Introduction

In the Web3 world, new tokens are constantly emerging. Have you ever wondered how many new tokens are issued every day? Are these new tokens safe?

These questions are not without purpose. In the past few months, the CertiK security team has captured a large number of Rug Pull transaction cases. It is worth noting that the tokens involved in these cases are all new tokens that have just been listed on the chain.

Subsequently, CertiK conducted an in-depth investigation of these Rug Pull cases and found that there were organized criminal gangs behind them, and summarized the pattern characteristics of these scams. Through in-depth analysis of the modus operandi of these gangs, CertiK discovered a possible fraud promotion channel for Rug Pull gangs: Telegram groups. These gangs used the "New Token Tracer" function in groups such as Banana Gun and Unibot to attract users to buy fraudulent tokens and ultimately make profits through Rug Pull.

CertiK tallied the token push messages of these Telegram groups from November 2023 to early August 2024 and found that a total of 93,930 new tokens were pushed, of which 46,526 were Rug Pull tokens, a share as high as 49.53%. According to our statistics, the gangs behind these Rug Pull tokens invested a cumulative 149,813.72 ETH and made a profit of 282,699.96 ETH, a return rate of up to 188.7%, equivalent to about US$800 million.

To assess what share of new tokens on the Ethereum mainnet are pushed by Telegram groups, CertiK counted the new tokens issued on the Ethereum mainnet over the same period. The data shows that a total of 100,260 new tokens were issued during this period, of which 89.99% were pushed through Telegram groups. On average, about 370 new tokens were born every day, far exceeding reasonable expectations. Continued investigation revealed a disturbing truth: at least 48,265 of them were involved in Rug Pull scams, a share as high as 48.14%. In other words, almost one in every two new tokens on the Ethereum mainnet is involved in a scam.

In addition, CertiK has found more Rug Pull cases in other blockchain networks. This means that the security situation of not only the Ethereum mainnet, but also the entire Web3 new token ecosystem is far more severe than expected. Therefore, CertiK wrote this research report, hoping to help all Web3 members raise their awareness of prevention, stay vigilant in the face of endless scams, and take necessary precautions in time to protect their assets.

ERC-20 Token

Before we officially start this report, let's first understand some basic concepts.

ERC-20 tokens are one of the most common token standards on blockchains today. The standard defines a set of specifications that allow tokens to interoperate across different smart contracts and decentralized applications (dApps), and it specifies the basic functions of a token, such as transfers, balance queries, and authorizing third parties to manage tokens. Thanks to this standardized protocol, developers can issue and manage tokens more easily, which simplifies the creation and use of tokens. In fact, any individual or organization can issue their own tokens based on the ERC-20 standard and raise start-up funds for financial projects through token pre-sales. Because of their widespread use, ERC-20 tokens have become the basis for many ICOs and decentralized finance projects.

USDT, PEPE, and DOGE, which we are familiar with, are all ERC-20 tokens, and users can buy these tokens through decentralized exchanges. However, some fraud gangs may also issue malicious ERC-20 tokens with code backdoors, list them on decentralized exchanges, and then induce users to buy them.

Typical scam cases of Rug Pull tokens

Here we use one Rug Pull token scam to look more closely at how malicious token scams operate. First, it should be noted that Rug Pull refers to a fraudulent act in which the team behind a decentralized finance project suddenly withdraws the funds or abandons the project, leaving investors with heavy losses. Rug Pull tokens are tokens issued specifically to carry out such fraud.

The Rug Pull tokens mentioned in this article are sometimes also called “Honey Pot” tokens or “Exit Scam” tokens, but we will refer to them as Rug Pull tokens in the following text.

Case

The attacker (the Rug Pull gang) deployed the TOMMI token from the Deployer address (0x4bAF), created a liquidity pool with 1.5 ETH and 100,000,000 TOMMI, and then actively bought TOMMI through other addresses it controlled to forge trading volume in the pool and attract users and on-chain new-token sniper bots to buy TOMMI. Once enough sniper bots had been lured in, the attacker performed the Rug Pull from the Rug Puller address (0x43a9), dumping 38,739,354 TOMMI into the liquidity pool in exchange for about 3.95 ETH. The Rug Puller's tokens came from a malicious approve granted by the TOMMI token contract: when the TOMMI contract is deployed, the Rug Puller is given an allowance over the liquidity pool's tokens, which lets it transfer TOMMI directly out of the pool and then perform the Rug Pull.

Related Addresses

  • Deployer: 0x4bAFd8c32D9a8585af0bb6872482a76150F528b7
  • TOMMI token: 0xe52bDD1fc98cD6c0cd544c0187129c20D4545C7F
  • Rug Puller: 0x43A905f4BF396269e5C559a01C691dF5CbD25a2b
  • Fake user controlled by the Rug Puller (one of several): 0x4027F4daBFBB616A8dCb19bb225B3cF17879c9A8
  • Rug Pull funds transfer address: 0x1d3970677aa2324E4822b293e500220958d493d0
  • Rug Pull fund retention address: 0x28367D2656434b928a6799E0B091045e2ee84722

Related transactions

  • Deployer obtains startup funds from the centralized exchange: 0x428262fb31b1378ea872a59528d3277a292efe7528d9ffa2bd926f8bd4129457
  • Deploy TOMMI token: 0xf0389c0fa44f74bca24bc9d53710b21f1c4c8c5fba5b2ebf5a8adfa9b2d851f8
  • Create liquidity pool: 0x59bb8b69ca3fe2b3bb52825c7a96bf5f92c4dc2a8b9af3a2f1dddda0a79ee78c
  • Fund transfer address sending funds to the fake user (one of them): 0x972942e97e4952382d4604227ce7b849b9360ba5213f2de6edabb35ebbd20eff
  • Fake user buying the token (one of several): 0x814247c4f4362dc15e75c0167efaec8e3a5001ddbda6bc4ace6bd7c451a0b231
  • Rug Pull: 0xfc2a8e4f192397471ae0eae826dac580d03bcdfcb929c7423e174d1919e1ba9c
  • Rug Pull sends the funds to the transfer address: 0xf1e789f32b19089ccf3d0b9f7f4779eb00e724bb779d691f19a4a19d6fd15523
  • The transfer address sends funds to the fund retention address: 0xb78cba313021ab060bd1c8b024198a2e5e1abc458ef9070c0d11688506b7e8d7

Rug Pull Process

1. Prepare attack funds.

The attacker funded the Token Deployer (0x4bAF) with 2.47309009 ETH withdrawn from a centralized exchange, as the start-up capital for the Rug Pull.

In-depth investigation of the Rug Pull case reveals the chaos of Ethereum token ecology

Figure 1: Transaction in which the Deployer obtains start-up capital from the exchange

2. Deploy a Rug Pull token with a backdoor.

The Deployer creates the TOMMI token, pre-mines 100,000,000 tokens and allocates them to itself.


Figure 2: Transaction in which the Deployer creates the TOMMI token

3. Create the initial liquidity pool.

The Deployer created a liquidity pool with 1.5 ETH and all pre-mined tokens, receiving approximately 0.387 LP tokens.


Figure 3: Fund flow of the Deployer's liquidity pool creation transaction

4. Destroy all LP tokens representing the pre-mined supply.

The Token Deployer sends all LP tokens to address 0, destroying them. Since the TOMMI contract has no Mint function, the Token Deployer has in theory lost the ability to perform a Rug Pull at this point. (This is also one of the conditions needed to attract new-token sniper bots: some of these bots evaluate whether a newly pooled token carries Rug Pull risk. The Deployer also sets the contract Owner to address 0, all in order to fool the bots' anti-fraud checks.)


Figure 4: Transaction in which the Deployer destroys the LP tokens

5. Forge trading volume.

The attacker used multiple addresses to actively buy TOMMI from the liquidity pool, driving up the pool's trading volume and further attracting new bots to enter the market. (These addresses are attributed to the attacker because their funds come from the Rug Pull gang's historical fund transfer address.)


Figure 5: Transactions and fund flow of the attacker's other addresses buying TOMMI tokens

6. The attacker initiated the Rug Pull from the Rug Puller address (0x43A9), transferring 38,739,354 tokens directly out of the liquidity pool through the token backdoor and then dumping them into the pool, withdrawing about 3.95 ETH.


Figure 6: Rug Pull transaction and fund flow

7. The attacker sends the funds obtained from the Rug Pull to the transfer address 0xD921.


Figure 7: Transaction in which the Rug Puller sends the attack proceeds to the transfer address

8. The transfer address 0xD921 sends the funds to the fund retention address 0x2836. This shows that once a Rug Pull is complete, the Rug Puller forwards the proceeds to a fund retention address. Fund retention addresses are where the proceeds of a large number of the Rug Pull cases we monitor are collected: a fund retention address splits most of the funds it receives to start a new round of Rug Pulls, and the small remainder is withdrawn through centralized exchanges. We found several fund retention addresses; 0x2836 is one of them.


Figure 8: Fund transfer by the transfer address

Rug Pull code backdoor

Although the attacker tried to show the outside world that a Rug Pull was impossible by destroying the LP tokens, the attacker had in fact left a malicious approve backdoor in the openTrading function of the TOMMI token contract. When the liquidity pool is created, this backdoor makes the pool grant the Rug Puller address an allowance over its tokens, so that the Rug Puller address can transfer tokens directly out of the liquidity pool.


Figure 9: openTrading function in the TOMMI token contract


Figure 10: onInit function in the TOMMI token contract

The implementation of the openTrading function is shown in Figure 9. Its main job is to create a new liquidity pool, but the attacker also calls the backdoor function onInit from it (Figure 10), which makes uniswapV2Pair approve an allowance of type(uint256).max tokens, that is, an unlimited allowance, to the _chefAddress address. Here uniswapV2Pair is the liquidity pool address and _chefAddress is the Rug Puller address, which is specified when the contract is deployed (Figure 11).


Figure 11: Constructor of the TOMMI token contract

· Patterned crime

By analyzing the TOMMI case, we can summarize the following four characteristics:

1. Deployer obtains funds through centralized exchanges: The attacker first provides a source of funds for the deployer address (Deployer) through a centralized exchange.

2. Deployer creates a liquidity pool and destroys LP tokens: After creating the Rug Pull token, the deployer will immediately create a liquidity pool for it and destroy the LP tokens to increase the credibility of the project and attract more investors.

3. Rug Puller swaps a large number of tokens for ETH in the liquidity pool: The Rug Pull address (Rug Puller) swaps a large number of tokens (usually far more than the token's total supply) for the ETH in the liquidity pool. In other cases, the Rug Puller instead removes liquidity to obtain the ETH in the pool.

4. Rug Puller transfers the ETH obtained by Rug Pull to the fund retention address: Rug Puller will transfer the obtained ETH to the fund retention address, sometimes through an intermediate address for transition.

The above characteristics are common in the cases we captured, which shows that Rug Pull behavior has obvious pattern characteristics. In addition, after completing the Rug Pull, the funds are usually collected into a fund retention address, which suggests that these seemingly independent Rug Pull cases may involve the same group or even the same fraud gang.

Based on these characteristics, we extracted a Rug Pull behavior pattern and used it to scan and detect monitored cases in order to build a possible portrait of the fraud gang.

Rug Pull Gang

Mining fund retention addresses

As mentioned above, Rug Pull cases usually end with the funds being gathered into a fund retention address. Based on this pattern, we selected several highly active fund retention addresses with obvious characteristics of the modus operandi of related cases for in-depth analysis.

Seven fund retention addresses came to our attention, with 1,124 associated Rug Pull cases captured by our on-chain attack monitoring system (CertiK Alert). After the Rug Pull gang successfully carries out a scam, it collects the illicit proceeds into these fund retention addresses, which then split the deposited funds for future Rug Pull scams: creating new tokens, manipulating liquidity pools, and other activities. In addition, a small part of the deposited funds is cashed out through centralized exchanges or flash exchange platforms.

The statistics of funds at the fund retention address are shown in Table 1:


By counting the costs and revenues of all Rug Pull scams in each fund retention address, we obtained the data in Table 1.

In a complete Rug Pull scam, the Rug Pull gang usually uses one address as the deployer of the Rug Pull token and obtains the start-up funds through withdrawals from centralized exchanges to create Rug Pull tokens and corresponding liquidity pools. After attracting a sufficient number of users or new bots to purchase Rug Pull tokens using ETH, the Rug Pull gang will use another address as the Rug Pull executor to operate and transfer the proceeds to the fund retention address.

In the above process, we treat the ETH the Deployer obtained from the exchange, or the ETH the Deployer invested when creating the liquidity pool, as the cost of the Rug Pull (which of the two applies depends on the Deployer's behavior). The ETH the Rug Puller transfers to the fund retention address (or to another transit address) after completing the Rug Pull is treated as the income of the Rug Pull. This yields the income and expenditure data in Table 1; the ETH/USD rate used for the USD profit conversion is the spot price at the time the data was compiled (1 ETH = 2,513.56 USD, taken on August 31, 2024).

Note that while carrying out a scam, the Rug Pull gang also actively spends ETH buying the Rug Pull tokens it created, to simulate normal liquidity pool activity and attract purchases by new-token bots. This cost is not included in the calculation, so Table 1 overstates the gang's actual profit, which is somewhat lower.
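The four characteristics listed under "Patterned crime" and the cost/income convention just described can be combined into a per-case profiler. The Python below is an added example written for this article, not CertiK's own tooling: it runs the pattern over a constructed set of value movements modelled on the TOMMI flow (placeholder addresses and a placeholder `Movement` record, not real chain data) and reports which characteristics are present, who the Rug Puller is, and cost, income and return rate. Treating the exchange withdrawal as the cost when one exists, allowing one transit hop, and flagging tokens that left the pool in a transaction where no ETH entered it as the backdoor signature are our assumptions.

```python
from collections import namedtuple
from dataclasses import dataclass

ZERO_ADDRESS = "0x" + "0" * 40
# One value movement inside a case; asset is "ETH", "LP" or the token symbol.
Movement = namedtuple("Movement", "tx sender receiver asset amount")


@dataclass
class CaseProfile:
    deployer: str
    rug_puller: "str | None"
    cex_funded: bool          # characteristic 1: deployer funded from a CEX
    lp_burned: bool           # characteristic 2: LP tokens sent to address 0
    rug_swap: bool            # characteristic 3: oversized or unpaid-for sell into the pool
    funds_to_retention: bool  # characteristic 4: proceeds parked at a retention address
    cost_eth: float
    income_eth: float

    @property
    def matches_pattern(self) -> bool:
        return self.cex_funded and self.lp_burned and self.rug_swap and self.funds_to_retention

    @property
    def return_rate(self) -> float:
        return (self.income_eth - self.cost_eth) / self.cost_eth if self.cost_eth else 0.0


def _unpaid_pool_withdrawals(movements, token, pool):
    """Addresses that took the token out of the pool in a tx where no ETH entered the pool:
    tokens left without a swap, which is exactly what the approve backdoor enables."""
    paid_txs = {m.tx for m in movements if m.asset == "ETH" and m.receiver == pool}
    return {m.receiver for m in movements
            if m.asset == token and m.sender == pool and m.tx not in paid_txs}


def profile_case(movements, token, pool, deployer, total_supply, cex_addresses, retention_addresses):
    eth = [m for m in movements if m.asset == "ETH"]

    # 1. Deployer funded from a labelled centralized-exchange hot wallet.
    cex_funding = sum(m.amount for m in eth if m.receiver == deployer and m.sender in cex_addresses)
    pool_eth = sum(m.amount for m in eth if m.sender == deployer and m.receiver == pool)

    # 2. Deployer sent its LP tokens to the zero address.
    lp_burned = any(m.asset == "LP" and m.sender == deployer and m.receiver == ZERO_ADDRESS
                    for m in movements)

    # 3. A non-deployer sells into the pool more tokens than exist, or tokens it pulled
    #    out of the pool without paying for them (the TOMMI case).
    extractors = _unpaid_pool_withdrawals(movements, token, pool)
    rug_puller = None
    for m in movements:
        if m.asset == token and m.receiver == pool and m.sender != deployer:
            if m.amount > total_supply or m.sender in extractors:
                rug_puller = m.sender
                break

    # 4. Proceeds reach a retention address directly or through one transit hop.
    income, funds_to_retention = 0.0, False
    if rug_puller:
        forwarders = {m.sender for m in eth if m.receiver in retention_addresses}
        for m in eth:
            if m.sender == rug_puller and (m.receiver in retention_addresses or m.receiver in forwarders):
                income += m.amount
                funds_to_retention = True

    # Cost convention (our reading of the report's definition): the exchange withdrawal
    # if there was one, otherwise the ETH the deployer put into the pool.
    cost = cex_funding if cex_funding > 0 else pool_eth
    return CaseProfile(deployer, rug_puller, cex_funding > 0, lp_burned,
                       rug_puller is not None, funds_to_retention, cost, income)


# Constructed movements modelled on the TOMMI flow; all addresses here are placeholders.
CEX, DEPLOYER, POOL = "0xCEX", "0xDEPLOYER", "0xPOOL"
FAKE_BUYER, RUG_PULLER, TRANSIT, RETENTION = "0xFAKE", "0xRUG", "0xTRANSIT", "0xRETENTION"
TOMMI_SUPPLY = 100_000_000

def demo_movements(burn_lp=True):
    moves = [
        Movement("tx_fund", CEX, DEPLOYER, "ETH", 2.47309009),
        Movement("tx_pool", DEPLOYER, POOL, "ETH", 1.5),
        Movement("tx_pool", DEPLOYER, POOL, "TOMMI", TOMMI_SUPPLY),
        Movement("tx_pool", POOL, DEPLOYER, "LP", 0.387),
        Movement("tx_buy", FAKE_BUYER, POOL, "ETH", 0.1),           # gang address posing as a buyer
        Movement("tx_buy", POOL, FAKE_BUYER, "TOMMI", 5_000_000),
        Movement("tx_rug", POOL, RUG_PULLER, "TOMMI", 38_739_354),  # backdoor transferFrom, nothing paid
        Movement("tx_rug", RUG_PULLER, POOL, "TOMMI", 38_739_354),  # dumped straight back into the pool
        Movement("tx_rug", POOL, RUG_PULLER, "ETH", 3.95),
        Movement("tx_out", RUG_PULLER, TRANSIT, "ETH", 3.95),
        Movement("tx_park", TRANSIT, RETENTION, "ETH", 3.95),
    ]
    if burn_lp:
        moves.insert(4, Movement("tx_burn", DEPLOYER, ZERO_ADDRESS, "LP", 0.387))
    return moves

def demo_profile(burn_lp=True):
    return profile_case(demo_movements(burn_lp), "TOMMI", POOL, DEPLOYER,
                        TOMMI_SUPPLY, {CEX}, {RETENTION})
```

With `burn_lp=False` the same flow no longer satisfies characteristic 2, so `matches_pattern` is false even though the Rug Puller is still identified.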


Figure 12: Profit share of each fund retention address (pie chart)

The profit percentage pie chart is generated using the Rug Pull profit data of each address in Table 1, as shown in Figure 12. The top three addresses in terms of profit percentage are 0x1607, 0xDF1a, and 0x2836. Address 0x1607 has the highest profit, about 2,668.17 ETH, accounting for 27.7% of the profits of all addresses.

In fact, even if the funds are eventually gathered into different fund retention addresses, since there are a lot of commonalities between the cases associated with these addresses (such as the backdoor implementation method of Rug Pull, the cash-out path, etc.), we still highly suspect that these fund retention addresses may belong to the same gang.

So, is it possible that there is some connection between these fund retention addresses?

· Mining the relationship between fund retention addresses


Figure 13: Fund flow diagram of the fund retention addresses

An important indicator for determining whether there is a correlation between the fund retention addresses is to check whether there is a direct transfer relationship between these addresses. To verify the correlation between the fund retention addresses, we crawled and analyzed the historical transaction records of these addresses.

In most of the cases we have analyzed in the past, the proceeds of each Rug Pull scam will eventually flow to only one fund retention address. It is impossible to associate different fund retention addresses by tracking the direction of the proceeds. Therefore, we need to detect the flow of funds between these fund retention addresses to obtain a direct connection between the fund retention addresses. The detection results are shown in Figure 13.

It should be noted that the addresses 0x1d39 and 0x6348 in Figure 13 are the Rug Pull infrastructure contract addresses shared by all fund retention addresses. The fund retention addresses split the funds through these two contracts and send them to other addresses, and these addresses that receive the split funds use these funds to forge the transaction volume of Rug Pull tokens.

According to the direct transfer relationship of ETH in Figure 13, we can divide these fund retention addresses into three address sets:

1. 0xDF1a and 0xDEd0;

2. 0x1607 and 0x4856;

3. 0x2836, 0x0573, 0xF653, and 0x7dd9.

There are direct transfers within each address set but none between sets, so at first sight these 7 fund retention addresses fall into 3 separate groups. However, all 3 sets split ETH through the same infrastructure contracts for subsequent Rug Pull operations, which ties the seemingly loose 3 sets together into a whole. Does this then indicate that these fund retention addresses actually belong to the same group?

This issue will not be discussed in depth here, and everyone can think about the possibilities on their own.

· Exploring shared infrastructure

The fund retention addresses mentioned above share two main infrastructure addresses: 0x1d3970677aa2324E4822b293e500220958d493d0 and 0x634847D6b650B9f442b3B582971f859E6e65eB53.

Of these, infrastructure address 0x1d39 mainly exposes two functions: "multiSendETH" and a function known only by its selector "0x7a860e7e". "multiSendETH" splits a transfer: a fund retention address uses it to distribute part of its funds to multiple addresses, which are then used to forge the trading volume of Rug Pull tokens. The corresponding transaction is shown in Figure 14.

This split operation helps the attackers fake the activity of the tokens, making them look more attractive, thereby inducing more users or new bots to buy them. By doing this, the Rug Pull gang can further increase the deceptiveness and complexity of the scam.


Figure 14: Transaction in which a fund retention address splits funds through 0x1d39

The "0x7a860e7e" function buys Rug Pull tokens. After receiving split funds from a fund retention address, the other addresses, posing as ordinary users, either interact directly with Uniswap's Router to buy Rug Pull tokens or buy them through the "0x7a860e7e" function of 0x1d39, forging active trading volume.

Infrastructure address 0x6348 serves the same purpose as 0x1d39, except that its token-purchase function has the selector "0x3f8a436c"; we do not expand on it here.

In order to further understand the Rug Pull gang’s use of these infrastructures, we crawled and analyzed the transaction history of 0x1d39 and 0x6348, and counted the frequency of external addresses using the two functions in 0x1d39 and 0x6348. The results are shown in Tables 2 and 3.


From the data in Tables 2 and 3, the Rug Pull gang's use of the infrastructure addresses has a clear signature: only a small number of fund retention or transfer addresses split funds, while a large number of other addresses forge the trading volume of Rug Pull tokens. For example, as many as 6,224 addresses forged trading volume through address 0x6348. Such a large number of addresses makes it much harder to tell attacker addresses from victim addresses.

It should be noted that the Rug Pull gang’s method of forging transaction volume is not limited to using these infrastructure addresses. Some addresses will also directly exchange tokens through exchanges to forge transaction volume.

In addition, we also counted the usage of each function in the two addresses 0x1d39 and 0x6348 by the 7 fund retention addresses mentioned above, as well as the amount of ETH involved in each function. The final data are shown in Tables 4 and 5.


From the data in Tables 4 and 5, the fund retention addresses split funds 3,616 times through the infrastructure, for a total of 9,369.98 ETH. Moreover, with the exception of address 0xDF1a, the fund retention addresses only split and transfer funds through the infrastructure; buying the Rug Pull tokens is left to the addresses that receive the split funds. This shows that the Rug Pull gangs operate with a clear plan and a clear division of labor.

Address 0x0573 did not split funds through the infrastructure; in its associated Rug Pull cases, the funds used to forge trading volume came from other addresses. This shows that the operating styles of the different fund retention addresses differ somewhat.

By analyzing the financial connections between different fund retention addresses and their use of infrastructure, we have a more comprehensive understanding of the connections between these fund retention addresses. The modus operandi of these Rug Pull gangs is more professional and standardized than we thought, which further proves that there are criminal groups behind the scenes who carefully plan and operate all of this in order to carry out systematic fraud activities.

· Uncover the source of funds for the crime

When conducting a Rug Pull, the gang usually uses a fresh externally owned account (EOA) as the deployer of the Rug Pull token, and these deployer addresses usually obtain their start-up funds from centralized exchanges or flash exchange platforms. We therefore analyzed the source of funds in the Rug Pull cases associated with the fund retention addresses above, aiming to learn more about where the money for the crime comes from.

Table 6 shows, for each fund retention address, the distribution of funding-source labels of the Deployers in its associated Rug Pull cases.


From the data in Table 6, in the Rug Pull cases associated with each fund retention address, most of the Rug Pull token deployers' funds come from centralized exchanges (CEX). Of all 1,124 Rug Pull cases we analyzed, 1,069 were funded from the hot wallets of centralized exchanges, a share as high as 95.11%. This means that for the vast majority of Rug Pull cases, the specific account holders could be traced through the account KYC information and withdrawal records of the centralized exchanges, yielding key clues for solving the case.

As we conduct in-depth research, we find that these Rug Pull gangs often obtain funds from multiple exchange hot wallets at the same time, and the usage of each wallet (number of times used, proportion) is roughly the same. This shows that the Rug Pull gang intentionally increases the independence of the capital flow of each Rug Pull case, thereby making it more difficult for the outside world to trace its source and increasing the complexity of tracking.

Through a detailed analysis of these fund retention addresses and Rug Pull cases, we can draw a portrait of these Rug Pull gangs: they are well-trained, have clear division of labor, are premeditated and well-organized. These characteristics show the high level of professionalism of the gang and the systematic nature of its fraudulent activities.

Faced with such a tightly organized criminal group, we cannot help wondering about their promotion methods: how do these Rug Pull gangs get users to discover and buy these Rug Pull tokens? To answer this question, we turned to the victim addresses in these Rug Pull cases and tried to reveal how the gangs induce users to take part in their scams.

Mining the victim’s address

Through the analysis of fund associations, we maintained a list of addresses of the Rug Pull gang and used it as a blacklist to filter out the set of victim addresses from the transaction records of the liquidity pool corresponding to the Rug Pull tokens.

After analyzing these victim addresses, we obtained the victim address information associated with the fund retention address (Table 7) and the contract call information of the victim address (Table 8).


From the data in Table 7, we can see that in the Rug Pull cases captured by the on-chain monitoring system (CertiK Alert) we analyzed, the average number of victim addresses per case was 26.82. This number is actually higher than our initial expectations, which also means that the harm caused by these Rug Pull cases is greater than we previously thought.


From the data in Table 8, it can be seen that among the contract calls for purchasing Rug Pull tokens by the victim addresses, in addition to more conventional purchase methods such as Uniswap and MetaMask Swap, 30.40% of Rug Pull tokens were purchased through well-known on-chain sniper robot platforms such as Maestro and Banana Gun.

This finding reminds us that on-chain sniping robots may be one of the important promotion channels of the Rug Pull gang. Through these sniping robots, the Rug Pull gang is able to quickly attract participants, especially those who focus on token IPOs. Therefore, we focus on these on-chain sniping robots to further understand their role in the Rug Pull scam and its promotion mechanism.

Rug Pull Token Promotion Channel

We investigated the current Web3 new-token ecosystem, studied how on-chain sniper bots operate, and, with the help of some social engineering, identified two likely advertising channels for the Rug Pull gangs: Twitter and Telegram groups.

It should be emphasized that these Twitter accounts and Telegram groups were not created by the Rug Pull gang; they exist as basic components of the new-token ecosystem. They are maintained by third parties such as the teams operating on-chain sniper bots or professional new-token teams, and are dedicated to pushing newly launched tokens to new-token investors. For the Rug Pull gang they have become a natural advertising channel: the pushed new tokens attract users to buy the malicious tokens, enabling the fraud.

Twitter Ads


Figure 15: Twitter advertisement for the TOMMI token

Figure 15 shows the advertisement of the TOMMI token mentioned above on Twitter. It can be seen that the Rug Pull gang used the new coin push service of Dexed.com to expose its Rug Pull tokens to the outside world in order to attract more victims. In actual research, we found that a considerable number of Rug Pull tokens can find their corresponding advertisements on Twitter, and these advertisements often come from Twitter accounts of different third-party organizations.

Telegram group ads


Figure 16: Banana Gun new token push group

Figure 16 shows a Telegram group maintained by the Banana Gun team that is dedicated to pushing new tokens. The group not only pushes basic information about each new token but also offers a convenient purchase entry point: once a user has configured the Banana Gun Sniper Bot, clicking the "Snipe" button next to a token's push message (red box in Figure 16) buys the token immediately.

We manually checked the tokens pushed in the group and found that a large proportion of them were Rug Pull tokens. This finding further deepened our speculation that the Telegram group is likely to be an important advertising channel for the Rug Pull gang.

The question now is: what proportion of the new tokens pushed by third-party institutions are Rug Pull tokens, and how large are these Rug Pull gangs? To answer these questions, we decided to systematically scan and analyze the new tokens pushed in Telegram groups, to reveal the scale of the risk and the reach of the fraud behind them.

Ethereum Token Ecosystem Analysis

Analyze the tokens pushed in Telegram groups

In order to study the Rug Pull ratio of new tokens pushed in these Telegram groups, we crawled the information of new Ethereum tokens pushed by Banana Gun, Unibot and other third-party Token message groups from October 2023 to August 2024 through Telegram’s API, and found that these groups pushed a total of 93,930 tokens during this period.

According to our analysis of the Rug Pull case, the Rug Pull gang usually uses Rug Pull tokens to create a liquidity pool in Uniswap V2 and invests a certain amount of ETH. After a user or a new bot buys Rug Pull tokens in the pool, the attacker makes a profit by dumping the market or removing liquidity. The whole process usually ends within 24 hours.

We therefore distilled the following detection rules for Rug Pull tokens and applied them to the 93,930 tokens to determine the proportion of Rug Pull tokens among the new tokens pushed in these groups:

1. No transfer of the target token in the past 24 hours: Rug Pull tokens usually see no activity at all once the dump is complete;

2. A liquidity pool for the target token and ETH exists on Uniswap V2: the gang creates a token/ETH pool there;

3. The total number of Transfer events from token creation to detection time does not exceed 1,000: Rug Pull tokens are thinly traded, so the number of transfers is small;

4. A large liquidity removal or token dump occurred within the last 5 transactions involving the token: a Rug Pull ends with liquidity being withdrawn or tokens being dumped into the pool.

We applied these rules to the tokens pushed by the Telegram groups. The results are shown in Table 9.

In-depth investigation of the Rug Pull case reveals the chaos of Ethereum token ecology

As shown in Table 9, 46,526 of the 93,930 tokens pushed in Telegram groups were detected as Rug Pull tokens, or 49.53%. In other words, almost half of the tokens pushed in Telegram groups are Rug Pull tokens.

Some legitimate project teams also withdraw liquidity after their project fails. That behavior should not be lumped in with the Rug Pull fraud this article describes, so we need to consider how the false positives it causes affect our results. Detection rule 3 already filters out most such cases, but some misjudgments may remain.

To gauge the impact of these potential false positives, we measured the active time of the 46,526 tokens detected as Rug Pulls; the results are shown in Table 10. The active time lets us separate genuine Rug Pull behavior from liquidity withdrawals caused by project failure, and so estimate the actual scale of Rug Pulls more accurately.


A token's active time is measured from its creation to the last execution of the Rug Pull. We found that 41,801 of the detected Rug Pull tokens, or 89.84%, were active for less than 72 hours. Under normal circumstances 72 hours is not long enough to conclude that a project has failed, so this article does not treat a Rug Pull with an active time under 72 hours as a project team legitimately withdrawing its funds.

Even in the worst case, in which none of the remaining 4,725 tokens active for more than 72 hours counts as Rug Pull fraud as defined here, 89.84% of the detections still stand, so the analysis retains a high reference value. The 72-hour threshold is in fact conservative: in sampling tests, a considerable number of tokens active for more than 72 hours still fell into the category of Rug Pull fraud described in this article.

It is also worth noting that 25,622 tokens, or 55.07%, were active for less than 3 hours. The gangs are running a highly efficient cycle: their style is "short, flat and fast" (in quickly, out quickly), with a very high capital turnover rate.

We also examined the cash-out method and the contract calling method in these 46,526 Rug Pull cases in order to characterize the gangs' operating preferences.

The cash-out evaluation counts how many cases used each method by which the gang extracted ETH from the liquidity pool. The main methods are:

1. Dumping: the gang sells tokens obtained through pre-allocation or a code backdoor, draining all the ETH from the liquidity pool.

2. Removing liquidity: the gang withdraws all the liquidity it originally added to the pool.

The contract-call evaluation looks at which contract the gang called when executing the Rug Pull. The main targets are:

1. The decentralized exchange's Router contract: used to operate on the liquidity directly.

2. An attack contract built by the gang: a custom contract used to carry out more complex fraud operations.

By evaluating the cash-out methods and contract calling methods, we can further understand the modus operandi and characteristics of the Rug Pull gang, so as to better prevent and identify similar fraudulent activities.
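As an added example (not CertiK's own detection code), the following Python applies the four detection rules above to constructed token records and, for each hit, also records the cash-out method (liquidity removal versus dump) and the call target (router versus custom contract) discussed above, so that one pass yields the kind of tallies in Tables 10 to 12. It assumes each token's transactions have already been collected and decoded into the fields shown: the Uniswap V2 pair's Mint/Burn/Swap log in the transaction, the ETH that left the pool, and the token's Transfer event count. The router address and the pair event names are real; the token addresses, the `0xdead` attack contract and all transactions are made up. The "large" threshold (at least half of the pool's peak ETH reserve) is an assumption, as the article does not state its own.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

HOUR = 3600
# Real mainnet address of Uniswap V2 Router02 (lowercased for comparison).
UNISWAP_V2_ROUTER = "0x7a250d5630b4cf539739df2c5dacb4c659f2488d"


@dataclass
class Tx:
    timestamp: int             # block timestamp, unix seconds
    to: str                    # tx.to: the router or the gang's own contract
    pool_event: Optional[str]  # Uniswap V2 pair log in this tx: "Mint", "Burn", "Swap" or None
    eth_out: float             # ETH that left the token/WETH pool to the caller in this tx
    transfers: int             # Transfer events emitted by the token in this tx


@dataclass
class TokenRecord:
    address: str
    created_at: int            # deployment block timestamp
    has_weth_pair: bool        # UniswapV2Factory.getPair(token, WETH) != address(0)
    pool_eth_peak: float       # highest ETH reserve the pair ever held
    txs: List[Tx]              # token-involving transactions, chronological


def classify_cashout(tx: Tx, pool_eth_peak: float, large_ratio: float = 0.5) -> Optional[str]:
    """'remove_liquidity' (LP burn) or 'dump' (swap) if the tx drained a large share of the pool."""
    if pool_eth_peak <= 0 or tx.eth_out < large_ratio * pool_eth_peak:  # threshold is an assumption
        return None
    return {"Burn": "remove_liquidity", "Swap": "dump"}.get(tx.pool_event)


def classify_call_target(tx: Tx) -> str:
    """Router call versus a custom attack contract, judged by the transaction's `to` address."""
    return "router" if tx.to.lower() == UNISWAP_V2_ROUTER else "custom_contract"


def active_time_bucket(hours: float) -> str:
    return "<3h" if hours < 3 else "<72h" if hours < 72 else ">=72h"


def detect_rug_pull(rec: TokenRecord, now: int, max_transfers: int = 1000) -> Optional[Dict]:
    """Apply rules 1-4 at detection time `now`; return a verdict dict for a Rug Pull token, else None."""
    # Rule 1: no Transfer event in the 24 hours before detection.
    last_transfer = max((tx.timestamp for tx in rec.txs if tx.transfers > 0), default=rec.created_at)
    if now - last_transfer < 24 * HOUR:
        return None
    # Rule 2: a token/ETH Uniswap V2 pool exists.
    if not rec.has_weth_pair:
        return None
    # Rule 3: at most 1,000 Transfer events since creation.
    if sum(tx.transfers for tx in rec.txs) > max_transfers:
        return None
    # Rule 4: one of the last five transactions removed most of the liquidity or dumped into the pool.
    for tx in reversed(rec.txs[-5:]):
        cashout = classify_cashout(tx, rec.pool_eth_peak)
        if cashout:
            hours = (tx.timestamp - rec.created_at) / HOUR  # active time: creation -> last rug tx
            return {"cashout": cashout, "call_target": classify_call_target(tx),
                    "active_hours": hours, "bucket": active_time_bucket(hours), "eth_out": tx.eth_out}
    return None


def summarize(records: List[TokenRecord], now: int) -> Dict:
    """Tallies of the kind shown in Tables 10-12: by active-time bucket, cash-out method and call target."""
    counts: Dict = {"rug_pull": 0, "bucket": {}, "cashout": {}, "call_target": {}}
    for rec in records:
        verdict = detect_rug_pull(rec, now)
        if verdict is None:
            continue
        counts["rug_pull"] += 1
        for key in ("bucket", "cashout", "call_target"):
            counts[key][verdict[key]] = counts[key].get(verdict[key], 0) + 1
    return counts


# Constructed sample records (hypothetical addresses; not real on-chain data).
T0 = 1_700_000_000
RUG = TokenRecord("0xaaaa", T0, True, 5.0, [
    Tx(T0 + 60, UNISWAP_V2_ROUTER, "Mint", 0.0, 1),        # gang adds 5 ETH of liquidity
    Tx(T0 + 600, UNISWAP_V2_ROUTER, "Swap", 0.0, 1),       # victim buys
    Tx(T0 + 1200, UNISWAP_V2_ROUTER, "Swap", 0.0, 1),      # sniper bot buys
    Tx(T0 + 2 * HOUR, UNISWAP_V2_ROUTER, "Burn", 6.4, 2),  # rug: LP burned, 6.4 ETH withdrawn
])
DUMPER = TokenRecord("0xbbbb", T0, True, 8.0, [
    Tx(T0 + 60, UNISWAP_V2_ROUTER, "Mint", 0.0, 1),
    Tx(T0 + 300, UNISWAP_V2_ROUTER, "Swap", 0.0, 1),
    Tx(T0 + 100 * HOUR, "0xdead", "Swap", 9.9, 3),         # custom contract dumps backdoor-minted tokens
])
ACTIVE = TokenRecord("0xcccc", T0, True, 50.0,             # busy token: fails rule 3
    [Tx(T0 + i * 600, UNISWAP_V2_ROUTER, "Swap", 0.0, 5) for i in range(300)])

if __name__ == "__main__":
    print(summarize([RUG, DUMPER, ACTIVE], now=T0 + 200 * HOUR))
```

Keying the cash-out classification on the pair's Burn/Swap logs rather than on the outer function name is deliberate: when the gang routes through its own contract, the outer call is an arbitrary method on that contract, but the pool still emits the same events, so the cash-out method and the call target stay independent signals.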

The relevant evaluation data of the cash-out method is shown in Table 11.


The data show that in 32,131 cases, or 69.06%, the gang cashed out by removing liquidity. These gangs clearly prefer removing liquidity, probably because it is simpler and more direct: no complex contract code or extra steps are required. Cashing out by dumping, by contrast, requires the gang to plant a backdoor in the token contract so that it can obtain the tokens to sell at zero cost. That process is more cumbersome and carries more risk, so comparatively few cases use it.

The relevant evaluation data of the contract calling method is shown in Table 12.


Table 12 shows clearly that the gangs prefer to execute the Rug Pull through Uniswap's Router contract: 40,887 executions, or 76.35% of the total. The total number of Rug Pull executions, 53,552, exceeds the number of Rug Pull tokens, 46,526, which means that in some cases a gang performs several Rug Pull operations on one token, perhaps to maximize profit or to cash out in batches against different victims.

Next, we compiled cost and profit statistics for the 46,526 Rug Pull cases. We count the ETH the gang obtained from centralized exchanges or instant-swap services before deploying the token as cost, and the ETH recovered at the end of the Rug Pull as income. Because we do not include the ETH some gangs spent faking trading volume in the liquidity pool, the actual cost may be higher.

The cost and benefit data are shown in Table 13.


Across these 46,526 Rug Pull tokens, the total profit was 282,699.96 ETH, a return of 188.70%, equivalent to roughly 800 million US dollars. Even if the real profit is somewhat lower than this figure, the scale of funds is astonishing and shows how much these gangs have made from fraud.

The Telegram group data show that the Ethereum ecosystem is already saturated with Rug Pull tokens. One important question remains, however: do the tokens pushed in these Telegram groups cover all the tokens launched on the Ethereum mainnet? If not, what proportion of mainnet tokens do they represent?

Answering this gives a complete picture of the current Ethereum token ecosystem. We therefore analyzed Ethereum mainnet tokens to determine how much of the mainnet the Telegram-pushed tokens cover. This clarifies both the severity of the Rug Pull problem across the whole ecosystem and the influence of these Telegram groups on token promotion.

Analyze the tokens issued by Ethereum mainnet

We crawled the blocks for the same period as the Telegram analysis above (October 2023 to August 2024) through an RPC node and extracted the newly deployed tokens from them, excluding tokens that implement their business logic through a proxy, since Rug Pulls involving proxy-deployed tokens are very rare. This yielded 154,500 tokens, of which 54,240 were Uniswap V2 liquidity pool (LP) tokens; LP tokens are outside the scope of this article.

After filtering out the LP tokens we were left with 100,260 tokens. The relevant information is shown in Table 14.
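As an added example (not CertiK's crawler), here is a Python sketch of that collection step: walk a block range, pick out contract-creation transactions, keep the contracts that answer ERC-20 calls, and set aside Uniswap V2 LP tokens and proxy contracts. It runs against a constructed stand-in for an RPC node. The Uniswap V2 factory address, the EIP-1967 implementation slot and the function selectors are real; the contract addresses, blocks, receipts and bytecode in `FakeNode` are made up, and its methods mirror web3.py's `get_block`, `get_transaction_receipt`, `call`, `get_storage_at` and `get_code`. Proxy detection combines the EIP-1967 slot with a linear-sweep scan for DELEGATECALL that skips PUSH immediates, so an `0xf4` byte inside push data is not mistaken for an opcode; it remains a heuristic, and a false positive is still possible where `0xf4` sits in an unreachable data section such as the Solidity metadata trailer.

```python
from typing import Dict, List, Optional

# Real mainnet constants: Uniswap V2 factory and the EIP-1967 implementation slot.
UNISWAP_V2_FACTORY = "0x5c69bee701ef814a2b6a3edd4b1652cb9cc5aa6f"
EIP1967_IMPL_SLOT = "0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc"
# Function selectors: first 4 bytes of keccak256(signature).
SEL_TOTAL_SUPPLY, SEL_DECIMALS = "0x18160ddd", "0x313ce567"  # ERC-20 totalSupply(), decimals()
SEL_FACTORY, SEL_TOKEN0 = "0xc45a0155", "0x0dfe1681"         # Uniswap V2 pair factory(), token0()
ZERO_WORD = "0x" + "00" * 32


def word(n: int) -> str:                       # ABI-encode a uint256 return value
    return "0x" + n.to_bytes(32, "big").hex()


def addr_word(addr: str) -> str:               # ABI-encode an address return value
    return "0x" + addr[2:].lower().rjust(64, "0")


def word_to_addr(w: str) -> str:               # decode an ABI-encoded address
    return "0x" + w[-40:].lower()


def has_delegatecall(code: bytes) -> bool:
    """Linear-sweep disassembly: skip PUSH immediates so 0xf4 inside push data is not counted."""
    i = 0
    while i < len(code):
        op = code[i]
        if op == 0xF4:                          # DELEGATECALL
            return True
        i += 1 + (op - 0x5F if 0x60 <= op <= 0x7F else 0)   # PUSH1..PUSH32 carry 1..32 bytes
    return False


def looks_like_erc20(node, addr: str) -> bool:
    """Both totalSupply() and decimals() must return without reverting."""
    return all(node.call(addr, sel) is not None for sel in (SEL_TOTAL_SUPPLY, SEL_DECIMALS))


def is_proxy(node, addr: str) -> bool:
    """EIP-1967 implementation slot set, or DELEGATECALL reachable in the runtime code."""
    return node.get_storage_at(addr, EIP1967_IMPL_SLOT) != ZERO_WORD or has_delegatecall(node.get_code(addr))


def is_univ2_lp(node, addr: str) -> bool:
    """A Uniswap V2 pair reports the real factory from factory() and answers token0()."""
    factory = node.call(addr, SEL_FACTORY)
    return (factory is not None and word_to_addr(factory) == UNISWAP_V2_FACTORY
            and node.call(addr, SEL_TOKEN0) is not None)


def scan_blocks(node, start: int, end: int) -> Dict[str, List[str]]:
    out: Dict[str, List[str]] = {"tokens": [], "lp_tokens": [], "proxies": [], "other": []}
    for n in range(start, end + 1):
        for tx in node.get_block(n)["transactions"]:
            if tx["to"] is not None:           # contract creation has an empty `to`
                continue
            addr = node.get_receipt(tx["hash"])["contractAddress"].lower()
            if not looks_like_erc20(node, addr):
                out["other"].append(addr)
            elif is_univ2_lp(node, addr):      # LP tokens: out of scope
                out["lp_tokens"].append(addr)
            elif is_proxy(node, addr):         # proxy tokens: excluded from the mainnet set
                out["proxies"].append(addr)
            else:
                out["tokens"].append(addr)
    return out


# Constructed sample chain (hypothetical addresses, receipts, bytecode).
TOKEN, LP, PROXY, OTHER = ("0x" + "aa" * 20, "0x" + "bb" * 20, "0x" + "cc" * 20, "0x" + "dd" * 20)
IMPL = "0x" + "ee" * 20
# EIP-1167 minimal-proxy runtime: ... PUSH20 <impl> GAS DELEGATECALL ...
CLONE_CODE = bytes.fromhex("363d3d373d3d3d363d73" + IMPL[2:] + "5af43d82803e903d91602b57fd5bf3")


class FakeNode:
    """Stand-in for an RPC node; every value here is made up for the example."""
    blocks = {100: {"transactions": [{"hash": "0x01", "to": None}, {"hash": "0x02", "to": "0x" + "11" * 20},
                                     {"hash": "0x03", "to": None}]},
              101: {"transactions": [{"hash": "0x04", "to": None}, {"hash": "0x05", "to": None}]}}
    receipts = {"0x01": {"contractAddress": TOKEN}, "0x03": {"contractAddress": LP},
                "0x04": {"contractAddress": PROXY}, "0x05": {"contractAddress": OTHER}}
    calls = {(TOKEN, SEL_TOTAL_SUPPLY): word(10**24), (TOKEN, SEL_DECIMALS): word(18),
             (LP, SEL_TOTAL_SUPPLY): word(10**18), (LP, SEL_DECIMALS): word(18),
             (LP, SEL_FACTORY): addr_word(UNISWAP_V2_FACTORY), (LP, SEL_TOKEN0): addr_word(TOKEN),
             (PROXY, SEL_TOTAL_SUPPLY): word(10**24), (PROXY, SEL_DECIMALS): word(9)}
    storage = {(PROXY, EIP1967_IMPL_SLOT): addr_word(IMPL)}
    code = {PROXY: CLONE_CODE}

    def get_block(self, n): return self.blocks[n]
    def get_receipt(self, h): return self.receipts[h]
    def call(self, to, data): return self.calls.get((to, data))          # None models a revert
    def get_storage_at(self, a, slot): return self.storage.get((a, slot), ZERO_WORD)
    def get_code(self, a): return self.code.get(a, b"\x60\x80\x60\x40\x52")  # PUSH1 80 PUSH1 40 MSTORE

if __name__ == "__main__":
    print(scan_blocks(FakeNode(), 100, 101))
```

Against a real node, `call` should treat a revert as `None` rather than raising, and the ERC-20 probe is deliberately loose: a contract that answers `totalSupply()` and `decimals()` is counted as a token, which is the same inclusive choice the article's 154,500-token figure implies before LP and proxy filtering.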


We performed Rug Pull rule testing on these 100,260 tokens, and the results are shown in Table 15.


We found that 48,265 of the 100,260 tokens, or 48.14%, were Rug Pull tokens, roughly the same proportion as among the tokens pushed in Telegram groups.

In order to further analyze the inclusion relationship between the tokens pushed by the Telegram group and all the tokens launched on the Ethereum mainnet, we conducted a detailed comparison of the information of these two groups of tokens. The results are shown in Table 16.


Table 16 shows that the intersection between the Telegram-pushed tokens and the tokens captured from the mainnet is 90,228, or 89.99% of the mainnet tokens. A further 3,703 Telegram-pushed tokens are absent from the mainnet set; sampling showed that all of them are proxy-based tokens, which we excluded when capturing mainnet tokens.

As for the 10,032 mainnet tokens that the Telegram groups did not push, they were probably filtered out by the groups' push rules, for example for lacking sufficient appeal or failing to meet some push criterion.

For completeness, we ran Rug Pull detection separately on these 3,703 proxy-based tokens and found only 10 Rug Pull tokens. The proxy tokens therefore barely disturb the Rug Pull detection results for the Telegram-pushed tokens, and the results for Telegram-pushed tokens and mainnet tokens are highly consistent.

The addresses of the 10 proxy-based Rug Pull tokens are listed in Table 17; interested readers can examine them on their own. This article does not go into further detail here.

Through this analysis, we confirmed that the tokens pushed by Telegram groups have a high degree of overlap with the mainnet tokens in terms of Rug Pull token ratio, further verifying the importance and influence of these push channels in the current Rug Pull ecosystem.


We can now answer the question of whether the tokens pushed in Telegram groups cover all the tokens launched on the Ethereum mainnet and, if not, what proportion they account for.

The answer: the tokens pushed by Telegram groups account for about 90% of mainnet tokens, and their Rug Pull detection results are highly consistent with those of the mainnet tokens. The Rug Pull detection and data analysis of Telegram-pushed tokens above therefore reflects the current state of the Ethereum mainnet token ecosystem.

As noted above, about 48.14% of Ethereum mainnet tokens are Rug Pull tokens, but the remaining 51.86% are also of interest. Even after excluding Rug Pull tokens there are still 51,995 tokens of unknown status, far more than we would reasonably expect. We therefore measured the time from creation to last activity for all mainnet tokens; the results are shown in Table 18.


Table 18 shows that, across the whole Ethereum mainnet, 78,018 tokens, or 77.82% of the total, had a life cycle of less than 72 hours. This is considerably more than the number of Rug Pull tokens we detected, which shows that the detection rules in this article do not cover every Rug Pull case; sampling did in fact turn up Rug Pull tokens our rules missed. It may also mean that other forms of fraud are not covered, such as phishing attacks and honeypot tokens (the so-called "Pixiu" tokens that can be bought but never sold), which still require further study.

In addition, 22,242 tokens lived longer than 72 hours. These are not the focus of this article, so further details may remain to be discovered: some may be failed projects, others projects with a certain user base that never received long-term development support. The stories behind these tokens may reflect more complex market dynamics.

The token ecosystem of the Ethereum mainnet is much more complicated than we imagined. Various short-term and long-term projects are intertwined, and potential frauds are endless. This article is mainly to attract everyone's attention, hoping that everyone can realize that criminals have been quietly operating in unknown corners. We hope that through such analysis, we can encourage more people to pay attention and study, so as to improve the security of the entire blockchain ecosystem.

Thoughts

Rug Pull tokens account for 48.14% of newly issued tokens on the Ethereum mainnet, an alarming ratio. It means that on average one of every two tokens launched on Ethereum is used for fraud, which reflects the chaos and disorder of the current Ethereum ecosystem. What is really worrying, however, goes beyond Ethereum: among the Rug Pull cases captured by our on-chain monitoring program, other blockchain networks account for even more cases than Ethereum. What the token ecosystems of those networks look like deserves further in-depth study.

Moreover, even after excluding the 48.14% of Rug Pull tokens, Ethereum still sees about 140 new tokens launched every day, a daily issuance rate still far above any reasonable range. Do these uninvolved tokens hide other undisclosed secrets? These questions merit deeper thought and research.

At the same time, there are many key points in this article that need further exploration:

1. How can we quickly and efficiently determine the number of Rug Pull gangs in the Ethereum ecosystem and the connections between them?

With regard to the large number of Rug Pull cases currently detected, how can we effectively determine how many independent Rug Pull gangs are hidden behind these cases, and whether there are connections between these gangs? This analysis may require combining the flow of funds and the sharing of addresses.

2. How can victim addresses be distinguished from attacker addresses more accurately in Rug Pull cases?

Distinguishing between victims and attackers is an important step in identifying fraudulent activities, but the boundary between the victim's address and the attacker's address is blurred in many cases. How to distinguish them more accurately is an issue worthy of further study.

3. How can Rug Pull detection be moved to during, or even before, the event?

The current Rug Pull detection method is mainly based on post-event analysis. Can we develop a method for in-event or pre-event detection to identify the possible Rug Pull risks in currently active tokens in advance? This capability will help reduce investors’ losses and intervene in time.

4. What is the Rug Pull gangs' profit strategy?

Study the profit conditions under which gangs execute a Rug Pull (for example the average profit taken before running, see Table 13), and whether they use particular mechanisms to lock in that profit. Such information can help predict Rug Pulls and strengthen prevention.

5. In addition to Twitter and Telegram, are there any other promotion channels?

The Rug Pull gang mentioned in this article mainly promotes its scam tokens through channels such as Twitter and Telegram, but are there other promotion channels that may be exploited? For example, forums, social media, advertising platforms, etc. Do these channels also have similar risks?

These issues are worth our in-depth discussion and thinking, and we will not expand on them here, leaving them for everyone's research and discussion. The Web3 ecosystem is developing rapidly, and ensuring its security not only depends on technological progress, but also requires more comprehensive monitoring and more in-depth research to cope with the ever-changing risks and challenges.

Suggestions

As mentioned above, the current token issuance ecosystem is full of scams. As a Web3 investor, you may suffer losses if you are not careful. As the offensive and defensive confrontation between the Rug Pull gang and the anti-fraud team escalates, it is becoming increasingly difficult for investors to identify fraudulent tokens or projects.

For investors who want to take part in new token launches, our security team therefore offers the following suggestions:

1. Prefer buying new tokens through well-known centralized exchanges: these platforms review projects more stringently and are relatively safer.

2. When buying a new token through a decentralized exchange, verify its official website and on-chain address: make sure the token you buy is the official contract address, so that you do not buy a counterfeit.

3. Before buying, check that the project has an official website and community: projects without either are riskier. Be especially wary of new tokens pushed by third-party Twitter accounts and Telegram groups; most of them have not been security-reviewed.

4. Check the token's creation time and avoid tokens created less than 3 days ago: with a little technical background you can look up the creation time on a block explorer. Since Rug Pull tokens are active only briefly, avoid tokens younger than 3 days.

5. Use the token scanning service of a third-party security agency: If conditions permit, you can use the token scanning service provided by a third-party security agency to detect the security of the target token.

Call to Action

In addition to the Rug Pull scam group that this article focuses on, more and more similar criminals are using the infrastructure and mechanisms of various fields or platforms in the Web3 industry to make illegal profits, making the current security situation of the Web3 ecosystem increasingly severe. We need to start paying attention to some issues that are usually easily overlooked and prevent criminals from taking advantage of them.

As shown above, the gangs' funds ultimately flow in and out through major exchanges, and we believe Rug Pull proceeds are only the tip of the iceberg; the volume of malicious funds passing through exchanges may be far larger than imagined. We therefore strongly urge exchanges to apply stricter controls to such flows and actively crack down on fraud to protect users' funds.

The infrastructure of third-party service providers, such as project promotion channels and on-chain sniper bots, has in effect become a profit tool for fraud gangs. We call on all third-party service providers to strengthen security review of their products and content so that they cannot be abused by criminals.

At the same time, we also call on all victims, including MEV arbitrageurs and ordinary users, to actively use security scanning tools to detect target projects before investing in unknown projects, refer to project ratings from authoritative security agencies, and actively disclose the malicious behavior of criminals and expose illegal phenomena in the industry.

As a professional security team, we also call on all security practitioners to proactively discover, identify, and combat illegal activities, speak out frequently, and safeguard the property safety of users.

In the Web3 field, users, project owners, exchanges, MEV arbitrageurs, Bots and other third-party service providers all play a vital role. We hope that every participant can contribute to the sustainable development of the Web3 ecosystem and jointly create a more secure and transparent blockchain environment.