The Rise of Cryptocurrency Exit Scams and DeFi Rug Pulls

An investigative report explaining what cryptocurrency exit scams and DeFi rug pulls are, how they are carried out, and the tracing and investigations of such crypto frauds.

Cylynx

May 19, 2021 · 6 min read

Decentralised Finance or DeFi refers to financial applications built on top of blockchain systems with no central immediaries. As calculated by Coingecko, the market coin of the DeFi space has grown above $100B in 2021. The flood in capital also makes it a prime area for hackers and scammers to operate.

CipherTrace reports that DeFi rug pulls and exit scams formed 99% of all crypto frauds in 2020. DeFi-related hacks now make up more than 60% of the total hack and theft volume in 2021, a large increase from only 25% in 2020. Many of the recent investigations which Cylynx conducted are also linked to the use of DeFi smart contracts to hide and launder funds. In this advisory report, we discuss how exit scams are conducted and how investigators can trace and monitor such activity on the blockchain.

What are exit scams and DeFi rug pulls?

Both exit scams and DeFi rug pulls are crypto frauds. Exit scams happen when cryptocurrency promoters disappear with investors' money during or after an initial coin offering (ICO). DeFi rug pulls are a new form of exit scam whereby crypto developers abandon a project and run away with investors' funds by taking away buy support or Decentralised Exchange (DEX) liquidity pool from the market.

How are exit scams and rug pulls carried out?

Rug pulls typically occur in the DeFi ecosystem, especially on decentralised exchanges (DEXs) such as Uniswap or Sushiswap, as fraudulent token creators are able to create and list tokens for free without audit.

Scammers can create a token on a DEX and pair it with a leading cryptocurrency such as Ethereum. Thereafter, once investors have swapped their ETH for the new token or coin, scammers would drain the DEX pool. This drives the coin's price to zero, leaving investors with nothing but virtually worthless coins.

How to Spot a Rug Pull?

Here are some telltale signs of exit scams or rug pulls:

  1. Low or No Team Credibility

    Verify the team’s credibility through searching for their track records, social media, employment history, industry connections, etc.

  2. Ambiguous Cryptocurrency White Paper

    If the white paper is written in an ambiguous and unclear manner, it is often a red flag that it might potentially be an exit scam. An external audit is an indicator of the smart contract soundness, but not necessarily of the project’s soundness.

  3. Unrealistic Projections of Returns

    As with other scams, if something seems too good to be true, it probably is.

  4. Large Spendings on Promotion and Marketing

    Although highly promoted ICOs may not necessarily be a scam, do exercise caution when deciding to invest in projects which are heavily promoted. This is because less credible founders tend to rely on promotions and advertising to attract investors.

  5. Few Wallet Holders and Listing only on DEX Platforms

    Verify the number of token holders via a block explorer tool like Etherscan. Check whether it is listed and traded on other popular exchanges. A quick search on Coingecko can reveal more information about the coin.

Examples of Exit Scams and Rug Pull

In 2020, the USD value locked in DeFi has grown tremendously, increasing money laundering risks as hacked DeFi protocols form the bulk of crypto thefts. According to CoinGecko, by the end of 2020, DeFi had locked $19.8 billion—23% of Ethereum’s total market capitalisation, which is a more than 1000% increase from $1.7 billion at the beginning of 2020. The number has since grown to over $130 billion by May 2021, showing immense growth of the DeFi space. This flood in capital has attracted many hackers and scammers, as seen in the rise of exit scams and DeFi rug pulls.

Thodex

Earlier this year, Thodex — a Turkish cryptocurrency exchange with about 400,000 users — was accused of pulling an exit scam. Thodex’s website stated that the platform is “temporarily closed” to address an “abnormal fluctuation in the company accounts.” The cryptocurrency exchange has about 400,000 users, and its CEO allegedly took $2 billion of customer funds with him while fleeing Turkey.

Compounder Finance

Also earlier this year, Compounder Finance was rug-pulled with some $10.8 million of investor funds stolen. Compounder Finance had its contracts drained of $750,000 worth of wrapped bitcoin (WBTC), $4.8 million ether, $5 million dai and a small assortment of other tokens. While they have been audited previously, the team swapped the safe and audited contracts and replaced them with malicious contracts that enabled them to steal investor funds.

Meerkat Finance

Another incident involves Meerkat Finance, a DeFi project which had been drained by $31 million worth of crypto assets. On its official Telegram channel, the team claimed that its smart contract vault was compromised.

These are real incidents with millions and billions of dollars lost and thousands of investors affected. Given the rise of exit scams and DeFi frauds, we need efficient and reliable ways to detect and investigate such frauds.

Tracing the activities of a Rug Pull using Etherscan

To dive deeper into how a rug pull operation is actually carried out on a DeFi platform, we take a closer look at the TRUAMPL (TMPL) token, a coin that mimics Ampleforth (AMPL). The token was recently shilled on Twitter and mentioned on CoinMarketCap in the article titled Dark Side of DeFi.

Someone was shilling “TRUAMPLE” yesterday, and 3 hours later the developers pulled the rug, stealing 1800 ETH.
Be careful guys. Rug pulls are getting more and more frequent.

— Boxmining (@boxmining) August 26, 2020

There are multiple fraudulent scam TMPL tokens created. We take a look at one specified by the following smart contract: https://etherscan.io/token/0xfcb755b046ea9b9bc4586db4018b49c5a02e3d1c. Looking at the transfers log, we noticed that there are only 20 transactions and 10 holders. Most of the activity happened within a span of 4 days. Here’s a log of the key operations:

The Uniswap - TMPL smart contract given by the linked address reveals a similar scam operation but of a much larger scale.

The sequence of events can be summarised as follows:

  1. Scam token creator adds liquidity of the newly hyped up TMPL token to a DeFi platform such as Uniswap (circled in red).
  2. Users swap ETH or other valuable tokens for TMPL.
  3. As price of the token rises, and more users participate in the swap due to FOMO (fear of missing out).
  4. Scam token creator removes liquidity from the platform and takes gains on the valuable token (circled in red).
  5. Users are left holding worthless tokens with no place to withdraw or cash out.
  6. Rinse and repeat.

To verify that the withdrawal actually lands the token creator with more ETH than he had initially started off with, we can view the token transfer log for transaction 0x0d55ef. Not surprisingly, the scammer ends up with more ETH tokens which he transferred to other accounts and left the pile of useless TMPL tokens remaining in his account.

The use of smart contracts to launder illicit funds

While the examples cited above highlights how scammers exploit DeFi platforms to sell fraudulent tokens, variants of such methods are also used to hide illicit sources of funds.

By swapping into other less well-known tokens (possibly even created by the hacker), these individuals aim to evade attempts by cryptocurrency monitoring solutions to pick up the trail of their illicit gains. Investigations by Cylynx also reveal how suspected money launderers trade illiquid assets on DeFi platforms to conceal their sources of funds.

How Cylynx helps in investigations

Identifying and tracing such activities on the blockchain requires the ability to parse through blockchain records and make sense of transaction activities. In the cryptocurrency space, this is made more difficult due to the ease of creating multiple wallets and moving tokens around.

At Cylynx, we help cut down tedious investigation work and automate the tracing process. Through a combination of our graph propagation algorithm and on-chain forensics, we are able to deliver tracing reports on blockchain activities much more efficiently. Our reports also provide a clear audit trail of the source of funds which can be traced back to the blockchain. This gives law enforcement agencies the confidence to use our reports as part of their investigative work.

For exchanges and other virtual asset service providers (VASPs) which require real-time screening and alerts, our Transaction Monitoring solution allows you to prioritise risk cases and improve screening efficiency.

We provide a risk-based approach to Cryptocurrency monitoring to help VASPs comply with regulatory requirements. This includes screening sources of funds by filtering and rapidly identifying transactions from sources of concern, detecting red flags associated with suspicious transactions with on-chain analytics, and adverse news coverage.

Conclusion

Frauds and scams are not uncommon even in stock markets that are well-regulated and established. The unregulated nature of the cryptocurrency space, coupled with the flood of capital in the DeFi space, increases the risk of such exit scams and rug pulls.

While we have discussed red flags and how to spot these exit scams and rug pulls, these are insufficient as seen in the case of Compounder Finance where they have been audited prior to the rug pull. With thousands of investors and millions and billions of dollars at stake, an efficient and effective investigative solution is required to counter the increasing risk of crypto fraud.

At Cylynx, we offer graph propagation algorithms, on-chain forensics and monitoring solutions to make the investigative process more efficient, allowing an investigation team to prioritise risk cases, and improve screening efficiency. Get in touch with us here for a demo of our investigative and monitoring solutions.