdraw it in one transaction. The moment they do, there's nothing to sell into — the price goes to zero and your tokens are unsellable. This is why a locked or burned LP is the single most-cited "is this real" check, and why DEV BASED locks its own.
- Mint-authority rug. On Solana a token has a
mint authority— an address allowed to create new tokens. If it isn't revoked, the team can print unlimited supply at any time and sell it into the market, diluting you to nothing. "Mint authority renounced" is a fact you can check on-chain, not a promise you have to trust. - Slow rug / insider supply. The subtle one. No dramatic single transaction — instead the team and insiders quietly hold most of the supply from launch and bleed it into every rally over days or weeks. By the time the chart rolls over, the insiders are out and retail is holding. This is why holder concentration matters: if a handful of wallets hold the float, you're their exit.
Promoted by Argentina's president, the token spiked to a ~$4.6B market cap and then collapsed to near zero within hours. On-chain analysts found insiders held roughly 70% of supply before the sell-off, and about $100M in liquidity was pulled during the crash. A textbook insider-supply-plus-liquidity rug, wearing borrowed presidential credibility as the hook. (TRM Labs; Wikipedia)
Before buying any new token: is the LP locked or burned, is the mint authority revoked, and how concentrated are the top holders? Those three facts are public and take minutes. A "no" on any of them isn't proof of a scam, but it's the whole risk in one glance. Our Meme Sniper lesson walks through how an automated screener does exactly these checks on pump.fun launches.
Honeypots: you can buy, you can't sell.
A honeypot is a token whose smart contract lets you buy but silently blocks you from selling — or lets only the deployer sell. Everyone's buys push the price up, the chart looks like a rocket, and every holder is trapped inside it. The green candles are real; the exit door is welded shut in code you didn't read.
Honeypots come in cruder and subtler forms: a hard sell-block, a 100% sell tax that eats the whole trade, a whitelist that only lets insiders exit, or a contract that can be flipped to block sells after enough people are in. The through-line is the same asymmetry — buying works, leaving doesn't.
Riding the Netflix show's fame, SQUID ran from a cent to a reported peak near $2,861. Holders discovered the contract's hidden code blocked them from selling. The developers drained the liquidity, laundered it through Tornado Cash, and disappeared; the price fell to a fraction of a cent. A honeypot and a liquidity rug in one, sold entirely on a borrowed name. (Wikipedia; CBS News)
Wallet drainers: one signature empties everything.
Rug pulls and honeypots need you to buy a bad token. Drainers skip that — they go straight for the wallet you already have. A drainer is a phishing site that gets you to sign one wallet interaction that authorizes an attacker's contract to move your tokens. Then a script pulls everything approved, often batched into a single transaction, and it's gone in seconds. No token purchase, no bad trade — just one signature on the wrong page.
The uncomfortable engine behind the volume is that this is a business. "Drainer-as-a-service" kits are rented out: a developer maintains the malicious contracts, the phishing templates, and the laundering pipeline, and affiliates run the lures in exchange for a cut of whatever they steal (Inferno Drainer took ~20%). That's why the same drain shows up across thousands of unrelated fake sites — it's one toolkit behind many storefronts.
the lessonWhy one signature can move all your tokens
The mechanic drainers abuse is the token approval. To let any app (a DEX, an NFT market) move a token on your behalf, you grant its contract an allowance. Two things make this dangerous:
- Approvals don't expire. Once granted, a contract can move that token until you explicitly revoke it — months or years later. A drainer asks for an unlimited approval so it can take the whole balance whenever it wants.
- Signatures can hide the ask. "Gasless" approvals (Permit and Permit2) are done by signing a typed message, not sending a transaction. In the wallet it looks like a harmless "sign this message" prompt — but that signature can authorize moving your entire balance. A drain can happen from a signature, with no obvious transaction and no gas paid by you.
So the drain itself is boring: the attacker later calls transferFrom() from their own wallet and pulls everything you approved, batching many tokens into one multicall. The theft was decided the instant you signed. Revoking an approval stops future transfers, but it cannot claw back one that already ran — which is why prevention is the whole game.
One kit, rented to affiliates for a ~20% cut, responsible for tens of thousands of drained wallets across countless fake sites impersonating real brands. It "shut down," resurfaced, and eventually sold its code to another operator (Angel Drainer). Across all drainers, Scam Sniffer counted ~$494M stolen from ~332,000 wallets in 2024 alone. (Group-IB; Check Point; Scam Sniffer)
Before you approve or sign anything, read the plain-language summary your wallet shows and ask: does this app actually need to move this token right now? Connecting a wallet to view something is safe. Signing an approval to "verify," "claim," or "validate" is almost always the trap — legitimate sites don't need blanket permission to move your funds just to prove you own the wallet.
Address poisoning: the lookalike in your history.
This one exploits a habit almost everyone has: copying a wallet address from your own transaction history instead of retyping it. Attackers send you a tiny (or zero-value) transaction from an address engineered to match the first and last few characters of one you really use. Now their lookalike address is sitting in your history. The next time you go to pay that contact, you copy the poisoned one, and your funds go to the attacker.
A holder copied a poisoned lookalike from their history and sent 1,155 wrapped Bitcoin to it in a single transfer. The campaign had seeded over 82,000 lookalike addresses hunting for exactly this mistake. In a rare twist the attacker later returned the funds — but the mechanism works, and almost nobody gets a refund. (Chainalysis; CoinDesk)
Fake airdrops: free money is the bait.
Most drains don't start with a scary threat — they start with a gift. A token you didn't buy appears in your wallet, or a post promises a claim for early users of a protocol you actually use. The lure is designed to make you reach out to them, so it feels like your idea. The claim site is the drainer.
- Dust tokens with a website baked in. A worthless token lands in your wallet; its name or metadata is a URL. Visit to "claim" or "sell" it and you're on a drainer that asks you to sign. Interacting with an unsolicited token is the trap — ignoring it costs nothing.
- Sponsored-search impersonation. Attackers buy ads so a fake version of a real app sits above the real one in search results. The URL is a near-miss lookalike. You click the top result out of habit and connect your wallet to the clone.
- Hacked-account lures. A real project's Discord, X account, or a moderator gets compromised and posts a "surprise mint" or "claim live now" link. The trust is real; the link is not. Verified accounts and pinned messages get hijacked constantly.
A real airdrop never needs you to approve token spending, enter a seed phrase, or sign a permit to receive it. Receiving is free and requires no permission. The instant a "claim" asks for an approval or a signature that moves funds, the gift was the hook. No exceptions worth the risk.
The human layer: the biggest losses aren't technical.
The contracts above steal thousands to millions. The scams that steal the most, in aggregate, barely touch a smart contract — they patiently manipulate a person. The FBI's 2024 figures put crypto investment scams alone at $5.8B, most of it "pig butchering," and Chainalysis attributes the single largest slice of 2025's record scam losses to these long-con and impersonation operations.
| The con | How it works | The tell |
|---|---|---|
| Pig butchering romance / investment |
A stranger builds a relationship over weeks (dating app, wrong-number text, friendly DM), then introduces a "great" crypto platform. Early "withdrawals" work to build trust. Then you're urged to put in more — and the platform is fake. It's an industry, run out of trafficking compounds in SE Asia. | Someone you met online guiding you to invest, on a platform only they recommend, where withdrawals get harder as you deposit more. |
| Fake support impersonation |
You post a problem; a "support agent" DMs you first. They walk you to a site to "sync" or "validate" your wallet, or ask for your seed phrase to "restore" it. Real support never DMs first and never needs your phrase. | Unsolicited help, urgency, and any request that ends in a seed phrase or a wallet signature. |
| Impersonation at scale deepfakes, fake founders |
A fake (often AI-generated) video or account of a known founder promotes a "giveaway": send 1 coin, get 2 back. Chainalysis clocked impersonation scam inflows up ~1,400% year over year as AI made the fakes cheap and convincing. | Any "send to receive double" offer. It has never once been real, from anyone, ever. |
Your seed phrase (or private key) is your wallet. Anyone who has it owns everything, forever, with no recourse. No legitimate app, support desk, wallet, exchange, mod, or airdrop will ever need it. There is no scenario where typing it into a website or telling it to a person is correct. If something asks, you have already found the scam.
Defense: make yourself expensive to rob.
You can't audit every contract or out-read every drainer. You don't have to. A few habits break the chain at the cheap end and cap the damage when something slips through. None of this is exotic — it's the on-chain version of not leaving your keys in the car.
The habits, in priority order
- The one-link rule. Reach every app through a bookmark you saved after verifying it once. Never through a search result, an ad, a DM, or a link in a post. This single habit defuses sponsored-search clones and most hacked-account lures before your wallet is even open.
- Approval hygiene — revoke regularly. Old approvals are standing permissions to move your tokens. Periodically review and revoke them with a tool like
revoke.cash(100+ EVM chains) or your wallet's built-in token-permission manager; on Solana, revoke token delegates the same way. Revoking a stale approval closes a door you forgot was open. - Burner wallets. Keep a separate, near-empty wallet for minting, claiming, and connecting to anything new. If it gets drained, it had nothing to take. Your real holdings live in a wallet that never touches an untrusted site — ideally a hardware wallet, so a signature can't happen without physical confirmation.
- Simulate before you sign. Wallets and extensions (transaction simulation / preview tools) show what a transaction or signature will actually do before you approve it. "This will transfer all your USDC" is a very different prompt than "sign to verify." Read the simulation; if it doesn't match what you expected, reject it.
- Verify the token, not the chart. Before buying: LP locked or burned, mint authority revoked, holders not concentrated, and a confirmable ability to sell. Minutes of checking against the whole downside.
The red-flag checklist
If two or more of these are true, stop and re-verify through a channel you already trust:
- You're being rushed — a countdown, "limited spots," "claim before it's gone."
- You were contacted first — an unsolicited DM, "support" that appeared, a stranger with an investment tip.
- You reached the site through a search result, ad, or link rather than your own bookmark.
- You're asked to sign or approve something to "verify," "validate," "claim," or "sync" your wallet.
- The offer is free money — an airdrop you didn't earn, a "send X get 2X" deal.
- Anyone, in any framing, wants your seed phrase or private key.
- The token only goes up with no visible sells, or a few wallets hold most of the supply.
If you think a wallet is compromised, move fast: transfer remaining assets to a fresh wallet the attacker doesn't control, then revoke approvals from the compromised one. Assume the seed phrase is burned — never reuse it. Report to ic3.gov in the US. Recovery is rare and irreversibility is the point, so the honest lesson is that the only reliable win is not signing in the first place.
The Meme Sniper lesson → shows how an automated screener runs the "is this a rug or a honeypot" checks on pump.fun launches, and why it rejects roughly 99% of what it sees. Same instincts, applied at machine speed.