The term “rug pull” evokes slapstick hijinks from Saturday morning cartoons, but for cryptocurrency investors, rug pulls are anything but comic relief.
What Is a Rug Pull?
“A rug pull, taken from the expression ‘pulling the rug out,’ is a common type of crypto scam where fraudulent developers lure investors into what appears to be a lucrative new project, then disappear with the funds, leaving the investors with a worthless asset,” explained Brittany Allen, a trust and safety architect at Sift, a company that specializes in online fraud prevention.
A cybersecurity expert with more than a dozen years’ experience combating e-commerce marketplace fraud, Allen explained how rug pull schemes have migrated to Web3, acclimating to decentralized finance platforms.
“While this type of scam isn’t unique to the crypto space, crypto has become a popular target among fraudsters because of the vulnerabilities — particularly lack of consumer education — they have learned to exploit,” she said. “Cryptocurrency is attractive to cybercriminals because transactions are fast and irreversible… With no legal or regulatory oversight, rug pulls leave scammed investors with little recourse to trace or recover stolen funds.”
What Is a Rug Pull?
In cryptocurrency, a rug pull is when project developers abruptly and deliberately abandon a startup once they’ve secured the trust (read: tokenized funds) of their investors. These bad actors essentially take the money and run, leaving behind a worthless asset of their making.
Typically, a rug pull begins with the creation of a new cryptocurrency token that gets listed on a decentralized exchange and paired with a coin from a leading platform, such as Ethereum. Fraudsters then utilize the marketing powers of social media, launching a buzz-worthy, hype-filled promotional campaign across a myriad of channels to bait a community of investors. These scams often dangle empty promises of too-good-to-be-true yields or assign membership in the likes of a Ponzi scheme. With enough traction, a platform’s reach increases alongside its token’s value. Once the price peaks, the core development team dumps its share of the tokens, making its way out with the treasury of investor funds.
Executing a rug pull often involves exploiting a blockchain’s smart contract functionality. Here, developers may exploit self-executing programs responsible for transaction verification by using nefarious code, literally writing traps into a project’s programming.
Gauging by the impact of investment fraud, rug pulls are quite common. Over the course of 2021, scammers rug pulled a total of $2.8 billion, or $7 million per day, according to blockchain analysis firm Chainalysis.
Adding distrust in a market already plagued by volatility, con artists are part of what categorizes crypto — and the DeFi ecosystem at large — as a digital Wild West.
What Does a Rug Pull Scheme Look Like?
“The defining feature of a rug pull is the decision by the developers to abandon the project and take the funds while the investors still believe that the developers are working hard to make the project succeed,” said Ruadhan O, a software engineer and the lead developer of multi-token crypto project Seasonal Tokens, who, like many crypto founders, uses a pseudonym due to security concerns. (For example: A manager at a crypto firm was abducted and held for ransom in 2017.)
Rug pulls are decked out in bells and whistles — a trail of social media hype and fancy graphics designed to bamboozle inexperienced investors, without any real follow-through when it comes to innovation.
“Sometimes this has been planned from the beginning of a project, and sometimes the developers become convinced at a later stage that a project will fail.”
This list of red flags begins with unknown or anonymous project leaders, a barren, low-quality website and a guarantee of high returns. Lofty goals to be completed in an unreasonably short timeframe may decorate a startup’s homepage, accompanied by suspicious social media activity, littered with buzzwords and a desperate sense of urgency.
While both a rug pull and a failed project arrive at the same destination, the routes are decidedly different. Developers of an honest startup will put investor funds toward a company’s growth in accordance with its white paper, a document that outlines the procedure and purpose of a project, providing updates to investors every step of the way. Despite a team’s best enterprising efforts, many projects fail without dishonest intervention. The latest numbers from the U.S. Labor Statistics have it that only 80 percent of new businesses outlive their first year. Within five years, the survival rate for startups halves.
In contrast to a project that simply tanked, a rug pull doesn’t set out to create anything. Its inherent purpose is to fool investors for profit.
“Developers consciously decide to abandon a project before the investors understand what’s happening,” Ruadhan O said. “Sometimes this has been planned from the beginning of a project, and sometimes the developers become convinced at a later stage that a project will fail despite previous honest attempts to make it succeed.”
Most Successful Rug Pulls in Crypto History:
- OneCoin: A crypto-ponzi scheme allegedly duped more than three million of its members out of $4 billion from 2014 to 2016 fronted by Bulgaria-based company OneCoin. To date, it is the largest amount stolen in crypto history. The person allegedly tied to the theft earned a spot on the FBI’s Ten Most Wanted Fugitive List after her disappearance in 2017, BBC reported.
- Africrypt: A $3.6 billion attack took down South African crypto investment platform Africrypt in 2021. Founding brothers Raees and Ameer Cajee have denied any involvement after fleeing to the UK, according to Bloomberg.
- GainBitcoin: After convincing investors they would receive monthly returns on their Bitcoin tokens, creators behind Indian-based company GainBitcoin allegedly ran with an estimated 385,000 to 600,000 bitcoin, or $3 billion to $4.7 billion at the time of theft. Over 200 victims have teamed up in a Bitcoin Legal Defense lawsuit against the release of the accused, Ajay Bhardwaj, according to Delhi-based media outlet Inc 42.
- BitConnect: Now defunct England-based lending platform BitConnect promised investors guaranteed returns despite volatility in the market. Instead, founder Satish Kumbhani was allegedly paying off early investors with the money that came in from later investors, ultimately benefiting from $2.4 billion in global profit. CNN reported that Kumbhani could be facing up to 70 years in prison.
- PlusToken: Over the course of a year, creator Bo Chen and his team allegedly siphoned $2.25 billion worth from primarily South Korean and Chinese investors in their global wallet and exchange platform. A court sentenced its top operators to serve 11 years in jail and pay nearly $1 million in fines, according to CoinGeek.
Source: Comparitech
Types of Rug Pulls
Rug pulls come in two main varieties: hard and soft. As the name implies, a hard rug pull occurs suddenly, without signs of warning. The numbers crash to zero and all tokens immediately lose their value, letting investors know that they’ve been defrauded and that the creators have deserted the project. Alternatively, developers might want to drag their plans out for a bit. In a soft pull, developers play the long game, selling a phony public image dedicated to a project’s enduring success along with their share of the coins.
Regardless of the pace of a hustle, rug pulls span three categories: liquidity stealing, limiting sell orders and dumping.
Liquidity Stealing
The most common of exit schemes, liquidity stealing, is when token creators extract all of the coins invested, or pooled, into a project. DeFi trading platforms require a collection of crypto tokens in order to facilitate actions such as trades, exchanges or loans, which are successfully secured via smart contracts. This safeguard is easily breached however when the developers who designed the security system did so with malicious intent, allowing them privileged access to the locked funds upon exit. Fully compromised, the native token loses its value, crashing to zero.
Limiting Sell Orders
A more covert tactic involves blocking or limiting a users’ ability to sell coins on a trading platform, which can be manipulated at any point in time. Once an exchange has attracted a substantial amount of traffic, backend fraudsters may amend a project’s code to only grant traders the ability to buy into a platform. Meanwhile, selling of the native token is disabled — either partially or entirely — across all but malicious accounts, effectively pouring money into the wallets of corrupt developers. Rug pull tactics that specifically manipulate smart contract technology to funnel money one way are virtual traps known as honeypots.
Whether scammers choose to cap sale amounts or rewrite code that wholly reconfigures a native token’s viability, the end goal will always be to run with the highest amount possible.
Dumping
Also known as “pump-and-dump” schemes, these rug pulls operate off of fabricated public hype, often fueled by social media. Their aim is to lure swaths of eager crypto investors, enlisted to balloon the value of a shiny new token tied to a trending, up-and-coming project. At the optimal time, developers unload their shares and jump ship, plummeting the token’s value for remaining investors caught off guard.
How to Avoid Rug Pulls
Charlton Haupt went “all in” on crypto in 2017 after reading Bitcoin’s white paper, quickly progressing from an investor to a trader shortly thereafter. Now serving as CEO to his own Web3 startup, Bad Astro Society, an NFT project paving a path to launch its 10,000 members into space, Haupt humbly looks back on his early crypto career fumbles as essential learning curves. He, too, fell victim to rug pulls — more than he’d like to count.
“Each time a project turned out to be a rug pull, I was thankful that I only put in what I was willing to have go to zero,” he said. In that same year Haupt entered the crypto space, crowdfunding promotions known as initial coin offerings boomed during an era he lovingly dubbed “the ICO craze of 2017.”
“Each time a project turned out to be a rug pull, I was thankful that I only put in what I was willing to have go to zero.”
One happened so fast it was obvious that the founders just took the money and ran, he said. Another was a slow rug pull, which became evident over time as the team breadcrumbed communication until finally it hit a full stop. In fear of missing out, Haupt kept investing. The next time it wasn’t a rug pull, but rather a startup en route to collapse. Still, he counted his blessings — at least, in this case, the team stayed transparent and kept its community privy as the ship sank.
“I still have a few tokens from projects that I [bought] into when I first started trading that have since gone to zero,” he said. “I still look at them in my wallet from time to time as a reminder to be patient and do my due diligence.”
Onward and upward, Haupt did what he had to do — the same he’d preach to any crypto enthusiast aspiring to build a robust portfolio:
“Shake it off, learn from your mistakes and you'll make it back,” he advised. “Over time, I have done just that.”
Expert Tips
As rug pulls, honeypots and countless other schemes plundered the 2017-2018 bull market, the term “crowdfunding” — which once spurred excitement for eager crypto investors — has since developed a bad reputation sealed in skepticism.
Software engineer and project coordinator Claudiu Minea hopes to change that with a company he co-founded, SeedOn, a crowdfunding platform that employs an intensive validation process in its alternative approach to conventional methods. Here are Minea’s top tips:
- Invest in projects that have had their code audited by certified companies. Before handing over any money, it’s important to vet the team behind a project in order to evaluate that they are even qualified to fulfill the company’s vision.
- Only consider projects that have the liquidity locked for a certain period of time. When liquidity is locked, it renounces the ownership of tokens in the liquidity pool for a fixed amount of time. Without ownership, developers cannot retrieve the pooled funds, instilling investor confidence as it closes the opportunity for developers’ to escape with their money.
- Always question a company’s intentions. Make sure that what the company sets out to achieve is feasible and try to invest in startups that provide utility tokens for an instant return on investment.
- Verify that the team behind the project is actively engaged with its platform’s community. This should include consistent updates sharing the project’s progress in a transparent manner. Results should reflect a trajectory as outlined in its white paper.