Exit scams, popularly referred to as rug pulls, are an ongoing criminal scheme in Web3. A rug pull involves fraudsters robbing a crypto project by liquidating their holdings without warning and leaving investors holding worthless tokens. While there is plenty of statistical information available detailing the prevalence and impact of exit scams over the years, there is less data examining the characteristics of rug pulls and the criminals committing these rug pulls. Filling this gap can result in actionable security methods that are informed by data-driven research. This research can improve anti-money laundering (AML) efforts, consumer protection, and the integrity of the crypto market as a whole.

This report analyzes the life cycle of an exit scam, from inception right up to completion. We can better understand the anatomy of a rug pull in its entirety when the entire life cycle of the scam is examined. From analyzing common characteristics, we can better understand potential risk factors and commonalities leading up to these scams. By identifying these trends and indicators, we can work to more efficiently secure the Web3 world by responding with more informed security approaches and tactics, both now and in the future.

CertiK conducted a study of 40 rug pulls to better understand the commonalities and differences leading up to the eventual removal of liquidity. By identifying both quantitative and qualitative variables of project characteristics, we were able to identify and analyze common features of rug pulls.

Conceptualization

In this study, we define an exit scam or rug pull as a criminal scheme involving a project being drained of its funds by one or more team members, after having used aggressive marketing and hype building to dupe investors.

For this study, only “hard” rug pulls were examined. which is when a project's team suddenly withdraws the funds from a project after garnering a significant amount of investment from their community. A soft rug pull is a more subtle way for founders to achieve the same goal of scamming their community. Rather than dumping all of their tokens on the market at once, founders will slowly sell their tokens while maintaining the front that they are still invested in and are supporting the project.

Additional information can be found in our blogpost on the differences between a hard and soft exit scam.

Methodology

We selected a random sample of 40 hard rug pulls from our comprehensive list of all rug pulls that occurred between 2020 and 2023. The sample collected ranged widely in the total amount stolen, ranging from approximately $3,000 to $12,000,000.

Criminal Profiling

The bad actor(s) responsible for hard rug pulls is always related to the project team. This is what makes an incident a rug pull. Otherwise, the event would be considered an exploit or hack if the project team was not responsible.

In our study of rug pulls, the responsible actor(s) were categorized into one of four groups: Project Team, Rogue Developer, Project Owner, or Undetermined. The definitions and findings of each category are detailed further below:

The Project Team category, accounting for 62.5% of cases, included situations where the entire project team was responsible for the rug pull. This figure includes one-person teams.

Rogue Developers, responsible for 10% of cases, were identified through notices from the remaining project team members.

Project Owners, responsible for 15% of cases, were also identified through notices from the project team.

The remaining 5 cases could not be reasonably determined and were classified as Undetermined.

This research highlights the importance of being vigilant when evaluating new projects and their associated risks. With the majority of rug pulls being caused by the project team, it's crucial to consider the team's motivations, intentions, and track record before investing in a project.

An established track record of integrity from a project is a strong positive signal. The average rug pull is active for 93 days before the eventual scam. Newly deployed projects with unknown developers and no commitment to transparency or decentralization should be treated with caution.

To combat the risk of these kinds of scams and help users make informed decisions, CertiK developed the KYC Badge initiative. This program focuses on verifying and vetting the teams behind projects, granting the badge only to those teams that agree to undergo a thorough background investigation. CertiK KYC helps to separate verified, transparent, and accountable teams from other projects. KYC investigators come from a variety of intelligence and law enforcement backgrounds and apply their skills to the comprehensive KYC process.

Rug Pull Red Flags

Through an enhanced due diligence process and thorough audits of the team and project management, CertiK investigators were able to identify a number of projects that raised major red flags. This risk was repeatedly detected through an analysis of intelligence discrepancies, a proprietary set of risk signals, and a dataset of known malicious Web3 operators.

Our investigators gained further insights through direct conversations with applicants to our KYC program who were identified as highly exposed to this risk. Out of the sample of 40 projects that ultimately executed a rug pull, we were able to interview two projects that eventually committed exit scams.

Project 1: Team Exit Scam

CertiK investigators interviewed the project owner of an anonymized project, which will be referred to as Project 1. During the interview with the project owner, several red flags were detected. The applicant was evasive, struggling to recall the names and even nicknames of other team members involved with the project. They also distanced themselves from the project, claiming to not know much about it and its structure.

Furthermore, the project owner and team members had no prior experience in crypto and were unable to provide any explanation of the utility of the project. They claimed the project’s goal was to donate to specific charity causes, yet they had no plan or process in place to do this and could not name specific charities or the proportion of funds that would go to these efforts. The charity claims appeared to be used as a mere marketing tactic to recruit investors.

Three months after this initial conversation, the project rug pulled. Our on-chain analysis indicated that the project’s team was responsible for the exit scam, and we reported them to the FBI and passed on the proof of identity documents that were submitted to us as part of the KYC process.

Project 2: Rogue Developer Exit Scam

In contrast to Project 1, the person responsible for Project 2’s exit scam was an anonymous developer who went rogue and stole all project funds. CertiK's conversation with the project owner of Project 2 took place a few days prior to the exit scam.

Project 2 had a visible online presence, with all members – except the developer who ultimately went rogue – having public associations with the project. When speaking with the project owner, all the names and identities of all the other members were disclosed but the project owner knew nothing of the anonymous developer. This developer went by a pseudonym, never participated in voice or video calls with the team, and revealed no personal information. The project owner felt that this was not a concern as the developer claimed to have extensive crypto experience and even named prior projects they had worked on. Additionally, the project owner firmly believed that most developers remain anonymous on project teams and that it was not a risk.

CertiK investigators noted that Project 2 did not have many other risk factors outside of the anonymous developer. However, this risk was heavily weighted, as the presence of a completely anonymous developer who holds smart contract privileges greatly increases the chance of a rug pull.

A few days after this conversation with the founder, the anonymous developer rug pulled the project.

How They Do It

Our analysis also uncovered a number of other commonalities shared by projects that ultimately rug pulled. This is by no means a “How to Commit an Exit Scam” guide; by shedding light on the most common behaviors of shady project founders we are making it easier for users to conduct their own accurate due diligence investigations. As the saying goes, sunlight is the best disinfectant, and the goal of this report is to make it more difficult for the pernicious threat of exit scamming to continue in the open.

Red Flag #1: Website Registration

Of the 40 projects analyzed, 37.5% of projects, or 15 total, used Namecheap as their domain registrar. Namecheap is a domain privacy provider that does not appear to require any personal information to register a domain. These services can potentially replace the real contact information associated with the domain with information from privacy services and randomly generated email addresses. Namecheap, based in the United States, may be subject to being subpoenaed by law enforcement, but its lack of requirement for personal or identifying information to register a website could be appealing to future exit scammers.

It is worth noting that 4 of the 40 projects did not have clearly identifiable website domains or no data was available on their associated website domain. The projects registered via Namecheap and the ones that were unknown combined accounted for 45% of the entire sample.

Additionally, the four exit scams that were pulled off by rogue developers did not use Namecheap, further indicating that projects that do not begin without malicious intent are less likely to intentionally use privacy domain providers in attempting to conceal private information.

None of the other registrars had enough statistical significance across the sample to make up a large percentage of the total domain registrations.

Red Flag #2: Project Lifespan

Another important variable to consider when researching the leadup to an exit scam is thelifespan of the project. The project lifespan in the context of this research is defined as the number of days from the inception date of the project to the date of the exit scam. The inception date for the project was calculated by compiling the social media creation dates, the on-chain wallet creation date, and the website date. From there, the inception date was averaged between what dates were available from those three categories. From our research, we reasonably identified the inception date of 36/40 projects that rug pulled. Five of the sampled projects did not have discernable data available in those three categories where we could determine an inception date.

Once the inception and rug-pull dates were collected for the 36 projects, the mean and median lifespan of the project was calculated in days. For reference, the mean here is the average taken of all days combined and averaged by the 36 projects. The median is the middle value of the entire data set ordered from the fewest days to the greatest days between the inception and rug pull.

We found that the average project that rug pulled existed for 92 days from inception to the scam. The median lifespan, or most common, was 57 days from start to finish.

While these findings show that a majority of rug-pulled projects have a typical lifespan of three months or less, it is important to note the outliers in the data. For instance, there were four projects in the sample that had a lifespan of approximately 300 days or more. These four projects ranged in criminal actor type, including project team, project owner, and rogue developer, suggesting that while this data speaks to trends and characteristics of rug pulled projects, these findings are not wholly descriptive of all exit scam projects.

Red Flag #3: Fraudulent Tactics

CertiK conducted a content analysis across the sample in order to identify common fraudulent marketing tactics designed to appeal to potential investors. When considering that the average lifespan of a rug-pulled project is 93 days, as detailed above, projects with malicious intent will focus on expanding their reach with investors in order to acquire the most amount of funds possible before the rug. Scammers that plan to rug pull are incentivized to employ scamming tactics that exploit the emotional and physiological triggers of investors in order to maximize investment into their project.

CertiK found that projects would oftentimes use multiple tactics within their project presentation. The full makeup and overlap of these tactics are visualized in the Venn diagram below.

The above Venn diagram illustrates that all categories had some overlap with other tactics, demonstrating that individual tactics are not typically used in a vacuum and are often a part of more complicated fraudulent schemes.

Red Flag #4: Rug Pull Roadmap and Whitepapers

For the 31 projects where website and project data could accurately be collected, CertiK found that most of the rug pulled projects do not consistently have roadmaps or whitepapers available. In cases where they were available, they were found to be of poor quality, with many grammatical errors, missing information, and oftentimes fraudulent messaging being used within these materials. The more sophisticated projects that did have roadmaps and whitepapers would heavily focus on marketing material that promoted false legitimacy appeal. Of the 31 projects, only seven had roadmaps and only four published whitepapers. For projects that had neither, many of them would state that the roadmap or whitepaper were coming soon.

Red Flag #5: Suspicious Team Presentations

Another important variable examined in this study was the team presentation within the projects and if the team was anonymous, semi-anonymous, or identified. Within the sample, the team presentation was collected for 31 projects. There was not a single case where a team was fully identifiable.

A majority of the projects were completely anonymous, accounting for 24 of the 31 projects. The 7 remaining projects were identified as semi-anonymous, accounting for 22.6% of the sample, however, teams varied in their presentation of their team within this category. Some projects listed one project team member with no identifiable information beyond that. Other teams used photos and names that were later determined by our investigators to be fraudulent.

We uncovered exit scams using AI-generated headshots of “teammembers” which were accompanied by false names and false information. Malicious projects will continue to adapt their tactics to make use of the latest technology.

Using Criminal Profiling to Detect and Prevent Rug Pulls

We identified and analyzed seven significant variables of characteristics and trends of projects that have committed hard rug pulls. We found major commonalities across these variables, indicating that rug pulls operate using broadly similar tactics. While these trends help us better understand common characteristics of exit scam projects prior to the rug, they also show the dynamic adaptations of these projects.

While the findings suggest that most rug-pulled projects have a short lifespan, are conducted by the project team, and use domain registrars that do not maintain the personal information of the registrant, there are plenty of exceptions. These findings should inform risk assessments when evaluating the risk of a project conducting an exit scam, but not be viewed as absolute.

The best scammers know these tactics and will utilize them to their advantage in trying to appeal to as many potential investors as possible. As a result, it is essential to conduct your own due diligence and refer to specialists with expertise in Web3 security.

Using a third-party security auditor to carry out background checks can enhance the security measures' efficiency and effectiveness. The auditor will ensure the confidentiality of the applicant's personal information, even from the recruiter, and appear more credible to the applicant. CertiK's team of experts consists of professionals with intelligence and law enforcement backgrounds. Along with utilizing a thorough background investigation and risk assessment process, CertiK has a unique database of repeat Web3 fraudsters and customized risk indicators that aid in fraud detection.

Exit scams are a persistent threat to the Web3 ecosystem. We’ve identified some of the major red flags to be watchful for, and our KYC process offers rigorous vetting for teams that wish to stand out from the crowd and prove their legitimacy. These threats are unlikely to disappear, but by raising the standard of security and transparency, and giving those teams that wish to stand out the tools to do so, we can help users make informed decisions and avoid falling victim to scams that exhibit red flags.