// Spot the rug · Learn extra credit
How the money actually leaves · plain English

Spot the rug.

DEV BASED's whole thing is devs who ship and a locked LP you can verify. This lesson is the other side of that promise: how the scams are actually built, so you can name one the moment you see it. Rug pulls, honeypots, wallet drainers, address poisoning, and the social engineering that feeds all of them. Not advice. Just the map of how people lose the money.

not advice · defensive education · verify everything
Why this lesson exists

Almost nobody gets scammed because they were stupid. They get scammed because a scam is engineered to look exactly like the real thing right up until the money moves. The tells are structural, not obvious. Once you know the four or five shapes, you stop having to trust your gut and start being able to point at the specific lie.

// 02 // 02 · the common shape

Every scam rhymes.

Strip the branding off and the same skeleton is underneath almost all of them. A scam needs you to do one irreversible thing — send funds, sign a transaction, approve a contract — and it needs you to do it before you think. Everything else is set dressing to get you to that moment.

So the reliable tells aren't about the logo or the website quality. They're about the shape of the ask:

The one rule under everything: the moment you feel rushed toward an irreversible action, that feeling is the alarm. Slow down exactly when the design wants you to speed up. Nearly every defense later in this page is a specific version of that one move.
// 03 // 03 · rug pulls

Rug pulls: the exit was the plan.

A rug pull is a token whose team always intended to take the money. The project can look completely alive — website, community, chart going up — because the point is to look alive long enough to attract buyers. Then the people who control the supply or the liquidity cash out into your buys and vanish. Mechanically there are three main flavors.

1 · deploy 2 · hype + buys 3 · team keeps control 4 · the pull 5 · you hold zero The chart looks great right up until stage 4
Anatomy of a rug — the price action is designed to be attractive; the trap is who controls the liquidity and the supply the whole time.

The three ways they pull

$LIBRAFeb 14, 2025
~$251M lost · 114,000 wallets

Promoted by Argentina's president, the token spiked to a ~$4.6B market cap and then collapsed to near zero within hours. On-chain analysts found insiders held roughly 70% of supply before the sell-off, and about $100M in liquidity was pulled during the crash. A textbook insider-supply-plus-liquidity rug, wearing borrowed presidential credibility as the hook. (TRM Labs; Wikipedia)

The check that would have caught it

Before buying any new token: is the LP locked or burned, is the mint authority revoked, and how concentrated are the top holders? Those three facts are public and take minutes. A "no" on any of them isn't proof of a scam, but it's the whole risk in one glance. Our Meme Sniper lesson walks through how an automated screener does exactly these checks on pump.fun launches.

// 04 // 04 · honeypots

Honeypots: you can buy, you can't sell.

A honeypot is a token whose smart contract lets you buy but silently blocks you from selling — or lets only the deployer sell. Everyone's buys push the price up, the chart looks like a rocket, and every holder is trapped inside it. The green candles are real; the exit door is welded shut in code you didn't read.

You buy tx Token contract hidden sell check buy ✓ You sell tx revert ✕ only the deployer's wallet is whitelisted to sell
Honeypot flow — the contract accepts your buy and reverts your sell. The price chart only ever goes up because nobody trapped inside can create a down candle.

Honeypots come in cruder and subtler forms: a hard sell-block, a 100% sell tax that eats the whole trade, a whitelist that only lets insiders exit, or a contract that can be flipped to block sells after enough people are in. The through-line is the same asymmetry — buying works, leaving doesn't.

SQUID (Squid Game token)Nov 1, 2021
~$3.38M taken · 40,000+ buyers

Riding the Netflix show's fame, SQUID ran from a cent to a reported peak near $2,861. Holders discovered the contract's hidden code blocked them from selling. The developers drained the liquidity, laundered it through Tornado Cash, and disappeared; the price fell to a fraction of a cent. A honeypot and a liquidity rug in one, sold entirely on a borrowed name. (Wikipedia; CBS News)

How to catch one: a chart that only ever goes up with almost no sells is a symptom, not a miracle. Contract scanners (honeypot checkers, token sniffers) simulate a buy and a sell before you trade and flag when the sell fails. On a brand-new token with no sell history, treat "can't confirm I can exit" as "don't enter."
// 05 // 05 · wallet drainers

Wallet drainers: one signature empties everything.

Rug pulls and honeypots need you to buy a bad token. Drainers skip that — they go straight for the wallet you already have. A drainer is a phishing site that gets you to sign one wallet interaction that authorizes an attacker's contract to move your tokens. Then a script pulls everything approved, often batched into a single transaction, and it's gone in seconds. No token purchase, no bad trade — just one signature on the wrong page.

The uncomfortable engine behind the volume is that this is a business. "Drainer-as-a-service" kits are rented out: a developer maintains the malicious contracts, the phishing templates, and the laundering pipeline, and affiliates run the lures in exchange for a cut of whatever they steal (Inferno Drainer took ~20%). That's why the same drain shows up across thousands of unrelated fake sites — it's one toolkit behind many storefronts.

STAGE 1 The lure fake site via sponsored search, fake airdrop, or hacked Discord link STAGE 2 The signature "connect + sign to verify" — actually an approval / Permit2 sig STAGE 3 The drain attacker calls transferFrom(), batches it all out in seconds DEFENSE one-link rule: bookmarks DEFENSE read + simulate the sig DEFENSE burner + revoked approvals
Drainer kill-chain — three stages, three defenses. You only have to break the chain once. The cheapest place to break it is stage 1, before your wallet is ever open.
the lessonWhy one signature can move all your tokens

The mechanic drainers abuse is the token approval. To let any app (a DEX, an NFT market) move a token on your behalf, you grant its contract an allowance. Two things make this dangerous:

  • Approvals don't expire. Once granted, a contract can move that token until you explicitly revoke it — months or years later. A drainer asks for an unlimited approval so it can take the whole balance whenever it wants.
  • Signatures can hide the ask. "Gasless" approvals (Permit and Permit2) are done by signing a typed message, not sending a transaction. In the wallet it looks like a harmless "sign this message" prompt — but that signature can authorize moving your entire balance. A drain can happen from a signature, with no obvious transaction and no gas paid by you.

So the drain itself is boring: the attacker later calls transferFrom() from their own wallet and pulls everything you approved, batching many tokens into one multicall. The theft was decided the instant you signed. Revoking an approval stops future transfers, but it cannot claw back one that already ran — which is why prevention is the whole game.

Inferno Drainer (drainer-as-a-service)Nov 2022 – 2024
~$87M stolen · 137,000+ victims

One kit, rented to affiliates for a ~20% cut, responsible for tens of thousands of drained wallets across countless fake sites impersonating real brands. It "shut down," resurfaced, and eventually sold its code to another operator (Angel Drainer). Across all drainers, Scam Sniffer counted ~$494M stolen from ~332,000 wallets in 2024 alone. (Group-IB; Check Point; Scam Sniffer)

The signing habit that saves you

Before you approve or sign anything, read the plain-language summary your wallet shows and ask: does this app actually need to move this token right now? Connecting a wallet to view something is safe. Signing an approval to "verify," "claim," or "validate" is almost always the trap — legitimate sites don't need blanket permission to move your funds just to prove you own the wallet.

// 06 // 06 · address poisoning

Address poisoning: the lookalike in your history.

This one exploits a habit almost everyone has: copying a wallet address from your own transaction history instead of retyping it. Attackers send you a tiny (or zero-value) transaction from an address engineered to match the first and last few characters of one you really use. Now their lookalike address is sitting in your history. The next time you go to pay that contact, you copy the poisoned one, and your funds go to the attacker.

What your wallet shows you: 0xd9A153a91 ← both addresses look exactly like this What's actually there: 0xd9A1b2C7f0e4...9Kd3Lm53a91 real — the middle is yours
Address poisoning — the ends match, the middle doesn't, and most wallet UIs only display the ends. The whole attack is a bet that you won't check the characters you can't see.
WBTC whale address poisoningMay 2024
~$68M sent to the wrong address · 1,155 WBTC

A holder copied a poisoned lookalike from their history and sent 1,155 wrapped Bitcoin to it in a single transfer. The campaign had seeded over 82,000 lookalike addresses hunting for exactly this mistake. In a rare twist the attacker later returned the funds — but the mechanism works, and almost nobody gets a refund. (Chainalysis; CoinDesk)

The fix is a 10-second habit: never copy an address from transaction history. Use a saved address-book entry, verify the whole string (or at least the middle), and send a small test amount first for any large or new transfer. The attack depends entirely on you trusting the ends.
// 07 // 07 · fake airdrops + lures

Fake airdrops: free money is the bait.

Most drains don't start with a scary threat — they start with a gift. A token you didn't buy appears in your wallet, or a post promises a claim for early users of a protocol you actually use. The lure is designed to make you reach out to them, so it feels like your idea. The claim site is the drainer.

The tell that survives everything

A real airdrop never needs you to approve token spending, enter a seed phrase, or sign a permit to receive it. Receiving is free and requires no permission. The instant a "claim" asks for an approval or a signature that moves funds, the gift was the hook. No exceptions worth the risk.

// 08 // 08 · the human layer

The human layer: the biggest losses aren't technical.

The contracts above steal thousands to millions. The scams that steal the most, in aggregate, barely touch a smart contract — they patiently manipulate a person. The FBI's 2024 figures put crypto investment scams alone at $5.8B, most of it "pig butchering," and Chainalysis attributes the single largest slice of 2025's record scam losses to these long-con and impersonation operations.

The conHow it worksThe tell
Pig butchering
romance / investment
A stranger builds a relationship over weeks (dating app, wrong-number text, friendly DM), then introduces a "great" crypto platform. Early "withdrawals" work to build trust. Then you're urged to put in more — and the platform is fake. It's an industry, run out of trafficking compounds in SE Asia. Someone you met online guiding you to invest, on a platform only they recommend, where withdrawals get harder as you deposit more.
Fake support
impersonation
You post a problem; a "support agent" DMs you first. They walk you to a site to "sync" or "validate" your wallet, or ask for your seed phrase to "restore" it. Real support never DMs first and never needs your phrase. Unsolicited help, urgency, and any request that ends in a seed phrase or a wallet signature.
Impersonation at scale
deepfakes, fake founders
A fake (often AI-generated) video or account of a known founder promotes a "giveaway": send 1 coin, get 2 back. Chainalysis clocked impersonation scam inflows up ~1,400% year over year as AI made the fakes cheap and convincing. Any "send to receive double" offer. It has never once been real, from anyone, ever.
The seed phrase rule, stated once

Your seed phrase (or private key) is your wallet. Anyone who has it owns everything, forever, with no recourse. No legitimate app, support desk, wallet, exchange, mod, or airdrop will ever need it. There is no scenario where typing it into a website or telling it to a person is correct. If something asks, you have already found the scam.

// 09 // 09 · defense

Defense: make yourself expensive to rob.

You can't audit every contract or out-read every drainer. You don't have to. A few habits break the chain at the cheap end and cap the damage when something slips through. None of this is exotic — it's the on-chain version of not leaving your keys in the car.

The habits, in priority order

The red-flag checklist

If two or more of these are true, stop and re-verify through a channel you already trust:

When it happens anyway

If you think a wallet is compromised, move fast: transfer remaining assets to a fresh wallet the attacker doesn't control, then revoke approvals from the compromised one. Assume the seed phrase is burned — never reuse it. Report to ic3.gov in the US. Recovery is rare and irreversibility is the point, so the honest lesson is that the only reliable win is not signing in the first place.

Keep going

The Meme Sniper lesson → shows how an automated screener runs the "is this a rug or a honeypot" checks on pump.fun launches, and why it rejects roughly 99% of what it sees. Same instincts, applied at machine speed.

← Back to the education portal