Rug Pull: What It Is and How to Avoid Crypto Exit Scams
A rug pull is a cryptocurrency exit scam in which a project's developers abandon it and abscond with investor funds, leaving token holders unable to sell and holding near-worthless assets. It most commonly targets new tokens listed on decentralized exchanges, where permissionless listing requires no identity verification. The three core methods are liquidity stealing (withdrawing the project's share of the liquidity pool), limiting sell orders through honeypot smart contracts (only the team can sell), and dumping (mass-selling the team's token allocation after hyping the price). Rug pulls range from premeditated "hard" pulls to slow-motion "soft" pulls that resemble mismanagement, making some easier to prosecute than others.
What Is a Rug Pull?
A rug pull is a type of crypto exit scam in which a project's founders abruptly abandon it and walk away with investor money, leaving token holders illiquid and holding assets worth close to zero. The name comes from the phrase "pulling the rug out" from under someone: one minute your tokens have value, the next they are unsellable. Rug pulls most often hit brand-new tokens launched on a decentralized exchange, because permissionless DEX listings require no KYC or identity checks. The mechanics vary — draining a liquidity pool, blocking sells, or mass-dumping the team's supply — but the outcome is always the same: the founders profit, and everyone else becomes the exit liquidity.
The Three Main Types of Rug Pulls
Nearly every rug pull is a variation of three techniques. Some are coded into the smart contract from day one ("hard" pulls), while others unfold slowly and look more like mismanagement ("soft" pulls).
1. Liquidity Stealing
When a token launches, the team usually pairs it with a real asset — such as Ethereum or BNB — inside a liquidity pool on a DEX. The team mints the project token at zero cost and only spends real money funding the ETH/BNB side. As buyers pile in, the pool fills with valuable ETH or BNB. The malicious developer simply withdraws their share of the pool, removing the asset traders need to sell back into. Holders are left with tokens nobody can convert to anything. This is the cleanest example of a hard pull.
2. Limiting Sell Orders (Honeypots)
In a "honeypot," the smart contract is written so that only the team's own wallet addresses can sell. Retail buyers see a chart that only goes up — because no one else can sell — and pile in chasing fast gains driven by FOMO. By the time the trap is discovered, the founders have already dumped their tokens and drained the pool. This is how the infamous "Squid Game" token operated.
3. Dumping
The most common method is also the simplest: the team hypes the token with aggressive social-media marketing, then sells its entire allocation on the open market once the price is high, crushing the chart. If the dump happens all at once it is a hard pull; if the team bleeds out its supply slowly under the cover of "development costs," it is a soft pull — harder to prove as intentional fraud.
Hard Pull vs. Soft Pull: A Quick Comparison
| Aspect | Hard Rug Pull | Soft Rug Pull |
|---|---|---|
| Intent | Malicious from inception | Often starts legitimate, turns bad |
| Speed | Instant — liquidity gone in one transaction | Gradual sell-off over weeks or months |
| Typical method | Liquidity stealing, honeypot contract | Slow dumping under "dev cost" cover |
| Detectability | Visible in contract code if audited | Looks like waning interest / mismanagement |
| Legal clarity | Clearly fraud | Hard to prosecute (grey area) |
Worked Example: How a $100,000 Pool Disappears
Imagine a new memecoin launches with a pool seeded by the developer: 1,000,000 tokens (minted for free) paired with 10 ETH (the only real cost). As hype builds, buyers deposit 90 more ETH chasing the token, so the pool now holds 100 ETH.
At, say, $3,000 per ETH, that pool now contains $300,000 of real value — and the developer, as the dominant liquidity provider, controls most of it. With one transaction the developer withdraws their liquidity share, pocketing roughly $270,000 in ETH. The remaining holders own tokens with effectively zero sell-side liquidity: the market price collapses toward $0, and there is nothing on the other side of the trade to cash out against. The team paid $30,000 to walk away with nine times that.
How to Avoid a Rug Pull: A Step-by-Step Checklist
No single check is foolproof, but stacking these filters dramatically lowers your risk. For a broader playbook on spotting fraud, see our overview of common crypto scams to avoid:
- Verify locked liquidity. Confirm the developer's liquidity is time-locked using a contract-scanning tool. Unlocked liquidity can be pulled at any moment.
- Ignore the hype and the green candle. A token featured everywhere on social media or pumping vertically is not proof of legitimacy — it can be a honeypot. Do your own research.
- Be wary of anonymous teams. Anonymous founders have no reputation to protect, which raises rug-pull risk. Doxxed teams are not automatically safe, but accountability matters.
- Distrust "too good to be true" yields. Absurd APYs and grand roadmaps with no concrete delivery steps are classic bait for collecting deposits before an exit.
- Look for a reputable external audit. A third-party smart-contract audit surfaces honeypot logic, mint backdoors, and unlocked liquidity before you buy — our guide to auditing a smart contract walks through what to check.
- Monitor ongoing development. Fading GitHub activity, silent founders, or stalled milestones can signal an incoming soft pull. Reassess your position.
Risks and Pitfalls Even Careful Investors Miss
- "Audited" is not "safe." An audit can be paid-for, outdated, or scoped to ignore the exact backdoor used. Read what the audit actually covered.
- Locked liquidity has an expiry. A 7-day lock looks reassuring but lets the team pull legally on day 8. Check the unlock date, not just the "locked" label.
- Centralized exchanges rug pull too. The Turkish exchange Thodex froze withdrawals "temporarily" before its CEO vanished with roughly $2 billion — proof that rug pulls are not only a DeFi or DEX problem.
- NFTs are not immune. The Frosties NFT project raised about $1.3 million, then deleted its channels hours after mint; U.S. authorities later traced and charged the founders via Discord and exchange subpoenas.
COINOTAG Perspective
The uncomfortable truth is that rug pulls are a feature of permissionless markets, not a bug — and they spike when retail enthusiasm peaks. During the 2021 bull run, rug pulls grew from a rounding error of scam revenue into one of its largest categories, precisely because new money chased new tokens faster than it could vet them. COINOTAG's view: treat every unaudited, anonymous, freshly launched token as exit-liquidity bait until proven otherwise. The asymmetry favors caution — a project you skip costs you nothing, while a single rug can erase a full position. Verifiable liquidity locks, a credible audit, an accountable team, and steady development are not guarantees, but together they shift the odds back in your favor.