Avoiding Crypto Scams: Rug Pulls, Phishing, and Wallet Drainers
The scams that actually drain wallets and how to spot them early: rug pulls, phishing sites, fake support, and the malicious approvals that quietly empty your account.
Crypto is permissionless - so are the scammers
The same property that makes crypto powerful - anyone can transact without asking permission - means there's no bank to reverse a fraudulent transfer. If you sign a bad transaction, the money is gone the second it confirms. There is no chargeback, no fraud department, no undo.
That sounds scary, and it should keep you alert, but it's not hopeless. Almost every drained wallet falls into a handful of patterns. Learn the patterns and you sidestep the overwhelming majority of attacks.
Rug pulls: the exit is the plan
A rug pull is a project built to be abandoned. Founders hype a token, attract buyers, then pull the liquidity (or dump their giant pre-mined stash) and vanish. The chart goes vertical, then to zero, in minutes.
Red flags cluster: an anonymous team with no track record, tokenomics where the team holds a huge unvested chunk, a 'community' that's all bots and copy-paste hype, locked liquidity that isn't actually locked, and absurd promised returns. Contrast that with legitimate projects - doxxed teams, audited contracts, multi-year vesting, real product. The Rug Pull Detector game on the Games page is built from real-world scam patterns mixed with real protocols precisely to train this instinct: read the pitch, count the red flags, then decide.
Phishing: the fake front door
Phishing is impersonation. A fake version of a real site, a Discord DM from 'support', a Google ad that outranks the real protocol, an email that looks like your exchange. The goal is to get you to enter your seed phrase or connect your wallet to a malicious contract.
Defenses are boring and effective. Bookmark the real URLs and use the bookmarks - never click ads or DM links to reach a dapp. Real support never DMs first and never asks for your seed phrase. Slow down when you're rushed: 'limited time', 'your account is at risk', and 'claim before it's gone' are manufactured urgency designed to switch off your judgment.
Wallet drainers and the approval trap
The nastiest modern attack doesn't steal your keys at all - it tricks you into signing a transaction that grants a malicious contract permission to spend your tokens. You think you're 'claiming a free NFT'; you're actually approving a drainer to transfer everything.
Two habits neutralize most of this. First, read what you're signing - wallets show the contract and the permission; if a 'free mint' asks for token approval or a 'setApprovalForAll', stop. Second, periodically review and revoke old approvals using a revoke tool; a permission you granted a year ago to a now-abandoned dapp is a back door left open. When in doubt, use a fresh 'burner' wallet with almost nothing in it for sketchy mints.
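The "read what you're signing" habit can be checked mechanically. The sketch below is an added example, not code from this article or from any wallet: it classifies raw transaction calldata by the standard 4-byte selectors for `approve` and `setApprovalForAll`. The names `inspectCalldata` and `SAMPLES` and the spender address are assumptions made up for illustration.

```javascript
// Added example: classify raw EVM calldata before signing it.
const SELECTORS = {
  "095ea7b3": "approve",           // ERC-20 approve(address,uint256)
  "a22cb465": "setApprovalForAll", // ERC-721/1155 setApprovalForAll(address,bool)
};
const MAX_UINT256 = (1n << 256n) - 1n;

function inspectCalldata(data) {
  const hex = String(data).toLowerCase().replace(/^0x/, "");
  if (!/^[0-9a-f]*$/.test(hex) || hex.length % 2 !== 0) {
    return { risk: "invalid", reason: "calldata is not well-formed hex" };
  }
  const fn = SELECTORS[hex.slice(0, 8)];
  if (!fn) return { risk: "unknown", reason: "not an approval call" };
  // Both calls carry two 32-byte ABI words after the 4-byte selector.
  if (hex.length < 8 + 128) {
    return { risk: "invalid", reason: fn + " with truncated arguments" };
  }
  const spender = "0x" + hex.slice(8 + 24, 8 + 64); // address = low 20 bytes
  const value = BigInt("0x" + hex.slice(72, 136));  // amount, or bool flag
  if (value === 0n) {
    return { risk: "revoke", fn, spender, reason: "removes an existing permission" };
  }
  if (fn === "setApprovalForAll") {
    return { risk: "high", fn, spender, reason: "operator can move every NFT in the collection" };
  }
  if (value === MAX_UINT256) {
    return { risk: "high", fn, spender, reason: "unlimited token allowance" };
  }
  return { risk: "review", fn, spender, amount: value.toString(), reason: "limited token allowance" };
}

// Constructed sample inputs (the spender address is a placeholder).
const SPENDER = "1".repeat(40);
const word = (h) => h.padStart(64, "0");
const SAMPLES = {
  unlimitedApprove: "0x095ea7b3" + word(SPENDER) + "f".repeat(64),
  nftOperatorGrant: "0xa22cb465" + word(SPENDER) + word("1"),
  revokeApprove: "0x095ea7b3" + word(SPENDER) + word("0"),
  plainTransfer: "0x",
};
for (const [name, data] of Object.entries(SAMPLES)) {
  console.log(name, inspectCalldata(data));
}
```

An "unknown" result only means the call is not one of these two functions; it says nothing about whether the transaction is safe.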
A simple safety routine
You don't need to be a security researcher. You need a routine. Keep savings in a hardware wallet that never touches random sites. Use a separate hot wallet for experiments. Bookmark real URLs. Read transactions before signing. Revoke stale approvals. Assume every unsolicited DM, airdrop, and 'you won' message is a scam until proven otherwise.
The scammers are counting on speed and excitement. Your edge is a five-second pause and a short checklist. That pause is the cheapest insurance in crypto - and it pays out every single time you don't sign the wrong thing.