Rug pulls in crypto: how DeFi scams work and how to spot them before you lose money
I remember scrolling through crypto Twitter on a random Tuesday in April 2025 and watching Mantra's chart collapse in real time. Seventeen wallets had dumped 43.6 million OM tokens onto exchanges in the hours before, and by the time most holders noticed, the price had already cratered 94%, vaporizing $5.5 billion in what played out like a car accident in slow motion that everyone could see but nobody could swerve away from. The Mantra team blamed forced liquidations; on-chain analysts pointed out that seventeen wallets don't coordinate $227 million in exchange deposits by coincidence. I'll leave you to draw your own conclusions from that set of facts.
The part that stung the Mantra community hardest is that none of this looked like a scam when they were putting money in. This was a real-world asset platform with real partnerships and a token listed on major exchanges, not some anonymous dog coin that launched on a Sunday night. And that's precisely the problem with rug pulls in crypto: the ones that cause the most damage are the ones that looked legitimate right up until the moment they weren't. The dangerous ones never come wearing a sign that says "I'm about to steal your money."
I got into crypto in 2017, and since then I've personally watched this pattern chew through people's savings more times than I'd like to count. The hype machine spins up, the chart goes vertical, nobody wants to ask awkward questions about the tokenomics because the price keeps climbing and questioning the project feels like questioning free money. Then one morning you wake up, check the chart, and realize the team dumped everything while you were sleeping. The group chat is dead. Nobody's talking. I wrote this because too many people I know personally have been on the wrong end of a rug, and in almost every case the warning signs were there, just buried under hype and jargon that nobody bothered to translate into plain language.
How crypto rug pulls actually work
If someone in a crypto group chat tells you "I got rugged last night," they're saying the team behind a token or protocol they put money into packed up and left with everything. The expression is borrowed from the old idiom about yanking a carpet out from under someone who's standing on it: one second the ground is there, the next second you're on your back staring at the ceiling trying to figure out what just happened to your ETH.
Once you've watched enough of these unfold, the playbook stops being surprising and starts being maddening because it barely changes and people keep falling for it anyway.
A team puts together something that looks legit: a professional website with a countdown timer, a whitepaper packed with jargon about "revolutionizing DeFi," a roadmap that stretches into 2028, maybe even a working testnet demo that took one developer a weekend to slap together. Might be a governance token for a "DeFi protocol," might be a 10,000-piece NFT collection with a game attached, might be some exotic yield farming contraption that nobody fully understands. Doesn't really matter what flavor they pick; the underlying mechanics are copy-pasted from the same playbook every time.
Marketing comes next and it comes hard. You'll see the project appear in crypto Twitter threads from accounts that didn't exist last month, in Telegram groups where "community managers" pump hype around the clock, in Discord servers where mods ban anyone who asks why the contract hasn't been audited. YouTube creators who'd shill a cardboard box for the right fee start posting videos about how "this one could 100x easy." The core message never changes: "you're still early," because inducing FOMO in people who watched their friend make money on Solana is the best sales tactic in all of crypto and the scammers know it.
Money pours in. People swap their hard-earned ETH or BNB for the new token on decentralized exchanges, filling up the liquidity pool. The chart goes up because buy pressure is high and nobody's selling yet. At this point, honestly, the project can look identical to something real. Plenty of legitimate ventures had ugly early days too, and the scammer is banking on that ambiguity to keep you from squinting too hard at the contract code.
Then it ends, usually fast. The team calls a drain function on the liquidity pool, or they market-sell their entire token allocation in the span of a few minutes, or a kill switch in the smart contract activates and your sell button stops working. Whichever method they pick, the result is your tokens going from "up 300%" to worthless in the time it takes to refresh the page.
After the pull, traces start vanishing. Social accounts get nuked. The Discord becomes a ghost town. The website either goes dark or, in the case of Defi100, gets replaced with a taunting message that literally said "We scammed you." Stolen funds get laundered through Tornado Cash or bounced across five chains to scramble the trail. On-chain forensics can sometimes track where the money went, but actually recovering it is a different story and one that almost never has a happy ending.
The whole cycle can take months (for elaborate schemes) or hours (for quick memecoin rugs). In 2024, Comparitech recorded approximately 92 confirmed rug pulls with $126 million stolen. In 2025, the numbers exploded: DappRadar estimated nearly $6 billion in rug pull losses, though 92% of that came from the Mantra incident alone.

Types of rug pulls: hard pulls, soft pulls, and everything between
Rug pulls come in different flavors, and the differences matter because they change how early you can spot what's happening and whether you have any chance of getting out before the damage is done.
Hard rug pulls
With a hard rug pull, the intent was criminal from the very first line of code. Nobody on the team ever planned to ship a product. They built a smart contract with a hidden backdoor, wrapped it in a marketing campaign, waited for the pool to get fat, and drained it. The project was a trap from day one, and the only question was when they'd spring it.
Common hard pull tactics:
Liquidity theft. This is the classic. A developer creates a token and pairs it with ETH or BNB in a liquidity pool on a decentralized exchange like Uniswap or PancakeSwap. Investors buy in, the pool grows, and then the developer calls a function in the contract that withdraws all the liquidity. Your tokens are still in your wallet, but they're now worth zero because there's nothing to trade them against.
Sell restrictions. The smart contract is written so that only the creator's wallet can sell. Everyone else can buy but not sell. The price goes up because there's only buy pressure. Then the creator dumps everything. You're left holding tokens you literally cannot get rid of. This is sometimes called a "honeypot" scam.
Hidden mint functions. The contract contains a function that lets the owner create unlimited new tokens. They mint a massive amount, dump it on the market, and crash the price. From the outside it looks like normal selling, but it's actually inflation fraud coded into the contract.
Soft rug pulls
Soft rug pulls are sneakier and, honestly, they're the ones that mess with your head the most. The project might have started with real intentions, or at least with no overtly malicious code. There's no hidden drain function, no honeypot, no kill switch. What happens instead is that the team gradually loses interest (or never had it), quietly sells off their token holdings over weeks or months, stops answering community questions, and eventually disappears from the group chat one by one.
Your portfolio doesn't crash overnight. It bleeds. Slowly. By the time you realize the last commit to the GitHub repo was four months ago and the "lead developer" hasn't posted since August, the team has already unloaded most of their bags at prices you'll never see again. What makes soft rugs especially nasty is the ambiguity: was it a scam, or did the project just fail? Plenty of honest teams run out of money or motivation. The scammers hide behind that plausible deniability.
Pump-and-dump schemes fall into this category. The team hypes the token, the price goes up, insiders sell at the top, and latecomers eat the loss. It's unethical and probably illegal if the token qualifies as a security, but prosecutors have a harder time with it because there's no malicious code to point to. No backdoor in the contract. No hidden function. Just people selling what they owned, which in most legal systems isn't automatically a crime even when it feels like one.
The Hawk Tuah memecoin from December 2024 is a perfect example. The creators held 70% of the supply, the market cap hit $500 million on hype alone, and then the insiders sold, sending it from $500 million to $50 million in hours. Was it a rug pull? A pump and dump? A terrible investment that people should have seen coming? Depends who you ask. Legally, it's a mess. Morally, most people agree the insiders knew exactly what they were doing.
Memecoins have become the primary vehicle for rug pulls in 2026. According to CoinLaw data, roughly 80% of rug pulls now involve memecoins, tokens with no utility beyond speculation and community hype. The low barrier to launch (you can create a token in minutes on platforms like Pump.fun on Solana) means thousands of potential rugs go live every week. Chainalysis estimates that approximately 95% of token pools launched on PancakeSwap end up as rug pulls. Let that number sink in.
| Type | Speed | How it works | Detectable? |
|---|---|---|---|
| Liquidity theft | Instant | Developer drains the pool | Yes (check if liquidity is locked) |
| Honeypot/sell block | Gradual | Only creator can sell | Yes (test sell on DEX screener) |
| Hidden mint | Fast | Creator mints and dumps | Yes (read contract for mint functions) |
| Pump and dump | Days to weeks | Hype then sell holdings | Harder (looks like normal trading) |
| Slow abandonment | Weeks to months | Team stops delivering | Hardest (resembles a failed project) |
The biggest rug pull examples that cost investors billions
The numbers below aren't theoretical. Each row in this table represents real people who woke up to empty wallets.
| Project | Year | Amount stolen | What happened |
|---|---|---|---|
| OneCoin | 2014-2017 | $4 billion | Ponzi scheme, founder Ruja Ignatova vanished, still on FBI most wanted |
| Thodex | 2021 | $2.7 billion | Turkish exchange, founder fled, sentenced to 11,196 years |
| Mantra (OM) | 2025 | $5.5 billion (disputed) | 17 wallets moved tokens pre-crash, 94% price drop |
| AnubisDAO | 2021 | $60 million | No website, raised funds, drained pool in 20 hours |
| Squid Game token | 2021 | $3.38 million | Price surged 23,000,000%, honeypot prevented selling |
| Frosties NFT | 2022 | $1.1 million | Founders charged with fraud and money laundering |
| Hawk Tuah (HAWK) | 2024 | $87 million (creator profit) | Celebrity memecoin, creators held 70%, dumped at peak |
| Baller Ape Club | 2022 | $2.6 million | NFT scam, funds laundered through chain-hopping |
OneCoin deserves its own paragraph because it's the most destructive rug pull in crypto history and it wasn't even a real cryptocurrency. There was no blockchain. No mining. No nodes. Ruja Ignatova sold $4 billion worth of "educational packages" through a multi-level marketing structure that recruited victims to recruit more victims. She disappeared in October 2017 and remains one of the FBI's ten most wanted fugitives. The BBC produced a full podcast series about her called "The Missing Cryptoqueen." Her brother was arrested and later convicted, but Ruja herself has never been found.
How to spot a rug pull before it happens: the red flag checklist
This is where the article earns its keep. I'm going to list eight warning signs, and if you spot three or more of them in a project you're looking at, close the tab and move on. Seriously.
The first thing I check is the team. Anonymity in crypto isn't inherently bad; Satoshi never revealed themselves. But there's a canyon of difference between a pseudonymous founder with years of on-chain history and a "team" with zero LinkedIn presence, no GitHub commits, and headshots that look like they came from thispersondoesnotexist.com. If you can't find a single verifiable human behind the project, your risk just multiplied.
Second: has the smart contract been audited? I don't mean "audited by our friends." I mean a published report from CertiK, Hacken, Trail of Bits, or another firm you can actually Google and verify exists. No audit means nobody independent checked whether the contract can drain your deposits. One more thing: even if there IS an audit, check whether the contract is upgradeable through a proxy pattern. If the developers can swap in new code after the audit, the audit only covers the version the auditor reviewed, not whatever they deploy next Tuesday.
Third: liquidity locks. Pull up GeckoTerminal or DEXTools and look at whether the liquidity pool is locked in a time-locked contract. If it's unlocked, the developer can drain it this second. Locks shorter than 30 days are a joke. Real projects lock for 6-12 months at minimum. And here's a detail people miss: a lock with a known expiry just means the rug pull is scheduled. Mark your calendar.
Fourth: wallet concentration. Open the token's page on Etherscan or Solscan and scroll to the holders list. If the top 10 wallets control more than 50% of the supply and those wallets aren't clearly labeled as the liquidity pool, team vesting, or treasury, any one of them can nuke the price by selling. That's not a risk; it's a certainty waiting for a trigger.
Fifth: what are they promising? If you see "100x guaranteed" or "sustainable 1000% APY" or "this is the next Bitcoin," run. Projects that focus their marketing on how rich you'll get instead of what they're actually building are either delusional or predatory, and neither option ends well for you.

Sixth: look at the marketing itself. Is the Telegram group full of real conversations, or is it bot-farmed accounts posting rocket emojis? Is the Discord active with technical discussion, or is every channel just "wen moon?" Are the influencer endorsements organic or obviously paid? When the marketing spend clearly dwarfs the engineering effort, you're looking at a sales operation, not a technology project.
Seventh: does a working product exist? Not a roadmap. Not a pitch deck. Not a whitepaper with fancy diagrams. An actual product that someone can use right now. If the team is asking for your money before they've shipped anything functional, the risk of you funding their exit rather than their vision goes way up.
Eighth and last: FOMO pressure. "Only 2 hours left on the whitelist." "Price doubles after this round." "If you don't ape in now, you'll regret it forever." Every one of these lines is engineered to make you act before you think, which is exactly what a scammer needs. Real opportunities don't have countdown timers. If someone is rushing you, they have a reason, and that reason is not your benefit.
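The third and fourth checks (liquidity lock and wallet concentration) are mechanical enough to script once you have copied the holder list and lock expiry from an explorer. The following is an added example, not code from this article or from any tool it names; the label strings, the 180-day reading of "6 months" and the sample data are assumptions, and only unlabeled wallets among the top 10 count toward the 50% threshold.

```python
from datetime import datetime, timedelta, timezone

# Holder labels the checklist accepts as explained (label strings are assumed).
EXPLAINED = {"liquidity_pool", "team_vesting", "treasury"}

def unexplained_top_share(holders, total_supply, top_n=10):
    """Share of supply held by unlabeled wallets among the top_n holders.

    holders: iterable of (address, balance, label); label is None if unknown.
    """
    if total_supply <= 0:
        raise ValueError("total_supply must be positive")
    top = sorted(holders, key=lambda h: h[1], reverse=True)[:top_n]
    return sum(bal for _, bal, label in top if label not in EXPLAINED) / total_supply

def lock_flags(unlock_time, now):
    """Apply the lock rules to the time left until the LP tokens unlock.

    unlock_time is None when the liquidity is not in a time-lock at all.
    """
    if unlock_time is None or unlock_time <= now:
        return ["liquidity unlocked: pool can be drained now"]
    days = (unlock_time - now).days
    if days < 30:
        return [f"lock expires in {days} days (under 30)"]
    if days < 180:  # assumed cut-off for "6 months"
        return [f"lock expires in {days} days (under 6 months)"]
    return []

def assess(holders, total_supply, unlock_time, now):
    """Return the red flags raised by the lock and concentration checks."""
    flags = lock_flags(unlock_time, now)
    share = unexplained_top_share(holders, total_supply)
    if share > 0.50:
        flags.append(f"unlabeled top-10 wallets hold {share:.0%} of supply")
    return flags

# Constructed sample data: addresses, balances and dates are made up.
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
SAMPLE_HOLDERS = [
    ("0xPOOL", 300_000, "liquidity_pool"),
    ("0xAAA1", 250_000, None),
    ("0xAAA2", 200_000, None),
    ("0xAAA3", 120_000, None),
    ("0xVEST", 80_000, "team_vesting"),
    ("0xAAA4", 50_000, None),
]

if __name__ == "__main__":
    for flag in assess(SAMPLE_HOLDERS, 1_000_000, NOW + timedelta(days=14), NOW):
        print("RED FLAG:", flag)
```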
Tools that help you avoid getting rugged
You don't have to evaluate everything manually. Several free tools exist:
| Tool | What it does | URL |
|---|---|---|
| Token Sniffer | Scans token contracts for scam patterns | tokensniffer.com |
| GeckoTerminal | Shows liquidity, holders, lock status | geckoterminal.com |
| DEXTools | Real-time token analysis, audit scores | dextools.io |
| RugDoc | DeFi project risk reviews | rugdoc.io |
| GoPlus Security | Token security detection API | gopluslabs.io |
| Etherscan/BscScan | Read contracts, check holder distribution | etherscan.io |
Before buying any new token, run it through Token Sniffer at minimum. It takes 30 seconds and catches most honeypots and mint-function scams automatically. For deeper analysis, read the actual contract on Etherscan. If the contract isn't verified (source code not published), don't buy it. Period.
I want to be realistic about something, though. These tools catch the lazy scammers. A well-funded team that hires decent Solidity developers can write a contract that passes automated scanners and still has a rug pull mechanism buried in the logic. No tool is a substitute for understanding what you're buying. If you can't read a smart contract yourself, at least stick to projects that have been audited by firms you can verify, and understand that even audited projects have been rugged (the auditor reviews a snapshot, not every future action by the team).
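To make "read the contract" concrete, here is an added example (not the code of Token Sniffer or any other tool named above) of the kind of pattern matching such scanners rely on. It flags owner-gated functions that increase supply or that write state the transfer path checks in a `require`; the Solidity sample and every name in it are constructed, and the heuristic misses custom errors, proxies and delegatecall, which is the limitation described above.

```python
import re

TRANSFER_FUNCS = {"transfer", "transferFrom", "_transfer", "_update"}
HEADER = re.compile(r"function\s+(\w+)\s*\([^)]*\)([^{;]*)\{")
OWNER_GATE = re.compile(r"\bonly\w+|msg\.sender\s*==\s*_?owner\b")

def functions(source):
    """Yield (name, modifiers, body); comments and string literals are dropped."""
    source = re.sub(r'/\*.*?\*/|//[^\n]*|"[^"\n]*"', "", source, flags=re.S)
    for m in HEADER.finditer(source):
        depth, i = 1, m.end()
        while i < len(source) and depth:  # walk to the matching closing brace
            depth += {"{": 1, "}": -1}.get(source[i], 0)
            i += 1
        yield m.group(1), m.group(2), source[m.end():i - 1]

def scan(source):
    """Flag owner-only minting and owner-writable state that gates transfers."""
    funcs = list(functions(source))
    gates = set()  # identifiers read inside require() on the transfer path
    for name, _, body in funcs:
        if name in TRANSFER_FUNCS:
            for cond in re.findall(r"require\s*\(([^;]*)\)\s*;", body):
                gates |= set(re.findall(r"[A-Za-z_]\w*", cond))
    findings = []
    for name, mods, body in funcs:
        if name in TRANSFER_FUNCS or not OWNER_GATE.search(mods + body):
            continue
        if re.search(r"\b_mint\s*\(|\b_?totalSupply\s*\+=", body):
            findings.append((name, "owner can mint"))
        written = set(re.findall(r"\b([A-Za-z_]\w*)\s*(?:\[[^\]]*\])?\s*=(?!=)", body))
        for var in sorted(written & gates):
            findings.append((name, f"owner sets '{var}', read by transfer check"))
    return findings
# Constructed sample, not taken from any real token.
SAMPLE = """
contract SampleToken {
    address owner; bool tradingOpen; uint256 totalSupply;
    mapping(address => bool) blocked; mapping(address => uint256) balances;
    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }
    function issue(address to, uint256 amount) external onlyOwner {
        totalSupply += amount; balances[to] += amount;  // mint under another name
    }
    function setBlocked(address who, bool on) external onlyOwner { blocked[who] = on; }
    function setTrading(bool open) external { require(msg.sender == owner); tradingOpen = open; }
    function transfer(address to, uint256 amount) external returns (bool) {
        require(tradingOpen || msg.sender == owner, "closed");
        require(!blocked[msg.sender], "blocked");
        balances[msg.sender] -= amount; balances[to] += amount; return true;
    }
}
"""
if __name__ == "__main__":
    print(*scan(SAMPLE), sep="\n")
```

Matching on what a function does rather than what it is called is why `issue` is still reported as a mint.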
The single best defense isn't any tool. It's position sizing. Don't put money into a new token that you can't afford to lose completely. If you treat every unproven project as a potential rug, you'll size your bets small enough that getting rugged hurts your pride more than your portfolio.
Are rug pulls illegal?
Short answer: hard rug pulls are illegal basically everywhere. Embedding a drain function in a smart contract to steal people's deposits is fraud, full stop. The Frosties NFT founders are facing federal wire fraud charges in the US. Turkey sentenced Thodex's founder to 11,196 years in prison, which is either impressive or absurd depending on your feelings about the Turkish legal system.
Soft rug pulls are where it gets legally complicated. If you created a token, hyped it up, and then sold your bags when the price peaked, did you commit a crime or did you just sell your own property? The answer depends on whether the token counts as a security under the law in your country. The SEC has been pushing hard to classify more tokens as securities, which would make pump-and-dump exits clearly prosecutable. But they haven't won every case, and enforcement is a patchwork across jurisdictions.
Here's the part that actually matters to victims, though: even when a rug pull is obviously criminal, getting your money back is nearly impossible in practice. The stolen crypto gets routed through Tornado Cash, bridged across chains, and mixed until the trail goes cold. Chainalysis and other blockchain forensics firms can sometimes trace the flow, and they've helped law enforcement in some high-profile cases. But for the average person who lost $5,000 on a memecoin that went to zero, nobody is investigating your case. The money is gone. That's the brutal truth of self-custody: the same system that protects you from banks also means there's no bank to call when you get robbed.