PreSaleCryptoBMIC

safety · 9 min read · last updated 2026-05-08

Rug Pull Warning Signs: How to Spot a Crypto Exit Scam

A skeptical checklist of rug pull warning signs in crypto presales and tokens, with on-chain red flags, contract risks, and team-level tells.

Rug Pull Warning Signs: How to Spot a Crypto Exit Scam

If you have spent any time in presale Telegram groups, you already know the pattern. A token launches, the chart goes vertical for two hours, then liquidity vanishes and the developer’s account stops replying. The rug pull warning signs were almost always there before launch, sitting in plain sight on Etherscan, in the contract code, and in the team’s social history. People just did not look, or did not know what to look for.

This guide is a practical checklist. It is written for retail buyers who have already lost money once and do not want to lose it again. We are not here to sell you a course. We are here to slow you down before you click “approve.”

What counts as a rug pull

A rug pull is any scheme where insiders extract value at the expense of token buyers, then disappear or render the token worthless. Chainalysis tracked roughly $1.0 billion in scam revenue in 2023, with rug pulls and “pig butchering” hybrids making up a meaningful share, though down from the 2021 peak (Chainalysis, 2024). CertiK’s 2024 security report logged hundreds of exit scams in a single year, the majority on BNB Chain and Ethereum (CertiK, 2024).

There are three main flavors:

  • Hard rug: liquidity is removed in one transaction. The token price collapses to zero within minutes.
  • Soft rug: team wallets dump steadily into buyer demand over days or weeks. No single dramatic moment, just a slow bleed.
  • Honeypot: the contract allows buying but blocks selling for everyone except whitelisted addresses, usually the deployer.

Each leaves different on-chain fingerprints. Most warning signs apply to all three.

On-chain red flags you can check yourself

You do not need to be a Solidity developer to do basic due diligence. You need a block explorer and twenty minutes.

1. Liquidity is not locked, or is locked for an absurdly short window

Open the LP token contract on the DEX where the token trades. If the LP tokens are sitting in an EOA (a regular wallet) controlled by the deployer, they can be pulled at any moment. A real project locks LP for at least 12 months in a verifiable locker like Unicrypt, Team Finance, or PinkLock. Six-week locks are not protection, they are a countdown timer.

2. Top wallet concentration

Look at the holder distribution. If the top 10 non-exchange wallets hold more than roughly 40-50% of supply, a coordinated dump can end the chart. Watch for wallets that received tokens before public launch, especially in equal batches, which often indicates sybil distribution to insider alts. Our presale scoring methodology uses a stricter threshold for the top 20 wallets.

3. Mintable supply or hidden mint functions

If the contract has a mint() function callable by the owner, the team can dilute holders to zero whenever they choose. Even if they say they will not, the option is the risk. Renounced ownership is a partial fix, but only if there is no proxy.

4. Upgradeable proxy contracts

A transparent or UUPS proxy means the implementation contract can be swapped after launch (Solidity Docs). The team can promise low transfer taxes today and quietly upgrade to a 99% sell tax tomorrow. Proxies are not automatically malicious, but in a small-cap presale context they are usually a control mechanism, not a feature.

5. Blacklist and pause functions

Functions named blacklist, setBots, excludeFromTransfer, or anything that prevents specific addresses from selling, are honeypot infrastructure. They have legitimate uses for fighting MEV bots at launch, but if they remain after the first 24 hours, they are weapons pointed at buyers.

Off-chain warning signs

The contract is only half the picture. The other half is the team and the marketing.

  • Anonymous founders with no track record. Anonymity is not automatically a scam, but it removes legal recourse. If the team is anon and the token has no audit, no lock, and a heavy paid influencer push, you are the exit liquidity.
  • Paid influencer saturation before product. Ten YouTubers posting the same talking points in the same week is a campaign, not organic interest. The SEC has repeatedly flagged undisclosed promotion as a fraud indicator (SEC Investor Alert).
  • Roadmap is all marketing milestones, no technical ones. “CEX listing tier 1” and “100k holders” are not deliverables. Mainnet, audited contract, working product, are.
  • Telegram or Discord deletes critical questions. Healthy projects answer hard questions. Scam ops mute and ban anyone asking about vesting, team allocation, or audit firm credentials.
  • The audit is from a firm nobody recognizes, or the audit report is a PDF screenshot. Cross-check the audit firm on its own website. If the audit is not listed there, it does not exist.

For a deeper look at custody-side defenses if a token you hold turns out to be malicious, see our guide to revoking token approvals and the hardware wallet shortlist we maintain.

A 60-second pre-buy checklist

Before sending funds to any presale or new token, run this:

  1. Is liquidity locked for 12+ months in a known locker? Verify the lock URL yourself.
  2. Is the contract verified and non-upgradeable? Read the source.
  3. Are top 10 wallets under 40% combined? Excluding the LP and known burns.
  4. Is the team doxed, or is there a reputable lead investor with on-record exposure?
  5. Is there an audit from a recognizable firm, with the report hosted on the auditor’s domain?
  6. Can you actually sell a small test amount on-chain right now?

If two or more answers are “no” or “I cannot tell,” walk away. There will always be another presale. There will not always be another paycheck.

Things we cannot verify from the outside

Be honest about the limits of due diligence. You cannot verify:

  • Whether team wallets are linked to other failed projects unless they reuse addresses.
  • Whether off-chain custodians (CEX market makers) hold tokens that will be dumped.
  • Whether the audit firm was paid extra to overlook specific findings.
  • Whether the founders intend to continue building after the listing pump.

This is why position sizing matters more than research. Treat any presale allocation as money you are willing to send to zero. If that sentence makes you uncomfortable about your current size, the size is wrong.

For broader context on the presale risk landscape, see our presale red flags by chain breakdown and the recent rug case studies we track.

Honest summary

Rug pull warning signs are almost always visible before launch if you know where to look: unlocked liquidity, concentrated wallets, upgradeable contracts, blacklist functions, anonymous teams paired with heavy paid promotion. None of these alone is conclusive proof of fraud, but two or more in combination is enough reason to skip the trade. We cannot tell you any specific token is safe, and anyone who does is selling something. The job of due diligence is not to find winners, it is to filter out obvious losers, and that is a skill worth more than any alpha call.

Wallet shortlist for this topic: see our wallet reviews

FAQ

What is the most common rug pull warning sign?
Unlocked or majority-team-held liquidity. If the deployer can pull LP tokens or holds an outsized supply, the project can be drained at any moment without warning.
Are audits enough to confirm a token is safe?
No. Audits cover code logic at a snapshot in time. They do not verify team identity, post-launch upgrades, off-chain custody, or whether the deployer kept admin keys.
Can a token rug pull after launch?
Yes. Soft rugs happen weeks or months later through slow team-wallet selling, liquidity removal, or proxy contract upgrades that quietly change tax or transfer rules.

Sources

Research, not advice. This article is editorial. We are not your financial adviser. Crypto presales can lose 100% of capital.