DeFi scams are malicious attempts to take possession of someone else’s digital assets. They come in all shapes and sizes and can be as simple as a social media scam or as complex as a rug pull. DeFi scams can be broadly divided into two main categories:
- Elaborate schemes, such as impersonation or other fraudulent activity, that trick users into transferring assets to the scammers’ crypto wallet themselves.
- Malicious actors exploiting protocol loopholes or performing intentional attacks on users’ wallets, breaching their security.
The Most Common DeFi Scams and How to Spot Them
The number of DeFi scams is rising exponentially on a year-over-year basis, according to Crystal Blockchain’s analysis. While there are various types of DeFi scams, the most common and widely used include the following:
A rug pull is a type of DeFi exit scam in which project developers work to attract as many users as possible, only to vanish with their assets at some point. Such projects never intend to bring a product or a service to the market. Their sole goal is to generate hype, attract investors, and cash out.
According to Chainalysis, rug pulls have pushed 2021 crypto scams to an all-time high. The term “rug pull” is often used interchangeably with “pump-and-dump.” Both tactics aim to generate hype, inflate the price of a worthless token, and steal investors’ funds. The difference is that the former relies on technical backdoors, while the latter relies mostly on aggressive marketing.
Rug pull scammers often intentionally program loopholes into projects’ smart contracts that allow them to exit easily while making it impossible for investors to sell (also known as “Honey Pot”). As a result, the latter are left with worthless tokens. Elliptic's “NFT Report 2022” finds that, by identifying loopholes in DeFi protocols, hackers managed to steal $12 billion in crypto assets in 2021. According to studies, a scam based on smart contracts (e.g., a token pre-programmed to scam users) is created every 4 minutes on average.
Scammers also carry out rug pull schemes by creating liquidity pools where they pair their tokens with a leading cryptocurrency. Developers require investors to deposit BTC, ETH, or another asset and swap it for their token. Once they do, the scammers drain the liquidity.
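The liquidity-pool scheme described above can be reproduced with a toy model. This is an added example, not code from the original article or from any real protocol; the constant-product pricing rule without fees, the `Pool` class, the holder name and all numbers are assumptions made for illustration. It compares what an investor could sell for before and after the deployer withdraws the reserves, and computes the share of the pool a single holder can pull at once, which is worth checking before depositing.

```python
from dataclasses import dataclass, field

@dataclass
class Pool:
    """Toy constant-product pool (eth * token = k), no fees. Constructed model."""
    eth: float
    token: float
    lp_shares: dict = field(default_factory=dict)  # holder -> LP share units

    def buy_token(self, eth_in):
        """Swap ETH for tokens along the curve; returns tokens received."""
        k = self.eth * self.token
        self.eth += eth_in
        out = self.token - k / self.eth
        self.token -= out
        return out

    def quote_sell(self, token_in):
        """ETH a holder would get for token_in right now (state unchanged)."""
        if self.eth == 0:
            return 0.0  # empty pool: the token cannot be sold for anything
        k = self.eth * self.token
        return self.eth - k / (self.token + token_in)

    def remove_liquidity(self, holder):
        """Burn all of holder's LP shares, withdrawing reserves pro rata."""
        total = sum(self.lp_shares.values())
        frac = self.lp_shares.pop(holder) / total
        eth_out, token_out = self.eth * frac, self.token * frac
        self.eth -= eth_out
        self.token -= token_out
        return eth_out, token_out

def withdrawable_fraction(pool, holder, locked_shares=0.0):
    """Share of reserves `holder` can pull immediately; near 1.0 is a red flag."""
    total = sum(pool.lp_shares.values())
    free = max(pool.lp_shares.get(holder, 0.0) - locked_shares, 0.0)
    return free / total

def simulate():
    # Constructed scenario: deployer seeds 10 ETH / 1,000,000 tokens, owns all LP shares.
    pool = Pool(eth=10.0, token=1_000_000.0, lp_shares={"deployer": 100.0})
    risk = withdrawable_fraction(pool, "deployer")
    bought = pool.buy_token(10.0)              # investor swaps 10 ETH for tokens
    exit_before = pool.quote_sell(bought)      # investor's exit value while funded
    drained_eth, _ = pool.remove_liquidity("deployer")
    exit_after = pool.quote_sell(bought)       # exit value once reserves are gone
    return {"risk": risk, "bought": bought, "exit_before": exit_before,
            "drained_eth": drained_eth, "exit_after": exit_after}

if __name__ == "__main__":
    print(simulate())
```

In this scenario the deployer leaves with 20 ETH (the 10 ETH seed plus the investor's 10 ETH), while the investor's 500,000 tokens can no longer be sold.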
DeFi phishing is a scam where malicious actors deceive users into sending them money or granting access to sensitive data (e.g., private keys, seed phrases, wallet login details).
It is usually carried out via email or other forms of digital communication where the user is urged to respond manually or click a link. Doing so risks losing the user’s cryptocurrencies or compromising their device’s security.
Phishing scams are usually easily recognizable by individuals with moderate digital literacy, which is why they are often targeted at beginners.
Scammers often deceive individuals into investing in their projects by creating fake accounts that impersonate real-life public figures on Twitter, Facebook, or other social media platforms. While these practices are the easiest to spot, crypto enthusiasts might act impulsively and miss the red flags due to the fear of missing out (FOMO).
Other social media scams include fake giveaways and competitions that require users to send funds to participate.
Dusting involves sending a small amount of cryptocurrency (called dust) to thousands or tens of thousands of DeFi wallets. The moment the received coins are sold, they start serving as a tracker, indicating the transactions associated with the particular wallet.
A dusting attack aims to de-anonymize wallets and identify accounts with significant crypto holdings for hackers to attack later.
However, dusting isn’t necessarily a malicious practice. It is also used by governments, law enforcement agencies, or analysis firms for investigative purposes.
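The tracking effect described above comes from dust being spent together with the wallet's other coins. The following added example (not from the original article) assumes a UTXO-style wallet and the common-input-ownership heuristic used in chain analysis; the dust threshold, UTXO ids, address labels and values are constructed. It shows which addresses an observer links when a wallet sweeps everything, compared with a wallet that leaves suspect dust unspent.

```python
DUST_LIMIT_SAT = 1000  # assumed threshold for this example, in satoshis

# Constructed wallet state: (utxo_id, receiving_address, value_sat, sender_known)
UTXOS = [
    ("a:0", "addr_savings",   5_000_000, True),
    ("b:1", "addr_salary",    1_200_000, True),
    ("c:0", "addr_savings",         546, False),  # unsolicited dust
    ("d:2", "addr_donations",       600, False),  # unsolicited dust
    ("e:0", "addr_salary",          800, True),   # small, but from a known sender
]

def is_suspect_dust(utxo):
    """Tiny output from an unknown sender: treat as a possible tracker."""
    _, _, value, sender_known = utxo
    return value < DUST_LIMIT_SAT and not sender_known

def spendable_total(utxos, skip_dust=True):
    """Balance available once suspect dust is (optionally) frozen."""
    return sum(u[2] for u in utxos if not (skip_dust and is_suspect_dust(u)))

def select_coins(utxos, target, skip_dust=True):
    """Largest-first coin selection that can leave suspect dust untouched."""
    pool = [u for u in utxos if not (skip_dust and is_suspect_dust(u))]
    chosen, total = [], 0
    for u in sorted(pool, key=lambda u: u[2], reverse=True):
        if total >= target:
            break
        chosen.append(u)
        total += u[2]
    if total < target:
        raise ValueError("insufficient spendable funds")
    return chosen

def linked_addresses(chosen):
    """Addresses an observer groups together because they fund one transaction."""
    return {addr for _, addr, _, _ in chosen}

def compare_sweeps(utxos=UTXOS):
    """Sweep the wallet with and without dust; return the linked address sets."""
    naive = select_coins(utxos, spendable_total(utxos, False), skip_dust=False)
    careful = select_coins(utxos, spendable_total(utxos, True), skip_dust=True)
    return linked_addresses(naive), linked_addresses(careful)

if __name__ == "__main__":
    naive, careful = compare_sweeps()
    print("sweep incl. dust links:", sorted(naive))
    print("dust frozen links:     ", sorted(careful))
```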
The most popular way of exploiting airdrops is to ask users to connect their wallets to a particular platform to redeem the promised free tokens. This allows scammers to plant a compromised smart contract that can serve as a trojan horse, granting them direct access to the user’s funds.
What Security Measures Can You Follow?
Most jurisdictions don’t regulate the DeFi industry, meaning that the participants in it are responsible for protecting their assets. While it is impossible to eliminate DeFi scams entirely, it is essential to take the necessary steps and lay the groundwork for protecting yourself.
- Be careful about which projects you trust and which platforms and users you engage with online.
- Be cautious of phishing: don’t click on suspicious links or share your wallet’s private keys, seed phrase, or other sensitive information.
- Monitor the project developers’ relationship with their community and the token distribution plans to avoid rug pulls.
- Use a trusted and secure DeFi wallet and keep it safe.
- Enable additional security features such as two-factor authentication, biometrics, or similar options.
How to Proceed If You Fall Victim to a DeFi Scam?
If you believe you have fallen victim to a DeFi scam, there are several actions to take.
You can try contacting the project team or the protocol’s developers and ask them to help recover lost funds. If they can’t, they can at least help others avoid being scammed.
If you are using a service provider to access a DeFi project (e.g., a wallet, an exchange, or a marketplace), you can report the case to their fraud department.
Consider also reporting the scam to authorities. Although DeFi regulation is broadly lacking, there have been successful DeFi scam prosecutions in recent years.