$15 Million Loss Behind the Rug Pull Scheme: Don't Fall Victim Again!

Original Author: Ada

TenArmor and GoPlus have a powerful Rugpull detection system. Recently, the two joined forces to conduct an in-depth risk analysis and case study of recent Rugpull incidents, unveiling the latest tactics and trends of Rugpull attacks and providing users with effective security protection advice.

Rugpull Event Statistics

TenArmor's detection system identifies a large number of Rugpull events every day. Looking back at the data from the past month, Rugpull events have been on the rise, especially on November 14th, when there were as many as 31 Rugpull incidents in a single day. We believe it is necessary to expose this phenomenon to the community.

The losses from these Rugpull events mostly fall within the range of 0 - 100K, with a total cumulative loss of 15M.

The most typical Rugpull type in the Web3 space is the Ruggy Farm. GoPlus's Token Security Detection Tool can detect whether a token is a Ruggy Farm. In the past month, GoPlus has detected a total of 5688 Ruggy Farms. More security-related data can be accessed on GoPlus's data dashboard on DUNE here.

TL;DR

Based on the characteristics of current Rugpull events, we have summarized the key points for prevention as follows:

1. Do not blindly follow trends. When buying popular coins, check if the coin's address is legitimate to avoid purchasing counterfeit coins and falling into a scam trap.

2. When participating in token launches, conduct thorough due diligence. Check if the early traffic is coming from the deployer's associated addresses. If so, it may indicate a potential scam trap, so try to avoid it.

3. View the contract's source code, especially pay attention to the implementation of the transfer/transferFrom functions, and see if buying and selling can proceed normally. For obfuscated source code, it is necessary to steer clear.

4. When investing, check the distribution of holders. If there is a significant fund concentration, try to avoid it as much as possible.

5. Check the source of funds for the contract deployer, trace back at least 10 hops, and see if the contract deployer's funds originate from a suspicious trading platform.

6. Pay attention to the alerts published by TenArmor and take timely action. TenArmor has the capability to detect Scam Tokens of this kind in advance. Follow TenArmor's X account to receive timely alerts.

7. The TenTrace system has now accumulated address information on scams, phishing, and exploits from multiple platforms, which can effectively identify the flow of funds to and from blacklisted addresses. TenArmor is committed to improving the community's security environment and welcomes partners with needs to discuss cooperation.

RugPull Event Characteristics

Through the analysis of numerous RugPull events, we have identified the following characteristics of recent RugPulls.

Impersonating Prominent Coins

Starting from November 1st, the TenArmor detection system detected 5 RugPull events impersonating the PNUT token. According to this tweet summary, PNUT began operating on November 1st and surged 161 times within 7 days, successfully attracting investors' attention. The timing of PNUT's operation and surge aligns closely with the scammers' commencement of impersonating PNUT. Scammers chose to impersonate PNUT to lure in more unsuspecting individuals.

The RugPull event impersonating PNUT totaled a scam amount of 103.1K. TenArmor reminds users not to blindly follow trends and, when purchasing popular coins, to verify if the coin's address is genuine.

Launchpad Bot Targeting

The issuance of a new coin or token usually generates significant market attention. When a new coin is launched, the price experiences high volatility, with significant price differences between one second and the next. Pursuing transaction speed becomes a key objective for gaining profits. Trading bots far outperform human traders in both speed and responsiveness, making launchpad bots highly sought after in the current environment.

However, scammers have also keenly observed the existence of a large number of launchpad bots and set traps to lure them in. For example, the address 0xC757349c0787F087b4a2565Cd49318af2DE0d0d7 has initiated over 200 scam events since October 2024, with each event, from deploying a honeypot contract to executing a rug pull, concluding within a few hours.

As an example of the most recent scam event initiated by this address, the scammer first utilized 0xCd93 to create the FLIGHT token and then established the FLIGHT/ETH trading pair.

Immediately after the trading pair was created, a large number of Banana Gun launchpad bots swarmed in to swap small amounts of the token. Analysis revealed that these launchpad bots were all controlled by the scammer, aiming to create artificial volume.

After around 50 small transactions to generate volume, genuine investors were attracted. Most of these investors also utilized the Banana Gun launchpad bot for trading.

Following a period of trading, the scammer deployed a rug pull contract, with funds originating from the address 0xC757. Shortly after deploying the contract, in just 1 hour and 42 minutes, the rug pull occurred, draining the liquidity pool in one go and profiting 27 ETH.

Analyzing the modus operandi of this scammer, it is not difficult to discover that the scammer first creates traffic through small exchanges to attract whitelisting bots, and then deploys a Rug contract. Once the expected profits are achieved, they perform the Rug. TenArmor believes that although whitelisting bots can conveniently and quickly purchase new coins to gain a competitive edge, one must also consider the presence of scammers. When whitelisting, due diligence should be conducted to see if the pre-listing traffic is coming from the deployer's associated address; if so, it should be avoided.

Source Code Hidden Secrets

Transaction Taxation

The following is the transfer function implementation code of FLIGHT. It is clear to see that this transfer implementation differs significantly from the standard implementation. Each transfer must determine whether to levy a tax based on the current conditions. This transaction tax restricts both buying and selling and is highly likely indicative of a scam coin.

In cases like this, users only need to inspect the token's source code to uncover clues and avoid falling into the trap.

Code Obfuscation

In the TenArmor latest and major Rug Pull event review: how investors and users should respond article, it is mentioned that some scammers intentionally obfuscate the source code to make their intentions less understandable. In such cases, it is advisable to steer clear immediately.

Brazen rugApproved

Among the many Rugpull events detected by TenArmor, there are those who are brazen in their actions. For example, this transaction blatantly reveals the intention.

From scammers deploying contracts used for Rugpull to an actual Rugpull, there is usually a time window. For example, in this case, the time window is close to 3 hours. To prevent this type of scam, you can pay attention to TenArmor's X account, as we will promptly send deployment messages for such risky contracts to remind users to withdraw their funds in a timely manner.

In addition, rescueEth/recoverStuckETH is also a commonly used Rugpull interface. Of course, the existence of this interface does not necessarily mean it is a Rugpull; other features need to be considered for identification.

Holder Concentration

In recent Rugpull events detected by TenArmor, the distribution of holders also has significant characteristics. We randomly selected the holder distribution of 3 tokens involved in Rugpull events. The situations are as follows.

0x5b226bdc6b625910961bdaa72befa059be829dbf5d4470adabd7e3108a32cc1a

0x9841cba0af59a9622df4c0e95f68a369f32fbdf6cabc73757e7e1d2762e37115

0x8339e5ff85402f24f35ccf3b7b32221c408680421f34e1be1007c0de31b95f23

In these 3 cases, it is easy to see that the Uniswap V2 pair is the largest holder, with an overwhelming amount of tokens held. TenArmor reminds users that if they notice a concentration of holders in a specific address, such as in the Uniswap V2 pair, they should be cautious when trading that particular token.

Funds Source

From the Rugpull event detected by TenArmor, we randomly selected 3 to analyze the source of funds.

Case 1

tx: 0x0f4b9eea1dd24f1230f9d388422cfccf65f45cf79807805504417c11cf12a291

Tracing back 6 hops revealed funds inflow to FixedFloat.

FixedFloat is an automated cryptocurrency exchange that does not require user registration or KYC verification. The perpetrator chose to source funds from FixedFloat to obscure their identity.

Case 2

tx: 0x52b6ddf2f57f2c4f0bd4cc7d3d3b4196d316d5e0a4fb749ed29e53e874e36725

Tracing back 5 hops revealed funds inflow to MEXC 1.

On March 15, 2024, the Securities and Futures Commission of Hong Kong issued a cautionary announcement about the platform MEXC, stating that MEXC actively promoted its services to Hong Kong investors without obtaining a license from the Commission or applying for one. The Commission on March 15, 2024, included MEXC and its website in the Alert List of suspicious virtual asset trading platforms.

Case 3

tx: 0x8339e5ff85402f24f35ccf3b7b32221c408680421f34e1be1007c0de31b95f23

Forward 5 hops revealed funds inflow to Disperse.app.

Disperse.app is used to disburse ETH to various contract addresses (distribute ether or tokens to multiple addresses).

Transaction analysis revealed the caller of this Disperse.app instance to be 0x511E04C8f3F88541d0D7DFB662d71790A419a039, with funds inflow to Disperse.app observed 2 hops prior.

Transaction analysis revealed the caller of this Disperse.app instance to be 0x97e8B942e91275E0f9a841962865cE0B889F83ac, with funds inflow to Disperse.app observed 2 hops prior, followed by funds inflow to MEXC 1.

Based on the analysis of the 3 cases above, the scammer chose to deposit funds on unlicensed and non-KYC-compliant trading platforms. TenArmor reminds users that when investing in a new token, they should check whether the fund source of the contract deployer comes from a suspicious trading platform.

Preventive Measures

Based on the data compiled by TenArmor and GoPlus, this article provides a comprehensive review of the technical characteristics of Rugpull and showcases representative cases. In response to the Rugpull characteristics mentioned above, we have summarized the corresponding preventive measures as follows.

1. Do not blindly follow trends. When purchasing popular coins, verify that the coin's address is genuine to prevent buying counterfeit coins and falling into a scam trap.

2. During a token launch, conduct thorough due diligence to check if the initial liquidity comes from the deployer's associated address. If so, it may indicate a potential rug pull scam, and it is advisable to avoid it as much as possible.

3. Review the contract's source code, paying close attention to the implementation of the transfer/transferFrom functions to ensure smooth buy and sell transactions. Avoid contracts with obfuscated source code.

4. When investing, analyze the distribution of holders. If there is a significant concentration of funds, consider avoiding that particular token.

5. Examine the source of the contract deployer's funds, tracing back at least 10 transactions to identify any suspicious origin, such as funds from dubious exchanges.

6. Stay informed about alerts issued by TenArmor and act promptly. TenArmor has the ability to detect potential scams early, particularly related to Scam Tokens. Follow TenArmor's X account to receive timely alerts.

All malicious addresses involved in Rugpull events are promptly added to the TenTrace system. TenTrace is an Anti-Money Laundering (AML) system developed by TenArmor, applicable to various scenarios such as AML, anti-fraud, and attacker identification. The TenTrace system has compiled information on addresses related to scams, phishing attacks, and exploits from multiple platforms, enabling the identification of funds flowing to these malicious addresses and accurately monitoring their outflow. TenArmor is dedicated to enhancing the community's security environment and welcomes partnerships with interested parties.

About TenArmor

TenArmor is your first line of defense in the Web3 world. We provide advanced security solutions focusing on addressing the unique challenges of blockchain technology. Through our innovative products, ArgusAlert and VulcanShield, we ensure real-time protection against potential threats and swift responses. Our expert team excels in everything from smart contract audits to cryptocurrency tracing, making us the preferred partner for any organization looking to safeguard their digital assets in the decentralized space.

Follow us @TenArmorAlert to receive our latest Web3 security alerts promptly.

Welcome to Contact Us:

X | Telegram | Medium

About GoPlus

GoPlus, as the first on-chain security protection network, aims to provide every user with the most user-friendly, all-around on-chain security to ensure the security of every user's transaction and assets.

On the security service architecture, it is mainly divided into GoPlus APP directly facing C-end users (web end and browser plug-in products) and GoPlus Intelligence indirectly serving C-end users (through B-end integration or access), covering the most extensive Web3 user base and various transaction scenarios, dedicated to building an open, user-driven on-chain security protection network:

On the one hand, any project can independently provide on-chain security protection to users by accessing GoPlus. On the other hand, GoPlus also allows developers to fully leverage their strengths, deploying innovative security products to the GoPlus Security Market. Users can independently choose and configure convenient, personalized security services, thus building an open, decentralized security ecosystem through developer-user collaboration.

Currently, GoPlus has become the preferred security partner of Web3 Builders, and its on-chain security services are widely adopted and integrated by Trust Wallet, CoinMarketCap, OKX, Bybit, DexScreener, SushiSwap, with an average of over 34 million daily calls and over 4 billion cumulative calls, covering over 90% of users' on-chain transactions. Its open security application platform has also served more than 12 million on-chain users.

Our Community:

X | Discord | Medium

This article is a user submission and does not represent the views of BlockBeats