Mapping a Serial Rug Pull Scammer on Binance Smart Chain

Author: Tuan Phan and Chad Friedman
Date Published: 26 August 2022

This blog post will examine an active rug pull campaign in which the scammer has gained over US$2M since 30 July. We will also examine why rug pull events are pervasive in the Web3 ecosystem; how such events can be detected and analyzed using publicly accessible blockchain explorers, online analytical tools, and data repositories; and review some key technical indicators as early warnings to rug pull scams, based on the results of our work using machine learning.

The data discussed in this article were obtained from Web3rekt.com. Web3rekt.com is dedicated to the education and awareness of various blockchain incidents, including hacks and scams. The site maintains a repository of blockchain (or Web3) security incidents dating back to 2012, and it serves to assist blockchain participants with accurate resources and analyses to understand the risks involved with cryptocurrencies and various blockchain projects.

Web3rekt.com aggregates Web3 incidents from a series of specifically designed bots and alert notifications, as well as from human contributors, e.g., reporters. To ensure that incidents are accurate and representative, Web3rekt.com also relies on human analysts to confirm reported incidents using on-chain transaction information, and verified incidents are then captured in the database. Human analysts use tools such as blockchain explorers and other blockchain forensics solutions, including breadcrumbs.app, bubblemaps, dune analytics and others to assist with the analysis.

According to insights obtained from Web3rekt.com, 2022 YTD losses due to scams exceeded US$200M, with some estimates exceeding this value, as incidents may go unreported due to a variety of factors, including size of losses, limited number of victims, lesser-known chains, etc.


Figure 1 - 2022 YTD Losses Related to Scams (web3rekt.com)

Furthermore, the majority of these scams are likely to be rug pulls, based on the review of Web3rekt’s related extended method.


Figure 2 - 2022 YTD Incidents by Count

What exactly are rug pulls? Rug pulls are blockchain events in which the project owner or team removes liquidity from the pool, mints new tokens, dumps tokens and abandons the project, having raised significant funds by selling the project tokens as an initial coin offering (ICO) or by executing other similar mechanics that can significantly collapse the price of the project tokens.

From the rug pull operator's perspective, the emerging blockchain ecosystem offers a near-perfect medium for increasing wealth at a rapid pace. Cryptocurrencies also provide pseudo-anonymity to the operators and lower the cost of implementation. Unlike traditional scams, a rug pull has no geographic or time restriction, allowing individuals anywhere in the world to be conned. Marketing for rug pulls targets a specific group of individuals, playing on known Web3 psychology methods such as greed, FOMO, FUD, WAGMI and others (“fear of missing out,” “fear, uncertainty, and doubt,” and “we’re all going to make it,” respectively).

We’ve all heard stories of people who were able to pay off their debts using earnings from selling cryptocurrencies. Unfortunately, for every success story comes both a greedy person who flew too close to the sun and a scared investor who is unable to make a significant return on their crypto because they aren’t making significant investments. While polar opposites, both sides of the spectrum have one thing in common: ignorance. Rug pull victims don't know how the market works, and scammers take advantage of that ignorance and FOMO. Scammers achieve this by buying enough of their crypto to drive up the price, making it appear as if the token is doing well. Seeing a token skyrocket in value can cause a layman to want to invest in it, not knowing that they may end up losing their entire investment. Without knowledge of the crypto market, investors are making either blind shots in the dark or heeding advice from fellow uninformed investors. Balancing fear and greed through research is the best way to maximize one’s crypto portfolio and avoid future rug pulls.

Executing a rug pull, on the other hand, requires a certain degree of technical sophistication with Web3 technology solutions and tokenomics. For example, one would need to be able to describe a utility for a given token, along with the attributes, or tokenomics, of the token, including but not limited to the token's creation and distribution, supply and demand, incentive mechanisms, and token burn schedules. In addition, one would also require the ability to program and deploy one or more token contracts, set up a liquidity pool (LP) for each of the contracts, and design a scheme by which the tokens can be manipulated to increase in value over time (e.g., wash trading), either through social media marketing (e.g., pump-and-dump) or by other means. Many of these technical barriers were removed with the availability of online tools to craft and create new token distributions and related smart contracts, as well as the use of social media channels such as Twitter, Telegram, and Discord to pitch to and target individuals.

Most rug pulls are detected reactively, after a significant drop, typically of more than 90 percent of the token price, as shown with the HeroWorld Token from our case study. Machine learning approaches and token analyses can provide more proactive ways to avoid rug pulls.


Figure 3 – Example of HeroWorld Token Price Collapse

However, there are many possible reasons for tokens to exhibit price slippage without being rugged. For example, data migration of contracts or transfer of ownership may trigger substantial price drops without malicious intent.

It is here that our story begins. We noted that there was a significant change in the price of Bitnity token.


Figure 4 - Bitnity Token Price Collapse

While confirming the transactions related to the Bitnity rug pull for Web3rekt.com, we noted that one address, 0xb467b6b019ec9289b52f57ba0bfb09b8fc9b9ec1, exchanged a significant amount of WBNB tokens with other token addresses and EOAs.

Using the proper blockchain explorer, where we can examine details of transactions in real time, we were able to determine that this address, 0xb467b, had transacted a total of 1,837 times as of 19 August 2022.


Figure 5 - Partial Transaction List taken on August 19

How was the scammer able to achieve this outcome? Let’s look at one of the token contracts that they executed in more detail.

On 7 August 2022, the scammer set up a new token contract named HeroWorld (https://www.web3rekt.com/hacksandscams/herowd-1047) with the token ID of HEROWD via transaction ID 0xe4b917a95d5aa02ee8b9da1cb68b58208cb4b8b808881fa949e9eea9109699af, using the deployer or creator with the address 0xf63497643ff8738e595ea30d71de83fd8d4ca174. For this setup, the scammer minted the deployer with 30 billion HeroWD tokens and funded it from address 0xb467b.


Figure 6 – Deployer Minted 30 Billion HeroWD Tokens

Next, the scammer took the necessary steps to improve the transparency of the contract for users by submitting the source code for verification and obtaining the “Contract Source Code Verified” green mark, as shown below. While this small step may not fool seasoned blockchain participants, it may trick naïve participants to believe the token to be more trustworthy than it is.


Figure 7 - Setup Verified Source Code Mark

Within an hour after creating the HeroWD token contract, the scammer funded the contract with 160 BNB using funds from address 0xb467b via TX 0x9d9af3eaee9b434797e02dc3d2619057090a20ea6b0f32bfaf3f7f5956569dc1, as the funding would later be needed to create the liquidity pool for the token pair.


Figure 8 - Transfer BNB for Liquidity Pool Setup

What is a liquidity pool and who are the liquidity providers? The liquidity pool provides the mechanism from which buyers and sellers of tokens conduct the trade by paying fees to the pool and to the liquidity providers. A liquidity provider is someone who provides their crypto assets to a platform to help decentralize trading by using an Automated Market Maker (AMM) protocol or Decentralized Exchanges (DEX), such as UniSwap or, in this case, PancakeSwap. Together, both work as follows:

  1. When a new pool is created, the first user who supplies liquidity for a particular token pair sets the price of the token in the pool.
  2. The liquidity pool, in this example PancakeSwapV2, creates a smart contract for each pair where the liquidity funds are deposited.
  3. The liquidity provider needs to supply an equal value of both tokens; for example, BNB and the corresponding NoEmo tokens are sent for the token pair.
  4. Other users can then buy and sell the asset by swapping it with other tokens against the liquidity pairs.
  5. Liquidity providers earn returns that start from 7.5 percent, depending on the pools. These rewards are paid out in the platform’s native tokens, such as UNI or CAKE.

For our specific case, we can see that the scammer funded this liquidity pool pair using the deployer address 0x0a333 with 15 billion HeroWD tokens and 160 BNB with a value of $47,810.09 as of 8 August 2022, via transaction ID 0xe54a13942550a30644e1b9812ef671277b051f851c8499bbef94ac8934b35e80.


Figure 9 - Added to Liquidity Pool

Approximately four hours later, the scammer traded 960,000 billion HeroWD tokens for 455.9 BNB tokens valued at $136,225.52.
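To show why a swap of this size collapses the price, here is an added constant-product (x * y = k) simulation of a PancakeSwap-V2-style pair, not code from the original post. It seeds the pool with the 15 billion tokens and 160 BNB from the case, lets three constructed retail buyers in, and then sells 960,000 billion tokens into the pool; the buyer amounts and the 0.25% fee are assumptions.

```python
# Constant-product AMM (x * y = k) simulation of a PancakeSwap-V2-style pair.
# Added example: the pool seed and the dump size are the figures from the HeroWD
# case above; the buyer purchases and the 0.25% swap fee are ASSUMPTIONS.
from dataclasses import dataclass

FEE_BPS = 25  # assumed swap fee of 0.25% (25 basis points); the fee stays in the pool


@dataclass
class Pool:
    token_reserve: float  # project token side (HeroWD)
    bnb_reserve: float    # BNB side

    def price_in_bnb(self) -> float:
        """Spot price of one project token, in BNB."""
        return self.bnb_reserve / self.token_reserve

    def _swap(self, amount_in: float, reserve_in: float, reserve_out: float) -> float:
        # Fee is deducted from the input before pricing; k is held constant on the
        # fee-adjusted input, which is the Uniswap/PancakeSwap V2 formula.
        effective_in = amount_in * (10_000 - FEE_BPS) / 10_000
        return reserve_out - (reserve_in * reserve_out) / (reserve_in + effective_in)

    def buy_tokens(self, bnb_in: float) -> float:
        """A buyer pays BNB into the pool and receives project tokens."""
        tokens_out = self._swap(bnb_in, self.bnb_reserve, self.token_reserve)
        self.bnb_reserve += bnb_in
        self.token_reserve -= tokens_out
        return tokens_out

    def sell_tokens(self, tokens_in: float) -> float:
        """A seller pays project tokens into the pool and receives BNB."""
        bnb_out = self._swap(tokens_in, self.token_reserve, self.bnb_reserve)
        self.token_reserve += tokens_in
        self.bnb_reserve -= bnb_out
        return bnb_out


def simulate_dump(seed_tokens=15e9, seed_bnb=160.0,
                  buyer_bnb=(100.0, 100.0, 100.0), dump_tokens=960_000e9):
    """Seed the pool, let constructed buyers in, then dump a huge token balance."""
    pool = Pool(seed_tokens, seed_bnb)
    for bnb in buyer_bnb:          # retail buyers push BNB into the pool
        pool.buy_tokens(bnb)
    price_before = pool.price_in_bnb()
    bnb_in_pool = pool.bnb_reserve
    bnb_out = pool.sell_tokens(dump_tokens)
    price_after = pool.price_in_bnb()
    return {
        "bnb_in_pool_before_dump": bnb_in_pool,
        "bnb_out": bnb_out,                    # nearly the whole BNB reserve
        "bnb_left_in_pool": pool.bnb_reserve,
        "price_drop_pct": 100 * (1 - price_after / price_before),
    }


if __name__ == "__main__":
    for key, val in simulate_dump().items():
        print(f"{key}: {val:,.6f}")
```

Selling only the 15 billion tokens that the on-chain data would lead one to expect leaves most of the BNB in the pool; the oversized balance is what empties it.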


Figure 10 - Swapped from Liquidity Pool

The gain of the swap was immediately moved into our previously discussed address 0xb467b via transaction ID 0x1b14a146db2bc9c8c3651c48beb01d205bb58fc46f00c71c1484b7d247eea5fe.


Figure 11 – Transfer Gains to Funding Address

How could this be possible when the deployer address 0xf6349 received only 30 billion of the HeroWD tokens? An examination of the tokens transferred by the deployer also confirmed that the deployer only performed three transactions as shown below.


Figure 12 – Token Transaction Summary

Using on-chain data, we should only expect 15 billion, not the 960,000 billion tokens shown for the actual transaction. To get to the root of the issue, instead of examining a transfer specific to the tokens, we need to examine the transactions to the deployer address. This requires us to use a different view of transactions from the blockchain explorer, as shown below:


Figure 13 - Key Transactions - Part 1


Figure 14 - Key Transactions - Part 2


Figure 15 - Key Transactions - Part 3

We noted that, prior to the swap transaction, there was another transaction that performed a transfer of some sort with the following details:


Figure 16 - Hidden Transfer

This transaction was successfully executed, as shown by the “success” status. Exactly what was transferred we do not know, but we can infer from the warning message that the scammer may have rigged the smart contract so that the event for the transferred tokens was not broadcast (e.g., non-conforming to the ERC-20 standard). This implementation is what we typically call a hidden transfer, which is intended to obfuscate the transaction and mislead inexperienced Web3 users. The practice is so pervasive that blockchain explorers supply additional explanations to caution users when the “more information” icon is selected, as shown below.


Figure 17 - Possible Reasons for Failed Transfers of ERC-20/BEP-20

This scammer also used a second method to add tokens to the deployer address prior to swapping the tokens for BNB. Instead of obfuscating the token transfer, the scammer simply minted and transferred more tokens using the 'Mit' method, as shown in this transaction related to the Too Token (https://www.web3rekt.com/hacksandscams/too-token-1026). An inexperienced individual with limited smart contract implementation experience would have been fooled by this intentional mislabeling, as they may have been looking for the “mint” method.


Figure 18 - Use of 'Mit' Function

The best approach to verify stated methods is by examining the underlying code, such as shown below. In this case, we were able to confirm that the “Mit” method is callable only by owners, and its sole purpose is to add tokens to a target address.


Figure 19 - Source Code Review of ‘Mit’ Function

Another approach that we saw the scammer use to increase the number of tokens available to be swapped was a normal transfer function, as noted in the NoEmo token contract (https://www.web3rekt.com/hacksandscams/noemocoin-1032) and as shown in the token transactions below.


Figure 20 – Normal Transfer of Minted Tokens

This approach would have been flagged by even the least experienced blockchain participants. Accordingly, this scam pattern was seen in only 2.7 percent of the contracts examined.
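The three ways of inflating the deployer's balance described above (the hidden transfer, the relabelled 'Mit' mint, and the ordinary transfer) can all be surfaced by reconciling the address's balance change in each transaction against the Transfer events the contract emitted. The following is an added example, not code from the original post or from Web3rekt; the transaction records, amounts, hashes and addresses are constructed placeholders.

```python
# Reconciling a deployer address's token balance with the Transfer events the
# token contract emitted. A conforming ERC-20/BEP-20 token emits
# Transfer(from, to, value) for every balance change, and a mint appears as a
# Transfer from the zero address regardless of what the method is called.
# All records below are CONSTRUCTED; hashes and addresses are placeholders.
from dataclasses import dataclass, field

ZERO = "0x" + "0" * 40             # mint source under ERC-20/BEP-20 convention
DEPLOYER = "0xDEPLOYER_PLACEHOLDER"


@dataclass
class TransferEvent:
    src: str
    dst: str
    value: int


@dataclass
class Tx:
    tx_hash: str
    function: str                  # method label as the explorer shows it
    balance_before: int            # watched address balance before the tx
    balance_after: int             # ... and after
    events: list = field(default_factory=list)


def explained_delta(tx: Tx, addr: str) -> int:
    """Net balance change of addr that the emitted Transfer events account for."""
    return (sum(e.value for e in tx.events if e.dst == addr)
            - sum(e.value for e in tx.events if e.src == addr))


def audit_balance(txs: list, addr: str) -> list:
    """Return (tx_hash, finding, amount) for every suspicious balance change."""
    findings = []
    for tx in txs:
        observed = tx.balance_after - tx.balance_before
        gap = observed - explained_delta(tx, addr)
        if gap:  # balance moved with no matching event: a hidden transfer
            findings.append((tx.tx_hash, "hidden_transfer", gap))
        minted = sum(e.value for e in tx.events if e.src == ZERO and e.dst == addr)
        if minted:  # a Transfer from the zero address is a mint, whatever the label
            findings.append((tx.tx_hash, f"mint via {tx.function!r}", minted))
    return findings


B = 10**9
SAMPLE_TXS = [  # constructed; mirrors the sequence seen in the case study
    Tx("0xtx1", "constructor", 0, 30 * B, [TransferEvent(ZERO, DEPLOYER, 30 * B)]),
    Tx("0xtx2", "Mit", 30 * B, 530 * B, [TransferEvent(ZERO, DEPLOYER, 500 * B)]),
    Tx("0xtx3", "transfer", 530 * B, 960_530 * B, []),            # no event emitted
    Tx("0xtx4", "transfer", 960_530 * B, 960_600 * B,
       [TransferEvent("0xOTHER_WALLET", DEPLOYER, 70 * B)]),     # ordinary transfer
]


if __name__ == "__main__":
    for tx_hash, finding, amount in audit_balance(SAMPLE_TXS, DEPLOYER):
        print(f"{tx_hash}: {finding} ({amount:,} tokens)")
```

The creation-time mint is reported as well, so the expected 30 billion can be compared against everything minted afterwards; the ordinary transfer in the last record produces no finding because its event fully explains the balance change.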

The scammer implemented the above-mentioned scam patterns across 37 token contracts, yielding net profit of 6,447 BNB or over US$2M at the time of this post. The scam rotates to a new contract every 7.2 hours with a standard deviation of 9.2 hours; thus, we should expect a token contract rugged from this serial scammer within 16.4 hours from the creation of the token contract, based on past performance.


Figure 21 - List of Scam Token Contracts from the Serial Scammer as of August 21, 2022

Next, we want to figure out the source of the funds the scammer used to execute these scams. To do that, we need to work backward to the earliest token contract deployed, or the Arcadia token (https://www.web3rekt.com/hacksandscams/arcadia-token-1042).


Figure 22 - Partial View of Key Transactions on Arcadia Token Contract

From the earliest transaction, we also noted that the same address, 0xb467b, was used to fund the contract. Accordingly, we can then review the earliest transaction that funded this address, as shown below:


Figure 23 - Origin of Transfer to Address 0xb467b

Expanding the details of the transaction yielded no further information.


Figure 24 - Inclusive Details of Initial Source of Funds to 0xb467b

The underlying reason to switch views is that, in addition to normal transactions, blockchain explorers such as Etherscan or Bscscan also display so-called internal messages, which are transactions that originate from other contracts and not from user accounts.


Figure 25 - Source of Initial Funds to Address 0xb467b

Accordingly, from the Internal Transactions tab, we are then able to find that the scammer funded address 0xb467b from Tornado Cash, a popular cryptocurrency tumbler that was recently sanctioned on 8 August by the Office of Foreign Assets Control (OFAC), an enforcement agency within the U.S. Department of the Treasury. According to a press release from the U.S. Treasury, Tornado Cash had been used to launder more than $7 billion worth of virtual currency since its founding in 2019, including more than $455 million stolen by the Lazarus Group, a cyberterrorism group reportedly sponsored by the North Korean government.

Since the sanction took place after the scammer had onboarded the funds, the scammer currently has no means to offboard the ill-gotten gains via Tornado Cash. However, it may be possible for the scammer to move the funds to unregulated or less-regulated central exchanges, or to bridge the funds from Binance Smart Chain to other blockchain networks to take advantage of other unsanctioned mixing services or via the Secret Network using the Secret protocol.

Based on the reviews of on-chain transactions across these scam contracts, we draw the following observations:

  1. The scam campaign is still ongoing and illicit gains stay on-chain.
  2. The same individual(s) handles the scam.
  3. Initial source of funds from Tornado Cash was intended to prevent deanonymizing of the individual(s).
  4. The observed scams show similar tactics and transactional patterns.
  5. Gains from prior scams are used as source of funds to create and execute ongoing scam token contracts.

Leveraging our expertise in machine learning, we used Python scikit-learn to evaluate a data set extracted from Web3rekt.com consisting of historical rug pull events from 2021 through May 2022. Of the 55 features (i.e., attributes) reviewed, we found that certain features can help crypto participants reduce their exposure to rug pulls when investing in a project or a token. Some of the key observations are:

  1. 95.2 percent of rugged projects or tokens have teams that are fully anonymous, and we were not able to confirm any verifiable attribution to specific named individuals.
  2. 13 percent of rug pulls take place within a day. Another 54 percent take place within 50 days (about 1 and a half months). After 350 days (about 11 and a half months), rug pulls account for less than 8 percent of the incidents reviewed.
  3. Certain blockchain networks have greater occurrences of rug pulls.
  4. There is inconclusive data to support that projects or tokens that underwent KYC or smart contract audit lower the risk of getting rugged.
  5. Since a token contract can be programmatically examined for certain patterns in its coding design (such as honeypot behaviour, tax rate, and use of blacklisting and whitelisting, to name a few), comparing the results of the token attribute analysis between the rugged data set and a non-rugged data set lets one identify attributes that may be leading indicators of a rug pull event.

By computing a score as the absolute deviation of the same attribute across the two above-mentioned data sets, we were able to rank the importance of the attributes as indicators for rug pull. In other words, the greater the percentage, the more significant the attribute serves as a predictor.

    • is_blacklisted +59%
    • transfer_pausable +43%
    • is_mintable +20%
    • hidden_owner +18%
    • is_whitelisted +10%
    • is_anti_whale +6%

The definition for each of the attributes is as follows:

  • Is_blacklisted indicates that the contract can blacklist addresses. This is significant because the malicious contract owner may abuse the blacklist by blacklisting most users, leaving those users without trading recourse.
  • Transfer_pausable indicates that the contract owner can suspend trading on the token at any time, except for those who have special authority.
  • Is_mintable indicates that the owner can mint additional tokens without restrictions. Mint functions can directly trigger a massive sell-off, causing the token price to plummet.
  • Is_whitelisted indicates that a function allowing specific addresses to make early transactions, possibly tax-free, is present and not affected by transaction suspension. Similar to blacklisting, this capability may be abused by the project owner to limit selling.
  • Hidden_owner describes a token where the developers have the ability to manipulate the contract after ownership has been renounced. Generally, the token with hidden owner represents a certain degree of risk, especially regarding rug pulls and other unintended actions.
  • Is_anti_whale describes whether the contract has the function to limit the maximum number of transactions or the maximum number of tokens held, as whales can exert significant influence on token price.
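The scoring described above, implemented as an added example (not Web3rekt's own analysis code): each attribute's prevalence is measured in a rugged and a non-rugged data set, the absolute deviation in percentage points is the score, and the ranked scores are then applied to flag a token under review. The two data sets here are constructed (20 tokens each) and their prevalence counts are not Web3rekt data.

```python
# Rank token-contract attributes by the absolute deviation of their prevalence
# between a rugged and a non-rugged data set, then flag a new token against
# the ranking. Added example; the two data sets are CONSTRUCTED.

ATTRS = ["is_blacklisted", "transfer_pausable", "is_mintable",
         "hidden_owner", "is_whitelisted", "is_anti_whale"]


def build_dataset(counts: dict, n: int) -> list:
    """Constructed rows: attribute a is True for the first counts[a] of n tokens."""
    return [{a: i < counts.get(a, 0) for a in ATTRS} for i in range(n)]


# Constructed prevalence counts out of 20 tokens in each set (not real data).
RUGGED = build_dataset({"is_blacklisted": 14, "transfer_pausable": 11,
                        "is_mintable": 9, "hidden_owner": 4,
                        "is_whitelisted": 4, "is_anti_whale": 6}, 20)
NOT_RUGGED = build_dataset({"is_blacklisted": 2, "transfer_pausable": 3,
                            "is_mintable": 5, "hidden_owner": 1,
                            "is_whitelisted": 2, "is_anti_whale": 5}, 20)


def prevalence(rows: list, attr: str) -> float:
    """Fraction of tokens in rows that have the attribute set."""
    return sum(1 for r in rows if r.get(attr)) / len(rows)


def deviation_scores(rugged: list, clean: list, attrs=ATTRS) -> list:
    """Rank attributes by |prevalence(rugged) - prevalence(clean)| in percentage points."""
    scores = {a: round(100 * abs(prevalence(rugged, a) - prevalence(clean, a)), 1)
              for a in attrs}
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)


def risk_flags(token: dict, ranked: list, min_score: float = 15.0) -> list:
    """Attributes present on a token whose score meets the threshold, strongest first."""
    return [a for a, s in ranked if s >= min_score and token.get(a)]


if __name__ == "__main__":
    ranked = deviation_scores(RUGGED, NOT_RUGGED)
    for attr, score in ranked:
        print(f"{attr:<18} +{score:.0f}%")
    # a constructed token under review; the threshold of 15 points is an assumption
    candidate = {"is_blacklisted": True, "is_mintable": True, "is_anti_whale": True}
    print("flags:", risk_flags(candidate, ranked))
```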


Figure 27 - Distribution of Rug Pulls by Blockchain Network

In conclusion, we investigated the transactions of a serial rug pull scammer from the start of the scam campaign. We introduced several on-chain transaction tracing techniques to auditors and cybersecurity professionals and showed that we were able to cluster transactions to the same responsible party. We traced the origin of the funds for the scam campaign to Tornado Cash and offered some predictions on possible next steps for the scammer. Furthermore, we highlighted an application of machine learning to evaluate attributes that may serve as leading indicators and early warnings of rug pull events. In addition, we applied token analysis, comparing a rugged data set against a non-rugged set, to identify additional attributes unique to token analysis that can also provide an early warning of rug pull events.

About the authors: Tuan Phan is the founder of Zero Friction LLC and the open-source Web3rekt.com project. Chad Friedman is a contributor and an analyst for the Web3rekt.com project.

Zero Friction provides cybersecurity and blockchain technology advisory services to clients in commercial and public sectors by combining exceptional service delivery with technology enablers.

Web3rekt.com is dedicated to the education and awareness of the various blockchain incidents, including hacks and scams. The web3rekt.com database serves to assist blockchain participants with accurate resources and analyses to understand the risks with cryptocurrencies and the various blockchain projects.