Broadly speaking, a honeypot scam is something you can put money into but can’t get your money back out of. In the crypto space, honeypots can take many forms, but generally fall into two categories: fake platforms and fake assets. This article explains what a honeypot scam is and how to spot one.
What is a crypto honeypot scam?
When it comes to honeypot scams, fake platforms are pretty straightforward. Scammers will set up websites that look and function like a centralized exchange or investment site, in hopes of tricking people into depositing money into their “accounts”. These sites often have scrolling price trackers, supposed testimonials and partnerships, and other elements to make the site look legitimate. Depositing money onto one of these platforms is essentially transferring funds directly into the scammer's wallet - no real services will be available on the site, and your money will be unrecoverable.
Fake assets, on the other hand, are a little trickier. Honeypot assets are tokens or NFTs that can be purchased, but not resold. Most commonly, a honeypot asset will have a big marketing push for a week or two leading up to its presale or mint, then the social media accounts associated with the project will disappear shortly after going live. People who put money into the presale will receive their tokens, but will not be able to sell them on any DEX, making them effectively worthless. This can happen in a variety of ways, including the sell tax being set to 100% or the smart contract including an allowlist/banlist function.
How can you spot a honeypot?
Fake platforms have a number of red flags to look out for, including:
- It was sent to you via an unsolicited DM from a stranger.
- The site was launched within the last week or two (this can be checked via ICANN lookup).
- The site promises guaranteed returns on your investment with zero risk.
- Investment or staking sites are offering unreasonably high returns (if it’s too good to be true…).
- Many of the options, buttons, tabs, etc. on the site are non-functional.
- Claims about partnerships, audits, insurance, or investment activities cannot be verified.
- The platform has no social media presence.
- Wording on the site has numerous spelling and grammatical errors.
Fake assets can be harder to spot, but there are still some common red flags:
- They were shilled to you via unsolicited DM from a stranger.
- The contract address is difficult to find.
- Social media accounts are only a week or two old, but already have thousands of followers.
- Telegram channel has thousands of members, but very few people actually chatting or doing more than posting memes.
- Project roadmap is unreasonably ambitious (for example, promising a P2E game, metaverse, staking, and NFT collection within the first quarter or two).
- Claims of a contract audit can’t be verified, or the audit they make available is fake.
- Presale has an extremely low softcap, and high (or non-existent) hardcap.
- The wallet that created the smart contract was freshly funded from an exchange or Tornado Cash.
Additionally, tools like TokenSniffer, Scamsniper, Honeypot.is, and RugScreen can all scan a smart contract for any malicious functions that would allow the contract owner to turn the project into a honeypot. These functions include a sell tax that can be set to 100%, an allowlist/banlist function that restricts selling to certain wallets (usually just the dev wallet), or a function that disallows transfers.
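To make those three checks concrete, here is a simplified source-level scan, added as an illustration and not taken from this article or from any of the tools named above. It assumes an `onlyOwner` modifier, recognisable variable names, and flat function bodies; the Solidity fragment is constructed sample input, not a real token.

```python
import re

# Constructed Solidity fragment used as sample input (not a real or complete token).
SAMPLE = """
contract Token {
    uint256 public sellTax = 5;
    uint256 public buyTax = 5;
    bool public tradingEnabled = true;
    mapping(address => bool) public isBlocked;

    function setSellTax(uint256 newTax) external onlyOwner { sellTax = newTax; }
    function setBuyTax(uint256 newTax) external onlyOwner {
        require(newTax <= 10, "tax too high");
        buyTax = newTax;
    }
    function setBlocked(address a, bool v) external onlyOwner { isBlocked[a] = v; }
    function setTrading(bool on) external onlyOwner { tradingEnabled = on; }
}
"""

# name, parameters, header (visibility/modifiers), body. Assumes no nested braces.
FUNC = re.compile(r"function\s+(\w+)\s*\(([^)]*)\)([^{]*)\{(.*?)\}", re.S)
TAX_WRITE = re.compile(r"\b\w*(tax|fee)\w*\s*=", re.I)
UPPER_BOUND = re.compile(r"require\s*\([^;]*<")
LIST_WRITE = re.compile(
    r"\b\w*(block|black|ban|bot|allow|white)\w*\s*\[[^\]]+\]\s*=", re.I)
SWITCH_WRITE = re.compile(r"\b\w*(trading|transfer|paus|enabled)\w*\s*=", re.I)


def scan(source):
    """Return {function_name: finding} for owner-only functions matching a heuristic."""
    findings = {}
    for name, params, header, body in FUNC.findall(source):
        if "onlyOwner" not in header:  # assumed modifier name
            continue
        if "uint" in params and TAX_WRITE.search(body):
            # A tax setter is only flagged when no require(...) bounds the value.
            if not UPPER_BOUND.search(body):
                findings[name] = "uncapped tax setter"
        elif LIST_WRITE.search(body):
            findings[name] = "owner-controlled allowlist/banlist"
        elif "bool" in params and SWITCH_WRITE.search(body):
            findings[name] = "owner can disable trading/transfers"
    return findings


if __name__ == "__main__":
    for fn, why in scan(SAMPLE).items():
        print(f"{fn}: {why}")
```

A clean result from a name-based scan like this is weak evidence, since renamed variables or unverified source will slip past it.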
Here is also an example of when we spotted a honeypot scam, played along, and dug deep into how these work:
The Takeaway: Staying safe from honeypot scam contracts
Whether it’s a fake platform or fake asset, honeypots rely on instilling trust in the victims. Every aspect - the people advertising it, the content of the site, the social media posts - is designed to make the project look as legitimate and safe as possible. Accordingly, investors should never take things at face value. Verify all claims of audits or partnerships, and scan the contracts to see if a honeypot is possible. If it IS possible, consider whether or not you actually trust the team to not do it.