A rug pull is when the creators of a crypto token drain the liquidity pool and vanish, leaving holders with a worthless asset. Most rug pulls leave visible warning signs — anonymous team, unaudited contract, short liquidity lock, concentrated token supply, guaranteed-return promises — that a 30-minute pre-buy check catches before you buy.
What you'll learn
What rug pulls and exit scams are and how big the problem is in 2026
How rug pulls actually work, step by step
The 5 red flags that catch most rug pulls before launch
What a real rug pull case looks like
How exit scams differ from rug pulls
Which detection tools help you screen projects in 30 minutes
What to do before buying any new token, and after if you get rugged
What are rug pulls and exit scams, and how big is the problem in 2026?
A rug pull is when the creators of a crypto token or DeFi project drain the liquidity pool and disappear. An exit scam is similar but at the platform level: a custodial exchange or yield platform takes user deposits and vanishes. DappRadar tracking put 2025 rug-pull losses at nearly $6 billion, with most of that concentrated in the contested Mantra OM event; even excluding that outlier, hundreds of millions to a billion dollars in losses flow through this category every year (source: Cointelegraph coverage of DappRadar's 2025 rug-pull tracking). Over 300,000 scam tokens have been created since the DeFi era began, defrauding more than 2 million investors — more victims than the FTX, Celsius, and Voyager collapses combined (source: Solidus Labs rug-pull research). The 2026 trend is fewer pulls but higher average loss per incident.
The distinction matters because the defense differs. Rug pulls happen at the token level. You buy the token, the creator drains the pool, the token goes to zero. Exit scams happen at the platform level. You deposit funds to a custodial service, the operator runs off with the deposits. Rug pulls are caught with on-chain due diligence before purchase. Exit scams are caught with custodial-risk hygiene before deposit. Both involve the same underlying pattern: a project that looks legitimate at the surface and is not.
The 2026 enforcement environment is more active than 2023-2024. The SEC, DOJ, and international counterparts have brought cases against major rug-pull operators in the past 18 months. Recovery for individual victims is still rare. The enforcement deters operators marginally. The user-side defense remains the primary protection.
Rug pull vs exit scam vs pump-and-dump
| Property | Rug pull | Exit scam | Pump-and-dump |
|---|---|---|---|
| Level | Token | Platform | Token |
| Attack | Drain liquidity pool | Drain user deposits | Manipulate price |
| Loss timing | One transaction | Days or weeks of deposits | Hours to days |
| Defense | On-chain due diligence pre-buy | Custodial-risk hygiene pre-deposit | Price-pattern skepticism |
| Recovery odds | Very low | Low | Medium (if you exit fast) |
For the broader scam-awareness foundation, see crypto phishing attacks and social engineering in crypto.
How does a rug pull actually work?
The project creators set up a token on a DEX with paired liquidity: their token plus a real asset like ETH or BNB. Users buy the token, depositing the real asset into the liquidity pool. The creators wait for the pool to grow. They then remove the liquidity in a single transaction. The price crashes to zero. The token is worthless. The creators walk away with the real asset.
The mechanics are straightforward but the variations matter. A hard rug drains the pool in one transaction. The token price crashes 99.9% in minutes. A soft rug drains slowly through token-mint backdoors, fee mechanisms, or staking lockups that the creators control. The slow version is harder to detect because each individual drain looks like normal trading volume. The fast version is more common on memecoin DEX pools where the liquidity is small enough to drain instantly.
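Added example (not from the original article): a heuristic that separates the hard and soft patterns described above using periodic readings of a pool's real-asset reserve. The snapshot format, both thresholds and the sample histories are assumptions constructed for illustration.

```python
def classify_drain(snapshots, hard_step=0.90, soft_total=0.50):
    """Classify one pool's quote-asset reserve history (the ETH/BNB/SOL side).

    snapshots: [(unix_time, quote_reserve), ...], oldest first.
    hard_step and soft_total are assumed thresholds, not values from the article.
    """
    result = {"pattern": "insufficient data", "worst_step": 0.0,
              "worst_step_at": None, "drawdown": 0.0}
    if len(snapshots) < 2:
        return result
    peak = snapshots[0][1]
    for (_, prev), (ts, cur) in zip(snapshots, snapshots[1:]):
        peak = max(peak, cur)
        # Fraction of the reserve that left the pool between two readings.
        step = (prev - cur) / prev if prev > 0 else 0.0
        if step > result["worst_step"]:
            result["worst_step"], result["worst_step_at"] = step, ts
    last = snapshots[-1][1]
    result["drawdown"] = (peak - last) / peak if peak > 0 else 0.0
    if result["worst_step"] >= hard_step:
        result["pattern"] = "hard"    # pool emptied between two readings
    elif result["drawdown"] >= soft_total:
        result["pattern"] = "soft"    # large decline built from small steps
    else:
        result["pattern"] = "none"
    return result

# Constructed reserve histories: (time in seconds, reserve in quote-asset units).
HARD = [(0, 100.0), (3600, 400.0), (7200, 900.0), (10800, 1500.0), (10860, 1.5)]
SOFT = [(0, 1000.0), (3600, 1200.0), (7200, 1100.0), (10800, 1000.0),
        (14400, 900.0), (18000, 820.0), (21600, 740.0), (25200, 660.0),
        (28800, 590.0)]
HEALTHY = [(0, 1000.0), (3600, 1100.0), (7200, 1050.0), (10800, 1150.0)]

if __name__ == "__main__":
    for name, history in (("hard", HARD), ("soft", SOFT), ("healthy", HEALTHY)):
        print(name, classify_drain(history))
```

A "soft" result also fits an ordinary sell-off, so treat it as a prompt to inspect the contract for the mint, fee and lockup controls listed above. `worst_step_at` gives the reading at which to look for the liquidity-removal transaction on a block explorer.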
5-step rug pull mechanics
1. Creators deploy a token contract with paired liquidity (their token + ETH/BNB/SOL) on a DEX
2. Marketing campaign drives users to buy. Liquidity pool grows as buyers deposit ETH/BNB/SOL
3. Creators may use influencer pumps, fake audits, or false partnerships to accelerate growth
4. At a target pool size ($500K-$5M is typical), creators execute a "remove liquidity" transaction
5. Pool is empty. Token price crashes 99.9%. Creators move drained funds through a mixer within hours
Academic measurement matters here. Cernera et al. (USENIX Security 2023) studied 332,265 BSC token pools and found roughly 81% of one-day-lifetime tokens matched the rug-pull pattern, with PancakeSwap accounting for the overwhelming majority of those pools (source: Cernera et al., "Token Spammers, Rug Pulls, and Sniper Bots" (arXiv:2206.08202)). PancakeSwap is the dominant DEX for new BNB Smart Chain tokens, where most retail memecoin trading happens. Uniswap (Ethereum) has lower rug-pull rates because deployment costs are higher and KYC-friendly listings are more common. Raydium (Solana) sits between the two in rug-pull density. The 2026 surge in Solana memecoins has produced its own wave of rug pulls.
What are the 5 red flags that catch most rug pulls?
Five practical flags catch the majority of rug pulls before launch. Anonymous team with no verifiable background. Smart contract not audited by a reputable firm. Liquidity locked for under 30 days or not locked at all. Token concentration with one wallet or small group holding most of the supply. Guaranteed-return promises like "1000% APY" or "instant 10x." Checking all five takes about 30 minutes per project. Almost every rug pull leaves at least three of these visible before launch.
From Blofin's listing review pipeline, the rug pull projects we screen out share signatures. Anonymous team. Unaudited smart contract. Liquidity locked for under 30 days. Marketing volume disproportionate to project substance. The same five red flags catch most of them at the listing review stage. Retail investors who buy on chain do not have a listing review filter in front of them. The discipline is the same; the responsibility is theirs.
5-red-flag checklist
| Flag | What to check | How to verify | Why it matters |
|---|---|---|---|
| Anonymous team | Team identities, LinkedIn, prior projects | Search team names, reverse-image profile photos, check prior projects | Anonymous creators cannot be sued or pursued; raises the rug-pull risk substantially |
| Unaudited contract | Audit reports from CertiK, PeckShield, Halborn, or equivalent | Visit auditor's site; check report date matches deployment | An unaudited contract may contain rug-pull backdoors invisible to non-developers |
| Liquidity lock < 30 days | Liquidity-lock terms on contract or DEX | Use Unicrypt, PinkSale, or block explorer to verify lock duration | Short locks let creators pull liquidity immediately after launch; legitimate projects lock 6-12+ months |
| Token concentration | Holder distribution; top wallets' share | Use Etherscan, BscScan, or Solscan to check top holders | One wallet holding 30%+ can crash the price at will |
| Guaranteed-return promises | Marketing claims like "1000% APY," "instant 10x," "no-risk yield" | Read project docs and marketing | Real projects do not promise guaranteed returns; this is a baseline tell |
Liquidity locks deserve their own note. Legitimate projects lock liquidity for 6 to 12 months minimum, often longer. Locks under 30 days are a warning sign. No lock at all is a stop sign. Lock services (Unicrypt, Team.Finance, Mudra) publish the lock terms publicly. Anyone can verify before buying.
What does a real rug pull case look like?
A typical 2025-2026 rug pull looks like this. A new memecoin launches on a DEX. The team is anonymous behind a Twitter avatar. Marketing volume is high on launch day. Influencers (often paid) post about "100x potential." Liquidity is locked for 7 days. After 5-10 days, when the pool has grown to $500K-$2M, the team removes the liquidity in a single transaction. The price crashes 99.9%. The token is unsellable. The team's wallets are emptied to mixers within hours.
The historic reference cases set the pattern. Squid Game Token (2021) drained roughly $3.3M in a single transaction after viral pumping (source: Washington Post coverage of the Squid Game token rug pull). AnubisDAO (2021) drained around $60M in 20 hours (source: Decrypt: AnubisDAO investors lose $60M in alleged rug pull). Numerous memecoins on BNB Smart Chain and Solana in 2024-2025 followed the same template at smaller dollar amounts. The pattern repeats because the marginal cost of deploying a scam token is near zero and the marketing playbook is well-understood by criminal operators.
The case-specific details vary. Anonymous team avatars on Twitter/X. Discord servers with active "community moderators" who are part of the operation. Fake partnerships announced via press releases on minor crypto outlets. Influencers paid to post launch-day promotion. Liquidity locked for the minimum visible period to satisfy surface scrutiny. The whole operation is templated and reproducible. The rug pull is essentially a small business with a known life cycle.
Important caveat. Not every project that meets some red flags rugs. Many anonymous-team memecoins survive their launch window and become legitimate (if speculative) tokens. The flags are probability indicators, not certainties. A project with three flags has high rug risk. A project with all five has very high rug risk. A project with zero flags is not guaranteed safe but is much lower risk.
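Added example (not from the original article): the five-flag checklist and the flag-count caveat above, written as a repeatable check over data copied from a block explorer and a lock service. The `Project` fields, the exclusion of pool, locker and burn addresses from the concentration check, the regex and the sample values are assumptions made for this example.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

MIN_LOCK_DAYS = 30        # article: locks under 30 days are a warning sign
MAX_HOLDER_SHARE = 0.30   # article: one wallet holding 30%+ can crash the price
# The article's quoted tells ("1000% APY", "instant 10x", "no-risk yield");
# the 3+ digit APY cut-off and the word "guaranteed" are assumptions.
PROMISE_RE = re.compile(r"\d{3,}\s*%\s*APY|instant\s+\d+x|no[- ]risk|guaranteed", re.I)

@dataclass
class Project:
    team_verified: bool               # outcome of the manual identity search
    audit_verified: bool              # report found on the auditor's own site
    lock_expires: Optional[datetime]  # from the lock service; None = no lock
    holders: dict                     # address -> balance, as listed on the explorer
    excluded: set = field(default_factory=set)  # pool, locker and burn addresses
    marketing: str = ""

def top_holder_share(holders, excluded):
    """Largest wallet's share of listed supply, skipping non-wallet addresses."""
    total = sum(holders.values())
    wallets = [bal for addr, bal in holders.items() if addr not in excluded]
    return max(wallets) / total if wallets and total > 0 else 0.0

def red_flags(p, now):
    flags = []
    if not p.team_verified:
        flags.append("anonymous team")
    if not p.audit_verified:
        flags.append("unaudited contract")
    if p.lock_expires is None:
        flags.append("no liquidity lock")
    elif p.lock_expires - now < timedelta(days=MIN_LOCK_DAYS):
        # Remaining lock time at purchase, not the advertised original duration.
        flags.append("liquidity lock under 30 days")
    if top_holder_share(p.holders, p.excluded) >= MAX_HOLDER_SHARE:
        flags.append("token concentration")
    if PROMISE_RE.search(p.marketing):
        flags.append("guaranteed-return promise")
    return flags

def risk_tier(flags):
    # Article: three flags = high, all five = very high, zero = lower but not safe.
    n = len(flags)
    if n >= 5:
        return "very high"
    if n >= 3:
        return "high"
    return "lower" if n == 0 else "some flags"  # 1-2 flags: tier name is an assumption

# Constructed sample resembling the "typical" launch above; addresses are placeholders.
NOW = datetime(2026, 5, 1, tzinfo=timezone.utc)
SAMPLE = Project(
    team_verified=False, audit_verified=False,
    lock_expires=NOW + timedelta(days=7),
    holders={"0xPOOL": 400_000, "0xBURN": 100_000, "0xDEV": 350_000,
             "0xA": 90_000, "0xB": 60_000},
    excluded={"0xPOOL", "0xBURN"},
    marketing="Instant 10x! 1000% APY, no-risk yield.",
)

if __name__ == "__main__":
    found = red_flags(SAMPLE, NOW)
    print(risk_tier(found), found)
```

Without the exclusion set, the pool or burn address usually tops the holder list and either hides or falsely triggers the concentration flag, so identify those addresses on the explorer before reading the percentages.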
How are exit scams different from rug pulls?
Exit scams happen at the platform level, not the token level. A custodial exchange, yield platform, or "high-yield DeFi" service collects user deposits, operates normally for a while, then vanishes with the funds. The platform never had the assets it claimed. Rug pulls hit single tokens. Exit scams hit platforms. The defense is similar (verify everything before depositing) but the targets differ.
The historic exit-scam pattern: BitConnect promised 1% daily returns and collapsed in 2018 with $2.4 billion in losses, per the SEC complaint that drove the related criminal case (source: SEC complaint, BitConnect press release 2021-172). OneCoin promised a "Bitcoin killer" and turned out to be a Ponzi with roughly $4 billion in losses; the DOJ opened a victim claims process in 2026 (source: CoinDesk: DOJ opens claim process for OneCoin's $4 billion fraud victims). FTX (2022) was a hybrid case (partial fraud, partial mismanagement) that produced $8 billion in customer losses. The platform-level red flags overlap with rug-pull flags: anonymous founders are rare (regulators force KYC at the platform level), but unrealistic returns, opaque custody, and audit gaps all signal exit scam risk.
The defense against exit scams is the same self-custody discipline that defeats most custodial risk. Withdraw to self-custody anything you do not actively trade. Verify the platform's proof of reserves and audit history. Limit balances on any single platform to amounts you can afford to lose. Diversify across reputable venues with disclosed regulatory standing. The account-hardening layer that protects what you keep on exchanges is covered in two-factor authentication for crypto. None of this is foolproof but it caps the downside.
Exit scam vs rug pull
| Property | Rug pull | Exit scam |
|---|---|---|
| Level of attack | Token contract | Platform / company |
| Operator visibility | Often anonymous | Usually has named team (KYC at platform launch) |
| Detection path | On-chain due diligence | Platform-risk hygiene |
| Typical loss size | $500K-$5M per token | $10M-$8B per platform |
| Recovery odds | Very low | Low (bankruptcy proceedings sometimes return cents on the dollar) |
| Examples | Squid Game Token, AnubisDAO, memecoins | BitConnect, OneCoin, partial FTX |
For the custody-decision framing that pairs with exit scam defense, see what is self-custody.
What detection tools and platforms help screen projects?
Several tools scan smart contracts for known rug-pull patterns. CertiK SkyNet gives real-time security scores for major tokens (source: CertiK SkyNet Score documentation). RugDoc reviews DeFi protocols. Token Sniffer scans new tokens for honeypot and rug-pull signatures. DEXTools, GeckoTerminal, and Etherscan provide on-chain data for liquidity and holder concentration. None of these is foolproof. Used together, they catch most issues before you buy.
The 30-minute pre-buy check uses these tools in combination. 5 minutes: Check Token Sniffer or RugDoc for known rug-pull signatures in the contract. 5 minutes: Check Etherscan / BscScan / Solscan for holder distribution. 5 minutes: Check liquidity lock on Unicrypt, PinkSale, or Team.Finance. 5 minutes: Search the team's claimed identities. 10 minutes: Read the project's docs and assess whether the promises are realistic. The total is 30 minutes. The cost of skipping is the entire position.
Detection tool stack
| Tool | What it scans | When to use |
|---|---|---|
| Token Sniffer | Honeypot patterns, ownership red flags, holder concentration | Every new token before buy |
| RugDoc | DeFi protocol reviews; risk badge for known protocols | Every DeFi protocol before deposit |
| CertiK SkyNet | Real-time security score for major tokens | Top-200 tokens; verifies audit history |
| Etherscan / BscScan / Solscan | On-chain holder data, contract code, transaction history | Verify holder distribution and contract source |
| Unicrypt / PinkSale / Team.Finance | Liquidity lock duration and conditions | Verify the lock period claimed by the team |
| GoPlus / Quick Intel | Token security scans | Backup scan in 30-second mode |
No single tool is sufficient. CertiK SkyNet has high false-negative rates on small-cap tokens. Token Sniffer can miss novel rug patterns. RugDoc covers DeFi but not memecoins. The combination is what works. A project that passes all six in your 30-minute check is much less likely to be a rug than one that fails any of them. The wallet-software check that pairs with these on-chain tool checks is covered in how to verify wallet software.
What should you do before buying any new token, and after if you get rugged?
The pattern in users who never get rugged is the same pattern in users who never get phished. They take 30 minutes before buying instead of 30 seconds. They check the contract on a scanner. They look up the team. They verify the liquidity lock. The work takes one cup of coffee. The payoff is avoiding a category of loss that is almost never recovered.
Before buying any new token, run the pre-buy check. Run the 5-red-flag verification. Run the 30-minute detection-tool sweep. Set position size assuming the token may go to zero. Use a separate wallet for speculative positions, not your main wallet — see hardware wallet guide for the cold-storage option that holds the bulk of your portfolio while a separate hot wallet handles speculation. If the project passes the checks, the position is still speculative; failed checks mean no buy. After getting rugged, the procedure is short. Trace the funds on chain. Notify the receiving exchange if the rugger's address sent to one. File with FBI IC3 (US) or your jurisdiction's equivalent. Recovery is rare. Documentation is for the record and to help broader enforcement.
Pre-buy + post-rug procedure
| Stage | Action | Time |
|---|---|---|
| Pre-buy minute 0 | Token Sniffer or RugDoc scan | 5 min |
| Pre-buy minute 5 | Etherscan holder check (top wallets, concentration) | 5 min |
| Pre-buy minute 10 | Liquidity lock verification on Unicrypt or PinkSale | 5 min |
| Pre-buy minute 15 | Team identity search; reverse-image profile photos | 5 min |
| Pre-buy minute 20 | Read project docs; assess promises against feasibility | 10 min |
| Position sizing | Assume the position may go to zero; set size accordingly | 1 min |
| Wallet hygiene | Use a separate wallet for speculative positions | 0 min (one-time setup) |
| Post-rug step 1 | Trace funds on chain using Etherscan, Arkham, or Breadcrumbs | 10-30 min |
| Post-rug step 2 | Notify receiving exchange of rugger's deposit if applicable | 10 min |
| Post-rug step 3 | File with FBI IC3 (US) or local equivalent | 20 min |
For the broader recovery path if you got hit by an adjacent scam, see how to recover a crypto wallet, the step-by-step compromised wallet emergency steps for the first-hour response, and crypto scam recovery and reporting for the formal-reporting workflow.
Frequently asked questions
Are rug pulls illegal?
Usually yes in the US and most major jurisdictions, but enforcement is uneven. The SEC, DOJ, and FBI have brought cases against major rug-pull operators. Smaller rug pulls below enforcement thresholds rarely face action. The anonymity of many rug-pull operators makes prosecution difficult even when the act is clearly illegal. From the victim's perspective, the legal classification matters less than the practical recovery odds, which are very low.
Can I sue if I got rugged?
Sometimes, rarely successfully. Class actions against identifiable rug-pull operators have produced some recoveries. Litigation against anonymous operators is impractical. Suing the DEX (Uniswap, PancakeSwap, Raydium) where the rug pull happened generally fails because the DEX is a permissionless protocol and not the operator of the rugged project. Lawyers specializing in crypto recovery exist but typically pursue larger cases ($100K+ losses).
What are the recovery odds after a rug pull?
Very low. Most rug pulls move funds through mixers (Tornado Cash before sanctions, similar tools after) within hours. Once funds are mixed, on-chain tracing becomes much harder. Recovery rates are estimated in the low single digits — typically under 5%, and often under 1% for large rug pulls where funds are mixed quickly. The cases that recover are typically large-dollar cases where law enforcement coordinated with exchanges to freeze funds before withdrawal. For US-based victims, file with the FBI Internet Crime Complaint Center (source: FBI IC3).
How can creators do this if there's KYC on the platform?
KYC at the DEX level barely exists. Uniswap, PancakeSwap, and Raydium are permissionless. Anyone can deploy a token without identifying themselves. KYC exists at the centralized exchange listing level (Binance, Coinbase, Blofin) but not at the DEX deployment level. The rug-pull operator deploys directly on a DEX, bypassing any platform-level KYC.
What makes Solana more vulnerable to rug pulls?
Three factors. Cheap and fast token deployment (under $1 to launch a new token). High retail memecoin volume during 2024-2025 attention waves. Limited tooling maturity for on-chain investigation compared to Ethereum. The Solana ecosystem has improved tooling in 2026 (Solscan, SolanaFM, RugCheck) but the deployment cost and memecoin enthusiasm continue to attract rug-pull operators.
What protections do centralized exchange listings provide?
Reputable centralized exchanges (Blofin, Coinbase, Kraken, Binance) screen tokens before listing. The screening typically covers team identity verification, smart contract audit, liquidity, holder distribution, and regulatory status. Tokens that pass listing review at major exchanges have lower rug-pull risk than DEX-only tokens. The listing review is not perfect; some tokens that listed at major venues later turned out to be problematic. But the floor is substantially higher than DEX-direct deployment.
What is the safest way to invest in new tokens?
Three rules. Wait for the token to have a track record (at least 3-6 months post-launch, ideally with one major market downturn survived). Buy through reputable exchanges that screen listings, not DEX-direct. Size positions assuming any new token may go to zero. The three rules together do not eliminate risk but they cap the downside and remove most of the rug-pull surface. The trade-off is missing some "100x" opportunities; the math says most of those "100x" outcomes are rugs in disguise.
Researched and written by the Blofin Academy editorial team with AI-assisted drafting. Primary sources include the Cernera et al. USENIX Security 2023 paper on BSC token rug-pull patterns, DappRadar's 2025 rug-pull tracking (via Cointelegraph), Solidus Labs research on the 300K-token scam corpus and 2M-victim count, the SEC complaint in the BitConnect case, DOJ coverage of the OneCoin $4B fraud, Washington Post coverage of the Squid Game Token rug pull, Decrypt's reporting on AnubisDAO, CertiK SkyNet product documentation, and the FBI Internet Crime Complaint Center reporting channel. All facts independently checked against cited sources current as of May 2026.
This article is educational and does not constitute financial, legal, or investment advice. Rug pull and exit scam risk are inherent to permissionless token deployment and unregulated platforms. The 5-red-flag framework reduces but does not eliminate risk. Past performance and current red-flag status do not guarantee future outcomes. Blofin does not list tokens that fail listing review; tokens listed on Blofin have undergone screening but the listing does not constitute investment advice.
