Bottom Line Up Front
For all the myriad ways a scam can be dressed up and presented - from simple Nigerian Prince emails to complex investor schemes - the vast majority of them are ultimately designed to achieve only one of three goals: trick you into sending them money; trick you into sending them enough information for them to take your money; or trick you into giving them login credentials to online accounts. Knowing and understanding these goals makes it significantly easier to identify scams, and avoid falling victim to them.
Three Objectives of a Scam
For all of the different ways a scam can be presented, and for all of the different attack vectors a scammer can use, with very few exceptions they will have only one of three objectives:
- Trick you into sending them money.
- Trick you into sending them enough information that they can take your money.
- Trick you into sending them credentials to your online accounts, especially email and social media accounts.
The core objective in each of these, and even in the rare exceptions, is clear: to trick you into giving them money, or information (including usernames, passwords, and seed phrases) that they can ultimately monetize. While these goals may seem obvious, scammers often do a good job of burying their objectives within compelling narratives and setups. Let’s explore some examples.
A term that has become interchangeable with almost every crypto-related scam, “rug pull” actually has a fairly specific definition. A DeFi project can be said to have rugged if a significant majority of its underlying liquidity is removed, dropping the value by 90% or more, and in some cases making the token completely unsellable. This can be triggered in a variety of ways, and usually happen in an instant just after a project has gone live (known as a “hard rug”), or slowly over a period of weeks or months (known as a “soft rug”).
Hard rugs can be triggered in several ways. Most commonly, the liquidity for a project isn’t locked at the time a project launches, or it is only locked for a very short period of time. Locking liquidity means sending it to a smart contract for a set period, during which the dev team has no access or control over it. When the liquidity is unlocked, the dev team (or whoever has access to the particular wallet) can pull and sell the liquidity whenever they want.
Another way to trigger a hard rug is through an unlimited mint function. If the contract has a function that allows the owner to mint new coins without restriction, that can allow the owner to mint and sell trillions of tokens instantly, effectively draining the liquidity pool and bringing the value of the coin to near zero. Regardless of the mechanism used, hard rugs hit in an instant.
Soft rugs, on the other hand, slowly bleed a project out, rather than taking the funds all at once. This is far more insidious in execution, and usually involves the dev team being active in the community, encouraging people to hold (you’ll hear “diamond hands” and “paper hands” kicked around the community a lot), and promising that new developments are just around the corner. Meanwhile, behind the scenes devs are taking money that should be used for development, marketing, charity, etc, and moving them to personal wallets.
Things start off promising, with a successful launch and lofty goals on the roadmap. But as time goes on deadlines are missed, devs and core team become less active on socials, and the project slowly bleeds out.
Crypto Pump and Dump
Generally speaking pump & dumps are instances where the price of an asset rises sharply in a short period of time, sometimes within a minute or two, then drops an equal or greater amount just as quickly. So, the price pumps up quickly, then dumps down just as fast. Get it? This usually happens in one of two ways: during the launch of a token, and through market manipulating crypto pump and dump groups on Discord, Telegram, Whatsapp, or other social media platforms.
The first and most common source of pump & dumps comes from coins in presale. Either because of poor tokenomics or specific intent to scam people, there ends up being a lot of unlocked team and pre-seed tokens at launch, which are promptly sold off by those holders as soon as the coin goes live. This happens a lot with celebrities and influencers, who are often paid in the project’s token to shill it (a fact undisclosed to their followers), then sell their entire holdings as soon as the project goes live while continuing to hype it. The result is an immediate and severe drop from the launch price, with no chance of recovery.
Basically, pump groups are a group of people that coordinate on buying the same asset, at the same time, from the same exchange to spike its price up. People buy and sell within a minute or two, and (in theory) those that are quick enough on the buy/sell can make an easy 2x-5x profit or more. However, group members don’t know what coin they’ll be buying until the organizer announces it at the buy time. This is to prevent people from loading up beforehand and spoiling the pump.
The problem is, pump group organizers and insiders know what the target coin will be well in advance. This allows them to slowly accumulate the coin and put sell orders in place ahead of time. When the specified day and time come to start the pump, they are well positioned to earn profits while the regular group members are most likely to buy at inflated prices, then be left holding bags down by 50% or more.
Broadly speaking, a honeypot scam is something in which you can put money into, but can’t get your money back out of. In the crypto space, honeypots can take many forms, but generally fall into two categories: fake platforms like exchanges and investment sites, and fake assets, usually in pre-launch/ICO.
Sometimes, you may receive a random DM from someone you don’t know, congratulating you on winning a giveaway you never entered, from a crypto exchange you’ve never heard of.
If you follow their prompts, create an account on the exchange and enter the given prize code, it will appear as though the funds you “won” are in your account. However, you can’t withdraw or trade them until you “activate your wallet” by depositing a decent amount of BTC or other coins onto the exchange. This will, unsurprisingly, result in a loss of funds - users cannot remove funds from the site under any circumstances. The “winnings” are just there to bait people into sending money in.
Similarly, fake investment sites typically offer “investment packages” that promise guaranteed fixed returns based on the amount deposited and lockup time. Like the fake exchange, any funds deposited onto sites like this will be lost.
Honeypot assets are tokens or NFTs that can be purchased, but not resold. Most commonly, a honeypot asset will have a big marketing push for a week or two leading up to its presale or mint, then the social media accounts associated with the project will disappear shortly after going live. People who put money into the presale will receive their tokens, but will not be able to sell them on any DEX, making them effectively worthless. This can happen a variety of ways, including setting the sell tax set to 100%, or if the smart contract includes allowlist/banlist functions.
These functions are typically triggered minutes after launch, leading to a distinctive chart: rapid growth with zero sells for a few minutes, then an abrupt end to trading:
Fake NFT Mints
Free NFT mint offers can be legitimate, but more often than not they are a scam designed to steal your crypto assets in one way or another. If you decide to participate in a free mint, use a fresh wallet with no assets held on it, and pay close attention to the permissions requested from the minting smart contract. There are two common ways a free mint could be malicious: hidden fees, and wallet compromises.
Though less common than wallet compromises, supposedly “free” mints can sometimes contain undisclosed minting fees. The fees are usually small, .005 ETH in this example, and are designed to blend in with the gas fee so the victim doesn’t notice them:
More often though, the minting contract is designed to drain some or all of the assets in the wallet used. When you visit the minting page, there may be timers or “remaining mint” counters ticking down rapidly. These are all fake, designed to make users panic and rush into minting without stopping to think first:
Common wallets now do a good job warning when a contract is asking to set permissions to All (allowing it to drain all assets in the wallet), but contracts asking for unlimited access to specific assets, like USDT or ETH, don’t tend to raise any flags, so always be sure to check the permissions being asked before signing any transaction or message, even gasless messages.
Wallet Validation or Support
Someone reaches out via reply or DM purporting to be an admin or member of a support team for some project. They may ask if an issue you were having was resolved, or say they had a similar problem and offer to help. Sound Familiar? Well, regardless of what you say, they will find some pretext to say you need to validate or synchronize your wallet, and will send you a link to do so. The link is to a phishing site, and will most often ask you to enter your wallet seed phrase.
Sometimes, the approach is obvious: just tweet the words “Metamask” or “Trustwallet” and check your replies in a few seconds to some perfect examples:
The “support form” that each of the automated replies link to is generally a Google Form that starts with a few basic questions about the issue you’re having, then finishes with asking for your seed phrase.
Other times, the approach is more subtle, like this example where someone was impersonating an admin from a Telegram group to help with an issue posted in the general channel, then asking if I’ve taken part in the “airdrop” yet:
In this case, the fake admin said that in order to receive the airdrop, I had to “synchronize my wallet” on a third party site, which involved entering my seed phrase.
Suffice to say, NEVER, under any circumstances should you enter or give out your seed phrase to anyone or any site. The only time you need to use your seed phrase is when importing an existing wallet into a service like Metamask. For example, if you buy a new phone, you’ll need to install Metamask or Trustwallet, then use your seed phrase to import your existing wallet.