In the world of Web3, new tokens are being launched every day. Have you ever wondered how many new tokens are created daily? And more importantly, are these tokens safe?
These questions aren’t without reason. Over the past few months, CertiK’s security team has identified a significant number of Rug Pull scams. Notably, all the tokens involved in these cases are newly minted tokens that were just added to the blockchain.
Afterward, CertiK launched a thorough investigation into these Rug Pull cases and uncovered that they were orchestrated by organized groups. These groups follow a specific scam pattern. Through a detailed examination of their methods, CertiK discovered one potential way these Rug Pull gangs promote their scams: Telegram groups. Groups like Banana Gun and Unibot use a “New Token Tracer” feature to lure users into buying scam tokens, and ultimately profit from the Rug Pull.
CertiK tracked token promotion messages in these Telegram groups from November 2023 to early August 2024, finding a total of 93,930 new tokens pushed through these channels. Of these, 46,526 tokens were connected to Rug Pull scams, accounting for a shocking 49.53%. The total amount invested by the scammers behind these tokens was 149,813.72 ETH, which resulted in a profit of 282,699.96 ETH, yielding a return of 188.7%, roughly equivalent to $800 million.
To better understand the impact of Telegram group promotions on the Ethereum mainnet, CertiK compared these figures with the overall number of new tokens issued on Ethereum during the same period. The results showed that out of the 100,260 new tokens issued, 89.99% came from Telegram group promotions. This means that, on average, 370 new tokens were issued every day—far more than expected. After continuing their investigation, CertiK found an alarming truth: at least 48,265 of these tokens were involved in Rug Pull scams, making up 48.14%. In other words, almost one in two new tokens on Ethereum is a scam.
Furthermore, CertiK discovered additional Rug Pull cases across other blockchain networks. This shows that the security situation for newly issued tokens across the entire Web3 ecosystem is far worse than anticipated. As a result, CertiK has written this research report to help raise awareness within the Web3 community, encouraging users to stay vigilant against the growing number of scams and take appropriate precautions to safeguard their assets.
Before we begin the main report, let’s first review some basic concepts.
ERC-20 tokens are currently one of the most common token standards on blockchain. It defines a set of protocols that enable tokens to interoperate between different smart contracts and decentralized applications (dApps). The ERC-20 standard specifies the basic functionalities of tokens, such as transferring, querying balances, and authorizing third parties to manage tokens. Due to this standardized protocol, developers can more easily issue and manage tokens, simplifying token creation and usage. In fact, anyone, whether an individual or an organization, can issue their own tokens based on the ERC-20 standard and raise initial funds for various financial projects through token presales. Because of the widespread application of ERC-20 tokens, they have become the foundation for many ICOs and decentralized finance (DeFi) projects.
Popular tokens like USDT, PEPE, and DOGE are all ERC-20 tokens, and users can buy these tokens through decentralized exchanges. However, some scam groups may also issue malicious ERC-20 tokens with backdoor code, list them on decentralized exchanges, and then lure users into purchasing them.
Here, we analyze a typical Rug Pull token scam to better understand how these malicious token scams operate. A Rug Pull refers to a fraudulent activity in which the project team suddenly withdraws funds or abandons the project in a decentralized finance (DeFi) initiative, causing significant losses to investors. A Rug Pull token is a token specifically created to carry out such a scam.
The tokens referred to as Rug Pull tokens in this article are sometimes called “Honey Pot tokens” or “Exit Scam tokens.” However, for the sake of consistency, we will refer to them as Rug Pull tokens throughout.
In this case, the attackers (the Rug Pull gang) deployed the TOMMI token using the Deployer address (0x4bAF). They created a liquidity pool with 1.5 ETH and 100,000,000 TOMMI tokens, then artificially inflated the trading volume by purchasing TOMMI tokens from different addresses. This attracted users and bots to buy TOMMI tokens. Once a sufficient number of bots were tricked, the attackers executed the Rug Pull using the Rug Puller address (0x43a9). The Rug Puller dumped 38,739,354 TOMMI tokens into the liquidity pool and exchanged them for approximately 3.95 ETH. The tokens used by the Rug Puller came from malicious approval granted by the TOMMI token contract, which allowed the Rug Puller to withdraw tokens directly from the liquidity pool and carry out the scam.
The attacker recharged 2.47309009 ETH into the Token Deployer (0x4bAF) from a centralized exchange to fund the Rug Pull.
Figure 1: Deployer obtains startup funds transaction information
The Deployer creates the TOMMI token and pre-mines 100,000,000 tokens, allocating them to themselves.
Figure 2: Deployer creates TOMMI token transaction information
The Deployer uses 1.5 ETH and the pre-mined tokens to create a liquidity pool, receiving approximately 0.387 LP tokens.
Figure 3: Deployer creates liquidity pool transaction and fund flow
The Token Deployer sends all LP tokens to the 0 address for destruction. Since the TOMMI contract has no Mint function, the Token Deployer theoretically loses the ability to execute a Rug Pull. (This is one of the necessary conditions to deceive new token bots. Some bots assess the risk of Rug Pulls when entering new tokens into the pool, and the Deployer also sets the contract’s Owner to the 0 address to deceive anti-scam programs used by the bots).
Figure 4: Deployer destroys LP tokens transaction information
The attackers use several addresses to actively buy TOMMI tokens from the liquidity pool, artificially inflating the trading volume to attract more new token bots (these addresses are attributed to the attackers because their funds come from the fund transfer address the Rug Pull gang has used historically).
Figure 5: Attacker’s other address buys TOMMI tokens transaction information and fund flow
The attackers use the Rug Puller address (0x43A9) to initiate the Rug Pull, directly withdrawing 38,739,354 TOMMI tokens from the liquidity pool and dumping them, extracting approximately 3.95 ETH.
Figure 6: Rug Pull transaction information and fund flow
The attackers send the funds from the Rug Pull to the transfer address 0xD921.
Figure 7: Rug Puller sends attack proceeds to the transit address transaction information
The transfer address 0xD921 sends the funds to the retention address 0x2836. From this, we can see that after the Rug Pull is completed, the Rug Puller sends the funds to a retention address. This address serves as a collection point for funds from many Rug Pull cases. The retention address splits most of the funds to initiate new Rug Pulls, and the remaining funds are withdrawn through centralized exchanges. We have tracked several retention addresses, with 0x2836 being one of them.
Figure 8: Transfer address fund movement information
Although the attackers tried to prove to the outside world that they could not carry out a Rug Pull by destroying the LP tokens, in reality, they left a malicious approve backdoor in the openTrading function of the TOMMI token contract. This backdoor allows the liquidity pool to approve token transfers to the Rug Puller address when the liquidity pool is created, enabling the Rug Puller address to directly withdraw tokens from the liquidity pool.
Figure 9: openTrading function in TOMMI token contract
Figure 10: onInit function in the TOMMI token contract
The implementation of the openTrading function is shown in Figure 9, and its main purpose is to create a new liquidity pool. However, the attackers call the backdoor function onInit (as shown in Figure 10), which causes uniswapV2Pair to approve token transfers to the _chefAddress for an amount of type(uint256).max, i.e. effectively the entire token supply. Here, uniswapV2Pair refers to the liquidity pool address, and _chefAddress is the Rug Puller address, which is set during contract deployment (as shown in Figure 11).
Figure 11: Constructor in TOMMI token contract
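The approve backdoor described above leaves a signature a defender can look for: a Uniswap V2 pair contract never calls approve() on the token it holds, so an ERC-20 Approval event whose owner is the pair, or a non-zero allowance(pair, x) read directly from contract state (for backdoors that write the allowance mapping without emitting an event), is a red flag. The following is an added example, not CertiK's tooling or the TOMMI contract; the addresses, receipt logs and the allowance stub are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional

# keccak256("Approval(address,address,uint256)"): the standard ERC-20 event topic
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
# keccak256("Transfer(address,address,uint256)"), only used to build sample logs
TRANSFER_TOPIC = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"
UINT256_MAX = 2**256 - 1


@dataclass(frozen=True)
class PoolApproval:
    owner: str      # the liquidity pair, which should never grant an allowance
    spender: str    # the address that can now pull tokens out of the pool
    amount: int
    unlimited: bool


def _topic_to_address(topic: str) -> str:
    # indexed address parameters are left-padded to 32 bytes inside a topic
    return "0x" + topic[-40:].lower()


def decode_approval(log: dict) -> Optional[PoolApproval]:
    """Decode one receipt log as an Approval event, or None if it is another event."""
    topics = log.get("topics", [])
    if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
        return None
    amount = int(log["data"], 16)
    return PoolApproval(_topic_to_address(topics[1]), _topic_to_address(topics[2]),
                        amount, amount == UINT256_MAX)


def find_pool_approvals(logs: Iterable[dict], token: str, pair: str) -> List[PoolApproval]:
    """Approval events emitted by `token` whose owner is the token's own Uniswap V2 pair."""
    token, pair = token.lower(), pair.lower()
    found = []
    for log in logs:
        if log["address"].lower() != token:
            continue
        approval = decode_approval(log)
        if approval is not None and approval.owner == pair:
            found.append(approval)
    return found


def pool_allowances(allowance_of: Callable[[str, str], int], pair: str,
                    candidate_spenders: Iterable[str]) -> Dict[str, int]:
    """State check for backdoors that set the allowance silently (no Approval event).

    `allowance_of(owner, spender)` wraps the token's allowance() view call; in
    practice that is an RPC call, here it is the constructed stub below."""
    found: Dict[str, int] = {}
    for spender in candidate_spenders:
        amount = allowance_of(pair, spender)
        if amount > 0:
            found[spender] = amount
    return found


# ---- constructed sample data: placeholder addresses, not real contracts ----
def _addr(fill: str) -> str:
    return "0x" + fill * 20

def _topic(addr: str) -> str:
    return "0x" + "0" * 24 + addr[2:]

TOKEN, PAIR, CHEF, USER, ROUTER = (_addr(c) for c in ("a1", "b2", "c3", "d4", "e5"))

SAMPLE_LOGS = [
    # an ordinary user approving the router: expected, not flagged
    {"address": TOKEN, "topics": [APPROVAL_TOPIC, _topic(USER), _topic(ROUTER)],
     "data": "0x" + "f" * 64},
    # a Transfer event: different signature, ignored by the decoder
    {"address": TOKEN, "topics": [TRANSFER_TOPIC, _topic(USER), _topic(PAIR)],
     "data": "0x" + "0" * 60 + "03e8"},
    # the backdoor signature: the pair itself granting an unlimited allowance
    {"address": TOKEN, "topics": [APPROVAL_TOPIC, _topic(PAIR), _topic(CHEF)],
     "data": "0x" + "f" * 64},
    # same shape but emitted by another token contract: out of scope for this token
    {"address": _addr("99"), "topics": [APPROVAL_TOPIC, _topic(PAIR), _topic(CHEF)],
     "data": "0x" + "f" * 64},
]

# constructed stand-in for token.allowance(owner, spender)
_STATE = {(PAIR, CHEF): UINT256_MAX, (USER, ROUTER): UINT256_MAX}

def stub_allowance(owner: str, spender: str) -> int:
    return _STATE.get((owner.lower(), spender.lower()), 0)


if __name__ == "__main__":
    for hit in find_pool_approvals(SAMPLE_LOGS, TOKEN, PAIR):
        print("pool granted allowance:", hit)
    print("non-zero pool allowances:", pool_allowances(stub_allowance, PAIR, [CHEF, ROUTER]))
```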
By analyzing the TOMMI case, we can summarize the following four key features:
1. Deployer obtains funds from centralized exchanges: The attackers first provide funding for the Deployer address through a centralized exchange.
2. Deployer creates liquidity pool and destroys LP tokens: After creating the Rug Pull token, the Deployer immediately establishes a liquidity pool and destroys the LP tokens, which increases the project’s credibility and attracts more investors.
3. Rug Puller uses large amounts of tokens to exchange for ETH in the liquidity pool: The Rug Puller uses a significant number of tokens (often far exceeding the total token supply) to exchange for ETH in the liquidity pool. In some cases, the Rug Puller also removes liquidity to withdraw ETH from the pool.
4. Rug Puller transfers the ETH obtained from the scam to a retention address: The Rug Puller moves the ETH gained from the Rug Pull to a retention address, sometimes passing through an intermediary address.
These features are commonly observed in the cases we’ve identified, highlighting that Rug Pull activities have clear patterns. Additionally, after completing the Rug Pull, the stolen funds are usually consolidated into a retention address. This suggests that these seemingly isolated Rug Pull cases might be connected to the same group or even a single fraud network.
Based on these patterns, we have developed a Rug Pull behavior profile and have begun using it to scan and detect other related cases, with the goal of profiling potential scam groups.
As previously mentioned, Rug Pull cases typically consolidate funds into fund retention addresses. Based on this pattern, we selected several highly active fund retention addresses with clear characteristics of scam tactics for in-depth analysis.
We identified 7 fund retention addresses, associated with 1,124 Rug Pull cases, successfully detected by our on-chain attack monitoring system (CertiK Alert). After executing the scam, the Rug Pull gang gathers the illicit profits into these fund retention addresses. These addresses then split the funds, using them to create new tokens for future Rug Pull scams, manipulate liquidity pools, and carry out other fraudulent activities. Additionally, some of the retained funds are cashed out through centralized exchanges or instant exchange platforms.
The data for the fund retention addresses is shown in Table 1:
By analyzing the costs and revenues of each Rug Pull scam associated with these fund retention addresses, we obtained the data presented in Table 1.
In a typical Rug Pull scam, the Rug Pull gang usually uses one address as the Deployer for the Rug Pull token and acquires the startup funds through a centralized exchange to create the Rug Pull token and its corresponding liquidity pool. Once enough users or new token bots are attracted to purchase the Rug Pull token using ETH, the Rug Pull gang will use another address as the Rug Puller to execute the scam, transferring the funds to the fund retention address.
In this process, the ETH obtained by the Deployer through exchange withdrawals or the ETH invested when creating the liquidity pool is considered the cost of the Rug Pull (the specific calculation depends on the actions of the Deployer). The ETH transferred to the fund retention address (or intermediary addresses) after the Rug Puller completes the scam is considered the revenue from the Rug Pull. The data on the income and expenses, as shown in Table 1, were calculated based on the ETH/USD price (1 ETH = 2,513.56 USD as of August 31, 2024), with real-time pricing used during data integration.
It is important to note that during the scam, the Rug Pull gang may also purchase their own created Rug Pull token using ETH, simulating normal liquidity pool activities to attract more new token bots. However, this cost is not included in the calculations, so the data in Table 1 slightly overestimates the Rug Pull gang’s actual profits. The real profits would be somewhat lower.
Figure 12: Profit share pie chart for fund retention addresses
By using the profit data from Table 1 for each address, we generated the profit share pie chart shown in Figure 12. The top three addresses with the highest profit share are 0x1607, 0xDF1a, and 0x2836. The address 0x1607 earned the most profit, about 2,668.17 ETH, which accounts for 27.7% of the total profit across all addresses.
In fact, even though the funds are eventually consolidated into different fund retention addresses, the shared features across the associated cases (such as backdoor implementations and cash-out methods) lead us to strongly suspect that these fund retention addresses may be controlled by the same fraud gang.
So, is there a connection between these fund retention addresses?
Figure 13: Fund flow diagram of fund retention addresses
A key indicator in determining if there is a relationship between fund retention addresses is to examine whether there are direct transfers between these addresses. To verify the connections between these fund retention addresses, we crawled and analyzed their historical transactions.
In most of the Rug Pull cases we analyzed, the proceeds from each scam usually flow into only one fund retention address. Therefore, it is impossible to trace the funds to link different fund retention addresses directly. To resolve this, we monitored the movement of funds between these addresses to identify any direct relationships. The results of our analysis are shown in Figure 13.
It’s important to note that 0x1d39 and 0x6348 in Figure 13 are shared Rug Pull infrastructure contract addresses. These fund retention addresses use these two contracts to split funds and send them to other addresses, where these funds are used to fake the trading volume of Rug Pull tokens.
From the direct ETH transfer relationships shown in Figure 13, we divided these fund retention addresses into 3 groups:
0xDF1a and 0xDEd0;
0x1607 and 0x4856;
0x2836, 0x0573, 0xF653 and 0x7dd9.
Within each group, there are direct transfers, but no transfers occur between the groups. This suggests that these 7 fund retention addresses can be considered as belonging to 3 separate gangs. However, all three groups use the same infrastructure contracts to split ETH for Rug Pull operations, tying them together into one organized group. Does this suggest that these fund retention addresses are actually controlled by a single fraud network?
This question is open for consideration.
As mentioned earlier, the shared infrastructure addresses are:
0x1d3970677aa2324E4822b293e500220958d493d0 and 0x634847D6b650B9f442b3B582971f859E6e65eB53.
The 0x1d39 address mainly features two functions: “multiSendETH” and “0x7a860e7e”. The primary function of multiSendETH is to split transfers. Fund retention addresses use multiSendETH to distribute some of the funds to multiple addresses, faking trading volume for Rug Pull tokens. The transaction details for this are shown in Figure 14.
This splitting operation helps the attackers simulate token activity, making the tokens appear more attractive, thereby enticing more users or new token bots to purchase. Through this method, the Rug Pull gang further enhances the deceit and complexity of their scam.
Figure 14: Transaction Information of Fund Splitting by 0x1d39
The function 0x7a860e7e is used to purchase Rug Pull tokens. After receiving the split funds, addresses disguised as normal users either interact directly with Uniswap’s router to buy Rug Pull tokens or use the 0x7a860e7e function to make these purchases, faking trading activity.
The main functions in 0x6348 are similar to those in 0x1d39, with the only difference being that the function for buying Rug Pull tokens is called 0x3f8a436c.
To better understand how the Rug Pull gang utilizes these infrastructures, we crawled and analyzed the transaction history of both 0x1d39 and 0x6348, and tracked how frequently external addresses used these functions. The results are shown in Tables 2 and 3.
From Tables 2 and 3, it is clear that the Rug Pull gang follows a consistent strategy when using these infrastructure addresses. They use only a few fund retention addresses or intermediary addresses for splitting funds, but employ a large number of other addresses to fake the trading volume of Rug Pull tokens. For example, 6,224 addresses were involved in faking trading volume through 0x6348, significantly complicating the task of distinguishing between attacker and victim addresses.
It’s worth noting that the Rug Pull gang doesn’t just rely on infrastructure addresses for faking trading volume—some addresses directly swap tokens on exchanges to fake volume as well.
Additionally, we tracked the usage of these two infrastructure addresses by the 7 fund retention addresses and calculated the total ETH involved in each function. The results are shown in Tables 4 and 5.
From Tables 4 and 5, we see that the fund retention addresses used the infrastructure to split funds 3,616 times, totaling 9,369.98 ETH. Except for 0xDF1a, all the fund retention addresses only used the infrastructure for fund splitting, while the purchases of Rug Pull tokens were completed by the receiving addresses. This demonstrates the Rug Pull gang’s clear and organized approach to their scams.
0x0573 did not use infrastructure for fund splitting, and instead, the funds used to fake trading volume came from other addresses, indicating some variability in how different fund retention addresses operate.
Through analyzing the links between these fund retention addresses and their usage of infrastructure, we now have a more complete picture of how these addresses are connected. The Rug Pull gang’s operations are far more professional and organized than we initially imagined, further suggesting that a well-coordinated criminal group is behind these scams, executing them in a systematic way.
When carrying out a Rug Pull, the Rug Pull gang typically uses a new Externally Owned Account (EOA) as the Deployer to launch the Rug Pull token, with these Deployer addresses generally obtaining the initial funds via centralized exchanges (CEX) or instant exchange platforms. To gain more insight into the source of funds, we analyzed the Rug Pull cases associated with the fund retention addresses mentioned earlier, aiming to obtain more detailed information about how the scam funds are sourced.
Table 6 shows the distribution of the Deployer’s source of funds labels for each fund retention address connected to the Rug Pull cases.
Looking at the data in Table 6, we can see that the majority of funds for the Rug Pull token deployer in these Rug Pull cases come from centralized exchanges (CEX). Of the 1,124 Rug Pull cases we analyzed, 1,069 (95.11%) had funds originating from centralized exchange hot wallets. This means that for most of these Rug Pull cases, we can trace the specific account holders by examining the KYC information and withdrawal histories from the centralized exchanges, which can provide crucial clues to solving the case. Further investigation revealed that these Rug Pull gangs often obtain funds from multiple exchange hot wallets, and the frequency and distribution of usage across these wallets are roughly equal. This suggests that the Rug Pull gang intentionally increases the independence of each Rug Pull case’s fund flow, making it harder to trace, and complicating any investigative efforts.
Through a detailed analysis of the fund retention addresses and Rug Pull cases, we have developed a profile of these Rug Pull gangs: they are highly trained, with clear roles and responsibilities, well-planned, and highly organized. These characteristics highlight the high level of professionalism and the systemic nature of their fraudulent operations.
Given the level of organization behind these gangs, we began to question: how do these Rug Pull gangs get users to find and buy their Rug Pull tokens? To answer this, we focused on victim addresses in these Rug Pull cases and began investigating how these gangs lure users into participating in their scams.
By analyzing fund associations, we compiled a list of Rug Pull gang addresses, which we maintain as a blacklist. We then extracted the victim addresses from the transactions of each case.
After analyzing these victim addresses, we obtained the related victim address information tied to the fund retention addresses (Table 7) and their contract interaction data (Table 8).
From the data in Table 7, we can see that, on average, there are 26.82 victim addresses per Rug Pull case in the Rug Pull cases captured by our on-chain monitoring system (CertiK Alert). This number is higher than we initially expected, indicating that the impact of these Rug Pull cases is greater than we originally thought.
In Table 8, we can observe that, among the contract interactions for victim addresses purchasing Rug Pull tokens, in addition to more conventional purchase methods through platforms like Uniswap and MetaMask Swap, 30.40% of the Rug Pull tokens were bought through well-known on-chain sniper bot platforms like Maestro and Banana Gun.
This finding highlights that on-chain sniper bots could be an important promotional channel for the Rug Pull gang. These sniper bots allow the Rug Pull gang to quickly attract participants, particularly those focused on new token investments. As a result, we have turned our attention to these on-chain sniper bots to better understand their role in Rug Pull scams and how they contribute to the promotion of these fraudulent schemes.
We conducted research into the current Web3 new token ecosystem, examined the operation models of on-chain sniper bots, and combined some social engineering techniques to identify two potential Rug Pull gang advertising channels: Twitter and Telegram groups.
It is crucial to note that these Twitter accounts and Telegram groups were not specifically created by the Rug Pull gang, but instead are basic components of the new token ecosystem. They are operated and maintained by third-party entities such as on-chain sniper bot teams or professional new token investment groups, with the purpose of promoting newly launched tokens to investors. These groups have become natural advertising avenues for the Rug Pull gang, who use them to attract users to buy malicious tokens, thus carrying out their scams.
Figure 15: TOMMI token Twitter advertisement
Figure 15 shows a Twitter ad for the TOMMI token. As we can see, the Rug Pull gang used Dexed.com’s new token promotion service to publicize their Rug Pull token, attracting a wider audience of potential victims. During our investigation, we found that many Rug Pull tokens had ads appearing on Twitter, typically from Twitter accounts operated by different third-party organizations.
Figure 16: Banana Gun New Token Promotion Group
Figure 16 illustrates a Telegram group run by the on-chain sniper bot team Banana Gun, which is dedicated to promoting newly launched tokens. This group not only shares basic information about new tokens but also provides users with easy access to purchase them. After setting up the Banana Gun Sniper Bot, users can quickly purchase a token by clicking the “Snipe” button (highlighted in red in Figure 16) next to the token promotion in the group.
We manually sampled the tokens promoted in this group and discovered that a large proportion of them were actually Rug Pull tokens. This finding strengthens our belief that Telegram groups are likely a key advertising channel for the Rug Pull gang.
The next question is: what percentage of the new tokens promoted by third-party organizations are Rug Pull tokens? How large is the scale of these Rug Pull gangs? To answer these questions, we decided to conduct a systematic scan and analysis of the new token data being promoted in Telegram groups, in order to uncover the scale of the associated risks and the extent of the fraudulent activity.
To assess the proportion of Rug Pull tokens among the newly promoted tokens in Telegram groups, we crawled the data of newly launched Ethereum tokens pushed by Banana Gun, Unibot, and other third-party token message groups between October 2023 and August 2024 using Telegram’s API. We found that during this period, these groups pushed a total of 93,930 tokens.
Based on our analysis of Rug Pull cases, Rug Pull gangs typically create liquidity pools for Rug Pull tokens in Uniswap V2 and inject ETH. Once users or new token bots buy the Rug Pull tokens, the attackers profit by dumping or removing liquidity, usually completing the process within 24 hours.
Therefore, we created the following detection rules for Rug Pull tokens and applied them to scan the 93,930 tokens to determine the proportion of Rug Pull tokens among the new tokens promoted in Telegram groups:
1. No transfers in the last 24 hours for the target token: Rug Pull tokens usually stop having activity after the dump;
2. Liquidity pool exists between target token and ETH in Uniswap V2: Rug Pull gangs create liquidity pools between the token and ETH in Uniswap V2;
3. Total transfer events since token creation do not exceed 1,000: Rug Pull tokens typically have fewer transactions, so the number of transfers is relatively small;
4. Large liquidity withdrawals or dumps are present in the last 5 transactions: Rug Pull tokens typically end with large liquidity withdrawals or dumps.
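The four detection rules above, implemented over per-token activity records as an added example (not CertiK’s scanner). It also derives the cash-out method (dump versus liquidity removal) and the creation-to-Rug-Pull active time buckets used later in the report, and includes a constructed "failed project" that passes all four rules but lands in the over-72-hour bucket, the false-positive case the report cautions about. The report does not quantify "large", so the 50% pool-reserve threshold and all token data are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

HOUR = 3600
# Assumption: a single tx that moves at least half of the pool's ETH reserve counts
# as a "large" withdrawal or dump (the report gives no threshold).
LARGE_EXIT_SHARE = 0.5
EXIT_KINDS = ("sell", "remove_liquidity")


@dataclass
class Tx:
    timestamp: int
    kind: str          # "buy", "sell", "add_liquidity" or "remove_liquidity"
    pool_share: float  # fraction of the pool's ETH reserve moved by this tx


@dataclass
class TokenActivity:
    address: str
    created_at: int
    has_v2_eth_pool: bool           # a Uniswap V2 token/ETH pair exists
    transfer_timestamps: List[int]  # one entry per Transfer event since creation
    txs: List[Tx]                   # liquidity pool interactions, oldest first


# Rule 1: no Transfer events in the 24 hours before the scan time.
def rule_no_recent_transfers(t: TokenActivity, now: int) -> bool:
    return all(now - ts > 24 * HOUR for ts in t.transfer_timestamps)

# Rule 2: a Uniswap V2 liquidity pool between the token and ETH exists.
def rule_v2_pool_exists(t: TokenActivity) -> bool:
    return t.has_v2_eth_pool

# Rule 3: at most 1,000 Transfer events since token creation.
def rule_few_transfers(t: TokenActivity) -> bool:
    return len(t.transfer_timestamps) <= 1000

# Rule 4: a large liquidity withdrawal or dump among the last 5 transactions.
def rule_large_exit_in_last_five(t: TokenActivity) -> bool:
    return any(tx.kind in EXIT_KINDS and tx.pool_share >= LARGE_EXIT_SHARE
               for tx in t.txs[-5:])

def is_rug_pull(t: TokenActivity, now: int) -> bool:
    return (rule_no_recent_transfers(t, now) and rule_v2_pool_exists(t)
            and rule_few_transfers(t) and rule_large_exit_in_last_five(t))

def final_exit(t: TokenActivity) -> Optional[Tx]:
    """The last large exit tx, i.e. the Rug Pull itself (None if there is none)."""
    exits = [tx for tx in t.txs if tx.kind in EXIT_KINDS and tx.pool_share >= LARGE_EXIT_SHARE]
    return exits[-1] if exits else None

def cash_out_method(t: TokenActivity) -> Optional[str]:
    """'dump' when tokens were sold into the pool, 'remove_liquidity' when the pool was pulled."""
    tx = final_exit(t)
    return None if tx is None else ("dump" if tx.kind == "sell" else "remove_liquidity")

def active_time_bucket(t: TokenActivity) -> Optional[str]:
    """Token creation to final Rug Pull, bucketed like the report's active-time analysis."""
    tx = final_exit(t)
    if tx is None:
        return None
    hours = (tx.timestamp - t.created_at) / HOUR
    return "<3h" if hours < 3 else "<72h" if hours < 72 else ">=72h"

def scan(tokens: List[TokenActivity], now: int) -> Dict[str, dict]:
    return {t.address: {"rug_pull": is_rug_pull(t, now),
                        "cash_out": cash_out_method(t),
                        "active_time": active_time_bucket(t)} for t in tokens}


# ---- constructed sample data: placeholder labels, not real token addresses ----
T0 = 1_700_000_000
NOW = T0 + 40 * 24 * HOUR

TOMMI_LIKE = TokenActivity(                                    # dump after two hours of wash trades
    address="placeholder:tommi-like", created_at=T0, has_v2_eth_pool=True,
    transfer_timestamps=[T0 + i * 120 for i in range(60)],
    txs=[Tx(T0 + 600 * i, "buy", 0.05) for i in range(1, 6)] + [Tx(T0 + 2 * HOUR, "sell", 0.9)])

STILL_TRADING = TokenActivity(                                 # an ordinary live token
    address="placeholder:live-token", created_at=NOW - 1501 * HOUR, has_v2_eth_pool=True,
    transfer_timestamps=[NOW - i * HOUR for i in range(1500)],
    txs=[Tx(NOW - i * HOUR, "buy", 0.01) for i in range(10, 0, -1)])

FAILED_PROJECT = TokenActivity(                                # liquidity pulled after a month
    address="placeholder:failed-project", created_at=T0, has_v2_eth_pool=True,
    transfer_timestamps=[T0 + i * 3 * HOUR for i in range(200)],
    txs=[Tx(T0 + i * HOUR, "buy", 0.02) for i in range(1, 4)]
        + [Tx(T0 + 30 * 24 * HOUR, "remove_liquidity", 1.0)])

SAMPLE_TOKENS = [TOMMI_LIKE, STILL_TRADING, FAILED_PROJECT]

if __name__ == "__main__":
    for address, verdict in scan(SAMPLE_TOKENS, NOW).items():
        print(address, verdict)
```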
We applied these rules to the tokens promoted in Telegram groups, and the results are shown in Table 9.
As shown in Table 9, out of the 93,930 tokens promoted in Telegram groups, 46,526 were identified as Rug Pull tokens, making up 49.53% of the total. This means nearly half of the tokens promoted in Telegram groups are Rug Pull tokens.
Considering that some project teams may also withdraw liquidity after a project fails, this behavior should not be automatically classified as Rug Pull fraud. Therefore, we considered the potential impact of false positives on the analysis. Although Rule 3 helps filter most similar cases, some misjudgment could still occur.
To better understand the impact of false positives, we analyzed the active time of the 46,526 Rug Pull tokens and the results are shown in Table 10. By analyzing active times, we can better distinguish between genuine Rug Pull behavior and liquidity withdrawals due to project failure, allowing for a more accurate assessment of the true scale of Rug Pull activities.
Through analyzing the active times, we found that 41,801 Rug Pull tokens had an active time (from token creation to the final Rug Pull) of less than 72 hours, accounting for 89.84%. In normal cases, 72 hours would not be enough to determine if a project has failed, so we consider Rug Pull behavior with an active time under 72 hours as abnormal withdrawal behavior, not typical of legitimate project teams.
Therefore, even in the worst-case scenario, the remaining 4,725 Rug Pull tokens with an active time greater than 72 hours do not fit the definition of Rug Pull fraud in this paper. However, our analysis still has significant value, as 89.84% of the cases align with expectations. Moreover, the 72-hour threshold is still relatively conservative, as in actual sampling, many tokens with an active time greater than 72 hours still fall into the Rug Pull fraud category.
Interestingly, 25,622 tokens had an active time of less than 3 hours, accounting for 55.07%. This shows that Rug Pull gangs are operating at very high efficiency, with a “short and quick” approach and extremely high capital turnover rates.
We also evaluated the cash-out methods and contract call patterns for the 46,526 Rug Pull tokens to confirm the tendencies of the Rug Pull gangs.
The evaluation of cash-out methods mainly focused on how the Rug Pull gangs extracted ETH from liquidity pools. The main methods are:
Dumping tokens: The Rug Pull gang uses tokens obtained through pre-allocation or backdoor code to redeem all ETH in the liquidity pool.
Removing liquidity: The Rug Pull gang removes all of their own funds added to the liquidity pool.
The evaluation of contract call patterns looked at which target contract objects the Rug Pull gangs interacted with during the Rug Pull process. The main objects are:
Decentralized exchange router contracts: Used to directly manipulate liquidity.
Custom attack contracts: Self-built contracts used for executing complex fraudulent operations.
By evaluating the cash-out methods and contract call patterns, we can further understand the Rug Pull gang’s modus operandi and characteristics, which will help us better prevent and identify similar scams.
The relevant evaluation data for cash-out methods is shown in Table 11.
From the evaluation data, we can see that the number of cases where the Rug Pull gang used liquidity removal for cashing out is 32,131, accounting for 69.06%. This indicates that these Rug Pull gangs prefer liquidity removal for cashing out, possibly because it is simpler and more direct, without the need for complex contract creation or additional steps. In contrast, cashing out by dumping tokens requires the Rug Pull gang to set up a backdoor in the token’s contract code, allowing them to acquire tokens needed for the dump at zero cost. This process is more complex and riskier, so there are fewer cases involving it.
The relevant evaluation data for contract call patterns is shown in Table 12.
From Table 12, we can clearly see that the Rug Pull gangs prefer to use the Uniswap router contract to execute Rug Pull operations, having done so 40,887 times, accounting for 76.35% of all operations. The total number of Rug Pull executions is 53,552, which is higher than the number of Rug Pull tokens (46,526). This suggests that in some cases, the Rug Pull gang executes multiple Rug Pull operations, possibly to maximize profits or cash out in batches targeting different victims.
Next, we performed a statistical analysis on the cost and revenue data for the 46,526 Rug Pull tokens. It should be noted that we consider the ETH obtained by the Rug Pull gang from centralized exchanges or instant exchange services before deploying the token as the cost, and the ETH recovered at the final Rug Pull as the revenue for statistical purposes. The actual cost data may be higher, as we have not accounted for ETH invested by Rug Pull gangs to fake liquidity pool transactions.
The cost and revenue data are shown in Table 13.
In the statistical analysis of the 46,526 Rug Pull tokens, the total final profit is 282,699.96 ETH, with a profit margin of 188.70%, equivalent to approximately $800 million. Although the actual profit may be slightly lower than the above figures, the overall scale of funds remains extremely impressive, demonstrating that these Rug Pull gangs have generated substantial profits through fraud.
Based on the analysis of the entire token data from Telegram groups, the Ethereum ecosystem is already flooded with a large number of Rug Pull tokens. However, we still need to confirm an important question: do these tokens promoted in Telegram groups represent all the tokens launched on the Ethereum mainnet? If not, what proportion of the tokens launched on Ethereum mainnet do they account for?
Answering this question will give us a comprehensive understanding of the current Ethereum token ecosystem. Therefore, we have started to conduct an in-depth analysis of Ethereum mainnet tokens to assess the coverage of tokens pushed in Telegram groups. This analysis will allow us to further clarify the severity of the Rug Pull issue within the broader Ethereum ecosystem and the influence of Telegram groups in token promotion.
We crawled the block data from the RPC nodes for the same period (October 2023 to August 2024) as the analysis of Telegram group tokens. From these blocks, we retrieved newly deployed tokens (excluding proxy-deployed tokens, as there are very few Rug Pull cases involving them). We captured a total of 154,500 tokens, with 54,240 of them being Uniswap V2 liquidity pool (LP) tokens, which are excluded from the scope of this paper.
After filtering out the LP tokens, we ended up with 100,260 tokens. The relevant information is shown in Table 14.
We applied our Rug Pull detection rules to these 100,260 tokens, and the results are shown in Table 15.
Out of the 100,260 tokens detected, we identified 48,265 Rug Pull tokens, which account for 48.14% of the total—this is nearly identical to the proportion of Rug Pull tokens in the Telegram group-pushed tokens.
To further analyze the overlap between the tokens pushed in Telegram groups and those deployed on the Ethereum mainnet, we compared the data for both sets of tokens. The results are shown in Table 16.
From Table 16, we can see that the overlap between the Telegram group-pushed tokens and the Ethereum mainnet tokens contains 90,228 tokens, accounting for 89.99% of the mainnet tokens. There are 3,703 tokens promoted in Telegram groups that are not found on the mainnet. These tokens are proxy-deployed and weren’t included in our mainnet token capture.
There are 10,032 tokens on the mainnet that weren’t pushed in Telegram groups, likely because they were filtered out by the promotion rules due to insufficient appeal or failure to meet certain criteria.
We then performed Rug Pull detection on the 3,703 proxy-deployed tokens and found only 10 Rug Pull tokens. This indicates that proxy-deployed tokens have little impact on the Rug Pull detection results in Telegram groups, and the detection results are highly consistent with those of the mainnet tokens.
The 10 proxy-deployed Rug Pull token addresses are listed in Table 17. If you’re interested, you can explore these addresses in more detail. We won’t go into this further here.
This analysis confirms that the Rug Pull token proportion in the Telegram group-pushed tokens closely matches that on the Ethereum mainnet, further highlighting the importance and influence of these promotional channels in the current Rug Pull ecosystem.
Now we can answer the question posed earlier: do the tokens pushed in Telegram groups cover all the tokens launched on the Ethereum mainnet, and if not, what proportion do they account for?
The answer is that the tokens pushed in Telegram groups account for about 90% of mainnet tokens, and their Rug Pull detection results are highly consistent with those for mainnet tokens. Therefore, the earlier Rug Pull detection and data analysis of tokens pushed in Telegram groups can be taken to reflect the current state of the Ethereum mainnet token ecosystem.
As mentioned earlier, Rug Pull tokens on the Ethereum mainnet account for approximately 48.14%, but we are also interested in the remaining 51.86% of non-Rug Pull tokens. Even excluding Rug Pull tokens, there are still 51,995 tokens in an unknown state, which is far more than we would expect for a reasonable number of tokens. Therefore, we compiled statistics on the time from creation to the final cessation of activity for all tokens on the mainnet, with the results shown in Table 18.
According to data from Table 18, when we examine the entire Ethereum mainnet, there are 78,018 tokens that exist for less than 72 hours, which represents 77.82% of the total. This figure significantly exceeds the number of Rug Pull tokens we have identified, suggesting that our detection rules do not encompass all instances of Rug Pulls. Indeed, our random sampling tests have revealed some Rug Pull tokens that initially went undetected. Additionally, this might indicate the presence of other types of fraud, such as phishing attacks or Ponzi schemes, which require further investigation.
Moreover, there are 22,242 tokens with lifecycles exceeding 72 hours. These tokens, however, are not the primary focus of our study, implying that additional details remain to be uncovered. Among these, some tokens may belong to projects that failed or had a user base but lacked sustained developmental support. The narratives and reasons behind these tokens could uncover intricate market dynamics.
The token ecosystem on the Ethereum mainnet is considerably more complex than anticipated, filled with both short-lived and enduring projects, alongside ever-present risks of fraudulent activities. The primary aim of this paper is to draw attention to these issues, with the hope that it will make people aware of the ongoing secretive activities of criminals. By sharing this analysis, we aim to spark further interest and research into these matters, ultimately improving the security of the entire blockchain ecosystem.
The fact that Rug Pull tokens constitute 48.14% of all new tokens issued on the Ethereum mainnet is alarmingly significant. This ratio suggests that for every two tokens launched on Ethereum, one is likely a fraud, reflecting the chaotic and disordered state of the Ethereum ecosystem to some extent. However, the real concerns extend beyond just the Ethereum token ecosystem. We have observed that the number of Rug Pull cases on other blockchain networks surpasses those on Ethereum, indicating that the token ecosystems on these networks also warrant thorough investigation.
Despite the high proportion of Rug Pull tokens, approximately 140 new tokens are still launched daily on Ethereum, far exceeding what might be considered a normal range. What undisclosed secrets might these other, non-fraudulent tokens hold? These are crucial questions that merit deep contemplation and further research.
Additionally, this paper highlights several key issues that require more exploration:
Identifying Rug Pull Gangs: With the large volume of Rug Pull cases detected, how can we effectively identify the number of distinct Rug Pull gangs behind these cases, and determine if there are connections between them? Analyzing financial flows and shared addresses could be crucial.
Distinguishing Victims from Attackers: Differentiating between victims and attackers is essential for identifying fraud. However, the line between victim and attacker addresses can often be blurred, raising the need for more precise methods.
Advancing Rug Pull Detection: Current Rug Pull detection primarily relies on post-event analysis. Could we develop methods for real-time or even preemptive detection to identify potential Rug Pull risks in active tokens sooner? This capability could help mitigate losses and facilitate timely interventions.
Profit Strategies of Rug Pull Gangs: What are the conditions under which Rug Pull gangs decide to cash out? Understanding their profit strategies could help predict and prevent Rug Pull incidents.
Exploring Other Promotional Channels: While Twitter and Telegram are known channels for promoting fraudulent tokens, are other platforms also being exploited? The potential risks associated with forums, other social media, and advertising platforms also deserve scrutiny.
These are complex issues that require further discussion and research, which we leave for ongoing study and debate. The rapid development of the Web3 ecosystem demands not only technological advancements but also broader monitoring and deeper research to address evolving risks and challenges.
Given the prevalence of scams in the token launch ecosystem, Web3 investors need to be exceedingly cautious. As Rug Pull gangs and anti-fraud teams enhance their tactics, it becomes increasingly challenging for investors to identify fraudulent tokens or projects.
For investors interested in the new token market, our security experts suggest the following:
Use Reputable Centralized Exchanges: Prefer buying new tokens through well-known centralized exchanges, which typically have stricter project screenings and offer higher security.
Verify Official Sources on Decentralized Exchanges: Ensure the tokens are purchased from official contract addresses and avoid tokens promoted through unofficial or suspicious channels.
Research the Project’s Website and Community: Lack of an official website or active community often signals higher risk. Be particularly cautious of tokens promoted through third-party Twitter and Telegram groups, which may not have undergone security verification.
Check the Token’s Creation Time: Avoid tokens that were created less than three days ago as Rug Pull tokens often have a very short active period.
Utilize Third-Party Security Services: If possible, use token scanning services offered by third-party security organizations to assess the safety of target tokens.
Aside from the Rug Pull fraud rings that are the focus of this paper, an increasing number of similar criminals are exploiting the infrastructure and mechanisms of various sectors or platforms within the Web3 industry for illegal profits, significantly worsening the security situation of the current Web3 ecosystem. We need to start paying attention to issues that are often overlooked to prevent criminals from finding opportunities.
As previously mentioned, the flow of funds from Rug Pull schemes eventually passes through major exchanges, but we believe that the flow of funds associated with Rug Pull scams is just the tip of the iceberg. The scale of malicious funds passing through exchanges may be far beyond our imagination. Therefore, we strongly urge major exchanges to implement stricter regulatory measures against these malicious flows, actively combat illegal and fraudulent activities, and ensure the safety of users’ funds.
Providers of services like project promotion and on-chain sniper bots, whose infrastructure has indeed become a tool for fraud gangs to profit, are also of concern. Hence, we call on all third-party service providers to enhance the security review of their products or content to prevent misuse by criminals.
Furthermore, we call on all victims, including MEV arbitrageurs and ordinary users, to actively use security scanning tools to assess unknown projects before investing, refer to the project ratings of authoritative security organizations, and actively disclose the malicious actions of criminals to expose unlawful phenomena in the industry.
As a professional security team, we also urge all security practitioners to proactively discover, identify, and combat illegal activities, be vocal in their efforts, and safeguard the financial safety of users.
In the Web3 domain, users, project developers, exchanges, MEV arbitrageurs, and other third-party service providers all play a crucial role. We hope every participant can contribute to the sustainable development of the Web3 ecosystem and work together to create a safer, more transparent blockchain environment.
Before we begin the main report, let’s first review some basic concepts.
ERC-20 tokens are currently one of the most common token standards on blockchain. It defines a set of protocols that enable tokens to interoperate between different smart contracts and decentralized applications (dApps). The ERC-20 standard specifies the basic functionalities of tokens, such as transferring, querying balances, and authorizing third parties to manage tokens. Due to this standardized protocol, developers can more easily issue and manage tokens, simplifying token creation and usage. In fact, anyone, whether an individual or an organization, can issue their own tokens based on the ERC-20 standard and raise initial funds for various financial projects through token presales. Because of the widespread application of ERC-20 tokens, they have become the foundation for many ICOs and decentralized finance (DeFi) projects.
Popular tokens like USDT, PEPE, and DOGE are all ERC-20 tokens, and users can buy these tokens through decentralized exchanges. However, some scam groups may also issue malicious ERC-20 tokens with backdoor code, list them on decentralized exchanges, and then lure users into purchasing them.
Here, we analyze a typical Rug Pull token scam to better understand how these malicious token scams operate. A Rug Pull refers to a fraudulent activity in which the project team suddenly withdraws funds or abandons the project in a decentralized finance (DeFi) initiative, causing significant losses to investors. A Rug Pull token is a token specifically created to carry out such a scam.
The tokens referred to as Rug Pull tokens in this article are sometimes called “Honey Pot tokens” or “Exit Scam tokens.” However, for the sake of consistency, we will refer to them as Rug Pull tokens throughout.
In this case, the attackers (the Rug Pull gang) deployed the TOMMI token using the Deployer address (0x4bAF). They created a liquidity pool with 1.5 ETH and 100,000,000 TOMMI tokens, then artificially inflated the trading volume by purchasing TOMMI tokens from different addresses. This attracted users and bots to buy TOMMI tokens. Once a sufficient number of bots were tricked, the attackers executed the Rug Pull using the Rug Puller address (0x43a9). The Rug Puller dumped 38,739,354 TOMMI tokens into the liquidity pool and exchanged them for approximately 3.95 ETH. The tokens used by the Rug Puller came from malicious approval granted by the TOMMI token contract, which allowed the Rug Puller to withdraw tokens directly from the liquidity pool and carry out the scam.
The attacker recharged 2.47309009 ETH into the Token Deployer (0x4bAF) from a centralized exchange to fund the Rug Pull.
Figure 1: Deployer obtains startup funds transaction information
The Deployer creates the TOMMI token and pre-mines 100,000,000 tokens, allocating them to themselves.
Figure 2: Deployer creates TOMMI token transaction information
The Deployer uses 1.5 ETH and the pre-mined tokens to create a liquidity pool, receiving approximately 0.387 LP tokens.
Figure 3: Deployer creates liquidity pool transaction and fund flow
The Token Deployer sends all LP tokens to the 0 address for destruction. Since the TOMMI contract has no Mint function, the Token Deployer theoretically loses the ability to execute a Rug Pull. (This is one of the necessary conditions to deceive new token bots. Some bots assess the risk of Rug Pulls when entering new tokens into the pool, and the Deployer also sets the contract’s Owner to the 0 address to deceive anti-scam programs used by the bots).
Figure 4: Deployer destroys LP tokens transaction information
The attackers use several addresses to actively buy TOMMI tokens from the liquidity pool, artificially inflating the trading volume to attract more new token bots (the reason these addresses are identified as being disguised by the attackers is that the funds in these addresses come from the historical fund transfer address used by the Rug Pull gang).
Figure 5: Attacker’s other address buys TOMMI tokens transaction information and fund flow
The attackers use the Rug Puller address (0x43A9) to initiate the Rug Pull, directly withdrawing 38,739,354 TOMMI tokens from the liquidity pool and dumping them, extracting approximately 3.95 ETH.
Figure 6: Rug Pull transaction information and fund flow
The attackers send the funds from the Rug Pull to the transfer address 0xD921.
Figure 7: Rug Puller sends attack proceeds to the transit address transaction information
The transfer address 0xD921 sends the funds to the retention address 0x2836. From this, we can see that after the Rug Pull is completed, the Rug Puller sends the funds to a retention address. This address serves as a collection point for funds from many Rug Pull cases. The retention address splits most of the funds to initiate new Rug Pulls, and the remaining funds are withdrawn through centralized exchanges. We have tracked several retention addresses, with 0x2836 being one of them.
Figure 8: Transfer address fund movement information
Although the attackers tried to prove to the outside world that they could not carry out a Rug Pull by destroying the LP tokens, in reality, they left a malicious approve backdoor in the openTrading function of the TOMMI token contract. This backdoor allows the liquidity pool to approve token transfers to the Rug Puller address when the liquidity pool is created, enabling the Rug Puller address to directly withdraw tokens from the liquidity pool.
Figure 9: openTrading function in TOMMI token contract
Figure 10: onInit function in the TOMMI token contract
The implementation of the openTrading function is shown in Figure 9, and its main purpose is to create a new liquidity pool. However, the attackers call the backdoor function onInit (as shown in Figure 10), which causes uniswapV2Pair to approve token transfers to the _chefAddress for the entire token supply (an allowance of type(uint256).max). Here, uniswapV2Pair refers to the liquidity pool address, and _chefAddress is the Rug Puller address, which is set during contract deployment (as shown in Figure 11).
Figure 11: Constructor in TOMMI token contract
By analyzing the TOMMI case, we can summarize the following four key features:
1. Deployer obtains funds from centralized exchanges: The attackers first provide funding for the Deployer address through a centralized exchange.
2. Deployer creates liquidity pool and destroys LP tokens: After creating the Rug Pull token, the Deployer immediately establishes a liquidity pool and destroys the LP tokens, which increases the project’s credibility and attracts more investors.
3. Rug Puller uses large amounts of tokens to exchange for ETH in the liquidity pool: The Rug Puller uses a significant number of tokens (often far exceeding the total token supply) to exchange for ETH in the liquidity pool. In some cases, the Rug Puller also removes liquidity to withdraw ETH from the pool.
4. Rug Puller transfers the ETH obtained from the scam to a retention address: The Rug Puller moves the ETH gained from the Rug Pull to a retention address, sometimes passing through an intermediary address.
These features are commonly observed in the cases we’ve identified, highlighting that Rug Pull activities have clear patterns. Additionally, after completing the Rug Pull, the stolen funds are usually consolidated into a retention address. This suggests that these seemingly isolated Rug Pull cases might be connected to the same group or even a single fraud network.
Based on these patterns, we have developed a Rug Pull behavior profile and have begun using it to scan and detect other related cases, with the goal of profiling potential scam groups.
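As an added illustration (not CertiK's code), the four features above encoded as a rule-based matcher and run over a constructed record of the TOMMI case beside a constructed benign launch; the record layout, the "3 of 4 features" threshold, and all addresses and amounts other than the TOMMI figures from the walkthrough are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Added example, not CertiK's code: a rule-based matcher for the four-feature Rug Pull
# profile summarised above, run over a constructed, simplified token record. The record
# layout, the "3 of 4 features" threshold and all non-TOMMI addresses/amounts are assumptions.

ZERO_ADDRESS = "0x0000000000000000000000000000000000000000"

@dataclass
class TokenCase:
    token: str
    deployer: str
    total_supply: int
    deployer_funding: list            # (source_label, eth) received by the Deployer before deployment
    lp_created: bool
    lp_token_recipient: str           # where the Deployer sent the LP tokens
    liquidity_removed_by: Optional[str]  # address that removed liquidity, if any
    acquired: dict                    # address -> tokens obtained through buys or transfers
    pool_sells: list                  # (seller, tokens_sold, eth_received) swaps into the pool
    eth_transfers: list               # (sender, receiver, eth) transfers after the sells
    retention: set                    # known fund retention addresses (blacklist)

def deployer_funded_by_cex(case):
    # Feature 1: the Deployer's start-up ETH came from a centralized exchange.
    return any(label.startswith("cex") for label, _ in case.deployer_funding)

def lp_created_and_burned(case):
    # Feature 2: a pool was created and the LP tokens were sent to the 0 address.
    return case.lp_created and case.lp_token_recipient == ZERO_ADDRESS

def suspicious_sellers(case):
    # Feature 3: sellers dumping more tokens than they ever legitimately acquired (or more
    # than the whole supply) can only be spending tokens obtained through a backdoor such as
    # TOMMI's pair -> _chefAddress approval; an address that removed liquidity counts too.
    bad = {s for s, sold, _ in case.pool_sells
           if sold > case.total_supply or sold > case.acquired.get(s, 0)}
    if case.liquidity_removed_by:
        bad.add(case.liquidity_removed_by)
    return bad

def proceeds_to_retention(case, sellers, max_hops=2):
    # Feature 4: ETH from the suspicious sellers reaches a known retention address
    # directly or through one intermediary address (at most max_hops transfers).
    frontier = set(sellers)
    for _ in range(max_hops):
        nxt = set()
        for sender, receiver, _ in case.eth_transfers:
            if sender in frontier:
                if receiver in case.retention:
                    return True
                nxt.add(receiver)
        frontier = nxt
    return False

def match_profile(case):
    sellers = suspicious_sellers(case)
    return {
        "deployer_funded_by_cex": deployer_funded_by_cex(case),
        "lp_created_and_burned": lp_created_and_burned(case),
        "oversized_sell": bool(sellers),
        "proceeds_to_retention": proceeds_to_retention(case, sellers),
    }

def classify(case, threshold=3):
    # Flag the token when at least `threshold` of the four features match.
    hits = match_profile(case)
    return sum(hits.values()) >= threshold, hits

def cost_and_revenue(case):
    # Cost = ETH the Deployer received before deployment; revenue = ETH the suspicious
    # sellers pulled out of the pool (the accounting used for the statistics above).
    cost = sum(eth for _, eth in case.deployer_funding)
    sellers = suspicious_sellers(case)
    revenue = sum(eth for s, _, eth in case.pool_sells if s in sellers)
    return cost, revenue, (revenue - cost) / cost if cost else 0.0

# The TOMMI walkthrough (amounts from the text; the two buyer addresses are constructed).
TOMMI = TokenCase(
    token="TOMMI", deployer="0x4bAF", total_supply=100_000_000,
    deployer_funding=[("cex_hot_wallet", 2.47309009)],
    lp_created=True, lp_token_recipient=ZERO_ADDRESS, liquidity_removed_by=None,
    acquired={"0xAAA1": 500_000, "0xAAA2": 800_000},
    pool_sells=[("0xAAA1", 200_000, 0.004), ("0x43a9", 38_739_354, 3.95)],
    eth_transfers=[("0x43a9", "0xD921", 3.95), ("0xD921", "0x2836", 3.95)],
    retention={"0x2836"},
)

# A constructed benign launch: EOA-funded Deployer, LP tokens kept, sellers only sell what they bought.
BENIGN = TokenCase(
    token="OKTOKEN", deployer="0xBEEF", total_supply=1_000_000,
    deployer_funding=[("eoa", 5.0)],
    lp_created=True, lp_token_recipient="0xBEEF", liquidity_removed_by=None,
    acquired={"0xB001": 10_000},
    pool_sells=[("0xB001", 10_000, 0.1)],
    eth_transfers=[("0xB001", "0xB002", 0.1)],
    retention={"0x2836"},
)
```

The TOMMI record matches all four features and yields the 2.47 ETH cost and 3.95 ETH revenue from the walkthrough; the benign record matches none.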
As previously mentioned, Rug Pull cases typically consolidate funds into fund retention addresses. Based on this pattern, we selected several highly active fund retention addresses with clear characteristics of scam tactics for in-depth analysis.
We identified 7 fund retention addresses, associated with 1,124 Rug Pull cases, successfully detected by our on-chain attack monitoring system (CertiK Alert). After executing the scam, the Rug Pull gang gathers the illicit profits into these fund retention addresses. These addresses then split the funds, using them to create new tokens for future Rug Pull scams, manipulate liquidity pools, and carry out other fraudulent activities. Additionally, some of the retained funds are cashed out through centralized exchanges or instant exchange platforms.
The data for the fund retention addresses is shown in Table 1:
By analyzing the costs and revenues of each Rug Pull scam associated with these fund retention addresses, we obtained the data presented in Table 1.
In a typical Rug Pull scam, the Rug Pull gang usually uses one address as the Deployer for the Rug Pull token and acquires the startup funds through a centralized exchange to create the Rug Pull token and its corresponding liquidity pool. Once enough users or new token bots are attracted to purchase the Rug Pull token using ETH, the Rug Pull gang will use another address as the Rug Puller to execute the scam, transferring the funds to the fund retention address.
In this process, the ETH obtained by the Deployer through exchange withdrawals or the ETH invested when creating the liquidity pool is considered the cost of the Rug Pull (the specific calculation depends on the actions of the Deployer). The ETH transferred to the fund retention address (or intermediary addresses) after the Rug Puller completes the scam is considered the revenue from the Rug Pull. The data on the income and expenses, as shown in Table 1, were calculated based on the ETH/USD price (1 ETH = 2,513.56 USD as of August 31, 2024), with real-time pricing used during data integration.
It is important to note that during the scam, the Rug Pull gang may also purchase their own created Rug Pull token using ETH, simulating normal liquidity pool activities to attract more new token bots. However, this cost is not included in the calculations, so the data in Table 1 slightly overestimates the Rug Pull gang’s actual profits. The real profits would be somewhat lower.
Figure 12: Profit share pie chart for fund retention addresses
By using the profit data from Table 1 for each address, we generated the profit share pie chart shown in Figure 12. The top three addresses with the highest profit share are 0x1607, 0xDF1a, and 0x2836. The address 0x1607 earned the most profit, about 2,668.17 ETH, which accounts for 27.7% of the total profit across all addresses.
In fact, even though the funds are eventually consolidated into different fund retention addresses, the shared features across the associated cases (such as backdoor implementations and cash-out methods) lead us to strongly suspect that these fund retention addresses may be controlled by the same fraud gang.
So, is there a connection between these fund retention addresses?
Figure 13: Fund flow diagram of fund retention addresses
A key indicator in determining if there is a relationship between fund retention addresses is to examine whether there are direct transfers between these addresses. To verify the connections between these fund retention addresses, we crawled and analyzed their historical transactions.
In most of the Rug Pull cases we analyzed, the proceeds from each scam usually flow into only one fund retention address. Therefore, it is impossible to trace the funds to link different fund retention addresses directly. To resolve this, we monitored the movement of funds between these addresses to identify any direct relationships. The results of our analysis are shown in Figure 13.
It’s important to note that 0x1d39 and 0x6348 in Figure 13 are shared Rug Pull infrastructure contract addresses. These fund retention addresses use these two contracts to split funds and send them to other addresses, where these funds are used to fake the trading volume of Rug Pull tokens.
From the direct ETH transfer relationships shown in Figure 13, we divided these fund retention addresses into 3 groups:
0xDF1a and 0xDEd0;
0x1607 and 0x4856;
0x2836, 0x0573, 0xF653 and 0x7dd9.
Within each group, there are direct transfers, but no transfers occur between the groups. This suggests that these 7 fund retention addresses can be considered as belonging to 3 separate gangs. However, all three groups use the same infrastructure contracts to split ETH for Rug Pull operations, tying them together into one organized group. Does this suggest that these fund retention addresses are actually controlled by a single fraud network?
This question is open for consideration.
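The grouping step above, as an added example that is not part of the original report: union-find over direct ETH transfers among the seven fund retention addresses, using a constructed edge list that reproduces the three groups named in the text. It also shows why the shared infrastructure contracts must be left out of the clustering: adding them as nodes collapses all three groups into one.

```python
# Added example, not CertiK's code. The short address labels are the ones used in the
# text; the transfer amounts and the volume-faking receiver addresses are constructed.

RETENTION = {"0xDF1a", "0xDEd0", "0x1607", "0x4856", "0x2836", "0x0573", "0xF653", "0x7dd9"}
INFRA = {"0x1d39", "0x6348"}   # shared split contracts (multiSendETH) described above

# (sender, receiver, eth): constructed sample, not real chain data
TRANSFERS = [
    # direct transfers inside each group
    ("0xDF1a", "0xDEd0", 12.0),
    ("0x1607", "0x4856", 40.5),
    ("0x2836", "0x0573", 8.0),
    ("0x0573", "0xF653", 3.2),
    ("0x2836", "0x7dd9", 5.5),
    # every group pushes ETH through the same infrastructure contracts
    ("0xDF1a", "0x1d39", 30.0),
    ("0x1607", "0x6348", 25.0),
    ("0x2836", "0x1d39", 18.0),
    ("0x7dd9", "0x6348", 9.0),
    # the contracts fan ETH out to addresses that fake trading volume
    ("0x1d39", "0xfake1", 0.5), ("0x1d39", "0xfake2", 0.5), ("0x6348", "0xfake3", 0.4),
]

def cluster(nodes, transfers):
    """Connected components of the transfer graph restricted to `nodes`; an edge
    counts only when both endpoints are in `nodes`, so what is passed as `nodes`
    decides whether shared infrastructure links the groups together."""
    parent = {n: n for n in nodes}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    for sender, receiver, _ in transfers:
        if sender in parent and receiver in parent:
            parent[find(sender)] = find(receiver)

    groups = {}
    for n in nodes:
        groups.setdefault(find(n), set()).add(n)
    return sorted((frozenset(g) for g in groups.values()), key=lambda g: sorted(g))

def infra_split_volume(transfers, infra=INFRA):
    """Total ETH each address sent into the split contracts (a Table 4/5 style tally)."""
    totals = {}
    for sender, receiver, eth in transfers:
        if receiver in infra:
            totals[sender] = totals.get(sender, 0.0) + eth
    return totals

if __name__ == "__main__":
    print("retention only:", [sorted(g) for g in cluster(RETENTION, TRANSFERS)])
    print("with infra    :", [sorted(g) for g in cluster(RETENTION | INFRA, TRANSFERS)])
    print("split volume  :", infra_split_volume(TRANSFERS))
```

With the sample edges, clustering the retention addresses alone gives the three groups from the text, while adding the two infrastructure contracts as nodes merges them into a single component, and 0x0573 shows no split volume at all.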
As mentioned earlier, the shared infrastructure addresses are:
0x1d3970677aa2324E4822b293e500220958d493d0 and 0x634847D6b650B9f442b3B582971f859E6e65eB53.
The 0x1d39 address mainly features two functions: “multiSendETH” and “0x7a860e7e”. The primary function of multiSendETH is to split transfers. Fund retention addresses use multiSendETH to distribute some of the funds to multiple addresses, faking trading volume for Rug Pull tokens. The transaction details for this are shown in Figure 14.
This splitting operation helps the attackers simulate token activity, making the tokens appear more attractive, thereby enticing more users or new token bots to purchase. Through this method, the Rug Pull gang further enhances the deceit and complexity of their scam.
Figure 14: Transaction Information of Fund Splitting by 0x1d39
The function 0x7a860e7e is used to purchase Rug Pull tokens. After receiving the split funds, addresses disguised as normal users either interact directly with Uniswap’s router to buy Rug Pull tokens or use the 0x7a860e7e function to make these purchases, faking trading activity.
The main functions in 0x6348 are similar to those in 0x1d39, with the only difference being that the function for buying Rug Pull tokens is called 0x3f8a436c.
To better understand how the Rug Pull gang utilizes these infrastructures, we crawled and analyzed the transaction history of both 0x1d39 and 0x6348, and tracked how frequently external addresses used these functions. The results are shown in Tables 2 and 3.
From Tables 2 and 3, it is clear that the Rug Pull gang follows a consistent strategy when using these infrastructure addresses. They use only a few fund retention addresses or intermediary addresses for splitting funds, but employ a large number of other addresses to fake the trading volume of Rug Pull tokens. For example, 6,224 addresses were involved in faking trading volume through 0x6348, significantly complicating the task of distinguishing between attacker and victim addresses.
It’s worth noting that the Rug Pull gang doesn’t just rely on infrastructure addresses for faking trading volume—some addresses directly swap tokens on exchanges to fake volume as well.
Additionally, we tracked the usage of these two infrastructure addresses by the 7 fund retention addresses and calculated the total ETH involved in each function. The results are shown in Tables 4 and 5.
From Tables 4 and 5, we see that the fund retention addresses used the infrastructure to split funds 3,616 times, totaling 9,369.98 ETH. Except for 0xDF1a, all the fund retention addresses only used the infrastructure for fund splitting, while the purchases of Rug Pull tokens were completed by the receiving addresses. This demonstrates the Rug Pull gang’s clear and organized approach to their scams.
0x0573 did not use infrastructure for fund splitting, and instead, the funds used to fake trading volume came from other addresses, indicating some variability in how different fund retention addresses operate.
Through analyzing the links between these fund retention addresses and their usage of infrastructure, we now have a more complete picture of how these addresses are connected. The Rug Pull gang’s operations are far more professional and organized than we initially imagined, further suggesting that a well-coordinated criminal group is behind these scams, executing them in a systematic way.
When carrying out a Rug Pull, the Rug Pull gang typically uses a new Externally Owned Account (EOA) as the Deployer to launch the Rug Pull token, with these Deployer addresses generally obtaining the initial funds via centralized exchanges (CEX) or instant exchange platforms. To gain more insight into the source of funds, we analyzed the Rug Pull cases associated with the fund retention addresses mentioned earlier, aiming to obtain more detailed information about how the scam funds are sourced.
Table 6 shows the distribution of the Deployer’s source of funds labels for each fund retention address connected to the Rug Pull cases.
Looking at the data in Table 6, we can see that the majority of funds for the Rug Pull token deployer in these Rug Pull cases come from centralized exchanges (CEX). Of the 1,124 Rug Pull cases we analyzed, 1,069 (95.11%) had funds originating from centralized exchange hot wallets. This means that for most of these Rug Pull cases, we can trace the specific account holders by examining the KYC information and withdrawal histories from the centralized exchanges, which can provide crucial clues to solving the case. Further investigation revealed that these Rug Pull gangs often obtain funds from multiple exchange hot wallets, and the frequency and distribution of usage across these wallets are roughly equal. This suggests that the Rug Pull gang intentionally increases the independence of each Rug Pull case’s fund flow, making it harder to trace, and complicating any investigative efforts.
Through a detailed analysis of the fund retention addresses and Rug Pull cases, we have developed a profile of these Rug Pull gangs: they are highly trained, with clear roles and responsibilities, well-planned, and highly organized. These characteristics highlight the high level of professionalism and the systemic nature of their fraudulent operations.
Given the level of organization behind these gangs, we began to question: how do these Rug Pull gangs get users to find and buy their Rug Pull tokens? To answer this, we focused on victim addresses in these Rug Pull cases and began investigating how these gangs lure users into participating in their scams.
By analyzing fund associations, we compiled a list of Rug Pull gang addresses, which we maintain as a blacklist. We then extracted the victim addresses from the transactions.
After analyzing these victim addresses, we obtained the related victim address information tied to the fund retention addresses (Table 7) and their contract interaction data (Table 8).
From the data in Table 7, we can see that, on average, there are 26.82 victim addresses per Rug Pull case in the Rug Pull cases captured by our on-chain monitoring system (CertiK Alert). This number is higher than we initially expected, indicating that the impact of these Rug Pull cases is greater than we originally thought.
In Table 8, we can observe that, among the contract interactions for victim addresses purchasing Rug Pull tokens, in addition to more conventional purchase methods through platforms like Uniswap and MetaMask Swap, 30.40% of the Rug Pull tokens were bought through well-known on-chain sniper bot platforms like Maestro and Banana Gun.
This finding highlights that on-chain sniper bots could be an important promotional channel for the Rug Pull gang. These sniper bots allow the Rug Pull gang to quickly attract participants, particularly those focused on new token investments. As a result, we have turned our attention to these on-chain sniper bots to better understand their role in Rug Pull scams and how they contribute to the promotion of these fraudulent schemes.
We conducted research into the current Web3 new token ecosystem, examined the operation models of on-chain sniper bots, and combined some social engineering techniques to identify two potential Rug Pull gang advertising channels: Twitter and Telegram groups.
It is crucial to note that these Twitter accounts and Telegram groups were not specifically created by the Rug Pull gang, but instead are basic components of the new token ecosystem. They are operated and maintained by third-party entities such as on-chain sniper bot teams or professional new token investment groups, with the purpose of promoting newly launched tokens to investors. These groups have become natural advertising avenues for the Rug Pull gang, who use them to attract users to buy malicious tokens, thus carrying out their scams.
Figure 15: TOMMI token Twitter advertisement
Figure 15 shows a Twitter ad for the TOMMI token. As we can see, the Rug Pull gang used Dexed.com’s new token promotion service to publicize their Rug Pull token, attracting a wider audience of potential victims. During our investigation, we found that many Rug Pull tokens had ads appearing on Twitter, typically from Twitter accounts operated by different third-party organizations.
Figure 16: Banana Gun New Token Promotion Group
Figure 16 illustrates a Telegram group run by the on-chain sniper bot team Banana Gun, which is dedicated to promoting newly launched tokens. This group not only shares basic information about new tokens but also provides users with easy access to purchase them. After setting up the Banana Gun Sniper Bot, users can quickly purchase a token by clicking the “Snipe” button (highlighted in red in Figure 16) next to the token promotion in the group.
We manually sampled the tokens promoted in this group and discovered that a large proportion of them were actually Rug Pull tokens. This finding strengthens our belief that Telegram groups are likely a key advertising channel for the Rug Pull gang.
The next question is: what percentage of the new tokens promoted by third-party organizations are Rug Pull tokens? How large is the scale of these Rug Pull gangs? To answer these questions, we decided to conduct a systematic scan and analysis of the new token data being promoted in Telegram groups, in order to uncover the scale of the associated risks and the extent of the fraudulent activity.
To assess the proportion of Rug Pull tokens among the newly promoted tokens in Telegram groups, we crawled the data of newly launched Ethereum tokens pushed by Banana Gun, Unibot, and other third-party token message groups between October 2023 and August 2024 using Telegram’s API. We found that during this period, these groups pushed a total of 93,930 tokens.
Based on our analysis of Rug Pull cases, Rug Pull gangs typically create liquidity pools for Rug Pull tokens in Uniswap V2 and inject ETH. Once users or new token bots buy the Rug Pull tokens, the attackers profit by dumping or removing liquidity, usually completing the process within 24 hours.
Therefore, we created the following detection rules for Rug Pull tokens and applied them to scan the 93,930 tokens to determine the proportion of Rug Pull tokens among the new tokens promoted in Telegram groups:
No transfers in the last 24 hours for the target token: Rug Pull tokens usually stop having activity after the dump;
Liquidity pool exists between target token and ETH in Uniswap V2: Rug Pull gangs create liquidity pools between the token and ETH in Uniswap V2;
Total transfer events since token creation do not exceed 1,000: Rug Pull tokens typically have fewer transactions, so the number of transfers is relatively small;
Large liquidity withdrawals or dumps are present in the last 5 transactions: Rug Pull tokens typically end with large liquidity withdrawals or dumps.
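The four rules above, written out as a classifier over per-token data, as an added example that is not the report's own tooling. It assumes constructed inputs (transfer timestamps and Uniswap V2 pair events with the ETH change in the pool reserve); the "large" threshold of half the peak ETH reserve, the dataclass names and the placeholder addresses are assumptions, and the result also records the active time used in the 72-hour analysis and whether the final exit was a liquidity removal or a dump.

```python
from dataclasses import dataclass, field
from collections import Counter
from typing import List

HOUR = 3600

@dataclass
class PoolEvent:
    """One Uniswap V2 pair event for the token/ETH pool (constructed, not real chain data)."""
    ts: int           # block timestamp (unix seconds)
    kind: str         # "mint" = add liquidity, "burn" = remove liquidity, "swap"
    eth_delta: float  # ETH that entered (+) or left (-) the pool reserve

@dataclass
class TokenHistory:
    """What the four rules need per token: transfer timestamps plus pool events."""
    address: str
    created_at: int
    transfer_ts: List[int]           # timestamps of ERC-20 Transfer events, ascending
    v2_eth_pool: bool                # a token/WETH pair exists on Uniswap V2
    pool_events: List[PoolEvent] = field(default_factory=list)  # chronological

def peak_eth_reserve(events):
    """Largest ETH reserve the pool ever held, found by replaying the deltas."""
    reserve, peak = 0.0, 0.0
    for ev in events:
        reserve += ev.eth_delta
        peak = max(peak, reserve)
    return peak

def classify(tok, now, large_ratio=0.5):
    """Apply the four heuristics; a token is flagged only when all four hold."""
    checks = {
        # Rule 1: no Transfer event in the trailing 24 hours
        "quiet_24h": not tok.transfer_ts or tok.transfer_ts[-1] <= now - 24 * HOUR,
        # Rule 2: a token/ETH liquidity pool exists on Uniswap V2
        "v2_eth_pool": tok.v2_eth_pool,
        # Rule 3: at most 1,000 transfers since creation
        "le_1000_transfers": len(tok.transfer_ts) <= 1000,
    }
    # Rule 4: one of the last five pool events drains a large share of the peak ETH reserve
    peak = peak_eth_reserve(tok.pool_events)
    exit_kind, exit_ts = None, None
    for ev in tok.pool_events[-5:]:
        if ev.kind in ("burn", "swap") and peak > 0 and -ev.eth_delta >= large_ratio * peak:
            exit_kind = "remove_liquidity" if ev.kind == "burn" else "dump"
            exit_ts = ev.ts
    checks["large_exit"] = exit_kind is not None
    flagged = all(checks.values())
    active_h = (exit_ts - tok.created_at) / HOUR if flagged else None  # creation -> final exit
    return {"address": tok.address, "rug_pull": flagged, "checks": checks,
            "cashout": exit_kind if flagged else None, "active_hours": active_h}

def active_bucket(hours):
    """Buckets used in the active-time analysis (under 3h, 3h to 72h, over 72h)."""
    return "<3h" if hours < 3 else ("3-72h" if hours <= 72 else ">72h")

def summarize(tokens, now):
    """Counts of the kind tabulated in the report: flagged tokens, active-time buckets, cash-out methods."""
    results = [classify(t, now) for t in tokens]
    rugs = [r for r in results if r["rug_pull"]]
    return {"total": len(results), "rug_pull": len(rugs),
            "buckets": Counter(active_bucket(r["active_hours"]) for r in rugs),
            "cashout": Counter(r["cashout"] for r in rugs)}

# Constructed sample: T0 is an arbitrary creation time, NOW is 30 hours later.
T0, NOW = 1_700_000_000, 1_700_000_000 + 30 * HOUR
RUG = TokenHistory("0xRUG...placeholder", T0,
                   [T0 + 60 * i for i in range(40)], True,   # 40 transfers, all within 40 minutes
                   [PoolEvent(T0 + 300, "mint", 5.0),
                    PoolEvent(T0 + 900, "swap", 0.8), PoolEvent(T0 + 1500, "swap", 0.6),
                    PoolEvent(T0 + 9000, "burn", -6.2)])     # liquidity pulled 2.5h after creation
HONEST = TokenHistory("0xOK...placeholder", T0,
                      [T0 + 50 * i for i in range(2100)], True,  # still trading at NOW
                      [PoolEvent(T0 + 300, "mint", 5.0)] +
                      [PoolEvent(T0 + 600 * i, "swap", 0.2) for i in range(1, 5)])

if __name__ == "__main__":
    for t in (RUG, HONEST):
        print(classify(t, NOW))
    print(summarize([RUG, HONEST], NOW))
```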
We applied these rules to the tokens promoted in Telegram groups, and the results are shown in Table 9.
As shown in Table 9, out of the 93,930 tokens promoted in Telegram groups, 46,526 were identified as Rug Pull tokens, making up 49.53% of the total. This means nearly half of the tokens promoted in Telegram groups are Rug Pull tokens.
Considering that some project teams may also withdraw liquidity after a project fails, this behavior should not be automatically classified as Rug Pull fraud. Therefore, we considered the potential impact of false positives on the analysis. Although Rule 3 helps filter most similar cases, some misjudgment could still occur.
To better understand the impact of false positives, we analyzed the active time of the 46,526 Rug Pull tokens and the results are shown in Table 10. By analyzing active times, we can better distinguish between genuine Rug Pull behavior and liquidity withdrawals due to project failure, allowing for a more accurate assessment of the true scale of Rug Pull activities.
Through analyzing the active times, we found that 41,801 Rug Pull tokens had an active time (from token creation to the final Rug Pull) of less than 72 hours, accounting for 89.84%. In normal cases, 72 hours would not be enough to determine if a project has failed, so we consider Rug Pull behavior with an active time under 72 hours as abnormal withdrawal behavior, not typical of legitimate project teams.
Therefore, even in the worst-case scenario, the remaining 4,725 Rug Pull tokens with an active time greater than 72 hours do not fit the definition of Rug Pull fraud in this paper. However, our analysis still has significant value, as 89.84% of the cases align with expectations. Moreover, the 72-hour threshold is still relatively conservative, as in actual sampling, many tokens with an active time greater than 72 hours still fall into the Rug Pull fraud category.
Interestingly, 25,622 tokens had an active time of less than 3 hours, accounting for 55.07%. This shows that Rug Pull gangs are operating at very high efficiency, with a “short and quick” approach and extremely high capital turnover rates.
We also evaluated the cash-out methods and contract call patterns for the 46,526 Rug Pull tokens to confirm the tendencies of the Rug Pull gangs.
The evaluation of cash-out methods mainly focused on how the Rug Pull gangs extracted ETH from liquidity pools. The main methods are:
Dumping tokens: The Rug Pull gang uses tokens obtained through pre-allocation or backdoor code to redeem all ETH in the liquidity pool.
Removing liquidity: The Rug Pull gang removes all of their own funds added to the liquidity pool.
The evaluation of contract call patterns looked at which target contract objects the Rug Pull gangs interacted with during the Rug Pull process. The main objects are:
Decentralized exchange router contracts: Used to directly manipulate liquidity.
Custom attack contracts: Self-built contracts used for executing complex fraudulent operations.
By evaluating the cash-out methods and contract call patterns, we can further understand the Rug Pull gang’s modus operandi and characteristics, which will help us better prevent and identify similar scams.
The relevant evaluation data for cash-out methods is shown in Table 11.
From the evaluation data, we can see that the number of cases where the Rug Pull gang used liquidity removal for cashing out is 32,131, accounting for 69.06%. This indicates that these Rug Pull gangs prefer liquidity removal for cashing out, possibly because it is simpler and more direct, without the need for complex contract creation or additional steps. In contrast, cashing out by dumping tokens requires the Rug Pull gang to set up a backdoor in the token’s contract code, allowing them to acquire tokens needed for the dump at zero cost. This process is more complex and riskier, so there are fewer cases involving it.
The relevant evaluation data for contract call patterns is shown in Table 12.
From Table 12, we can clearly see that the Rug Pull gangs prefer to use the Uniswap router contract to execute Rug Pull operations, having done so 40,887 times, accounting for 76.35% of all operations. The total number of Rug Pull executions is 53,552, which is higher than the number of Rug Pull tokens (46,526). This suggests that in some cases, the Rug Pull gang executes multiple Rug Pull operations, possibly to maximize profits or cash out in batches targeting different victims.
Next, we performed a statistical analysis on the cost and revenue data for the 46,526 Rug Pull tokens. It should be noted that we consider the ETH obtained by the Rug Pull gang from centralized exchanges or instant exchange services before deploying the token as the cost, and the ETH recovered at the final Rug Pull as the revenue for statistical purposes. The actual cost data may be higher, as we have not accounted for ETH invested by Rug Pull gangs to fake liquidity pool transactions.
The cost and revenue data are shown in Table 13.
In the statistical analysis of the 46,526 Rug Pull tokens, the total final profit is 282,699.96 ETH, with a profit margin of 188.70%, equivalent to approximately $800 million. Although the actual profit may be slightly lower than the above figures, the overall scale of funds remains extremely impressive, demonstrating that these Rug Pull gangs have generated substantial profits through fraud.
Based on the analysis of the entire token data from Telegram groups, the Ethereum ecosystem is already flooded with a large number of Rug Pull tokens. However, we still need to confirm an important question: do these tokens promoted in Telegram groups represent all the tokens launched on the Ethereum mainnet? If not, what proportion of the tokens launched on Ethereum mainnet do they account for?
Answering this question will give us a comprehensive understanding of the current Ethereum token ecosystem. Therefore, we have started to conduct an in-depth analysis of Ethereum mainnet tokens to assess the coverage of tokens pushed in Telegram groups. This analysis will allow us to further clarify the severity of the Rug Pull issue within the broader Ethereum ecosystem and the influence of Telegram groups in token promotion.
We crawled the block data from the RPC nodes for the same period (October 2023 to August 2024) as the analysis of Telegram group tokens. From these blocks, we retrieved newly deployed tokens (excluding proxy-deployed tokens, as there are very few Rug Pull cases involving them). We captured a total of 154,500 tokens, with 54,240 of them being Uniswap V2 liquidity pool (LP) tokens, which are excluded from the scope of this paper.
After filtering out the LP tokens, we ended up with 100,260 tokens. The relevant information is shown in Table 14.
We applied our Rug Pull detection rules to these 100,260 tokens, and the results are shown in Table 15.
Out of the 100,260 tokens detected, we identified 48,265 Rug Pull tokens, which account for 48.14% of the total—this is nearly identical to the proportion of Rug Pull tokens in the Telegram group-pushed tokens.
To further analyze the overlap between the tokens pushed in Telegram groups and those deployed on the Ethereum mainnet, we compared the data for both sets of tokens. The results are shown in Table 16.
From Table 16, we can see that the overlap between the Telegram group-pushed tokens and the Ethereum mainnet tokens contains 90,228 tokens, accounting for 89.99% of the mainnet tokens. There are 3,703 tokens promoted in Telegram groups that are not found on the mainnet. These tokens are proxy-deployed and weren’t included in our mainnet token capture.
There are 10,032 tokens on the mainnet that weren’t pushed in Telegram groups, likely because they were filtered out by the promotion rules due to insufficient appeal or failure to meet certain criteria.
We then performed Rug Pull detection on the 3,703 proxy-deployed tokens and found only 10 Rug Pull tokens. This indicates that proxy-deployed tokens have little impact on the Rug Pull detection results in Telegram groups, and the detection results are highly consistent with those of the mainnet tokens.
The 10 proxy-deployed Rug Pull token addresses are listed in Table 17. If you’re interested, you can explore these addresses in more detail. We won’t go into this further here.
This analysis confirms that the Rug Pull token proportion in the Telegram group-pushed tokens closely matches that on the Ethereum mainnet, further highlighting the importance and influence of these promotional channels in the current Rug Pull ecosystem.
We can now answer the question posed above: do the tokens pushed in Telegram groups cover all the tokens launched on the Ethereum mainnet, and if not, what proportion do they account for?
The answer is that the tokens pushed by Telegram groups account for about 90% of the mainnet tokens, and their Rug Pull detection results are highly consistent with those of the mainnet tokens. Therefore, the Rug Pull detection and data analysis of Telegram-pushed tokens presented above can essentially reflect the current state of the Ethereum mainnet token ecosystem.
As mentioned earlier, the Rug Pull tokens on the Ethereum mainnet account for approximately 48.14%, but we are also interested in the remaining 51.86% of non-Rug Pull tokens. Even excluding Rug Pull tokens, there are still 51,995 tokens in an unknown state, which is far more than a reasonable number of new tokens would suggest. Therefore, we computed, for all tokens on the mainnet, the time from creation to the final cessation of activity; the results are shown in Table 18.
According to data from Table 18, when we examine the entire Ethereum mainnet, there are 78,018 tokens that exist for less than 72 hours, which represents 77.82% of the total. This figure significantly exceeds the number of Rug Pull tokens we have identified, suggesting that our detection rules do not encompass all instances of Rug Pulls. Indeed, our random sampling tests have revealed some Rug Pull tokens that initially went undetected. Additionally, this might indicate the presence of other types of fraud, such as phishing attacks or Ponzi schemes, which require further investigation.
Moreover, there are 22,242 tokens with lifecycles exceeding 72 hours. These tokens, however, are not the primary focus of our study, implying that additional details remain to be uncovered. Among these, some tokens may belong to projects that failed or had a user base but lacked sustained developmental support. The narratives and reasons behind these tokens could uncover intricate market dynamics.
The token ecosystem on the Ethereum mainnet is considerably more complex than anticipated, filled with both short-lived and enduring projects, alongside ever-present risks of fraudulent activities. The primary aim of this paper is to draw attention to these issues, with the hope that it will make people aware of the ongoing secretive activities of criminals. By sharing this analysis, we aim to spark further interest and research into these matters, ultimately improving the security of the entire blockchain ecosystem.
The fact that Rug Pull tokens constitute 48.14% of all new tokens issued on the Ethereum mainnet is alarmingly significant. This ratio suggests that for every two tokens launched on Ethereum, one is likely a fraud, reflecting the chaotic and disordered state of the Ethereum ecosystem to some extent. However, the real concerns extend beyond just the Ethereum token ecosystem. We have observed that the number of Rug Pull cases on other blockchain networks surpasses those on Ethereum, indicating that the token ecosystems on these networks also warrant thorough investigation.
Despite the high proportion of Rug Pull tokens, approximately 140 new tokens are still launched daily on Ethereum, far exceeding what might be considered a normal range. What undisclosed secrets might these other, non-fraudulent tokens hold? These are crucial questions that merit deep contemplation and further research.
Additionally, this paper highlights several key issues that require more exploration:
Identifying Rug Pull Gangs: With the large volume of Rug Pull cases detected, how can we effectively identify the number of distinct Rug Pull gangs behind these cases, and determine if there are connections between them? Analyzing financial flows and shared addresses could be crucial.
Distinguishing Victims from Attackers: Differentiating between victims and attackers is essential for identifying fraud. However, the line between victim and attacker addresses can often be blurred, raising the need for more precise methods.
Advancing Rug Pull Detection: Current Rug Pull detection primarily relies on post-event analysis. Could we develop methods for real-time or even preemptive detection to identify potential Rug Pull risks in active tokens sooner? This capability could help mitigate losses and facilitate timely interventions.
Profit Strategies of Rug Pull Gangs: What are the conditions under which Rug Pull gangs decide to cash out? Understanding their profit strategies could help predict and prevent Rug Pull incidents.
Exploring Other Promotional Channels: While Twitter and Telegram are known channels for promoting fraudulent tokens, are other platforms also being exploited? The potential risks associated with forums, other social media, and advertising platforms also deserve scrutiny.
These are complex issues that require further discussion and research, which we leave for ongoing study and debate. The rapid development of the Web3 ecosystem demands not only technological advancements but also broader monitoring and deeper research to address evolving risks and challenges.
Given the prevalence of scams in the token launch ecosystem, Web3 investors need to be exceedingly cautious. As Rug Pull gangs and anti-fraud teams enhance their tactics, it becomes increasingly challenging for investors to identify fraudulent tokens or projects.
For investors interested in the new token market, our security experts suggest the following:
Use Reputable Centralized Exchanges: Prefer buying new tokens through well-known centralized exchanges, which typically have stricter project screenings and offer higher security.
Verify Official Sources on Decentralized Exchanges: Ensure the tokens are purchased from official contract addresses and avoid tokens promoted through unofficial or suspicious channels.
Research the Project’s Website and Community: Lack of an official website or active community often signals higher risk. Be particularly cautious of tokens promoted through third-party Twitter and Telegram groups, which may not have undergone security verification.
Check the Token’s Creation Time: Avoid tokens that were created less than three days ago as Rug Pull tokens often have a very short active period.
Utilize Third-Party Security Services: If possible, use token scanning services offered by third-party security organizations to assess the safety of target tokens.
Aside from the Rug Pull fraud rings that are the focus of this paper, an increasing number of similar criminals are exploiting the infrastructure and mechanisms of various sectors or platforms within the Web3 industry for illegal profits, significantly worsening the security situation of the current Web3 ecosystem. We need to start paying attention to issues that are often overlooked to prevent criminals from finding opportunities.
As previously mentioned, the flow of funds from Rug Pull schemes eventually passes through major exchanges, but we believe that the flow of funds associated with Rug Pull scams is just the tip of the iceberg. The scale of malicious funds passing through exchanges may be far beyond our imagination. Therefore, we strongly urge major exchanges to implement stricter regulatory measures against these malicious flows, actively combat illegal and fraudulent activities, and ensure the safety of users’ funds.
Providers of services like project promotion and on-chain sniper bots, whose infrastructure has indeed become a tool for fraud gangs to profit, are also of concern. Hence, we call on all third-party service providers to enhance the security review of their products or content to prevent misuse by criminals.
Furthermore, we call on all victims, including MEV arbitrageurs and ordinary users, to actively use security scanning tools to assess unknown projects before investing, refer to the project ratings of authoritative security organizations, and actively disclose the malicious actions of criminals to expose unlawful phenomena in the industry.
As a professional security team, we also urge all security practitioners to proactively discover, identify, and combat illegal activities, be vocal in their efforts, and safeguard the financial safety of users.
In the Web3 domain, users, project developers, exchanges, MEV arbitrageurs, and other third-party service providers all play a crucial role. We hope every participant can contribute to the sustainable development of the Web3 ecosystem and work together to create a safer, more transparent blockchain environment.