What Is a Honeypot Crypto Scam? Ethereum Smart Contract Guide
Picture a shop. A small one. It takes your money, hands you a receipt, smiles. Then it quietly locks the exit. Everything on the shelves is yours, technically. You just cannot leave with any of it. That is a honeypot crypto scam in one image. And in 2025, tens of thousands of these deceptive setups were live on-chain at any given moment, scattered across decentralized exchanges, tucked inside malicious smart contract code that nobody reads.
Maybe you have not heard the term before. Fine. Once you learn it you will spot it everywhere. The token that pumps 400% on a random Wednesday with 2,000 buyers and zero sellers. The wallet someone DMs you about with "can you help me move this money out?" The coin a celebrity just tweeted about 10 seconds before the chart goes vertical. Some of those are honeypots. Some are not. The goal of this guide is to teach you how to tell, without needing a developer background.
Scale check first. Chainalysis's 2026 Crypto Crime Report says illicit crypto addresses took in $154 billion in 2025, up 162% year over year. The FBI's 2025 Internet Crime Report put crypto fraud at $11.366 billion, $7.2 billion of that from investment scams. Honeypots are a real slice of both numbers. On Ethereum, Base, and BNB Chain they are a daily fixture. So let me walk you through where the trap actually lives, and what basic due diligence keeps you out of it.
What is a honeypot in crypto? A beginner's look
A honeypot is any crypto trap that looks like a normal opportunity but is engineered so you cannot get your money out. The name comes from the idea of something sweet left in the open to attract flies. In crypto, the sweet thing is usually a hot token, a wallet that appears to contain free funds, or a website promising oversized returns.
Here is the important distinction. A honeypot does not steal your coins by hacking you. It does not drain your wallet from the outside. It lets you, with your own hands, send a certain amount of cryptocurrency to the contract that has no exit path. Once the money lands, the scammer controls it. You do not.
A typical on-chain honeypot looks like this: a new token appears on Uniswap, PancakeSwap, or another decentralized finance venue. The chart shows it climbing. People buy the token. You buy tokens too. Your wallet now shows a balance. You try to sell. The transaction reverts, fails, or completes with a 100% sell fee that leaves you with nothing. Your balance is still there. It just cannot move. You are left holding worthless tokens, waiting for a door that will never open. It is difficult even to classify this as a hack, because no exploit occurred against you directly.

Where the term honeypot came from
The word is older than crypto. Much older. "Honeypot" shows up by name in Clifford Stoll's 1989 book The Cuckoo's Egg. Stoll was a sysadmin at Berkeley Lab. He noticed a 75-cent accounting error, tugged on it, and ended up chasing a KGB-affiliated hacker across military networks. The fake files he set up to keep the hacker busy? Those were the first honeypots. Good guy tech.
Crypto took the word and flipped the target. Forty years later, the honey is pointed at regular crypto users. Not intruders. You are the fly now. Same trap structure, opposite morality. When someone in crypto says "that token is a honeypot," they mean the code is rigged against whoever buys it, usually through hidden restrictions buried in the contract logic nobody reads.
How a honeypot scam works step by step
Most honeypot scams follow the same script. Once you have seen it once, you spot new variants in minutes.
It starts with a scammer writing a smart contract. On the surface, it looks like a standard token. Buy function works. Deploy it on Ethereum, Base, BNB Chain, or Solana. All normal so far.
Then the trap. Somewhere in the sell logic, a restriction. Could be a blacklist that silently adds every new buyer. Could be a 100% sell tax. Could be a function only the owner is allowed to call. Could be a separate helper contract that actually controls transfers. Buyers can send tokens in, only the scammer can send them out. Same result, many forms.
Next comes the staging. Scammer seeds a liquidity pool on a decentralized exchange. Token looks tradable. They wash trade with their own wallets and a third wallet or two to paint a chart that looks alive. Green candles, rising volume. Telegram starts filling with "how do I buy" questions.
Then promotion, across social media platforms. Sometimes paid influencers. Sometimes an impersonated known project. Sometimes a news event, the way $SQUID rode Netflix's Squid Game hype in 2021. Telegram, X, TikTok. Always with urgency: "only 1000 wallets can mint," "token launches in 2 hours," "price already up 300%."
The final act is always the same. Victims try to sell. Those sell transactions revert, fail, or route everything to the scammer's wallet. By the time the Telegram chat figures it out, the scammer has drained the pool or moved the funds out to a third contract. The dead contract sits on-chain forever, a monument to the trap.
Types of honeypots you will actually meet
Honeypots come in more flavors than most beginners expect. These are the main types of honeypots people run into in 2025.
- Smart contract can't-sell traps. The contract rejects any sell transaction from an address that is not whitelisted. You see your tokens in your wallet and you will never move them.
- Hidden blacklist traps. Every new buyer gets silently added to a blacklist at purchase time. Buying works; selling fails forever after.
- 100% sell-tax traps. The contract routes 100% of any sell to a "treasury" wallet (the scammer). You technically sell, but you receive zero.
- Liquidity traps. The liquidity pool is single-sided or controlled by the deployer. Sell orders fail because there is nothing on the other side of the book, or the scammer yanks liquidity at will.
- Owner-function traps. Hidden owner-only functions let the scammer pause trading, mint unlimited supply, or change taxes after launch. Even a "fair launch" can become a honeypot an hour later.
- Wallet / "free ETH" traps. Not a token at all. A scammer posts a wallet with tokens visible on-chain and shares the seed phrase. When you try to move the tokens out, you need gas. You send gas. A sweeper bot sweeps it immediately. You get nothing. MetaMask specifically warns about this variant.
- Fake Etherscan "support" traps. Someone replies to your Etherscan comment offering help. They tell you to send a small amount of ETH to a "reversal" contract. That contract is another honeypot that keeps your ETH.
Solidus Labs has catalogued 98,442 on-chain honeypot contracts alone, split across external-contract, liquidity-block, and blocklist variants. Token Sniffer tracks more than 47.9 million tokens across 15 chains, and flags over six million of them as scams. The numbers are not small.
Smart contract honeypots and the sell-tax trick
Of all the flavors, smart-contract honeypots on Ethereum-style chains are the most common. Ethereum smart contracts and their clones on the Ethereum blockchain power most of these traps, and the pattern also illustrates why "the code is public" is not the safety shield many beginners think it is.
A honeypot smart contract looks boring from the outside. It inherits from the standard OpenZeppelin ERC-20 library. It has a name, a symbol, and a supply. If you view its smart contract code on a block explorer like Etherscan or BscScan, you may see hundreds of lines. Most of them are harmless. The trap is usually hiding inside the `_transfer` function, or in a separate contract that the main token calls through a helper address.
The most elegant version is the sell-tax trick. The contract has a variable called `sellTax`. At launch, it is 5%, which is normal. Ten minutes after launch, the owner calls `setSellTax(100)`. Now every sell sends every token to the treasury. Buying still works, because buys go through a different function. Unless you understand what you are reading in the code, you can stare at the contract and not see the trap, since from the outside it looks like any other Web3 ERC-20 token.
This is why reading smart contract code yourself is unreliable as a beginner. You need either a simulation (run a test sell and see if it succeeds) or a tool that already knows these patterns. Honeypot.is, Token Sniffer, De.Fi Scanner, QuillCheck, and GoPlus Security all run some form of this analysis. None is foolproof. Honeypot creators in 2025 use upgradeable proxy contracts and time-delayed triggers specifically to defeat static scanners, so checking a fresh contract takes more than one tool.
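The simulate-a-sell check described above, sketched on a toy in-memory model of the sell-tax pattern. This is an added example, not code from any scanner named here; `ToyTaxToken`, `simulate_round_trip` and the wallet names are hypothetical, and a real check would run the same buy-then-sell against forked chain state.

```python
import copy
from dataclasses import dataclass, field


@dataclass
class ToyTaxToken:
    """Hypothetical in-memory stand-in for a token with an owner-set sell tax."""
    owner: str
    treasury: str
    sell_tax: int = 5                     # percent at launch, as in the text
    balances: dict = field(default_factory=dict)

    def set_sell_tax(self, caller: str, pct: int) -> None:
        if caller != self.owner:          # owner-only, like setSellTax in the text
            raise PermissionError("owner only")
        self.sell_tax = pct

    def buy(self, buyer: str, amount: int) -> None:
        # Buys take a separate path and are never taxed in this model.
        self.balances[buyer] = self.balances.get(buyer, 0) + amount

    def sell(self, seller: str, amount: int) -> int:
        if self.balances.get(seller, 0) < amount:
            raise ValueError("insufficient balance")
        fee = amount * self.sell_tax // 100
        self.balances[seller] -= amount
        self.balances[self.treasury] = self.balances.get(self.treasury, 0) + fee
        return amount - fee               # tokens left for the seller after tax


def simulate_round_trip(token: ToyTaxToken, amount: int = 1_000) -> dict:
    """Buy then sell on a copy of the state and report the effective sell tax."""
    sandbox = copy.deepcopy(token)        # never touch the real state
    sandbox.buy("probe-wallet", amount)
    try:
        received = sandbox.sell("probe-wallet", amount)
    except Exception as exc:              # a reverting sell is itself the finding
        return {"sellable": False, "tax_pct": 100.0, "reason": str(exc)}
    tax_pct = 100.0 * (amount - received) / amount
    return {"sellable": received > 0, "tax_pct": tax_pct,
            "reason": "ok" if received > 0 else "sell returns nothing"}


def check_before_and_after() -> tuple:
    """Same token, two simulations: at launch, then after the owner's call."""
    token = ToyTaxToken(owner="deployer", treasury="treasury")
    at_launch = simulate_round_trip(token)
    token.set_sell_tax("deployer", 100)   # the post-launch change from the text
    later = simulate_round_trip(token)
    return at_launch, later


if __name__ == "__main__":
    for label, result in zip(("at launch", "after setSellTax(100)"),
                             check_before_and_after()):
        print(label, result)
```

The first simulation passes and the second fails on the same contract, which is why a clean result at launch says nothing about the token an hour later.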
Wallet honeypots: the seed phrase trap
The wallet variant is worth a separate explanation because it does not involve any token contract at all. MetaMask publishes a formal warning about it, so do Trezor and Ledger.
The setup looks innocent. A stranger on Telegram, Discord, or Twitter claims they are new to crypto and cannot figure out how to move funds out of a wallet. They share the seed phrase (yes, really) and explain that the wallet is "locked" because it has tokens in it but no gas. They ask if you can help and offer to split whatever is inside.
You load the wallet in MetaMask. You see a real balance: some USDT, maybe some random tokens. You try to send the USDT to yourself. You cannot, because the wallet has zero ETH for gas. So you send a little ETH from your own wallet to cover the transaction fee.
The moment the ETH arrives, a sweeper bot, programmed to watch that address, moves every incoming wei to the scammer's real wallet. Your gas is gone. The tokens you thought you were helping to rescue were never retrievable in the first place. They were either locked by contract restrictions, or they are USDT frozen by Tether because the address was already flagged.
The rule that prevents this one is very simple: never, ever trust a wallet whose seed phrase somebody else gave you. If they actually owned it, they would send the funds themselves. This trap is one of the simplest ways scammers steal gas from beginners, and it is designed to catch anyone new enough to think "free money" is ever actually free.

Famous honeypot scams: SQUID, HAWK, LIBRA
Real cases help this make sense.
SQUID (November 1, 2021). This is the textbook beginner example. The token rode the popularity of Netflix's Squid Game. Buying worked and looked explosive. The price climbed from about $0.01 to roughly $2,861, a rise so dramatic the Washington Post and BBC covered it. Holders tried to sell. They could not. Developers then drained roughly $3.38 million from the liquidity pool and disappeared. The token crashed more than 99.99% in under five minutes. Pure honeypot, pure exit scam.
HAWK (December 4, 2024). Not a classic smart-contract honeypot, but fits the same mental model. Launched by Haliey "Hawk Tuah" Welch, the token hit a $500 million market cap the day of launch. On-chain analysis by Halborn showed 96% of the supply was held in insider wallets. When insiders dumped, the price fell more than 95% the same day. Buyers were left with tokens that technically still trade and are technically still worthless.
LIBRA (February 14, 2025). Argentine President Javier Milei posted about the token minutes after launch. The price ran from near-zero to $5.20 in 40 minutes. Insiders held 70% of supply and dumped into the retail flood. Roughly $251 million was lost. The case is now a federal investigation and one of the clearest examples of how political endorsement plus fast liquidity plus insider supply produces a honeypot-like outcome even without custom contract traps.
Dechat (February 26, 2024). One investigator traced about $3.2 million stolen across nine linked honeypot contracts by a single attacker who used Dechat's compromised social channels to distribute the malicious link. A reminder that even real projects can accidentally promote a honeypot if their accounts are hijacked.
Honeypot vs. rug pull vs. other crypto scams
Beginners often use these terms interchangeably. They are different traps. Honeypot scams in crypto specifically focus on blocking exits; the other categories work differently, though all scams operate on the same basic emotional lever of urgency and hype.
| Scam type | What happens | Detectable before buying? |
|---|---|---|
| Honeypot (smart contract) | Contract blocks sells by design from day one | Yes, simulate a sell |
| Rug pull | Team raises funds or seeds liquidity, then yanks it later | Partially, watch LP lock status and team transparency |
| Pump-and-dump | Insider wallets dump on retail after a hype wave | Hard, requires on-chain supply analysis |
| Phishing | Malicious link harvests your private key or seed phrase | Yes, URL inspection, hardware wallet, no seed sharing |
| Fake exchange | Website accepts deposits but blocks withdrawals | Yes, registered entity, age of domain, community reviews |
| Wallet sweeper | Scammer gives you a seed phrase; gas you deposit is stolen | Yes, never use a wallet whose seed phrase someone else provided |
The honeypot is the one where the trap is baked into the code before you even arrive. Rug pulls require the team to do something afterward. Honeypots work automatically, which is why they scale so easily; once deployed, the scammer barely has to show up.
How honeypot scams change with meme coins
Meme coins, especially on Solana, are where honeypot-adjacent tactics have exploded. A Solidus Labs report covering January 2024 through March 2025 flagged 98.6% of all Pump.fun tokens as pump-and-dumps or rug pulls. Pump.fun alone has minted more than 11.9 million tokens and regularly accounts for roughly 71% of all Solana token launches in a given day. These scams involve the same social engineering levers as classic honeypots, repackaged for meme-coin audiences. The fear of missing out does the rest of the work.
The reason is structural. Pump.fun lets anyone create a token in seconds with almost no capital. Launch a token, buy the first few hundred dollars yourself, hype it on X, and wait. If buyers arrive, dump. If they do not, you abandon the token and move on. Multiply that across a million wallets and you get an ecosystem where buying any new meme coin is closer to pulling a slot machine arm than investing.
Not every meme coin is a honeypot in the pure "can't sell" sense. But the cost structure rewards volume over quality. That same Solidus Labs research found that 93% of 388,000 Raydium liquidity pools they analyzed exhibited soft rug-pull behavior. Of roughly 7 million Solana meme tokens with any trading history, only about 97,000 ever retained liquidity above $1,000. Numbers like that should reframe your risk assumptions.
Smart contract audits and honeypot detection
Contract audits are the boring adult in the room. A proper smart contract audit by a firm like Halborn, CertiK, PeckShield, Trail of Bits, or SlowMist reads the code line by line, simulates edge cases, and certifies (or fails) the contract. Audits do not guarantee safety, but these contract audits filter out the crudest honeypots quickly.
For a beginner looking at a fresh token, the practical question is not "did it have an audit" but "did it have an audit from a reputable firm, and did the audit cover the current contract version." A lot of sketchy tokens list "audit" in their marketing and link to a PDF from a firm nobody has heard of, or a real audit done on an older version of the code.
For tokens without audits, which is most of them, the next best layer is automated honeypot detection. Free tools worth knowing:
| Tool | What it does | Works on |
|---|---|---|
| Honeypot.is | Simulates buy and sell, flags if sell reverts | Ethereum, BNB Chain, Base |
| Token Sniffer | Code-pattern scan + owner-function flags + risk score | 15 chains, 47.9M tokens monitored |
| De.Fi Scanner | Static analysis + simulation | Ethereum, BSC, Polygon, Base, Solana |
| QuillCheck | Code review plus real-time alerts | Ethereum, BSC, Polygon, Arbitrum |
| GoPlus Security API | Used by Alchemy, 1inch, wallets; live honeypot flags | Multi-chain |
| Etherscan comments | Community warnings left by earlier victims on Etherscan or BscScan | Ethereum, Base, BSC |
Always run a token through at least two tools, not just one. No single scanner catches every variant, and honeypot authors keep adjusting to stay ahead of whatever checker became popular last month.
Red flags that point to a honeypot
You do not need to read Solidity to spot most honeypots. Here are the warning signs that should slow you down before you buy.
- The token was created less than 24 hours ago and has fewer than 500 holders. Early tokens are disproportionately honeypots. Checking the token's transaction history on Etherscan before buying is a basic habit that catches many of them.
- The holder list shows a single wallet owning more than 20% of supply, or two or three wallets holding more than 60% between them. That is your pump-and-dump signature.
- The liquidity is not locked, or the lock expires in days rather than months. Check on Unicrypt or Team Finance.
- Promises of high returns that sound too good to be true: "100x by Friday," "guaranteed 10x next week," "only 1000 wallets can mint." This is a major red flag. Urgency is the scammer's oxygen.
- No auditable team or legitimacy signals. A random Discord mod, anonymous deployer, and no LinkedIn profiles. Not automatically a scam, but worth a dramatic pause.
- Contract holds "mint," "pause," "blacklist," or "setFee" owner-only functions without a timelock. Even without malicious intent from the team, one compromised key can be used against buyers later.
- Telegram channel has thousands of members but conversations feel scripted. Bot farms often echo identical promises across accounts. Look for repeated phrasing.
- The token chart shows a lot of buys and almost no sells. Real tokens have both. The absence of sells is frequently the clearest tell you are looking at a honeypot in real time, since the scam blocks users from selling by design.
These warning signs help you identify potential honeypot tokens and avoid falling victim when a new coin trends.
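Several of the checks above can be run mechanically once you have a token's holder list, trade list and ABI. The following is an added example, not the code of any tool named in this guide; the input layout, the 30-day lock cutoff and the 1-in-20 sell ratio are assumptions, and the sample data is constructed.

```python
import json

OWNER_KEYWORDS = ("mint", "pause", "blacklist", "setfee")   # names from the list above

def risky_functions(abi_json: str) -> list:
    """State-changing ABI functions whose names contain a listed keyword.
    An ABI shows names only; whether a timelock guards them needs the source."""
    hits = []
    for item in json.loads(abi_json):
        if (item.get("type") != "function"
                or item.get("stateMutability") in ("view", "pure")):
            continue
        if any(k in item.get("name", "").lower() for k in OWNER_KEYWORDS):
            hits.append(item["name"])
    return sorted(hits)

def concentration(holders: dict) -> tuple:
    """Share of supply held by the largest wallet and by the three largest."""
    ranked = sorted(holders.values(), reverse=True)
    total = sum(ranked)
    return ranked[0] / total, sum(ranked[:3]) / total

def red_flags(token: dict) -> list:
    flags = []
    if token["age_hours"] < 24 and len(token["holders"]) < 500:
        flags.append("under 24h old with fewer than 500 holders")
    top1, top3 = concentration(token["holders"])
    if top1 > 0.20 or top3 > 0.60:
        flags.append("concentrated supply")
    if token["lp_lock_days"] < 30:         # assumption: "days rather than months"
        flags.append("liquidity unlocked or short lock")
    funcs = risky_functions(token["abi"])
    if funcs and not token["has_timelock"]:
        flags.append("no timelock on: " + ", ".join(funcs))
    buys = token["trades"].count("buy")
    sells = token["trades"].count("sell")
    if buys >= 20 and sells * 20 <= buys:  # assumption: at most 1 sell per 20 buys
        flags.append("buys with almost no sells")
    return flags

# Constructed sample input (not real on-chain data).
SAMPLE = {
    "age_hours": 6,
    "holders": {"0xdeployer": 700_000, "0xa": 150_000, "0xb": 100_000, "0xc": 50_000},
    "lp_lock_days": 0,
    "has_timelock": False,
    "trades": ["buy"] * 40 + ["sell"],
    "abi": json.dumps([
        {"type": "function", "name": "transfer", "stateMutability": "nonpayable"},
        {"type": "function", "name": "setFee", "stateMutability": "nonpayable"},
        {"type": "function", "name": "blacklistAddress", "stateMutability": "nonpayable"},
        {"type": "function", "name": "paused", "stateMutability": "view"},
        {"type": "event", "name": "Transfer"},
    ]),
}

if __name__ == "__main__":
    for flag in red_flags(SAMPLE):
        print("RED FLAG:", flag)
```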
Most buyers lose money on honeypots not because the signs were invisible but because FOMO overrode the gut. When the scammer can sell and nobody else can, fast decisions always go to the scammer.
If you fell into a crypto honeypot: what to do
The honest first sentence here: your recovery odds are grim. For pure smart-contract honeypots, recovery is effectively zero because these scams are designed to leave no path to a normal refund. For broader rug pulls, SlowMist's 2024 report showed only 8.25% of $2.013 billion across all security incidents was ever returned. Pure honeypot recovery is below even that number.
Still, there are practical steps worth taking.
Stop interacting with the contract. Do not sign any more transactions related to it, even ones that claim to "unlock" your tokens. Those are almost always follow-up scams.
Revoke every token approval you have granted. Use Revoke.cash or Etherscan's Token Approval Checker to find any contract that still has permission to spend tokens from your wallet. Revoke them.
Document everything. Save the contract address, transaction hashes, the website or Telegram where you found the token, any messages you received. Screenshots matter.
File reports. The FBI IC3 takes crypto fraud complaints in the U.S. The FTC accepts scam reports at reportfraud.ftc.gov. In the UK, Action Fraud. Each country has its own body. Also report the token itself on Etherscan or BscScan so other users see a warning, and on Token Sniffer if it is not already listed. Most cryptocurrency exchanges will also flag the address on request if the stolen funds were eventually moved to their platform.
Do not hire a recovery service that messages you on Telegram, Twitter, Instagram, or email. This is the follow-up scam category and it is enormous. Legitimate recovery, when it happens, is run by law enforcement and professional blockchain forensics firms (Chainalysis, TRM Labs, Elliptic), and those firms do not advertise in your DMs.
Share the contract address publicly. If a token is a confirmed honeypot, making that information visible saves the next person.