Cryptocurrency investors, beware: cyber criminals are draining the money from unsuspecting investors through something called a “rug pull.”
Rug pulls are a lucrative scam in which a crypto developer promotes a new project—usually a new token—to investors, and then disappears with tens of millions or even hundreds of millions of dollars. This particular type of fraud accounted for $2.8 billion in lost money for victims, or 37% of all cryptocurrency scam revenue in 2021, according to Chainalysis, a blockchain analysis company.
That’s a huge jump—rug pulls only accounted for 1% of cryptocurrency scam revenue in 2020, according to Chainalysis.
How rug pulls happen
The ease of the scam might be why it has become so popular. It’s a fairly straightforward process to create new tokens on Ethereum or another blockchain, and get that token listed on decentralized exchanges (DEXes), or peer-to-peer marketplaces for crypto traders, without a code audit, according to the report.
Code audits are important from a security perspective because they assess any new code for errors, bugs, and quality standards set by the organization. Without assessing the code in smart contracts—also known as self-executing contracts—malicious developers can more easily introduce “bugs” or flaws, creating “backdoors” to steal user funds and perpetrate exit scams, according to a report by Elliptic, a London-based blockchain analysis provider.
“Smart contract platforms such as Ethereum and Binance Smart Chain allow developers easy access to build the smart contracts, which underpin rug pulls,” Konstantin Richter, CEO of Blockdaemon, a blockchain company, told Fortune. “Yet targets of such scams often don’t have the technical understanding to fully audit a project at a code level. The allure of fast, easy gains is often too tempting to resist.”
Look at the liquidity
One common trait of rug pull scams is when a new crypto project has low liquidity, meaning that it’s hard to convert the coin or asset into cash. Seasoned crypto traders avoid entering into projects with little liquidity because of the associated risks of unstable prices and price manipulation.
It can be helpful to check the liquidity of a cryptocurrency by looking at its 24-hour trading volume, according to Coin Telegraph.
“Small projects are more easily manipulated than big projects,” Richter said. “If there is low volume, low liquidity and a small community of over-hyped buyers, it may be time to back away.”
Never skip background checks
A first step in preventing rug pulls is to thoroughly research the crypto project before investing in it.
Never assume a project is legitimate merely because it looks official. Reputation matters, and only believe what you can verify. The acronym “DYOR” (Do Your Own Research) is often touted in crypto circles as a must for avoiding such scams, according to Richter.
“If something is too good to be true, it often is,” Richter told Fortune. “The famous Squid Game token is an example that comes to mind.”
In November 2021, a cryptocurrency token associated with the hit Netflix series went from $2,586 to a penny. The project promised that an anti-dumping mechanism was written into the code, making the $SQUID token immune to a flash-crash. Supposedly, token-holders could only sell by also holding the $MARBLE token. Yet, the anonymous founders made off with approximately $3.3 million with virtually no consequences.
When it comes to NFTs, or non-fungible tokens, Jamilia Grier, a blockchain attorney and NFT expert, also recommends fully vetting new projects and researching NFT teams on social media. With limited tech expertise, social media can be an accessible way to put a face to a name, according to Grier.
“You should really do your due diligence, which means go to the project’s Twitter and Discord,” Grier told Fortune, referring to a popular instant messaging platform where enthusiasts can talk about niche topics like cryptocurrency. “And once you find out who the core team members are, check out their social media profiles, talk to people in the Discord server, participate. Make sure you understand what the social value is and what the project’s mission is.”
Anonymity is a red flag
Many crypto projects are created by people who only disclose their pseudonyms. Complete anonymity means complete unaccountability when it comes to unvetted crypto projects.
“Rug pulls are often, but not always, orchestrated by anonymous founders promising fast, easy gains in return for blue-chip cryptocurrencies,” Richter told Fortune. “The blockchain space is one that respects anonymity, yet checking if the orchestrator has a proven track record as a good-actor can help avoid potential pitfalls. Anonymity is often a scammer’s shield for easy rug-pulls. Check for their ‘proof-of-history.’”
Grier recommended only investing in projects in which the core team uses real-world names and credentials.
“The core team should be real people,” Grier told Fortune. “Not just avatars with funny names where you never actually see a face, or there’s no way to verify their real identity or existence. And the reason for that is because if anything happens, you know who would be liable.”
