Exploring the Dark Side: Web3 Scams You Should Watch Out for (Part 2)


Nov 8, 2023

Crypto scam… how much regret and sadness is in these words. But don’t panic! We are back and ready to expose risky smart contracts, rug pulls, and poisoning attacks, so that you know exactly what red flags to pay close attention to.

There's a great variety of crypto scams out there, each unique in its deception. That’s why your wallet’s well-being depends so much on how careful, attentive, and well-informed you are. And we must say you are on the right track by following this scam exposure series.

We’ve already covered some of the most widespread schemes in Web3 Scams Chapter One. If you missed it, don’t forget to check it out later. Trust us, your wallet will thank you for it.

Here, we continue spilling the beans about crypto scams. And let us tell you, they're truly nasty and can wreak havoc on your finances if you're not careful.

Web3 scams zoomed-in + how to steer clear of them

In this part, we will go through three types of crypto scams: risky smart contract logic, poisoning attacks, and rug pulls. We'll explore how each one works, the warning signs to look out for, and the best strategies to protect yourself from falling victim to these deceptive tactics.

By understanding their mechanics, you'll be better equipped to navigate the Web3 space safely and confidently.

So, buckle up, check that W3A is on, and let's explore these dark waters of Web3 scams. 🔦

Risky smart contract logic

Sometimes, smart contract owners sneak extra functions into their contracts, opening up a bunch of additional possibilities for themselves.

Transactions with these smart contracts go through as usual. However, you may later discover that your tokens have been sent to another address or burnt without your consent. Turns out, you gave the green light without knowing it when you signed the transaction with a “modified” contract.

There are lots of these excessive smart contract permissions, including:

  • Token restrictions — you buy a token only to discover that you can’t transfer or grant approvals for it.
  • Unsanctioned token management — you buy a token, but the smart contract owner will be able to manage it as they see fit: transfer, burn, block your token approvals or give their approvals.
  • Anti-whale restrictions — the contract can restrict your transactions if it decides that you have too many specific tokens on your balance.
  • Contract self-destruction — the contract can self-destruct at any time, which may lead to unpredictable outcomes for you. Say, one day you check your balance and *surprise-surprise*, all your tokens tied to this contract are gone.
  • Metamorphic contract — a contract owner can change the contract’s code as they like. It means if the owner decides that the contract should suddenly become malicious, nothing is stopping them from doing it.
  • Hidden token minting — a contract owner can secretly mint as many new tokens as they wish, and that could totally tank the token's price.
  • Custom blocklists and allowlists — a contract owner can add users to their special allowlists and blocklists, which means they can restrict your token transactions.

Red flags

🚩 Specific logic in smart contract code, such as transfer_pausable, approve_pausable, suicidal, etc.
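
As an added illustration (not code from this article or from Web3 Antivirus), here is how a reviewer could check deployed EVM bytecode for the self-destruction item in the list above. The function names and both bytecode samples are constructed for this example; the opcode values are the standard EVM ones.

```python
# Added example, not from the original article. Bytecode samples are constructed.
FLAGGED = {
    0xFF: "SELFDESTRUCT",  # the contract can delete itself
    0xF4: "DELEGATECALL",  # runs another contract's code in this contract's context
}

def scan_opcodes(bytecode_hex):
    """Return [(offset, name)] for flagged opcodes, skipping PUSH data bytes."""
    h = bytecode_hex[2:] if bytecode_hex.startswith("0x") else bytecode_hex
    code = bytes.fromhex(h)
    hits, pc = [], 0
    while pc < len(code):
        op = code[pc]
        if op in FLAGGED:
            hits.append((pc, FLAGGED[op]))
        if 0x60 <= op <= 0x7F:   # PUSH1..PUSH32 carry 1..32 bytes of data
            pc += op - 0x5F      # jump over the data so it is not read as code
        pc += 1
    return hits

def naive_contains_ff(bytecode_hex):
    """Plain byte search, shown for contrast: it cannot tell data from code."""
    h = bytecode_hex[2:] if bytecode_hex.startswith("0x") else bytecode_hex
    return 0xFF in bytes.fromhex(h)

# Constructed sample 1: PUSH1 0xff, PUSH1 0x00, SSTORE (0xff is only a constant)
STORES_CONSTANT = "0x60ff600055"
# Constructed sample 2: PUSH20 <20 bytes of 0xff>, SELFDESTRUCT
SELF_DESTRUCTS = "0x73" + "ff" * 20 + "ff"

if __name__ == "__main__":
    print(naive_contains_ff(STORES_CONSTANT))  # byte search raises a false alarm
    print(scan_opcodes(STORES_CONSTANT))       # opcode-aware scan stays quiet
    print(scan_opcodes(SELF_DESTRUCTS))        # only the real opcode is reported
```

A linear sweep like this can still misread data embedded in the bytecode, such as compiler metadata appended at the end, so a hit is a prompt to read the source rather than a verdict. An empty result is not a clean bill of health either, because a DELEGATECALL can reach a self-destruct that lives in another contract.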

Safety tips

✅ Let's face it — you don't have that much time and desire to thoroughly review all the smart contract code. The smart move to dodge these smart contract risks? Pay close attention to Web3 Antivirus risk reports. The extension spots such excessive smart contract “privileges” right away.

Poisoning attack

The poisoning attack scam is a really sneaky and crafty one, we must admit. The scheme is the following: fraudsters create a wallet address that looks similar to the one you’ve already interacted with. Then, they send you a small portion of tokens just to contaminate your transaction history.

Now you have two almost identical addresses. So, scammers count on your inattentiveness and hope next time you decide to send assets to the original address, you mistakenly copy the evil twin address.

But do not panic — the “poisoning” address can’t do any harm to your wallet, like stealing sensitive data or managing your assets. Just ignore this address and make sure not to accidentally send assets to it.

Real-life case

Scammers made bank in 2023 by “poisoning” the wallet of the United States Drug Enforcement Administration (DEA). The DEA representatives mistakenly sent over $50,000 worth of crypto to a fake address. The funds were never recovered since the fraudsters immediately transferred them to other addresses.

Red flags

🚩 Incoming transfers in your wallet history you don't recall.

Safety tips

✅ Always double-check the recipient’s wallet address. The difference between the original and the fake address may be only a few digits.

✅ If your wallet has been “poisoned”, avoid copying the addresses from your transaction history.

✅ Keep an eye on W3A alerts to know whether your wallet was “poisoned”.
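
The double-check described above can be automated. The following is an added example (not part of the original article or the W3A extension) that flags incoming transfers from addresses imitating one you already use and classifies a recipient before sending. It assumes a lookalike is an address whose first and last four hex characters match a trusted one; the addresses, the history format, and the function names are constructed for illustration.

```python
# Added example, not from the original article. Addresses below are constructed.
PREFIX_LEN = 4  # assumption: leading hex characters compared
SUFFIX_LEN = 4  # assumption: trailing hex characters compared

def normalize(addr):
    """Lowercase a 20-byte hex address and drop the 0x prefix."""
    a = addr.strip().lower()
    a = a[2:] if a.startswith("0x") else a
    if len(a) != 40 or any(ch not in "0123456789abcdef" for ch in a):
        raise ValueError(f"not a 20-byte hex address: {addr!r}")
    return a

def is_lookalike(candidate, trusted):
    """True when both ends match but the full address does not."""
    c, t = normalize(candidate), normalize(trusted)
    return (c != t and c[:PREFIX_LEN] == t[:PREFIX_LEN]
            and c[-SUFFIX_LEN:] == t[-SUFFIX_LEN:])

def find_poisoned_entries(history, address_book):
    """Return (sender, imitated_address) for incoming transfers from lookalikes."""
    return [(tx["counterparty"], known)
            for tx in history if tx["direction"] == "in"
            for known in address_book
            if is_lookalike(tx["counterparty"], known)]

def classify_recipient(recipient, address_book):
    """Compare the full address before sending, never an abbreviated form."""
    r = normalize(recipient)
    if any(r == normalize(known) for known in address_book):
        return "known"
    if any(is_lookalike(recipient, known) for known in address_book):
        return "lookalike"
    return "unknown"

TRUSTED = "0x1A2b" + "c" * 32 + "9F8e"    # constructed address you really use
LOOKALIKE = "0x1a2b" + "d" * 32 + "9f8e"  # constructed evil twin
UNRELATED = "0x" + "7" * 40               # constructed unrelated sender
HISTORY = [  # constructed transaction history
    {"direction": "out", "counterparty": TRUSTED, "value": 1.5},
    {"direction": "in", "counterparty": LOOKALIKE, "value": 0.0},
    {"direction": "in", "counterparty": UNRELATED, "value": 0.2},
]

if __name__ == "__main__":
    print(find_poisoned_entries(HISTORY, [TRUSTED]))
    print(classify_recipient(LOOKALIKE, [TRUSTED]))
```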

Rug pulls

Picture this: you're standing on solid ground and then, whoosh, it's gone! That's exactly how crypto folks feel when they find out a Web3 project they've invested in is just a rug pull scam. Panic, frustration, anger — all mixed up in one.

Rug pull scams come in different variations, the most common being scam ICOs, pump and dumps, and Ponzi schemes.

Let's break down each type so that you can spot these scams a mile away.

Scam ICO

An Initial Coin Offering, or ICO, is a popular way of raising funds for new crypto projects. ICOs are attractive for investors due to the potential for high returns. Plus, participation in an ICO can provide early access to a new cryptocurrency or blockchain service, which might have a higher value in the future.

However, engaging in ICOs can be pretty dicey for a couple of reasons. First off, the project could totally flop. That's a bummer, but hey, that's the risk with any investment, right? And second, there's a chance the ICO was a scam all along.

The creators of scam ICOs hook investors with big talk about new game-changing crypto or blockchain projects, promising crazy profits.

But once they've got the cash, poof! They're gone, taking all the money with them while you are left with a bunch of worthless tokens.

Real-life case

In May 2023, the CEO of Titanium Blockchain Infrastructure Services (TBIS) was sentenced to prison for launching a scam ICO. Back in 2017 and early 2018, the ICO managed to gain $21 million of investors' money.

The CEO of TBIS confessed to falsifying the project's whitepapers, fabricating client testimonials on the TBIS website, and making false claims of business connections with the United States Federal Reserve. All this was done to deceive investors into believing in TBIS's legitimacy and potential for profit.

Red flags

🚩 Vague whitepaper full of buzzwords but no specific technical details or clear token and project use cases.

🚩 Unclear tokenomics.

🚩 No or very little info about the team behind the ICO.

🚩 Claims about guaranteed or unrealistically high returns on investment.

🚩 Poor communication between the ICO creators and investors: unanswered questions and vague answers.

Safety tips

✅ Verify the legitimacy of the team behind the ICO. Make sure they have an online presence and relevant experience.

✅ Scrutinize the whitepaper and ensure it contains all the necessary details such as clearly defined use cases, tokenomics, and a project’s roadmap.

✅ Opt for projects that have a minimum viable product or a solid proof of concept.

✅ Check if the project has a genuinely active community.

✅ Don't skip over those W3A risk reports. By thoroughly analyzing the addresses you interact with, the extension can discover their involvement in rug pulls and other scams.

Pump and dump

The mechanics of a pump and dump scam are already in its name: the fraudsters create a project, make it seem like a very advantageous investment, collect money, and disappear.

To make people believe the token is actually worth lots of money, scammers purchase it in large quantities, pumping its price and demand. Alongside, they actively promote it, creating hype and luring in unsuspecting investors.

Once the price is beyond the clouds, it is time for a dump. The scammers sell off their token holdings at an inflated price, causing the price to plummet.

Real-life case

A former corrections officer got called out for running a pump and dump scheme with a Blazar token. The token was promoted as a new kind of pension system for police, firefighters, and paramedics, promising big returns.

As a result, the scammer managed to raise $623,388 from 222 investors. Then, one day, he dumped all his 41 billion Blazar tokens on PancakeSwap. And, as you'd expect, the token's value tanked.

Red flags

🚩 Suspicious trading activity — tokens keep getting shuffled around between the same addresses.

🚩 The project suddenly blew up on social media.

🚩 Promises of guaranteed or unrealistically high returns on investment.

🚩 No clear project info: whitepaper, tokenomics, team.

Safety tips

✅ Research the project’s information and ensure all the vital details are provided.

✅ Don’t fall for the flashy profit promises — check the project’s reviews and community.

✅ Assess the token’s trading activity to exclude suspicious patterns.

✅ Buy tokens on well-known and reputable cryptocurrency exchanges since they verify the legitimacy of the assets before listing them.

✅ Have the W3A extension on to receive detailed risk reports. It will warn you if an address you interact with is associated with fraud schemes and highlight wash traded tokens.

Ponzi scheme

Sadly, the old Ponzi scheme has managed to stick around and fit right into the Web3 environment.

It works as follows: scammers hype up their "totally game-changing" project, promising it'll recoup the investments and bring huge profits. Supposedly, the returns will be generated by some kind of crypto investment or trading strategy.

In reality, the returns to the early investors are paid out from the money that new investors put in. It's just money shuffling around, with no new profits being generated. Well, except for the project creator, a.k.a. the fraudster.

Eventually, the scam can't attract enough new investors to pay off the older ones. When the money runs out, the scheme collapses, and most investors lose their money.

Real-life case

The OneCoin crypto project that managed to collect $4 billion from millions of investors turned out to be a Ponzi scam. One of its co-founders was sentenced to prison for 20 years while the other one is now playing hide and seek with the FBI, landing on their Most Wanted list.

Red flags

🚩 Promises of guaranteed, unbelievably high returns on investments.

🚩 Vague or too complex investment strategy and tokenomics.

🚩 Pressure to reinvest your profits instead of cashing out.

Safety tips

✅ DYOR: look into the project's background, the investment strategy, tokenomics, etc.

✅ Check if the project is registered with regulatory bodies like the SEC or other relevant financial authorities.

✅ Find investors' feedback to make sure they receive their payments regularly and are satisfied with the project. But watch out for fake reviews.

✅ Always check the Web3 Antivirus risk report before making a transaction. It'll notify you if the address you're transacting with has any ties to Ponzi schemes.

That’s all for now. Or not really?

We wish we could say we've covered all the dangers in our Web3 Scams series, but that would not be true. You can bet that there are fraudsters out there creating new ways of stripping you of your crypto at this exact moment.

The state of cryptocurrency scams is truly alarming. We promise to keep you updated with all the new tricks that will appear in the future. But in return, promise us that you'll stay vigilant and continue educating yourself about crypto scams. And don't forget to keep your Web3 Antivirus running, so it's always there to alert you about any Web3 risks. Deal?
