You find a token early. The chart looks perfect — steady climb, growing volume, an active Telegram group. The team is anonymous but responsive. The website is polished. The narrative is compelling: a new utility, a groundbreaking partnership, a meme with momentum.

You buy. The price goes up. You tell yourself you will take profits at the next resistance level.

The next morning, the chart is a vertical line — straight down. The liquidity is gone. The Telegram group is deleted. The website returns a 404. The token you hold is worth exactly zero, and there is no one to contact, no support desk, no recourse.

You were rugged.

This is the most common form of crypto fraud. Unlike flash loan attacks or reentrancy attacks, which exploit smart contract vulnerabilities, rug pulls do not require a code bug. They exploit trust. The developers do not need to hack anything — they built the system, and they built it with an exit door only they can open.

BLUF: A rug pull happens when token creators intentionally drain value from their own project after attracting enough buyers. The three most common methods are: (1) liquidity pulls — developers remove the tokens they deposited into a DEX liquidity pool, making the token untradeable; (2) hidden mint functions — the smart contract contains secret code that lets developers create unlimited tokens and dump them; (3) sell restrictions — the contract allows buying but blocks selling, trapping buyers while the team cashes out. The defense is on-chain: check if liquidity is locked or burned, read the contract source code, and verify there are no hidden mint or pause functions before buying.

How Rug Pulls Work

To understand rug pulls, you need to understand how new tokens are created and traded on decentralized exchanges.

The Lifecycle of a New Token

When someone launches a token on Ethereum, Solana, or another chain, the process typically goes like this:

  1. Deploy the token contract — a smart contract that defines the token’s supply, name, and rules
  2. Create a liquidity pool — deposit the new token plus a paired asset (ETH, USDC, SOL) into a DEX pool so the token can be traded
  3. Marketing — promote the token on social media, Telegram, Discord to attract buyers
  4. Trading begins — users buy the token, the price rises as demand increases

At this point, the token has value because the liquidity pool allows it to be bought and sold. Buyers trust that the pool will remain liquid — that they can sell when they want to.

A rug pull happens at step 4 or later, when the developers intentionally break the system they created to extract value before abandoning it.

The Three Types of Rug Pulls

Type 1: Liquidity Pulls (The Classic Rug)

This is the original rug pull. The developers create a token, add liquidity to a DEX pool, market it, wait for the price to rise as buyers come in — and then withdraw all the paired assets (ETH, USDC) from the pool.

Here is the sequence:

  1. Developers create Token X and deposit 100 million Token X + 50 ETH into a Uniswap pool. Initial price: small.
  2. Buyers purchase Token X with ETH. The pool now has fewer Token X and more ETH — say 80 million Token X and 100 ETH. The price of Token X has risen.
  3. Developers withdraw their liquidity — they remove the LP tokens they hold, pulling out the 100 ETH (and some Token X).
  4. The pool is now nearly empty. Token X is effectively untradeable — there is no liquidity to sell into. The price crashes to zero. Buyers are left holding worthless tokens.

The developers walk away with ~100 ETH (minus the 50 they initially deposited) — a profit of ~50 ETH extracted directly from buyers’ purchases.

How to detect it: Check whether the liquidity pool tokens are locked or burned. Reputable projects use time-locked liquidity — the LP tokens are sent to a smart contract that prevents withdrawal for a set period (months or years). Some projects go further and burn the LP tokens entirely, making withdrawal permanently impossible. If liquidity is not locked or burned, the team can pull it at any time.

Tools like Token Sniffer, GoPlus Security API, and DexScreener display whether liquidity is locked and for how long. If the lock duration is less than a few months, or if there is no lock at all, the risk of a liquidity pull is high.

Type 2: Hidden Mint Functions (The Stealth Rug)

This type is harder to detect because the developers do not withdraw liquidity — they create new tokens out of thin air and sell them into the pool, draining the paired assets.

The token contract appears normal on the surface. But hidden in the code is a function that allows the owner to mint unlimited additional tokens. The function may be obfuscated — called something innocuous like updateSupply() or wrapped in modifier logic that makes it non-obvious.

Here is the sequence:

  1. Developers deploy Token X with a total supply of 1 billion tokens. The contract has a hidden mint function callable only by the owner.
  2. Liquidity is added. Buyers purchase Token X. The price rises.
  3. At the peak, the developer calls the mint function — creating 5 billion new tokens out of nothing.
  4. The developer dumps these 5 billion tokens into the liquidity pool, selling them for ETH. The enormous sell pressure crashes the price by 80-99%.
  5. The developer withdraws the ETH and disappears.

Buyers see the chart implode but the liquidity pool still exists — it was not a liquidity pull. The token is technically still tradeable, but the price is near zero because the supply was inflated 5x overnight.

How to detect it: Read the contract source code. If the contract is not verified on Etherscan or the block explorer, do not buy — period. If it is verified, look for any function that calls mint() or modifies _totalSupply. Use automated tools like Token Sniffer or GoPlus, which flag contracts with mint capabilities. A legitimate token should have its total supply fixed at deployment with no owner-controlled mint function.

Type 3: Sell Restrictions (The Honeypot Rug)

This is the cruelest type because everything looks perfect until the moment you try to exit.

The token contract is designed so that buying works normally but selling is blocked or severely restricted. Buyers see the price rising on the chart, their portfolio value increasing, and they believe they are making money. But when they try to sell, the transaction reverts — silently failing or returning an error.

The mechanism is usually a modifier on the transfer() function that checks whether the sender is the owner. If not, the transfer is blocked. Variations include:

  • Complete sell block — no one except the owner can sell
  • Progressive sell tax — each sale is taxed at 50%, 80%, or 99%, effectively stealing the proceeds
  • Cooldown traps — after buying, you must wait hours or days before selling, during which the price is manipulated down
  • Whale limits — sell amounts are capped so low that exiting a meaningful position takes weeks, during which the team dumps their tokens

This type overlaps with honeypot scams. The defining feature is that the contract code actively prevents exits while the team extracts value through their own unrestricted selling.

How to detect it: This is the hardest to detect from the chart alone — the chart shows successful buys (which inflate the price) but no sells (because sells revert). The result is a chart that only goes up, which is itself a red flag. Use a honeypot checker (Token Sniffer, Honeypot.is, GoPlus) which simulates a buy-then-sell transaction and reports whether selling would succeed. If the checker reports “cannot sell” or “HONEYPOT,” do not buy under any circumstances.

Real-World Cases

Rug pulls have cost crypto users billions of dollars. Some notable examples:

Squid Game Token (2021): A token themed around the popular Netflix show. The price went from $0.01 to over $2,800 in a week. Then the developers pulled liquidity and the price dropped to $0.0007 in five minutes. Buyers could not sell during the run-up — the contract had a sell restriction. Estimated losses: over $3 million.

AnubisDAO (2021): A meme token that raised ~$60 million in ETH through an initial liquidity offering. Less than 24 hours after launch, the liquidity was drained and the funds disappeared. The developers were anonymous. No recovery.

Meerkat Finance (2021): A DeFi project on BNB Chain that claimed to be hacked for $31 million. Investigation suggested it was an inside job — the “hack” was the team draining their own protocol.

Iceberg Token (various): Dozens of low-cap tokens launched daily on chains like Base, Solana, and BNB Chain follow the same pattern: launch, pump, rug, repeat. Chainalysis estimates that rug pulls accounted for 37% of all crypto scam revenue in 2022 — the single largest category.

How to Protect Yourself

1. Verify Liquidity Is Locked or Burned

Before buying any token, check the liquidity status:

  • Token Sniffer (tokensniffer.com) — automated contract audit + liquidity lock status
  • DexScreener (dexscreener.com) — shows LP token holder and lock info
  • GoPlus Security API — programmatic check for liquidity locks, mint functions, and sell restrictions

If liquidity is unlocked or the lock expires in days rather than months, treat it as a high-risk token.

2. Read the Contract Source Code

If the contract is verified on Etherscan or the relevant explorer, read it. You do not need to be a Solidity expert to spot red flags:

  • Search for mint( — if present and callable by the owner, the supply is not fixed
  • Search for pause or blacklist — if the owner can pause transfers or blacklist addresses, they can trap your funds
  • Check the transfer function — if it has conditional logic that restricts who can send tokens, it may be a honeypot

3. Check Holder Distribution

If one or two addresses hold 50%+ of the total supply, those holders can dump at any time and crash the price. Use Etherscan or DexScreener to check the top holders. A healthy token has a distributed holder base with no single address controlling a dominant share.

Be especially wary of “team” or “marketing” wallets holding large allocations — these are pre-allocated dump reserves.

4. Use Honeypot Checkers

Before buying, run the token through a honeypot checker:

  • Honeypot.is — simulates a buy-then-sell and reports whether selling works
  • Token Sniffer — automated security score with specific risk flags
  • GoPlus Token Security API — checks 30+ risk signals including honeypot, mint, and proxy patterns

If any checker flags the token as a honeypot or reports that selling is not possible, do not buy.

5. Evaluate the Project Fundamentals

On-chain signals are necessary but not sufficient. Also evaluate:

  • Team identity — anonymous teams carry inherent risk. This does not mean every anonymous project is a scam, but it removes accountability
  • Audit status — has the contract been audited by a reputable firm (CertiK, Hacken, Trail of Bits)? An audit is not a guarantee, but the absence of one is a red flag for projects claiming to manage significant funds
  • GitHub activity — is there actual code being developed, or is the “project” just a token and a website?
  • Community age and quality — a Telegram group created last week with 10,000 members all posting rocket emojis is not organic

6. Use On-Chain Analysis Tools

The risk intelligence API at Onchain Diary can check token safety signals — including honeypot detection, holder concentration, liquidity lock status, and contract verification — before you buy. For a deeper guide, read our token safety checklist and how to spot wallet drainers.

The Psychology of Rug Pulls

Rug pulls succeed not because the technology is complex — it is usually simple — but because they exploit specific psychological patterns:

FOMO (Fear of Missing Out): The token is rising fast. Other people seem to be making money. You feel that every minute you wait costs you gains. This urgency is designed — it prevents you from doing due diligence.

Social proof: The Telegram group has thousands of members. The chart only goes up. The narrative is compelling. But none of this is real evidence of legitimacy — it is theater designed to create trust where none is earned.

Sunk cost fallacy: Once you have bought, you are reluctant to sell at a loss. You hold through the warning signs because admitting you were wrong feels worse than losing the money.

Authority bias: A polished website, professional graphics, and confident communication create an illusion of competence that has nothing to do with whether the team is honest.

The single most effective defense against rug pulls is slowing down. The urgency is manufactured. If you cannot wait 24 hours to research a token before buying, you are the target audience for rug pulls.

Rug Pulls vs. Legitimate Project Failures

Not every token that goes to zero is a rug pull. Legitimate projects fail — the team tries, the product does not find traction, the token loses value. This is risk, not fraud.

The distinction matters:

SignalRug PullLegitimate Failure
Liquidity removed suddenlyYes — team pulls itNo — liquidity remains
Anonymous team disappearsYes — deletes all tracesTeam is identifiable, communicates
Contract had hidden functionsYes — mint/honeypot/sell blockContract was clean, audited
Communication before collapseHype and reassuranceHonest updates about challenges
Funds traceableOften mixed via mixersFunds used for development

If a project fails honestly, you lose money but you were not defrauded. If a project was designed to fail from the start — with hidden functions, unlocked liquidity, and a team planning to exit — you were stolen from.

What to Do If You Are Rugged

If you realize you have been rugged:

  1. Stop buying immediately — do not attempt to “average down” on a token that is being drained
  2. Check if selling is possible — try a small sell. If it reverts, you are in a honeypot and further action will not help
  3. Document everything — contract address, transaction hashes, Telegram screenshots, team handles. This evidence may be useful for law enforcement
  4. Report it — submit the contract address to Chainabuse, the FTC (if US-based), and relevant blockchain analytics firms
  5. Warn others — post the contract address in relevant communities to prevent further victims
  6. Track the funds — use a block explorer to follow where the stolen ETH went. If funds pass through a mixer, recovery is unlikely. If they reach a centralized exchange, there may be a path to freezing

Recovery from rug pulls is rare but not impossible. Law enforcement has successfully recovered funds in several high-profile cases when stolen assets reached regulated exchanges.

The Broader Landscape

Rug pulls are part of a broader category of crypto fraud that includes phishing attacks, address poisoning, wallet drainers, and MEV extraction. What makes rug pulls unique is that the attacker is the project creator — the person you trusted by buying their token.

The structural solution is better infrastructure: token launchpads that enforce liquidity locks, DEX interfaces that display risk scores prominently, and regulatory frameworks that create accountability for token issuers. Until then, individual vigilance remains the primary defense.

For more on protecting yourself on-chain, read our guides on how to verify a token before buying, spotting rug pulls and honeypots, and DeFi protocol red flags.


On-chain analysis helps you understand risk, not eliminate it. Always verify contract security, liquidity status, and holder distribution before buying any token — especially new or low-cap tokens.