Crypto crime hasn’t slowed down. By mid-2025, thieves had already stolen over $2.17B from crypto services—worse than all of 2024—with a single exchange hack accounting for the majority. That backdrop makes disciplined due diligence non-negotiable.
The 30-second sniff test (fail fast)
- Guaranteed returns, “risk-free,” or urgent “act now” pitches. Classic fraud red flags called out by U.S. regulators.
- Celebrity or influencer shilling without clear, specific compensation disclosure. The SEC has charged multiple celebrities for unlawful touting.
- “Sponsored search” for an ICO. Google’s ad policy prohibits ads promoting ICOs—seeing one should trigger extreme skepticism.
- “We’re licensed/approved” with no trace. Check the SEC’s PAUSE list of fake/impersonator firms and the UK FCA Warning List.
Step-by-step: The no-BS checklist
1) Check the legal footing before the hype
ICOs that offer “investment contracts” are securities in many jurisdictions. The SEC’s framework applies the Howey test: money invested, common enterprise, profits expected from others’ efforts. If it looks like that—and it’s unregistered—walk away.
- U.S.: Search EDGAR for filings (an S-1 registration statement, Form D for a Reg D exemption, Form C for Reg CF, Form 1-A for Reg A+, etc.) or any material disclosures. A public raise with nothing on file is the baseline red flag.
- Verify people, not just products: use Investor.gov’s “Check Out Your Investment Professional” tool; unlicensed sellers are a red flag.
- UK: If they’re marketing to you in Britain, the crypto promotion must be communicated or approved by an FCA-authorised firm (FCA-registered cryptoasset firms may communicate their own) and must carry the prescribed risk warnings.
2) Treat advertising as a signal, not a pitch
If an “ICO” is running search ads, that clashes with Google’s crypto policy (ICO ads are disapproved). Scam promoters often ignore or work around these rules.
3) Inspect the smart contract like an adult
You don’t have to be a Solidity wizard to catch basics:
- Is the code verified on Etherscan? If not, you can’t truly review behavior. (See Etherscan’s guides to Read/Write and contract verification.)
- Who has privileges? Look for owner/admin roles that can mint, pause, blacklist, set taxes, or upgrade contracts. OpenZeppelin’s access-control docs show how these powers work. If they’re centralized, you’re trusting humans.
- Honeypot/unsellable-token traps: contracts that let you buy but block selling via whitelists, huge sell taxes, or minimum-sell tricks are common. Uniswap’s support docs and security write-ups detail the patterns.
- Practical step: on Etherscan’s “Read/Write Contract” tabs, check owner, mint, pause, setTax, blacklist, or proxy/upgrade functions before you buy.
4) Follow the money: liquidity and locks
Rug pulls often drain DEX liquidity. Verify whether LP tokens are locked in a time-lock/locker and for how long. Be extra cautious with Uniswap v3’s NFT-style LP positions—“locking” requires special handling and is not default.
5) Check holder concentration
Use Etherscan’s “Holders” tab. If a handful of wallets control most supply, insiders can nuke the market with one click. Concentration isn’t proof of fraud, but it is dump risk.
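Steps 4 and 5 reduce to arithmetic once you have the data exported. The example below is added here and is not code from the original page; its inputs are constructed: the CSV mimics Etherscan's "Holders" export, the labels are what you would attach yourself after identifying the deployer, treasury and DEX pool addresses, and the unlock timestamp mimics what a time-lock/locker contract exposes on its Read tab. All addresses except the conventional 0x...dEaD burn address are fabricated placeholders, and the 180-day lock threshold is my own assumption.

```python
"""Holder concentration and LP-lock checks from exported chain data.

Added example (not from the original page). Every input is CONSTRUCTED.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

BURN = "0x000000000000000000000000000000000000dead"  # conventional burn address
POOL = "0x" + "aa" * 20      # DEX pair / v3 pool (constructed placeholder)
DEPLOYER = "0x" + "bb" * 20  # constructed placeholder
TREASURY = "0x" + "cc" * 20  # constructed placeholder

# Constructed export in the shape of Etherscan's Holders CSV.
HOLDERS_CSV = f"""HolderAddress,Balance
{BURN},300000000
{POOL},250000000
{DEPLOYER},200000000
{TREASURY},120000000
0x{'11' * 20},60000000
0x{'22' * 20},30000000
0x{'33' * 20},20000000
0x{'44' * 20},10000000
0x{'55' * 20},6000000
0x{'66' * 20},4000000
"""

# Labels you would assign after tracing the deployer tx and the pool address.
LABELS = {BURN: "burn", POOL: "pool", DEPLOYER: "deployer", TREASURY: "treasury"}
INSIDER_LABELS = {"deployer", "treasury"}


def parse_holders(csv_text: str) -> dict:
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["HolderAddress"].lower(): int(r["Balance"]) for r in rows}


def concentration(holders: dict, labels: dict) -> dict:
    """Shares of circulating supply held by the largest wallets and by insiders.

    Burned tokens leave the denominator. The pool balance stays in circulating
    supply but is not ranked as a wallet; whether it can be pulled is the
    LP-lock question handled below.
    """
    total = sum(holders.values())
    burned = sum(b for a, b in holders.items() if labels.get(a) == "burn")
    circulating = total - burned
    wallets = {a: b for a, b in holders.items() if labels.get(a) not in ("burn", "pool")}
    ranked = sorted(wallets.values(), reverse=True)
    insiders = sum(b for a, b in wallets.items() if labels.get(a) in INSIDER_LABELS)
    return {
        "top1_share": ranked[0] / circulating,
        "top5_share": sum(ranked[:5]) / circulating,
        "insider_share": insiders / circulating,
    }


MIN_LOCK = timedelta(days=180)  # my threshold; pick your own
NOW = datetime(2025, 9, 1, tzinfo=timezone.utc)  # constructed "current time" for the demo


def lock_verdict(unlock_ts: int, now: datetime) -> str:
    """Judge a locker's unlock timestamp (unix seconds, as the Read tab shows)."""
    left = datetime.fromtimestamp(unlock_ts, tz=timezone.utc) - now
    if left <= timedelta(0):
        return "unlocked: insiders can pull liquidity now"
    if left < MIN_LOCK:
        return f"short lock: {left.days} days left"
    return f"locked: {left.days} days left"


def verdict_for_offset(days: int, now: datetime = NOW) -> str:
    """Convenience: verdict for a lock that expires `days` from `now`."""
    return lock_verdict(int((now + timedelta(days=days)).timestamp()), now)


def v3_position_locked(position_owner: str, locker: str) -> bool:
    """Uniswap v3 liquidity is an ERC-721 position: it is locked only if the
    locker contract is the NFT's owner (ownerOf on the position manager)."""
    return position_owner.lower() == locker.lower()


if __name__ == "__main__":
    shares = concentration(parse_holders(HOLDERS_CSV), LABELS)
    for k, v in shares.items():
        print(f"{k}: {v:.1%}")
    print(verdict_for_offset(45))
```

In the constructed data, insiders hold about 46% of circulating supply and the lock has 45 days left: neither number is proof of fraud, but together they mean one wallet can end the market whenever it chooses.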
6) Don’t outsource your brain to “audits”
Audits reduce certain bugs but can’t stop a “soft rug” (team decides to bail) and may miss economic/game-theory risks. Case studies and auditor disclaimers make that clear. Treat audits as one input—not a guarantee.
7) Pressure, promises, and private DMs are your cue to exit
High-pressure timelines, “guaranteed” APY, or romance-style approaches on social apps are classic fraud tells per the FTC.
ICO vs. DeFi rug pulls vs. honeypots: know the patterns
- ICO scams: solicit funds for a token offering that likely meets the securities test but lacks registration and disclosures. Red flags: guaranteed returns, celebrity hype without proper disclosure, and no regulator filings.
- Rug pulls: devs remove liquidity, mint/dump via privileged functions, or upgrade contracts to malicious versions. (Yes, upgrades can be abused.)
- Honeypots: you can buy, but selling is blocked or severely taxed by code. If a support page flags a token as “unsellable,” back out.
Mini playbook: 10 checks before you send a cent
- Look up the company/offering in EDGAR (or your local registry). No filings for a public raise? Big risk.
- Verify the seller on Investor.gov; avoid unlicensed promoters.
- Search the SEC PAUSE list and FCA Warning List for impersonators.
- If you found them via a search ad for an “ICO,” stop. That ad category is disallowed.
- Open the token on Etherscan: confirm verified code and scan the Read/Write tabs for owner powers.
- Check “Holders” to gauge concentration and watch wallets tied to deployers/treasury.
- Confirm LP locks (and the lock duration). Short or no lock = easy exit for insiders.
- Beware “unsellable”/honeypot symptoms and extreme buy/sell taxes.
- Treat audits as helpful but insufficient; read the findings and remaining privileges.
- Walk away from time-pressure, secret methods, or “risk-free” gains.
How to report suspected fraud (and protect others)
- U.S.: File with the SEC (Tip/Complaint) and the FBI’s IC3. You can also report to the FTC and your state regulator.
- General guidance from U.S. agencies emphasizes filing even if you’re unsure; it helps link cases across jurisdictions.
FAQs
Are celebrity-backed tokens safer?
No. The SEC has fined/charged celebrities for unlawful touting of crypto asset securities when compensation wasn’t properly disclosed. Disclosures must be clear and specific.
Is an audit a green light?
No. Audits can’t prevent soft rugs and may not cover upgrade keys, taxes, or economic design. Use audits as one datapoint alongside admin-key and liquidity checks.
What’s the difference between a rug pull and a honeypot?
Rug pulls usually drain liquidity or dump newly minted supply; honeypots block selling through malicious code. Both leave you holding the bag.
I’m outside the U.S.—do these checks still help?
Yes. For example, UK crypto promotions must be authorised/approved and carry specific warnings. Similar regimes are spreading; check your local regulator’s rules.