In-depth investigation of Rug Pull cases, revealing the chaos in the Ethereum token ecosystem

CertiK
2025-01-08 15:28:21
I hope to help all Web3 members enhance their awareness of prevention, remain vigilant in the face of ever-emerging scams, and take necessary preventive measures in a timely manner to protect their asset security.

Author: CertiK

Introduction

In the Web3 world, new tokens are constantly emerging. Have you ever wondered how many new tokens are issued every day? Are these new tokens safe?

These questions are not unfounded. Over the past few months, the CertiK security team has captured a large number of Rug Pull transaction cases. Notably, all the tokens involved in these cases are newly launched tokens on the blockchain.

Subsequently, CertiK conducted an in-depth investigation into these Rug Pull cases and discovered the existence of organized criminal groups behind them, summarizing the patterned characteristics of these scams. By analyzing the methods used by these groups, CertiK identified a possible promotional channel for Rug Pull scams: Telegram groups. These groups utilize features like "New Token Tracer" in platforms such as Banana Gun and Unibot to attract users to purchase scam tokens and ultimately profit through Rug Pulls.

CertiK compiled the token push information from these Telegram groups from November 2023 to early August 2024, finding a total of 93,930 new tokens pushed, of which 46,526 tokens were involved in Rug Pulls, accounting for a staggering 49.53%. Statistics show that the total investment cost behind these Rug Pull tokens was 149,813.72 ETH, with a profit of 282,699.96 ETH at a return rate of up to 188.7%, equivalent to about $800 million.

To assess the proportion of new tokens pushed by Telegram groups in the Ethereum mainnet, CertiK compiled data on new tokens issued on the Ethereum mainnet during the same period. The data shows that a total of 100,260 new tokens were issued, with tokens pushed through Telegram groups accounting for 89.99% of the mainnet. On average, about 370 new tokens are born each day, far exceeding reasonable expectations. After continuous in-depth investigation, we found a disturbing truth—at least 48,265 tokens are involved in Rug Pull scams, accounting for 48.14%. In other words, nearly one in every two new tokens on the Ethereum mainnet is involved in scams.

Additionally, CertiK has discovered more Rug Pull cases on other blockchain networks. This indicates that the security situation of the entire Web3 new token ecosystem is far more severe than expected, not just limited to the Ethereum mainnet. Therefore, CertiK has written this research report in hopes of helping all Web3 members enhance their awareness of prevention, remain vigilant against the endless stream of scams, and take necessary precautions to protect their asset security.

ERC-20 Tokens

Before officially starting this report, let's first understand some basic concepts.

ERC-20 is one of the most common token standards on blockchains today. It defines a set of specifications that allow tokens to interoperate across different smart contracts and decentralized applications (dApps). The ERC-20 standard specifies the basic functions of a token, such as transferring, querying balances, and authorizing third parties to manage tokens. Because of this standardized protocol, developers can issue and manage tokens more easily, which simplifies the creation and use of tokens. In fact, any individual or organization can issue their own tokens based on the ERC-20 standard and raise startup funds for various financial projects through token presales. Because of the widespread use of ERC-20 tokens, the standard has become the foundation for many ICOs and decentralized finance projects.

Familiar tokens like USDT, PEPE, and DOGE are all ERC-20 tokens, which users can purchase through decentralized exchanges. However, some scam groups may also issue malicious ERC-20 tokens with backdoor codes, list them on decentralized exchanges, and then entice users to purchase them.

Typical Scam Cases of Rug Pull Tokens

Here, we will use a scam case involving a Rug Pull token to gain a deeper understanding of the operational model of malicious token scams. First, it is important to clarify that a Rug Pull refers to a fraudulent act where the project team suddenly withdraws funds or abandons the project in decentralized finance projects, causing significant losses for investors. Rug Pull tokens are specifically issued to carry out such fraudulent activities.

The Rug Pull tokens mentioned in this article are sometimes referred to as "Honey Pot" tokens or "Exit Scam" tokens, but we will uniformly refer to them as Rug Pull tokens in the following text.

· Case Study

The attacker (the Rug Pull group) deployed the TOMMI token from the Deployer address (0x4bAF) and created a liquidity pool with 1.5 ETH and 100,000,000 TOMMI tokens. It then actively bought TOMMI tokens from other addresses it controlled to fake the pool's trading volume and attract users and on-chain new token bots. Once a certain number of new token bots had been lured in, the attacker executed the Rug Pull from the Rug Puller address (0x43a9): the Rug Puller dumped 38,739,354 TOMMI tokens into the liquidity pool in exchange for about 3.95 ETH. The Rug Puller's tokens came from a malicious approval granted by the TOMMI token contract, which allowed the Rug Puller to withdraw TOMMI tokens directly from the liquidity pool before dumping them.

· Related Addresses

  • Deployer: 0x4bAFd8c32D9a8585af0bb6872482a76150F528b7
  • TOMMI Token: 0xe52bDD1fc98cD6c0cd544c0187129c20D4545C7F
  • Rug Puller: 0x43A905f4BF396269e5C559a01C691dF5CbD25a2b
  • User disguised as Rug Puller (one of them): 0x4027F4daBFBB616A8dCb19bb225B3cF17879c9A8
  • Rug Pull fund transfer address: 0x1d3970677aa2324E4822b293e500220958d493d0
  • Rug Pull fund retention address: 0x28367D2656434b928a6799E0B091045e2ee84722

· Related Transactions

  • Deployer obtains startup funds from a centralized exchange: 0x428262fb31b1378ea872a59528d3277a292efe7528d9ffa2bd926f8bd4129457
  • Deploying TOMMI token: 0xf0389c0fa44f74bca24bc9d53710b21f1c4c8c5fba5b2ebf5a8adfa9b2d851f8
  • Creating liquidity pool: 0x59bb8b69ca3fe2b3bb52825c7a96bf5f92c4dc2a8b9af3a2f1dddda0a79ee78c
  • Fund transfer address sends funds to disguised user (one of them): 0x972942e97e4952382d4604227ce7b849b9360ba5213f2de6edabb35ebbd20eff
  • Disguised user purchases tokens (one of them): 0x814247c4f4362dc15e75c0167efaec8e3a5001ddbda6bc4ace6bd7c451a0b231
  • Rug Pull: 0xfc2a8e4f192397471ae0eae826dac580d03bcdfcb929c7423e174d1919e1ba9c
  • Rug Puller sends the proceeds to the transfer address: 0xf1e789f32b19089ccf3d0b9f7f4779eb00e724bb779d691f19a4a19d6fd15523
  • Transfer address sends funds to the fund retention address: 0xb78cba313021ab060bd1c8b024198a2e5e1abc458ef9070c0d11688506b7e8d7

· Rug Pull Process

1. Prepare attack funds.

The attacker deposits 2.47309009 ETH into the Token Deployer (0x4bAF) through a centralized exchange as startup funds for the Rug Pull.

Figure 1 Transaction information of Deployer obtaining startup funds from the exchange

2. Deploy the backdoored Rug Pull token.

The Deployer creates the TOMMI token, pre-mining 100,000,000 tokens and allocating them to itself.

Figure 2 Transaction information of Deployer creating TOMMI token

3. Create the initial liquidity pool.

The Deployer creates a liquidity pool with 1.5 ETH and all pre-mined tokens, obtaining about 0.387 LP tokens.

Figure 3 Transaction flow of Deployer creating liquidity pool

4. Destroy all pre-mined token supply.

The Token Deployer sends all LP tokens to the zero address for destruction. Since the TOMMI contract does not have a Mint function, the Token Deployer has theoretically lost the ability to execute a Rug Pull at this point. (This is also one of the necessary conditions to attract new token bots, as some new token bots will assess whether the newly added tokens in the pool have Rug Pull risks. The Deployer also sets the contract's Owner to the zero address to deceive the anti-fraud programs of new token bots).

Figure 4 Transaction information of Deployer destroying LP tokens

5. Fake trading volume.

The attacker actively purchases TOMMI tokens from the liquidity pool using multiple addresses, inflating the trading volume of the pool to further attract new token bots (the basis for determining that these addresses are disguised by the attacker: the funds in the related addresses come from the historical fund transfer addresses of the Rug Pull group).

Figure 5 Transaction information and fund flow of attacker purchasing TOMMI tokens from other addresses

6. The attacker initiates the Rug Pull through the Rug Puller address (0x43A9), directly transferring 38,739,354 tokens from the liquidity pool through the token's backdoor, and then dumps these tokens to extract about 3.95 ETH.

Figure 6 Rug Pull transaction information and fund flow

7. The attacker sends the proceeds from the Rug Pull to the transfer address 0xD921.

Figure 7 Transaction information of Rug Puller sending attack proceeds to the transfer address

8. The transfer address 0xD921 sends the funds to the fund retention address 0x2836. From here, we can see that after the Rug Pull is completed, the Rug Puller sends the funds to a certain fund retention address. The fund retention address is where we have monitored a large number of Rug Pull cases' funds being consolidated, and it will split most of the received funds to start a new round of Rug Pulls, while a small portion of the funds will be withdrawn through centralized exchanges. We have identified several fund retention addresses, with 0x2836 being one of them.

Figure 8 Fund transfer information of the transfer address

· Rug Pull Code Backdoor

Although the attacker has attempted to prove to the outside world that they cannot execute a Rug Pull by destroying LP tokens, in reality, the attacker left a malicious approve backdoor in the openTrading function of the TOMMI token contract. This backdoor grants the liquidity pool approval to transfer tokens to the Rug Puller address when creating the liquidity pool, allowing the Rug Puller address to directly withdraw tokens from the liquidity pool.

Figure 9 openTrading function in the TOMMI token contract

Figure 10 onInit function in the TOMMI token contract

The implementation of the openTrading function is shown in Figure 9; its main purpose is to create a new liquidity pool. However, inside this function the attacker also calls the backdoor function onInit (shown in Figure 10), which makes uniswapV2Pair approve _chefAddress for an allowance of type(uint256).max tokens, that is, an unlimited allowance. Here, uniswapV2Pair is the liquidity pool address, and _chefAddress is the Rug Puller address specified during contract deployment (shown in Figure 11).
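The backdoor described above leaves a trace that a scanner can check without reading the contract source: the token emits an Approval event whose owner is the liquidity pool itself. A Uniswap V2 pair contract never calls approve() on its own tokens, so such an event can only come from the token contract's own code. The following is an added example (not the TOMMI contract and not CertiK's tooling) that applies this check to a token's Approval events next to the three checks the text says sniper bots already perform; all addresses, the dataclass layout and the sample events are constructed placeholders.

```python
"""Checking a new token for the 'pool approves an outsider' allowance backdoor."""
from dataclasses import dataclass, field
from typing import Dict, List

ZERO = "0x0000000000000000000000000000000000000000"
UINT256_MAX = 2**256 - 1


@dataclass
class ApprovalEvent:
    owner: str    # address whose tokens may be spent
    spender: str  # address allowed to spend them
    value: int


@dataclass
class TokenFacts:
    """Facts a scanner collects about one token (constructed layout)."""
    pair: str                 # Uniswap V2 pair (liquidity pool) of the token
    owner: str                # current contract owner
    lp_burned: bool           # LP tokens were sent to the zero address
    has_mint: bool            # contract exposes a mint function
    approvals: List[ApprovalEvent] = field(default_factory=list)


def pool_approvals(facts: TokenFacts) -> List[ApprovalEvent]:
    """Approval events whose owner is the pool itself.

    The V2 pair never issues approvals, so any such event must have been
    produced by the token contract's own code (as TOMMI's onInit does)."""
    return [e for e in facts.approvals
            if e.owner.lower() == facts.pair.lower() and e.value > 0]


def assess(facts: TokenFacts) -> Dict[str, object]:
    """Classic checks plus the pool-allowance check; the latter is decisive."""
    hits = pool_approvals(facts)
    report: Dict[str, object] = {
        "lp_burned": facts.lp_burned,
        "owner_renounced": facts.owner.lower() == ZERO,
        "no_mint": not facts.has_mint,
        "pool_allowance_backdoor": bool(hits),
        "backdoor_spenders": sorted({e.spender for e in hits}),
    }
    # LP burned, owner renounced and no mint can all hold while a third party
    # still holds an allowance over the pool's balance.
    report["verdict"] = ("rug risk: pool allowance backdoor" if hits
                         else "no pool allowance backdoor found")
    return report


# Constructed sample resembling the TOMMI pattern (placeholder addresses).
PAIR = "0xPAIR000000000000000000000000000000000000"
CHEF = "0xCHEF000000000000000000000000000000000000"
ROUTER = "0xROUTER0000000000000000000000000000000000"
USER = "0xUSER00000000000000000000000000000000000"

BACKDOORED = TokenFacts(
    pair=PAIR, owner=ZERO, lp_burned=True, has_mint=False,
    approvals=[
        ApprovalEvent(USER, ROUTER, UINT256_MAX),  # ordinary user approving the router
        ApprovalEvent(PAIR, CHEF, UINT256_MAX),    # the backdoor: pool approves the "chef"
    ],
)
CLEAN = TokenFacts(
    pair=PAIR, owner=ZERO, lp_burned=True, has_mint=False,
    approvals=[ApprovalEvent(USER, ROUTER, UINT256_MAX)],
)

if __name__ == "__main__":
    for name, facts in (("backdoored", BACKDOORED), ("clean", CLEAN)):
        print(name, assess(facts))
```

For the backdoored sample all three classic checks pass, which is exactly why they were insufficient in the TOMMI case; only the pool-owned approval reveals the risk.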

Figure 11 Constructor of the TOMMI token contract

· Patterned Modus Operandi

By analyzing the TOMMI case, we can summarize the following four characteristics:

  1. The Deployer obtains funds through centralized exchanges: The attacker first provides a source of funds for the deployer address (Deployer) through centralized exchanges.

  2. The Deployer creates a liquidity pool and destroys LP tokens: After creating the Rug Pull token, the deployer immediately creates a liquidity pool for it and destroys the LP tokens to increase the project's credibility and attract more investors.

  3. The Rug Puller exchanges a large number of tokens for ETH in the liquidity pool: The Rug Pull address (Rug Puller) uses a large number of tokens (usually far exceeding the total token supply) to exchange for ETH in the liquidity pool. In other cases, the Rug Puller has also removed liquidity to obtain ETH from the pool.

  4. The Rug Puller transfers the ETH obtained from the Rug Pull to the fund retention address: The Rug Puller transfers the obtained ETH to the fund retention address, sometimes through an intermediary address.

These characteristics are commonly found in the cases we have captured, indicating that Rug Pull behavior has distinct patterned features. Furthermore, after completing a Rug Pull, funds are typically consolidated into a single fund retention address, suggesting that these seemingly independent Rug Pull cases may involve the same group or even the same scam organization.

Based on these characteristics, we extracted a behavioral pattern of Rug Pulls and used this pattern to scan the monitored cases to construct a possible profile of the scam groups.

Rug Pull Criminal Groups

· Mining Fund Retention Addresses

As mentioned earlier, Rug Pull cases typically consolidate funds into fund retention addresses at the end. Based on this pattern, we selected several highly active fund retention addresses with distinct characteristics associated with their related cases for in-depth analysis.

A total of 7 fund retention addresses came into our view, which are associated with 1,124 Rug Pull cases successfully captured by our on-chain attack monitoring system (CertiK Alert). After successfully executing the scam, the Rug Pull group consolidates the illegal profits into these fund retention addresses. These fund retention addresses will split the accumulated funds for creating new tokens, manipulating liquidity pools, and other activities for future Rug Pull scams. Additionally, a small portion of the accumulated funds is cashed out through centralized exchanges or flash exchange platforms.

The statistical data on the funds in the fund retention addresses is shown in Table 1:

[Table 1: cost and revenue statistics of the fund retention addresses (image not reproduced)]

By calculating the costs and revenues of all Rug Pull scams associated with each fund retention address, we obtained the data in Table 1.

In a complete Rug Pull scam, the Rug Pull group typically uses one address as the deployer of the Rug Pull token (Deployer) and withdraws startup funds from centralized exchanges to create the Rug Pull token and the corresponding liquidity pool. Once a sufficient number of users or new token bots purchase the Rug Pull token using ETH, the Rug Pull group operates using another address as the Rug Puller, transferring the obtained funds to the fund retention address.

In this process, we count as the cost of a Rug Pull either the ETH the Deployer obtained from the exchange or the ETH the Deployer invested when creating the liquidity pool (which one applies depends on the Deployer's behavior). The ETH the Rug Puller transfers to the fund retention address (or to other transfer addresses) after completing the Rug Pull counts as the revenue of that Rug Pull. This yields the income and expenditure data in Table 1; the USD conversion of the profit uses the ETH/USD price at the time the data was compiled (1 ETH = 2,513.56 USD, obtained on August 31, 2024).

It should be noted that when executing the scam, the Rug Pull group will also actively use ETH to purchase the Rug Pull tokens they created to simulate normal liquidity pool activity, thereby attracting new token bots to buy. However, this part of the cost is not included in the calculation, so the data in Table 1 overestimates the actual profit of the Rug Pull group, and the real profit is likely lower.

Figure 12 Profit distribution pie chart of fund retention addresses

Using the profit data for each address in Table 1, we generated the profit distribution pie chart shown in Figure 12. The top three addresses by share of profit are 0x1607, 0xDF1a, and 0x2836. Address 0x1607 has the highest profit, approximately 2,668.17 ETH, or 27.7% of the total profit across all addresses.

In reality, even if the final funds are consolidated into different fund retention addresses, due to the numerous commonalities between the cases associated with these addresses (such as the implementation methods of Rug Pull backdoors, cash-out paths, etc.), we still highly suspect that these fund retention addresses may belong to the same group.

So, is it possible that there is some connection between these fund retention addresses?

· Mining Connections Between Fund Retention Addresses

Figure 13 Fund flow diagram of fund retention addresses

An important indicator to determine whether there is a connection between fund retention addresses is to check for direct transfer relationships between these addresses. To verify the connections between fund retention addresses, we crawled and analyzed the historical transaction records of these addresses.

In most of the cases we analyzed in the past, the profits from each Rug Pull scam would ultimately flow to a single fund retention address, making it impossible to trace different fund retention addresses by tracking the flow of profit funds. Therefore, we need to detect the fund flow situation between these fund retention addresses to obtain direct connections between them, and the detection results are shown in Figure 13.

It should be noted that the addresses 0x1d39 and 0x6348 in Figure 13 are the shared Rug Pull infrastructure contract addresses of each fund retention address. The fund retention addresses use these two contracts to split funds and send them to other addresses, while the addresses receiving the split funds use these funds to fake the trading volume of Rug Pull tokens.

Based on the direct transfer relationships of ETH in Figure 13, we can categorize these fund retention addresses into three address sets:

  1. 0xDF1a and 0xDEd0;

  2. 0x1607 and 0x4856;

  3. 0x2836, 0x0573, 0xF653, and 0x7dd9.

There are direct transfer relationships within each address set, but there are no direct transfer actions between the sets. Therefore, it seems that these 7 fund retention addresses can be divided into three different groups. However, these three address sets all use the same infrastructure contracts to split ETH for subsequent Rug Pull operations, which connects the seemingly loose three address sets into a whole. Thus, does this imply that these fund retention addresses actually belong to the same group?
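The grouping just described is a connected-components computation over the graph of direct ETH transfers, with one caveat that the text makes explicit: the shared infrastructure contracts must be left out of the graph, otherwise they join every set into one. The following is an added example (not CertiK's tooling) that performs this grouping with a small union-find; only the short address labels come from the report, while the transfers, their directions and amounts are constructed so that the three sets from the text come out.

```python
"""Grouping fund retention addresses by direct ETH transfers (connected components)."""
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

Transfer = Tuple[str, str, float]  # (sender, receiver, ETH amount)

RETENTION = {"0xDF1a", "0xDEd0", "0x1607", "0x4856",
             "0x2836", "0x0573", "0xF653", "0x7dd9"}
SHARED_INFRA = {"0x1d39", "0x6348"}  # fund-splitting contracts used by every set

# Constructed transfers; amounts and directions are invented for the example.
TRANSFERS: List[Transfer] = [
    ("0xDF1a", "0xDEd0", 12.0),
    ("0x1607", "0x4856", 30.5),
    ("0x2836", "0x0573", 8.0),
    ("0xF653", "0x2836", 5.25),
    ("0x7dd9", "0xF653", 2.0),
    ("0xDF1a", "0x1d39", 100.0),  # splitting funds through shared infrastructure
    ("0x1607", "0x1d39", 80.0),
    ("0xDEd0", "0x6348", 40.0),
    ("0x2836", "0x6348", 60.0),
]


def cluster(nodes: Iterable[str], transfers: Iterable[Transfer],
            exclude: Iterable[str] = ()) -> List[Set[str]]:
    """Connected components of the direct-transfer graph restricted to `nodes`.

    Edges touching an excluded address are dropped, so shared infrastructure
    does not merge otherwise unrelated address sets."""
    excluded = set(exclude)
    parent: Dict[str, str] = {n: n for n in nodes}

    def find(x: str) -> str:  # union-find root lookup with path halving
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for sender, receiver, _ in transfers:
        if sender in excluded or receiver in excluded:
            continue
        if sender in parent and receiver in parent:
            parent[find(sender)] = find(receiver)

    groups: Dict[str, Set[str]] = defaultdict(set)
    for n in parent:
        groups[find(n)].add(n)
    return sorted(groups.values(), key=min)


if __name__ == "__main__":
    for group in cluster(RETENTION, TRANSFERS, SHARED_INFRA):
        print(sorted(group))
    # Keeping the infrastructure contracts as nodes collapses everything into one set.
    print("sets with infrastructure as nodes:",
          len(cluster(RETENTION | SHARED_INFRA, TRANSFERS)))
```

Running the block with the infrastructure excluded prints the three sets; running it with the infrastructure contracts kept as nodes yields a single set, which is the ambiguity the text leaves for the reader.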

This question will not be discussed in depth here; readers can ponder the possibilities themselves.

· Mining Shared Infrastructure

The previously mentioned shared infrastructure addresses of fund retention addresses mainly include two:

0x1d3970677aa2324E4822b293e500220958d493d0 and 0x634847D6b650B9f442b3B582971f859E6e65eB53.

Among them, the infrastructure address 0x1d39 exposes two main functions: "multiSendETH" and an unnamed function with selector "0x7a860e7e". "multiSendETH" performs split transfers: fund retention addresses call it to distribute part of their funds to multiple addresses, which then fake the trading volume of Rug Pull tokens, as shown in the transaction information in Figure 14.

This splitting operation helps attackers fake the activity of tokens, making these tokens appear more attractive, thereby enticing more users or new token bots to purchase. Through this technique, the Rug Pull group can further increase the deception and complexity of the scam.

Figure 14 Transaction information of fund retention addresses splitting funds through 0x1d39

The function with selector "0x7a860e7e" is used to purchase Rug Pull tokens. Other addresses disguised as ordinary users, after receiving split funds from the fund retention addresses, either interact directly with Uniswap's Router to purchase Rug Pull tokens or call "0x7a860e7e" on 0x1d39 to buy Rug Pull tokens and fake active trading volume.

The main functions of the infrastructure address 0x6348 are similar to those of 0x1d39, except that the selector of the function for purchasing Rug Pull tokens is "0x3f8a436c"; we do not elaborate on it further here.

To further understand how the Rug Pull group uses this infrastructure, we crawled and analyzed the transaction history of 0x1d39 and 0x6348 and counted how often external addresses call the two functions of each contract, with the results shown in Tables 2 and 3.

[Table 2: call frequency of the two functions of 0x1d39 by external addresses (image not reproduced)]

[Table 3: call frequency of the two functions of 0x6348 by external addresses (image not reproduced)]

From the data in Tables 2 and 3, it can be seen that the Rug Pull group has distinct characteristics in using the infrastructure addresses: they only use a small number of fund retention addresses or transfer addresses to split funds, but use a large number of other addresses to fake the trading volume of Rug Pull tokens. For example, the number of addresses faking trading volume through address 0x6348 even reaches as high as 6,224. Such a large number of addresses significantly increases the difficulty of distinguishing attacker addresses from victim addresses.

It is particularly noteworthy that the Rug Pull group’s method of faking trading volume is not limited to using these infrastructure addresses; some addresses also directly exchange tokens through exchanges for trading volume faking.

Additionally, we counted how the seven fund retention addresses mentioned earlier use the two functions of 0x1d39 and 0x6348, as well as the amount of ETH involved in each function, resulting in the data in Tables 4 and 5.

[Table 4: use of the functions of 0x1d39 by the fund retention addresses (image not reproduced)]

[Table 5: use of the functions of 0x6348 by the fund retention addresses (image not reproduced)]

From the data in Tables 4 and 5, it can be seen that the fund retention addresses have split funds a total of 3,616 times, with a total amount reaching 9,369.98 ETH. Furthermore, except for address 0xDF1a, all fund retention addresses only performed split transfers through the infrastructure, while the operation of purchasing Rug Pull tokens was completed by the addresses receiving these split funds. This indicates that the Rug Pull groups have a clear mindset and division of labor in their operations.

Address 0x0573 did not split funds through the infrastructure; instead, the funds used to fake trading volume in its associated Rug Pull cases came from other addresses, indicating that different fund retention addresses exhibit some differentiation in their operational styles.

By analyzing the fund connections between different fund retention addresses and their usage of infrastructure, we gained a more comprehensive understanding of the connections between these fund retention addresses. The operational methods of these Rug Pull groups are more professional and standardized than we imagined, further indicating that there are criminal organizations meticulously planning and executing everything behind these systematic scams.

· Mining Sources of Operational Funds

When executing a Rug Pull, the Rug Pull group typically uses a fresh externally owned account (EOA) as the Deployer of the Rug Pull token, and these Deployer addresses usually obtain their startup funds through centralized exchanges or flash exchange platforms. We therefore analyzed the sources of the funds in the Rug Pull cases linked to the previously mentioned fund retention addresses, aiming to obtain more detailed information about where the operational funds come from.

Table 6 shows the distribution of the number of funding source labels for Deployer funds associated with Rug Pull cases in each fund retention address.

[Table 6: distribution of funding source labels for Deployer funds per fund retention address (image not reproduced)]

From the data in Table 6, it can be seen that in the Rug Pull cases associated with each fund retention address, the Deployer funds for Rug Pull tokens mostly come from centralized exchanges (CEX). In all 1,124 Rug Pull cases we analyzed, the number of cases where funds came from centralized exchange hot wallets reached 1,069, accounting for as high as 95.11%. This means that for the vast majority of Rug Pull cases, we can trace back to specific account holders through the KYC information and withdrawal history of centralized exchange accounts, thus obtaining key clues for solving the cases.

As we delved deeper, we found that these Rug Pull groups often obtain operational funds simultaneously from multiple centralized exchange hot wallets, and the usage levels (usage frequency, proportion) of each wallet are roughly similar. This indicates that the Rug Pull groups intentionally increase the independence of each Rug Pull case in terms of fund flow to make it more difficult for outsiders to trace their origins, thereby increasing the complexity of tracking.

Through detailed analysis of these fund retention addresses and Rug Pull cases, we can draw a profile of these Rug Pull groups: they are well-trained, have clear divisions of labor, and are premeditated and organized. These characteristics demonstrate the high level of professionalism of the group and the systematic nature of their fraudulent activities.

Faced with such a tightly organized group of criminals, we cannot help but wonder and be curious about their promotional channels: how do these Rug Pull groups let users discover and purchase these Rug Pull tokens? To answer this question, we began to focus on the victim addresses in these Rug Pull cases and attempted to reveal how these groups entice users to participate in their scams.

· Mining Victim Addresses

Through the analysis of fund connections, we maintained a list of addresses belonging to Rug Pull groups and used it as a blacklist to filter out victim addresses from the liquidity pool transaction records corresponding to the Rug Pull tokens.

After analyzing these victim addresses, we obtained information about victim addresses associated with fund retention addresses (Table 7) and the contract call situation of victim addresses (Table 8).

[Table 7: victim addresses associated with each fund retention address (image not reproduced)]

From the data in Table 7, it can be seen that in the Rug Pull cases captured by our on-chain monitoring system (CertiK Alert), the average number of victim addresses per case is 26.82. This number is actually higher than our initial expectations, indicating that the harm caused by these Rug Pull cases is greater than we previously imagined.

[Table 8: contract call distribution of victim addresses (image not reproduced)]

From the data in Table 8, it can be seen that among the contract calls of victim addresses purchasing Rug Pull tokens, in addition to more conventional purchasing methods through Uniswap and MetaMask Swap, 30.40% of Rug Pull tokens were purchased through well-known on-chain sniper bot platforms such as Maestro and Banana Gun.

This finding reminds us that on-chain sniper bots may be one of the important promotional channels for Rug Pull groups. Through these sniper bots, Rug Pull groups can quickly attract participants, especially those focused on new token launches. Therefore, we concentrated our attention on these on-chain sniper bots to further understand their role and promotional mechanisms in Rug Pull scams.

Promotional Channels for Rug Pull Tokens

We researched the current new token launch ecosystem in Web3, studied the operational models of on-chain sniper bots, and combined certain social engineering techniques to ultimately identify two possible advertising channels for Rug Pull groups: Twitter and Telegram groups.

It is important to emphasize that these Twitter and Telegram groups are not specifically created by Rug Pull groups but exist as fundamental components of the new token launch ecosystem. They are maintained by third-party organizations such as on-chain sniper bot operating teams or professional new token teams, specifically pushing newly launched tokens to new token participants. These groups have become natural advertising channels for Rug Pull groups, attracting users to purchase malicious tokens through the promotion of new tokens, thereby executing scams.

· Twitter Advertising

Figure 15 Twitter advertisement for TOMMI token

Figure 15 shows the advertisement for the TOMMI token on Twitter mentioned earlier. It can be seen that the Rug Pull group utilized Dexed.com’s new token push service to expose its Rug Pull token to the outside world, attracting more victims. In actual research, we found that a considerable number of Rug Pull tokens can be found advertised on Twitter, and these advertisements often come from different third-party organizations' Twitter accounts.

· Telegram Group Advertising

Figure 16 Banana Gun new token push group

Figure 16 shows a Telegram group maintained by the on-chain sniper bot team Banana Gun, specifically for pushing newly launched tokens. This group not only pushes basic information about new tokens but also provides users with convenient purchase entrances. When users configure the basic settings of the Banana Gun Sniper Bot, they can quickly purchase the token by clicking the "Snipe" button corresponding to the token push information in the group (as highlighted in the red box in Figure 16).

We manually sampled the tokens pushed in this group and found that a significant proportion of them were Rug Pull tokens. This finding further deepened our suspicion that Telegram groups are likely an important advertising channel for Rug Pull groups.

Now the question is, what proportion of the new tokens pushed by third-party organizations are actually Rug Pull tokens? How large is the scale of these Rug Pull groups? To clarify these issues, we decided to conduct a systematic scan and analysis of the new token data pushed in Telegram groups to reveal the risk scale and impact of the fraudulent behavior behind it.

Analysis of the Ethereum Token Ecosystem

· Analyzing Tokens Pushed in Telegram Groups

To study the proportion of Rug Pull tokens among the new tokens pushed in these Telegram groups, we crawled the new Ethereum token information pushed by Banana Gun, Unibot, and other third-party token message groups from October 2023 to August 2024 using the Telegram API, finding that during this period, these groups pushed a total of 93,930 tokens.

Based on our analysis of Rug Pull cases, Rug Pull groups typically create liquidity pools for Rug Pull tokens in Uniswap V2 and invest a certain amount of ETH. Once users or new token bots purchase Rug Pull tokens in that pool, the attackers profit by dumping or removing liquidity. The entire process usually concludes within 24 hours.

Therefore, we summarized the following detection rules for Rug Pull tokens and used these rules to scan the 93,930 tokens to determine the proportion of Rug Pull tokens among the new tokens pushed in these Telegram groups:

  1. The target token has no transfer activity in the last 24 hours: Rug Pull tokens typically have no activity after the dumping is completed;

  2. A liquidity pool for the target token and ETH (a token/WETH pair) exists in Uniswap V2: Rug Pull groups create such pools for their tokens;

  3. The total number of Transfer events for the token from its creation to the detection time does not exceed 1,000: Rug Pull tokens generally have low trading volumes, so the number of transfers is relatively small;

  4. Among the last 5 transactions involving the token, there are large liquidity pool withdrawals or dumping actions: Rug Pull tokens will perform large liquidity withdrawals or dumping operations at the end of the scam.
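As an added example (not CertiK's detection code), the four rules above and the active-time bucketing used later in the analysis can be reimplemented offline over per-token records. The records, the pair lookup (`weth_pair`, standing in for `factory.getPair(token, WETH)`) and the 50% threshold for what counts as a "large" exit are constructed assumptions; the text does not state that threshold.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

HOUR = 3600
INACTIVITY_WINDOW = 24 * HOUR   # rule 1: no Transfer event in the last 24 hours
MAX_TRANSFERS = 1000            # rule 3: at most 1,000 Transfer events since creation
LAST_TX_WINDOW = 5              # rule 4: inspect only the last 5 pool-touching txs
LARGE_EXIT_RATIO = 0.5          # assumption: a "large" exit drains >= 50% of the pool's peak ETH


@dataclass
class PoolTx:
    ts: int          # block timestamp
    kind: str        # "buy", "sell", "add_liquidity" or "remove_liquidity"
    eth_out: float   # ETH that left the pool in this tx (0 for buys and adds)


@dataclass
class TokenRecord:
    address: str
    created_at: int
    weth_pair: Optional[str]   # factory.getPair(token, WETH) result; None if no pool
    transfer_count: int        # ERC-20 Transfer events from creation to detection time
    last_transfer_ts: int      # timestamp of the most recent Transfer event
    peak_pool_eth: float       # largest ETH reserve the pool ever held
    txs: List[PoolTx]          # chronological pool-touching transactions


def rule_inactive(rec: TokenRecord, now: int) -> bool:
    return now - rec.last_transfer_ts >= INACTIVITY_WINDOW


def rule_has_weth_pool(rec: TokenRecord) -> bool:
    return rec.weth_pair is not None


def rule_low_volume(rec: TokenRecord) -> bool:
    return rec.transfer_count <= MAX_TRANSFERS


def large_exits(rec: TokenRecord) -> List[PoolTx]:
    """Rule 4: dumps or liquidity removals among the last LAST_TX_WINDOW txs
    that drain a large share of the pool's ETH."""
    threshold = LARGE_EXIT_RATIO * rec.peak_pool_eth
    return [tx for tx in rec.txs[-LAST_TX_WINDOW:]
            if tx.kind in ("sell", "remove_liquidity") and tx.eth_out >= threshold]


def is_rug_pull(rec: TokenRecord, now: int) -> bool:
    """All four rules must hold for a token to be flagged."""
    return (rule_inactive(rec, now) and rule_has_weth_pool(rec)
            and rule_low_volume(rec) and bool(large_exits(rec)))


def active_time_bucket(rec: TokenRecord) -> Optional[str]:
    """Time from creation to the last large exit, bucketed as in the text."""
    exits = large_exits(rec)
    if not exits:
        return None
    active = exits[-1].ts - rec.created_at
    if active < 3 * HOUR:
        return "<3h"
    if active < 72 * HOUR:
        return "3h-72h"
    return ">=72h"


def scan(records: List[TokenRecord], now: int) -> Dict[str, int]:
    """Counts flagged tokens and their active-time buckets."""
    summary: Dict[str, int] = {"scanned": len(records), "flagged": 0}
    for rec in records:
        if is_rug_pull(rec, now):
            summary["flagged"] += 1
            bucket = active_time_bucket(rec)
            assert bucket is not None  # flagged implies at least one large exit
            summary[bucket] = summary.get(bucket, 0) + 1
    return summary


T0 = 1_700_000_000
NOW = T0 + 5 * 24 * HOUR

# Constructed: pool seeded at T0, two victim buys, liquidity pulled two hours later.
RUG = TokenRecord("0xaaa1", T0, "0xpair1", 37, T0 + 2 * HOUR, 6.5, [
    PoolTx(T0, "add_liquidity", 0.0),
    PoolTx(T0 + 600, "buy", 0.0),
    PoolTx(T0 + 1200, "buy", 0.0),
    PoolTx(T0 + 2 * HOUR, "remove_liquidity", 6.4),
])
# Constructed: a token still trading normally, far above 1,000 transfers.
ACTIVE = TokenRecord("0xaaa2", T0, "0xpair2", 4821, NOW - 600, 40.0, [
    PoolTx(NOW - 900, "buy", 0.0),
    PoolTx(NOW - 600, "sell", 1.2),
])
# Constructed: project wound down two weeks after launch; the rules fire, but the
# active-time bucket is the one the text treats as a possible false positive.
LATE_EXIT = TokenRecord("0xaaa3", T0 - 14 * 24 * HOUR, "0xpair3", 640, T0, 12.0, [
    PoolTx(T0 - HOUR, "sell", 0.3),
    PoolTx(T0, "remove_liquidity", 9.0),
])

if __name__ == "__main__":
    for rec in (RUG, ACTIVE, LATE_EXIT):
        print(rec.address, is_rug_pull(rec, NOW), active_time_bucket(rec))
    print(scan([RUG, ACTIVE, LATE_EXIT], NOW))
```

The third record shows why the active-time breakdown matters: a legitimate team removing liquidity after two weeks satisfies all four rules exactly like a scam, and only the `>=72h` bucket separates it for manual review.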

Using these rules to detect the tokens pushed in Telegram groups, the results are shown in Table 9.

[Table 9: Rug Pull detection results for the 93,930 tokens pushed in Telegram groups (image not reproduced)]

As shown in Table 9, among the 93,930 tokens pushed in Telegram groups, a total of 46,526 were detected as Rug Pull tokens, accounting for as high as 49.53%. This means that nearly half of the tokens pushed in Telegram groups are Rug Pull tokens.

Some legitimate project teams also withdraw liquidity after a project fails, and that behavior should not simply be classified as the Rug Pull fraud described in this article. We therefore need to consider how such false positives affect the results. Detection rule 3 filters out the vast majority of these cases, but some misjudgments remain possible.

To better understand the impact of these potential false positives, we statistically analyzed the active time of the 46,526 tokens detected as Rug Pulls, with the results shown in Table 10. By analyzing the active time of these tokens, we can further distinguish between genuine Rug Pull behaviors and liquidity withdrawal behaviors due to project failure, thus allowing for a more accurate assessment of the actual scale of Rug Pulls.

[Table 10: active-time distribution of the 46,526 detected Rug Pull tokens (image not reproduced)]

Through the statistical analysis of active time, we found that 41,801 Rug Pull tokens had an active time (from token creation to the last execution of the Rug Pull) of less than 72 hours, accounting for 89.84%. Under normal circumstances, 72 hours is not enough time to determine whether a project has failed, so this article considers that Rug Pull behaviors with an active time of less than 72 hours are not normal project fund withdrawal behaviors.

Thus, even in the worst case, in which all of the remaining 4,725 Rug Pull tokens with an active time greater than 72 hours are treated as falling outside this article's definition of Rug Pull fraud, the analysis still holds high reference value, since 89.84% of the cases meet expectations. In reality, the 72-hour threshold is conservative: in our sampling, a considerable portion of the tokens with an active time greater than 72 hours still fell within the scope of Rug Pull fraud as described here.

It is worth mentioning that the number of tokens with an active time of less than 3 hours is 25,622, accounting for 55.07%. This indicates that Rug Pull groups are cycling through scams with very high efficiency, and their operational style tends to be "quick and short," with extremely high capital turnover rates.

We also evaluated the cash-out methods and contract call methods of these 46,526 Rug Pull token cases to confirm the operational tendencies of these Rug Pull groups.

The evaluation of cash-out methods mainly involves counting the number of cases corresponding to various methods used by Rug Pull groups to obtain ETH from liquidity pools. The main methods are:

  1. Dumping: Rug Pull groups sell tokens obtained through pre-allocation or code backdoors, swapping them for all of the ETH in the liquidity pool.

  2. Removing liquidity: Rug Pull groups withdraw all the funds they originally added to the liquidity pool.

The evaluation of contract call methods involves examining the target contract objects called by Rug Pull groups when executing the Rug Pull. The main objects are:

  1. Decentralized exchange Router contracts: the attacker calls the Router directly to remove liquidity or swap tokens.

  2. Custom attack contracts created by Rug Pull groups: bespoke contracts used to execute more complex fraudulent operations.

By evaluating cash-out methods and contract call methods, we can further understand the operational patterns and characteristics of Rug Pull groups, thus better preventing and identifying similar fraudulent behaviors.
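As an added example (not CertiK's pipeline), the two classifications above can be derived from the Uniswap V2 pair's own events rather than from decoding the attacker's calldata, which is unavailable when an unverified custom contract sits between attacker and pool: a `Burn` on the pair is a liquidity removal, a `Swap` that pays ETH out of the pool is a dump, and the transaction's `to` address tells router from custom contract. The events, the attacker contract address and the 50% "large exit" threshold are constructed assumptions; the Router02 address is the mainnet one.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Uniswap V2 Router02 on Ethereum mainnet (lower-cased for comparison).
UNISWAP_V2_ROUTER02 = "0x7a250d5630b4cf539739df2c5dacb4c659f2488d"
# Assumption: an exit counts as a Rug Pull execution when it takes at least
# this share of the pool's ETH reserve as it stood before the transaction.
LARGE_EXIT_RATIO = 0.5


@dataclass
class PairEvent:
    token: str
    tx_hash: str
    tx_to: str                 # `to` of the transaction that produced the event
    event: str                 # "Burn" or "Swap", as emitted by the UniswapV2Pair
    eth_out: float             # ETH paid out of the pool by this event
    reserve_eth_before: float  # pool's ETH reserve before the transaction


def cash_out_method(ev: PairEvent) -> str:
    """Burn = liquidity removed; Swap with ETH leaving the pool = dump."""
    if ev.event == "Burn":
        return "remove_liquidity"
    if ev.event == "Swap":
        return "dump"
    raise ValueError(f"unexpected pair event {ev.event!r}")


def call_target(ev: PairEvent) -> str:
    """Direct Router call vs. a custom contract between attacker and pool."""
    return "router" if ev.tx_to.lower() == UNISWAP_V2_ROUTER02 else "custom_contract"


def is_rug_execution(ev: PairEvent) -> bool:
    return ev.eth_out >= LARGE_EXIT_RATIO * ev.reserve_eth_before


def classify(events: List[PairEvent]) -> Dict[str, Counter]:
    """Counts executions by cash-out method, by call target, and per token."""
    methods: Counter = Counter()
    targets: Counter = Counter()
    per_token: Counter = Counter()
    for ev in events:
        if not is_rug_execution(ev):
            continue   # ordinary buys/sells and small exits are not executions
        methods[cash_out_method(ev)] += 1
        targets[call_target(ev)] += 1
        per_token[ev.token] += 1
    return {"methods": methods, "targets": targets, "per_token": per_token}


def multi_execution_tokens(result: Dict[str, Counter]) -> List[str]:
    """Tokens rugged more than once, which is why executions outnumber tokens."""
    return sorted(t for t, n in result["per_token"].items() if n > 1)


ATTACKER_CONTRACT = "0xcafe000000000000000000000000000000000001"   # constructed address

# Constructed events for three tokens: A is one removal via the Router; B is
# dumped twice through a custom contract with a victim buy in between; C is a
# removal executed through a custom contract.
EVENTS = [
    PairEvent("A", "0x01", UNISWAP_V2_ROUTER02, "Burn", 6.4, 6.5),
    PairEvent("B", "0x02", UNISWAP_V2_ROUTER02, "Swap", 0.0, 4.0),   # victim buy: ETH flows in
    PairEvent("B", "0x03", ATTACKER_CONTRACT, "Swap", 3.0, 4.0),
    PairEvent("B", "0x04", ATTACKER_CONTRACT, "Swap", 0.8, 1.0),
    PairEvent("C", "0x05", ATTACKER_CONTRACT, "Burn", 2.0, 2.1),
]

if __name__ == "__main__":
    result = classify(EVENTS)
    print(dict(result["methods"]), dict(result["targets"]), multi_execution_tokens(result))
```

Classifying from pair events also makes the "multiple executions per token" observation directly measurable: token B above yields two executions, mirroring how the 53,552 executions in the text exceed the 46,526 tokens.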

The relevant evaluation data for cash-out methods is shown in Table 11.

[Table 11: cash-out methods used across the 46,526 Rug Pull token cases (image not reproduced)]

From the evaluation data, it can be seen that the number of cases where Rug Pull groups cash out by removing liquidity is 32,131, accounting for as high as 69.06%. This indicates that these Rug Pull groups prefer to cash out by removing liquidity, possibly because this method is simpler and more direct, requiring no complex contract writing or additional operations. In contrast, cashing out by dumping requires Rug Pull groups to pre-set backdoors in the token's contract code, allowing them to obtain the tokens needed for dumping at zero cost, making this operational process more cumbersome and potentially increasing risks; therefore, the number of cases choosing this method is relatively small.

The relevant evaluation data for contract call methods is shown in Table 12.

[Table 12: contract call targets used in Rug Pull executions (image not reproduced)]

From the data in Table 12, it is clear that Rug Pull groups prefer to execute Rug Pull operations through Uniswap's Router contracts, with a total of 40,887 executions, accounting for 76.35% of the total execution count. The total number of Rug Pull executions is 53,552, which is higher than the number of Rug Pull tokens (46,526), indicating that in some cases, Rug Pull groups may execute multiple Rug Pull operations, possibly to maximize profits or to cash out in batches targeting different victims.

Next, we conducted a statistical analysis of the cost and revenue data for the 46,526 Rug Pull tokens. Note that we count as cost the ETH that Rug Pull groups obtained from centralized exchanges or instant-swap services before deploying their tokens, and as revenue the ETH recovered in the final Rug Pull. Since we did not account for the ETH some Rug Pull groups spent faking trading volume in their liquidity pools, the actual cost may be higher than stated.

The cost and revenue data is shown in Table 13.

[Table 13: cost and revenue of the 46,526 Rug Pull tokens (image not reproduced)]

In the statistics of these 46,526 Rug Pull tokens, the total profit was 282,699.96 ETH, with a profit margin of 188.70%, equivalent to about $800 million. Although the actual profit may be slightly lower than the above data, the overall scale of funds remains astonishing, demonstrating that these Rug Pull groups have obtained huge profits through scams.

From the analysis of the token data in the entire Telegram group, the current Ethereum ecosystem is already flooded with a large number of Rug Pull tokens. However, we still need to confirm an important question: do the tokens pushed in these Telegram groups cover all tokens launched on the Ethereum mainnet? If not, what proportion do they occupy in the tokens launched on the Ethereum mainnet?

Answering this question will provide us with a comprehensive understanding of the current Ethereum token ecosystem. Therefore, we began to conduct an in-depth analysis of the tokens on the Ethereum mainnet to determine the coverage of tokens pushed by Telegram groups in the overall mainnet tokens. Through this analysis, we can further clarify the severity of the Rug Pull issue in the entire Ethereum ecosystem and the influence of these Telegram groups in token promotion and pushing.

· Analyzing Tokens Issued on the Ethereum Mainnet

Using RPC nodes, we crawled block data for the same period as the Telegram group analysis (October 2023 to August 2024) and extracted the tokens newly deployed in those blocks. Tokens that implement their business logic through proxies were excluded, since very few Rug Pull cases involve proxy-deployed tokens. This yielded 154,500 contracts, of which 54,240 were Uniswap V2 liquidity pool (LP) tokens, which fall outside the scope of this observation.

Therefore, we filtered out LP tokens, resulting in a final token count of 100,260. Relevant information is shown in Table 14.

[Table 14: tokens newly deployed on the Ethereum mainnet after filtering LP tokens (image not reproduced)]
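As an added example (not CertiK's crawler), the filtering step described above, keeping ERC-20 tokens while setting aside proxies and Uniswap V2 LP tokens, can be done on runtime bytecode and a little metadata. ERC-20 dispatchers push the standard function selectors with `PUSH4`, EIP-1167 minimal proxies have a fixed 45-byte shape, EIP-1967 upgradeable proxies embed the implementation slot behind a `PUSH32`, and every Uniswap V2 pair is created by the factory and reports the symbol `UNI-V2`. The bytecode samples and deployer addresses below are constructed; the selectors, proxy patterns, slot and factory address are the real mainnet values.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# ERC-20 selectors (first 4 bytes of keccak256(signature)); Solidity dispatchers
# load them with PUSH4 (opcode 0x63), so "63" + selector appears in runtime code.
ERC20_SELECTORS = {
    "totalSupply()": "18160ddd",
    "balanceOf(address)": "70a08231",
    "transfer(address,uint256)": "a9059cbb",
    "approve(address,uint256)": "095ea7b3",
    "transferFrom(address,address,uint256)": "23b872dd",
}
MIN_ERC20_SELECTORS = 4
# EIP-1167 minimal proxy runtime code: prefix, 20-byte target, suffix (45 bytes).
EIP1167_PREFIX = "363d3d373d3d3d363d73"
EIP1167_SUFFIX = "5af43d82803e903d91602b57fd5bf3"
# EIP-1967 implementation slot; upgradeable proxies embed it behind PUSH32 (0x7f).
EIP1967_IMPL_SLOT = "360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc"
# Uniswap V2 factory on Ethereum mainnet; every pair (LP token) is created by it.
UNISWAP_V2_FACTORY = "0x5c69bee701ef814a2b6a3edd4b1652cb9cc5aa6f"
UNISWAP_V2_LP_SYMBOL = "UNI-V2"


@dataclass
class NewContract:
    address: str
    deployer: str          # address whose CREATE/CREATE2 produced the contract
    code: str              # runtime bytecode as hex, no 0x prefix
    symbol: Optional[str]  # symbol() result, None if the call reverted


def has_push(code: str, opcode: str, operand: str) -> bool:
    """Byte-aligned search for `opcode operand` in hex bytecode. Heuristic: it
    does not disassemble, so matching bytes inside push data can fool it."""
    needle = opcode + operand
    return any(code[i:i + len(needle)] == needle
               for i in range(0, len(code) - len(needle) + 1, 2))


def is_proxy(code: str) -> bool:
    minimal = (len(code) == 90 and code.startswith(EIP1167_PREFIX)
               and code.endswith(EIP1167_SUFFIX))
    return minimal or has_push(code, "7f", EIP1967_IMPL_SLOT)


def is_erc20(code: str) -> bool:
    hits = sum(has_push(code, "63", sel) for sel in ERC20_SELECTORS.values())
    return hits >= MIN_ERC20_SELECTORS


def is_lp_token(c: NewContract) -> bool:
    return c.deployer.lower() == UNISWAP_V2_FACTORY or c.symbol == UNISWAP_V2_LP_SYMBOL


def classify(c: NewContract) -> str:
    code = c.code.lower()
    if is_proxy(code):
        return "proxy"       # excluded from the capture, as in the text
    if not is_erc20(code):
        return "other"       # not a token at all
    if is_lp_token(c):
        return "lp_token"    # Uniswap V2 pair, filtered out
    return "token"


def filter_tokens(contracts: List[NewContract]) -> Dict[str, List[str]]:
    groups: Dict[str, List[str]] = {"token": [], "lp_token": [], "proxy": [], "other": []}
    for c in contracts:
        groups[classify(c)].append(c.address)
    return groups


def fake_erc20_code() -> str:
    """Constructed dispatcher fragment: PUSH4 sel; EQ; PUSH2 dest; JUMPI per selector."""
    body = "".join("63" + sel + "14" + "610100" + "57" for sel in ERC20_SELECTORS.values())
    return "6080604052" + body + "00"


TOKEN_CODE = fake_erc20_code()
LP_CODE = TOKEN_CODE   # a pair has the same ERC-20 surface; deployer/symbol tell it apart
MINIMAL_PROXY_CODE = EIP1167_PREFIX + "ab" * 20 + EIP1167_SUFFIX
UPGRADEABLE_PROXY_CODE = "6080604052" + "7f" + EIP1967_IMPL_SLOT + "54" + "00"
WALLET_CODE = "6080604052" + "63" + "a9059cbb" + "14" + "00"   # one selector only

# Constructed deployments; deployer addresses other than the factory are made up.
CONTRACTS = [
    NewContract("0x1001", "0xdeadbeef00000000000000000000000000000001", TOKEN_CODE, "NEWT"),
    NewContract("0x1002", UNISWAP_V2_FACTORY, LP_CODE, "UNI-V2"),
    NewContract("0x1003", "0xdeadbeef00000000000000000000000000000002", MINIMAL_PROXY_CODE, "PRX"),
    NewContract("0x1004", "0xdeadbeef00000000000000000000000000000002", UPGRADEABLE_PROXY_CODE, None),
    NewContract("0x1005", "0xdeadbeef00000000000000000000000000000003", WALLET_CODE, None),
]

if __name__ == "__main__":
    print(filter_tokens(CONTRACTS))
```

Checking the deployer against the factory is the robust LP test; the `UNI-V2` symbol check is a fallback that a scam token could trivially spoof, which is why it is not used on its own.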

We conducted Rug Pull rule detection on these 100,260 tokens, with the results shown in Table 15.

[Table 15: Rug Pull detection results for the 100,260 mainnet tokens (image not reproduced)]

In the 100,260 tokens subjected to Rug Pull detection, we found that 48,265 tokens were Rug Pull tokens, accounting for 48.14% of the total. This proportion is roughly comparable to the proportion of Rug Pull tokens among the tokens pushed in Telegram groups.

To further analyze the inclusion relationship between the tokens pushed in Telegram groups and all tokens launched on the Ethereum mainnet, we conducted a detailed comparison of the information from these two groups of tokens, with the results shown in Table 16.

[Table 16: overlap between tokens pushed in Telegram groups and tokens captured on the mainnet (image not reproduced)]

From the data in Table 16, it can be seen that there are 90,228 tokens in the intersection between the tokens pushed in Telegram groups and the tokens captured on the mainnet, accounting for 89.99% of the mainnet tokens. There are 3,703 tokens in the Telegram groups that are not included in the tokens captured on the mainnet, and through sampling detection, we found that these tokens are all tokens that implement contract proxies, which we did not include when capturing mainnet tokens.

As for the 10,032 tokens on the mainnet that were not pushed by Telegram groups, the reason may be that these tokens were filtered out by the pushing rules of Telegram groups, possibly due to a lack of sufficient attractiveness or not meeting certain pushing standards.

To further analyze, we separately conducted Rug Pull detection on these 3,703 tokens that implemented contract proxies and found only 10 Rug Pull tokens. Therefore, these contract proxy tokens are unlikely to cause much interference with the Rug Pull detection results of tokens pushed in Telegram groups, indicating that the Rug Pull detection results of tokens pushed in Telegram groups and mainnet tokens are highly consistent.

The addresses of these 10 Rug Pull tokens that implemented proxies are listed in Table 17, and if interested, readers can check the relevant details of these addresses; this article will not elaborate further.

Through this analysis, we confirmed that the tokens pushed in Telegram groups have a high overlap in the proportion of Rug Pull tokens with the mainnet tokens, further validating the importance and influence of these promotional channels in the current Rug Pull ecosystem.

[Table 17: addresses of the 10 Rug Pull tokens implemented as proxies (image not reproduced)]

Now we can answer the question of whether the tokens pushed in Telegram groups cover all tokens launched on the Ethereum mainnet, and if not, what proportion they occupy.

The answer is that the tokens pushed in Telegram groups account for about 90% of the mainnet, and their Rug Pull detection results are highly consistent with the Rug Pull detection results of mainnet tokens. Therefore, the previous Rug Pull detection and data analysis of tokens pushed in Telegram groups can essentially reflect the current state of the Ethereum mainnet token ecosystem.

As mentioned earlier, the proportion of Rug Pull tokens on the Ethereum mainnet is about 48.14%, but we are also interested in the remaining 51.86% of non-Rug Pull tokens. Even excluding Rug Pull tokens, there are still about 51,995 tokens in an unknown state, and this number far exceeds our reasonable expectations for the number of tokens. Therefore, we conducted a statistical analysis of the time from creation to the last activity of all tokens on the mainnet, with the results shown in Table 18.

[Table 18: time from creation to last activity for all 100,260 mainnet tokens (image not reproduced)]

From the data in Table 18, we can see that when we expand our view to the entire Ethereum mainnet, the number of tokens with a lifecycle of less than 72 hours reaches 78,018, accounting for 77.82% of the total. This number is significantly higher than the number of Rug Pull tokens we detected, indicating that the Rug Pull detection rules mentioned in this article do not fully cover all Rug Pull cases. In fact, through sampling detection, we indeed found some Rug Pull tokens that were not detected. At the same time, this may also imply that there are other forms of scams that have not been covered, such as phishing attacks, Ponzi schemes, etc., which still require further exploration.

Moreover, the number of tokens with a lifecycle greater than 72 hours also reaches 22,242. However, this portion of tokens is not the focus of this article, so there may still be other details waiting to be discovered. Perhaps some of these tokens represent failed projects, or projects with a certain user base that failed to receive long-term support, and the stories and reasons behind these tokens may hide more complex market dynamics.

The Ethereum mainnet token ecosystem is far more complex than we initially imagined, with short-term and long-term projects intertwined and potential fraudulent behaviors emerging one after another. This article aims to raise awareness among readers, so that everyone realizes that criminals have been quietly at work in corners we do not see. We hope this analysis inspires more people to pay attention and study the problem, thereby improving the security of the entire blockchain ecosystem.

Reflection

The current proportion of Rug Pull tokens among the newly issued tokens on the Ethereum mainnet is as high as 48.14%, which is a highly alarming figure. It means that on Ethereum, on average, one in every two tokens launched is used for scams, reflecting a certain degree of chaos and disorder in the current Ethereum ecosystem. However, what is truly concerning goes far beyond the current state of the Ethereum token ecosystem. We found that in the Rug Pull cases captured by on-chain monitoring programs, the number of cases on other blockchain networks even exceeds that of Ethereum. What is the state of the token ecosystem on these other networks? This also deserves further in-depth research.

Furthermore, even excluding the 48.14% of Rug Pull tokens, there are still about 140 new tokens launched on Ethereum every day, and this daily issuance range is still far higher than the reasonable range. Are there other undisclosed secrets hidden among these unexamined tokens? These questions are worth our deep contemplation and research.

At the same time, there are many key points in this article that require further exploration:

1. How to quickly and efficiently determine the number of Rug Pull groups in the Ethereum ecosystem and their connections?

Given the large number of Rug Pull cases detected so far, how can we effectively determine how many independent Rug Pull groups are hidden behind these cases and whether there are connections between these groups? This analysis may need to combine fund flow and address sharing situations.

2. How to more accurately distinguish between victim addresses and attacker addresses in Rug Pull cases?

Distinguishing between victims and attackers is an important step in identifying fraudulent behavior, but the boundaries between victim addresses and attacker addresses are often blurred in many cases. How to make this distinction more precise is a question worthy of in-depth research.

3. How to move Rug Pull detection forward to during or even before the event?

Currently, Rug Pull detection methods mainly rely on post-analysis. Is it possible to develop a method for detecting during or before the event to identify potential Rug Pull risks among currently active tokens in advance? This capability would help reduce investor losses and allow for timely intervention.

4. What are the profit strategies of Rug Pull groups?

Researching under what profit conditions Rug Pull groups will execute a Rug Pull (for example, at what average profit they choose to run away, which can refer to the data in Table 13) and whether they use certain mechanisms or means to ensure their profits. This information can help predict the occurrence of Rug Pull behaviors and strengthen prevention.

5. Besides Twitter and Telegram, are there other promotional channels?

The Rug Pull groups mentioned in this article mainly promote their scam tokens through Twitter and Telegram, but are there other promotional channels that could be exploited? For example, forums, social media, advertising platforms, etc. Do these channels also pose similar risks?

These questions are all worth our in-depth exploration and contemplation. We will not elaborate further here, leaving them for everyone’s research and discussion. The Web3 ecosystem is rapidly developing, and ensuring its security relies not only on technological advancements but also on more comprehensive monitoring and deeper research to address the ever-changing risks and challenges.

Recommendations

As mentioned earlier, the current new token launch ecosystem is flooded with numerous scams, and as Web3 investors, a slight misstep could lead to losses. With the escalating cat-and-mouse game between Rug Pull groups and anti-fraud teams, the difficulty for investors to identify fraudulent tokens or projects is also increasing.

Therefore, for investors looking to enter the new token market, our security expert team offers the following suggestions for reference:

  1. Try to purchase new tokens through well-known centralized exchanges: Prioritize purchasing new tokens through reputable centralized exchanges, as these platforms have stricter project reviews and relatively higher security.

  2. When purchasing new tokens through decentralized exchanges, ensure their official website and on-chain address: Make sure that the tokens you purchase come from the contract addresses officially released by the project to avoid mistakenly buying scam tokens.

  3. Verify whether the project has an official website and community before purchasing new tokens: Projects without an official website or active community often carry higher risks. Pay special attention to new tokens pushed by third-party Twitter and Telegram groups, as these pushes are mostly not security-verified.

  4. Check the creation time of the token to avoid purchasing tokens created less than 3 days ago: If you have a certain technical foundation, you can check the creation time of the token through a block explorer and try to avoid purchasing tokens created less than 3 days ago, as Rug Pull tokens typically have short active times.

  5. Use third-party security agencies' token scanning services: If conditions permit, you can utilize token scanning services provided by third-party security agencies to detect the safety of target tokens.

Call to Action

In addition to the Rug Pull scam groups focused on in this article, an increasing number of similar criminals are exploiting the infrastructure and mechanisms of various fields or platforms in the Web3 industry for illegal profits, making the current security situation of the Web3 ecosystem increasingly severe. We need to start paying attention to some issues that are easily overlooked in daily life to prevent criminals from taking advantage.

As mentioned earlier, the funds flowing in and out of Rug Pull groups ultimately pass through major exchanges, but we believe that the flow of malicious funds from Rug Pull scams is just the tip of the iceberg. The scale of malicious funds flowing through exchanges may far exceed our imagination. Therefore, we strongly urge major exchanges to take stricter regulatory measures against these malicious fund flows and actively combat illegal fraudulent activities to ensure the safety of users' funds.

Similar to project promotion and on-chain sniper bots, third-party service providers have effectively become tools for scam groups to profit. Therefore, we call on all third-party service providers to strengthen the security review of their products or content to avoid being maliciously exploited by criminals.

At the same time, we urge everyone who could become a victim, including MEV arbitrageurs and ordinary users, to scan target projects with security tools before investing in unknown projects, to consult authoritative security agencies' project ratings, and to proactively disclose the malicious behavior of criminals so that illegal activity in the industry is exposed.

As a professional security team, we also call on all security practitioners to actively discover, identify, and combat illegal activities, and to be diligent in voicing their concerns to safeguard users' property security.

In the Web3 field, users, project teams, exchanges, MEV arbitrageurs, and third-party service providers all play crucial roles. We hope that every participant can contribute to the sustainable development of the Web3 ecosystem, creating a safer and more transparent blockchain environment together.
