The meme-coin craze has, perhaps unsurprisingly, led to a whole lot of scams popping up. While it might seem like these scams are just random acts by different developers, that is often not the case. In reality, a significant number of these scam tokens are the work of the same groups of people. There are even instances of developers launching several scam tokens daily, affecting thousands of people.
A notable example of such fraudulent activities was recently uncovered by Blockfence, a Web3 security firm. As it turns out, these scammers had been pulling off rug pulls and using sneaky tricks to fool traders, all the while staying under the radar of security tools. In total they managed to swipe over $32 million (around 14,000 ETH) from more than 42,000 people.
Blockfence identified over 1,300 instances of token rug pulls on the Ethereum mainnet, all following a consistent pattern:
- The scammers initially fund a new account with around 15-20 ETH
- They then proceed to create a scam token
- This token is then added to Uniswap, with the scammer conducting trades through multiple accounts. This creates the illusion of genuine buyer interest and substantial trading volume, although it is entirely fake
- Once a sufficient number of people are deceived into buying the token, attracted by its seeming popularity, the scammer makes the token untradeable and drains all the liquidity from the Uniswap pool
While this pattern of scamming might appear straightforward, especially to experienced meme-coin traders and scam detectors, it proves to be quite elusive in practice. The scammer’s token smart contract was sophisticated enough to deceive even well-established scam detection mechanisms.
In the world of meme-coin trading, a token is usually considered safe if the developer who made it locks up the liquidity and renounces ownership. Letting go of ownership means there is no one to manipulate the contract, and locking up the liquidity means the funds in Uniswap pools cannot be moved until they are unlocked. This is supposed to stop any potential manipulation from the token creator.
However, in this scam, the contract owner did lock the liquidity and renounce ownership, luring many into a false sense of security. Yet, a backdoor in the contract allowed the owner to eventually extract all the money from the liquidity pools.
Through this backdoor, the scammer updated victims’ token balances to '1', rendering it unsellable as the token was technically burned. Furthermore, the scammer inflated the token supply in their own wallet and dumped these tokens into the liquidity pool, extracting ETH from it.
Interestingly, to avoid attracting too much attention, the scammer limited their profits to 5–20 ETH from each scam. Given the daily launch of hundreds of scam tokens, this strategy proved quite effective.
The most alarming aspect is that this scam operation continues, and it is unlikely to cease unless, by some wild chance, crypto traders collectively decide to stop trading meme-coins. So, while rug-pulls are an inherent risk in meme-coin trading, traders should keep their eyes peeled. Scammers are always upping their game, so it is best to trade with a good dose of caution.
