At what stage does Rug Pull usually occur? Signs and ways to avoid it

The explosion of decentralized finance (DeFi) has opened a new era for capital access, but at the same time, it has also created fertile ground for sophisticated forms of fraud. According to observations from Tan Phat Digital, "Rug Pull" or "rug pulling" has become an obsessive term, representing the largest forms of asset loss in cryptocurrency history.

Rug Pull is not simply an act of theft but a calculated process, often activated at the most sensitive times. Identifying when a Rug Pull usually occurs requires an understanding of smart contract source code, token economics, and crowd behavior psychology.

The nature and operating mechanism of a Rug Pull

Rug Pull simulates the act of suddenly pulling the rug out from under a person's feet. In the crypto market, this is a behavior where the development team or internal figures suddenly withdraw all liquidity or sell off a large amount of tokens, causing the investor's asset value to collapse to nearly zero.

The enforcement mechanism is often based on the absolute control of the developer through "backdoors" in smart contracts. The rise of Rug Pull between 2024 and 2025 reflects the professionalization of cybercriminals, as they move from sketchy "junk" projects to protocols with slick branding and complex roadmaps.

See also: What is Rug Pull? Handbook for preventing cryptocurrency fraud

Classification of main forms of fraud

Below are details of risk classification compiled by Tan Phat Digital:

1. Hard Rug Pull

• Main mechanism: Using malicious code, backdoor function, or sudden withdrawal of liquidity right in the source code.

• Legality: Clear fraudulent behavior, can be legally prosecuted.

• Timeline: Happens extremely quickly, from a few minutes to several hours.

• Level of damage: Usually 90% to 100% of investment value is lost.

• Technical signs: Transaction error, honeypot, liquidity disappears instantly on DEX exchanges.

2. Soft Rug Pull

• Main mechanism: Slow release of internal tokens or gradual abandonment of the project.

• Legality: Located in a legal gray area, it is difficult to prove initial fraudulent intent.

• Timeline: Lasts from a few weeks to several month.

• Level of damage: Damage from 70% to 95%, price gradually decreases over time.

• Technical signs: Internal wallet transfers tokens to the exchange, stops updating source code on GitHub, media team is silent.

Cycle analysis: Rug Pull often occurs when

In fact, risks are concentrated at important milestones, where information and liquidity imbalances reach the highest level.

Initial capital mobilization stages (Presale and IDO)

Exit Scam risk flares up most strongly when the capital call round ends successfully. Developers collect valuable coins such as ETH, BNB or Stablecoins but never issue official tokens or list on exchanges. A typical example is the Thodex exchange in 2021 that disappeared with 2 billion USD right after the mobilization phase.

Listing and liquidity injection phase (DEX Listing)

This is the most dangerous time for Hard Rug Pull. When retail investors start buying tokens on exchanges like Uniswap or PancakeSwap, the liquidity pool will accumulate valuable coins. If the liquidity is not locked (Unlocked Liquidity), the developer can empty the pool, causing the token price to go to zero immediately. On the Solana network in 2024-2025, the majority of carpet pulls occur within just a few minutes of listing.

Marketing Peak & FOMO period

Soft Rug Pull often chooses when the project is at the peak of attention. When the price peaks thanks to aggressive marketing campaigns and the FOMO effect, insiders will sell off. The Mantra (OM) incident in 2025 is a painful example when 17 related wallets dumped millions of USD tokens at the peak price range, causing the price to collapse 94%.

Stage of stagnation and abandonment (Stagnation)

The project "slowly dies" in terms of liquidity. The team stopped updating, communication channels went quiet and the roadmap was delayed indefinitely. The developer silently withdraws the remaining amount or closes the protocol when it has earned enough profit.

See more: Initial DEX Offering (IDO): Comprehensive Guide, Investment Opportunities and 2026 Vision

Decoding the signs in smart contracts

Tan Phat Digital recommends that investors carefully check the following technical factors:

• Absolute authority: If the developer still retains onlyOwner rights without giving up ownership (Renounced Ownership), they can activate Activate malicious functions at any time.

• Infinite Mint Function: Allows holders to mint unlimited additional tokens to sell off into the liquidity pool.

• Honeypot mechanism: Modify the transfer function to only allow buying but not selling.

• Tax Manipulation: Team can increase selling fees 99% or 100% to steal users' funds when they try to exit.

• Proxy Contracts: Fraudsters can change contract logic through Proxy structures even after being audited.

2024-2025 Market Landscape Analysis

Data shows a worrying trend: The number of incidents decreased but the value of damage skyrocketed.

• Year 2024: Recorded 21 incidents with a total loss of about 90 million USD.

• Year 2025: Recorded only 7 incidents but total damage jumped to nearly 6 billion USD (growth of more than 6,000%).

This shows the emergence of "super scam projects" with professional marketing and the ability to pass basic checks. Solana has become the focus of risk due to low transaction fees, with more than 98% of tokens on platforms such as Pump.fun considered risky or withdrawn.

Standard project appraisal process from Tan Phat Digital

To protect assets, investors should apply due diligence processes Multi-layered checks:

1. Check the team: Prioritize projects that are publicly identified (Doxxed) and have a transparent work history on LinkedIn/GitHub.

2. Verify liquidity keys: Use tools like Unicrypt or Team Finance to check lock time (should be above 6-12 months) and lock rate (should be above 95%).

3. Token distribution analysis: Use Bubble Maps to detect internal wallet clusters that hold more than 20% of total supply.

4. Use support tools:

   • Token Sniffer: Scan source code and score safety.

   • RugDoc: Rate Risk pricing for yield farming projects.

   • De.Fi Scanner: In-depth analysis of owner rights.

   • DEXTools / DexScreener: Real-time liquidity monitoring.

   • Honeypot.is: Check the ability to sell token.

Classic Rug Pull & Scam case study in Crypto history

Below is a summary of the 20 largest and most influential cases analyzed by Tan Phat Digital:

1. Mantra (OM) - 2025: The most shocking case of the year with an estimated loss of 5.52 billion USD. The 17 wallets involved dumped 43.6 million OM tokens in a short period of time, causing the price to drop by 94%.  

2. OneCoin (2014-2017): Global multi-level Ponzi model led by "Virtual Currency Queen" Ruja Ignatova. Losses amounted to more than 4 billion USD even without a real blockchain.

3. Africrypt (2021): Exchange in South Africa disappeared with about 3.6 billion USD (69,000 BTC). The two founding brothers claimed the exchange was "hacked" before disappearing.

4. BitConnect (2016-2018): Symbol of the Ponzi lending model. Promises 40% profit/month through AI bot. Estimated damage is 2.4 billion USD.

5. Thodex (2021): Turkish exchange suspends withdrawals, CEO flees with 2 billion USD of 400,000 users.

6. PlusToken (2019): High-interest cryptocurrency wallet in China. In fact, the Ponzi scheme misappropriated more than 2 billion USD.

7. Terra (LUNA) - 2022: The collapse of the ecosystem worth 40 billion USD. Although it was not an intentional Rug Pull from the beginning, poor risk management and internal dumping led to disaster.

8. WoToken (2018-2020): Another fraudulent wallet project in China, appropriating about 1.1 billion USD in a pyramid scheme.

9. Arbistar (2019-2020): Arbitrage trading bot Arbitrage promised huge profits, causing losses of about 1 billion USD before collapsing.

10. MetaYield Farm - 2025: Yield Farming project attracted 14,000 investors then withdrew 290 million USD and erased all traces of social networks.

11. Libra (LIBRA) - 2025: Taking advantage of the Inadvertent promotion from Argentinian President Javier Milei, internal wallets dumped goods and appropriated 250 million USD after capitalization reached 4.5 billion USD.

12. SafeMoon (2021-2023): A typical "Slow Rug" case. Executives secretly controlled the liquidity pool and siphoned off more than 200 million USD.

13. Rowan Energy - 2025: Clean energy project was exposed as Slow Rug when it secretly minted billions of illegal RWN tokens, appropriating 132 million USD.  

14. AnubisDAO (2021): Dog project on Ethereum raised 60 million USD (13,256 ETH) overnight then drained liquidity immediately.

15. Compounder Finance (2020): Development team swapped audited contracts with malicious contracts, draining 10.8 million USD.

16. Meerkat Finance (2021): The project on BSC claimed to be hacked for 31 million USD after just 1 day of launch, but in fact the development team withdrew the money themselves.  

17. Luna Yield (2021): The first big Rug Pull on Solana. The Yield Farm project wiped out the web and social networks, taking with it about 10 million USD.

18. Squid Game Token (2021): Token based on the movie Squid Game, increased in price thousands of times but installed Honeypot code (not for sale). The group of scammers disappeared with 3.3 million USD.

19. SharpeI (2024): Using celebrity images to inflate the price to a market capitalization of 54 million USD, then selling goods for 3.4 million USD, causing the price to decrease by 96%.  

20. Frosties NFT (2022): The classic NFT Rug Pull case caused investors to lose 1.1 million USD. This is the first case in which developers have been prosecuted by the US Department of Justice.

People also ask (FAQs)

Here are 10 frequently asked questions about Rug Pull compiled by Tan Phat Digital to help investors quickly grasp information:

1. What is a Rug Pull? A Rug Pull is a form of fraud in which developers create a seemingly legitimate cryptocurrency project to attract capital from investors, then suddenly withdraw all liquidity or sell off the tokens and disappear with the funds.

2. What is the basic difference between Hard Rug Pull and Soft Rug Pull? Hard Rug Pull uses technical malware in smart contracts to steal money immediately, while Soft Rug Pull is about gradual "discharge" or the team abandons the project slowly to avoid legal complications.

3. Why is liquidity lock important? Liquidity lock prevents developers from emptying the exchange pool. If liquidity is not locked, the project is at risk of being withdrawn at any time when the target capital threshold is reached.  

4. What is a honeypot in crypto? A honeypot is a type of malicious smart contract that allows you to buy tokens but prevents the right to sell. Investors saw the price increase sharply but could not get out, in fact all the money was stuck and belonged to the scammer.  

5. Why does Solana have a high Rug Pull rate in 2024-2025? Due to its extremely low transaction fees and fast speeds, Solana becomes the ideal place to generate millions of memecoins every day through tools like Pump.fun. Statistics show that more than 98% of tokens on these platforms do not maintain their value after 24 hours.

6. What role does FOMO psychology play in these scams? Scammers use aggressive marketing to create a sense of urgency, making investors afraid of missing out on the opportunity to get rich quickly. This causes them to skip basic checks and invest based on emotion.  

7. How did the Libra memecoin (Javier Milei) scam happen? In 2025, a memecoin token named LIBRA skyrocketed in capitalization to 4.5 billion USD after being mentioned by Argentine President Javier Milei. However, internal wallets quickly dumped millions of USD tokens, causing the price to collapse 97% in just a few hours.

8. How is Exit Scam different from regular Rug Pull? Exit Scam often occurs during or immediately after the capital raising stage (Presale/ICO), when the developer holding the money disappears before the token is widely traded. Rug Pull usually occurs when the project already has liquidity on exchanges.  

9. Are automated testing tools (like Token Sniffer) 100% accurate? No. These tools are based on known malware samples. Sophisticated fraudsters can write new source code or use Proxy structures to bypass automated filters. Investors still need to combine manual checking.  

10. What to do first when researching a new project (DYOR)? Check the team identity, read the Whitepaper carefully to see if there is actual value, and most importantly, verify the liquidity lock status and wallet allocation of the largest holders.  

Rug Pull is a cyclical fraud process that flares up most immediately after raising capital or when the project reaches its FOMO peak. In the Web3 era, relying solely on emotions is not enough.

Tan Phat Digital emphasizes the principle: "Don't Trust, Verify" (Don't trust, verify). A deep understanding of risk stages is the best shield for your capital against the constant evolution of cybercrime.