CertiK: After studying 40 Rug Pull projects, these 7 points are worthy of warning

ODAILY
04-07

An exit scam, vividly known as a "Rug Pull", is a criminal fraud method in the Web 3.0 field.

A Rug Pull typically works as follows: after creating a seemingly legitimate DeFi project, the fraudsters fabricate transaction volume and user numbers to improve the project's reputation and attract more investors. Once the project reaches a certain scale, the fraudster or team suddenly withdraws a large amount of the project's funds and closes the project, eventually causing the tokens held by investors to lose their value.

While there are plenty of statistics showing the prevalence and impact of exit scams over the years, there are fewer data and reports examining their characteristics and perpetrators. Research like this could improve anti-money laundering (AML) efforts, boost consumer protection, and strengthen the integrity of the Web 3.0 marketplace as a whole.

By studying the full cycle of exit scams from start to finish, we can better dissect the structure of the scams and understand the underlying risk factors and commonalities that lead them to exist. By identifying these signals and indicators, we can adopt smarter security approaches and strategies to more effectively protect the Web 3.0 world.

CertiK conducted research on 40 Rug Pull projects to better understand the commonalities and differences that led to their eventual liquidity removal. By identifying project characteristics and conducting qualitative and quantitative analysis, we obtained the following results.

Concept Definition

For the purpose of this research, we define a Rug Pull as a project with a criminal plan and purpose that actively uses marketing and hype to defraud investors, after which one or more team members siphon off their funds.

In this study, we only looked at Hard Rug Pulls, where a project's team abruptly withdrew funding from the project after receiving significant investment from its community. Soft Rug Pulls are a more subtle way for founders to achieve their fraudulent goals. Founders don’t dump their token holdings all at once, but slowly, while maintaining the illusion that they’re still investing in and supporting the project.

Methodology

In this paper, a sample of 40 Hard Rug Pulls was randomly selected from all Rug Pulls occurring between 2020 and 2023 for research. The sample collected had a wide variance in the total amount stolen, ranging from approximately $3,000 to $12 million.

Crime Analysis

A Hard Rug Pull necessarily involves internal problems within the project team. Put simply, if the team is responsible and there are no signs of a Rug Pull, the incident is considered a hacking incident instead.

In our research on Rug Pull, Rug Pull projects are divided into four categories: project team Rug Pull, malicious developer sabotage, project owner committing crimes, and unknown personnel or teams committing crimes. Definitions and conclusions for each category are further detailed below:


This research highlights the importance of background checks when evaluating new projects and their associated risks. Since the majority of rug pulls are made by project teams, it is critical to consider the team's motivations and their track record before investing in a project.

Rug Pull projects were active for an average of 93 days before the Rug Pull itself occurred. We need to be wary of newly deployed projects where developers are intentionally anonymous or completely unknown, with no commitment to transparency or decentralization.

To combat such scams, reduce risk, and help users make informed decisions, CertiK has developed the KYC badge program. The program focuses on verifying and vetting the teams behind projects, awarding badges only to those teams who agree to undergo thorough background checks. CertiK KYC helps differentiate a verified, transparent, accountable team from other projects.

The Cases

Case Project ①: Team Scam

CertiK investigators interviewed the project leader of an anonymous project (referred to below simply as project ①). During the interview with the project leader, we found several noteworthy points, including the applicant's hesitancy and difficulty recalling the names of other members of the project team. They also claimed to have little knowledge of the project and its structure.

In addition, the project lead and team members had no previous experience with Web 3.0 and could not provide any explanation for the purpose of the project. They stated that the goal of the project was to donate to specific charities, but they had no plans to support charitable initiatives and could not name specific charities. The charitable statement appears to have been merely a marketing ploy, or even bait to attract investors.

Three months after this initial conversation, the project was rug pulled. Our on-chain analysis shows that the project team is solely responsible for the Rug Pull incident.

Case Project ②: Malicious Developer Scam

Unlike project ①, where the whole team participated in the scam, the person responsible for the scam in project ② was an anonymous developer who stole all project funds alone. The conversation between CertiK and the person in charge of project ② happened just a few days before the Rug Pull.

Except for the developer, all other members of project ② had a public relationship with the project. Through in-depth discussion with the project leader, the names and identities of all other members of the team were revealed, but even the project leader himself knew nothing about the developer.

The developer was completely anonymous and used a pseudonym, never participated in any team voice or video calls, and never disclosed any personal information. Because the developer claimed that he has rich experience in Web3. A risk and a problem.

CertiK investigators noticed that project ② actually had no other risk factors besides the anonymous developer. However, the risk posed by anonymous developers is crucial: because anonymous developers hold many permissions on smart contracts, the risk of a Rug Pull increases greatly. A few days after this conversation with the founders, the anonymous developer rug pulled the project.

Red light warning! Don't touch it!

Red Light Signal One: Website Registration

Of the 40 projects analyzed in this article, 37.5% (15) used Namecheap as their domain registrar. Namecheap is a domain privacy provider that lets you register domain names without any personal information. These services may use the privacy service's information and randomly generated emails in place of the actual contact information associated with the domain name. The practice of not asking for personal or identifying information at registration could be extremely attractive to would-be Rug Pull scammers.

It is worth noting that 4 of the 40 projects either had no explicit website domain name or had no data available on the relevant domain name. Projects registered through Namecheap and these unknown projects combined accounted for 45% of the entire sample.

Additionally, none of the 4 Rug Pull incidents by malicious developers used Namecheap, further suggesting that projects that started off innocently are unlikely to intentionally use private domains in an attempt to conceal private information.

Red Light Signal Two: Project Lifespan

Another important variable to consider when researching Rug Pulls is project longevity. In the context of this study, project life is defined as the number of days from the project start date to the date of the Rug Pull. The start date of the project is calculated from the social media creation date, the on-chain wallet creation date and the website date (generally taking the average of the available dates).

In our study of these 40 projects, launch dates were identified for 36 of them. The start date and Rug Pull time were collected to calculate the average and median lifespan of the projects: the projects had an average lifespan of 92 days and a median of 57 days.

While the typical lifespan of most Rug Pull projects is three months or less, it is important to note that there are outliers in the data. For example, there are four projects in the sample with lifetimes of approximately 300 days or more. Although the data shows the trend and characteristics of Rug Pulls, it cannot be generalized.

Red Light Signal Three: Deceptive Tactics

CertiK conducted a content analysis of the overall sample to identify the common deceptive marketing tactics used to attract potential investors. Since the average lifespan of a Rug Pull project is only 93 days, malicious projects focus heavily on building a "presence" once the project is established, in order to obtain more funds before the Rug Pull. CertiK found that projects tend to use multiple strategies in their project presentations.

Red Light Signal Four: Roadmap and Whitepaper

Of the 31 projects whose websites could be accessed to collect project information, CertiK found that most did not provide roadmaps or whitepapers on an ongoing basis. Even where roadmaps or whitepapers exist, the quality can be poor (many grammatical errors, missing information), and fraudulent information is often used in these materials. Relatively mature projects that do have roadmaps and whitepapers focus on marketing materials that promote false legitimacy.

Among these 31 projects, only 7 have roadmaps and 4 have released whitepapers. For projects without roadmaps and whitepapers, the usual line is that the roadmap or whitepaper will be released soon.

Red Light Signal Five: Suspicious Team Introductions

Another important variable in this study was the introduction of the team in the project, and whether the team was anonymous, semi-anonymous or publicly identifiable. In our sample, we collected team profiles for 31 projects, but none of the teams were fully disclosed.

Most projects are completely anonymous, accounting for 24 out of 31 projects (77.4%). The remaining 7 projects were identified as semi-anonymous (22.6% of the sample), providing no identifiable information other than the names of project team members. Photos and names used by other teams were identified as false material after confirmation by our investigators.

Additionally, we found that some Rug Pull incidents used AI-generated “team member” avatars with false names and information.

Using Crime Signature Analysis for Detection and Prevention

CertiK identified and analyzed 7 important variables related to the characteristics and trends of Rug Pull projects. These variables share a large number of commonalities, indicating that Rug Pulls operate in roughly the same way.

However, despite these commonalities, Rug Pull projects also constantly update their techniques and strategies to adapt to the market and keep pace with a changing environment.

To summarize the research results above: most Rug Pull projects have a short lifespan, most are carried out by the project team as a whole, and most use domain name registrars that do not retain the personal information of registrants. Some exceptions were also found in the survey, so these characteristics can be used as a reference, but not as an absolute standard for evaluation.

Project scammers employ as many tactics as possible to lure potential investors, so it's important to do your own due diligence and refer to authoritative information from experts with Web 3.0 security expertise before investing.

Using a third-party security auditor to conduct background checks can increase the efficiency and effectiveness of security measures. CertiK's KYC team is made up of investigative experts. In addition to thorough background checks and risk assessments, CertiK maintains a unique database of Web 3.0 fraudsters, along with qualitative and quantitative tools that use risk indicators to help detect fraud.

Rug pulls are a constant threat to the Web 3.0 ecosystem. Although we identified some high-risk factors from the 40 samples, and our KYC will help high-quality projects stand out, these threats cannot be completely eliminated.

By raising the bar for safety and transparency, CertiK hopes to provide credible proof to those projects that really have ideals, and at the same time, it hopes to help users make informed and correct decisions, and prevent more people from becoming victims of Rug Pull.
