The word honeypot dates back to the 16th century when it was used to refer to a pot of honey. Its figurative use, however, began much later.
In a figurative sense, honeypots were used to describe something highly attractive but potentially dangerous in the early 20th century. The term was first applied in espionage and security, where a honeypot referred to an alluring trap used to gather intelligence or catch adversaries. For example, in espionage it referred to a situation where an agent might be seduced or lured into compromising positions.
In computer security, honeypot was adopted in the 1990s to describe decoy systems set up to detect and study cyber attackers. This usage has since been extended to crypto scam techniques where "honeypot" refers to deceptive opportunities that trap users by making withdrawals impossible.
In this article, we examine honeypot scams in more detail, including their methods, identifying aspects, and extensive protection strategies.
What is a honeypot crypto scam?
A honeypot scam is a deceptive smart contract created to lure unsuspecting users with promises of large profits or unusual services. These scams initially appear legitimate and profitable but contain a hidden mechanism that generates tokens for the exploiter and drains the pool. As a result, victims may lose their funds or be unable to withdraw them. Even experienced crypto users can fall for honeypot scams due to technological flaws, psychological manipulation, and the complexities of blockchain technology.
How does a honeypot crypto scam work?
Honeypot scams are carefully planned and executed to fool even the most cautious investors. Understanding how these scams work can help you identify and protect your assets. Let's break down the stages of a honeypot attack and explain the details involved in each step.
Creating a fake smart contract or token
Scammers deploy a malicious smart contract or launch a fake token that looks like a legitimate investment opportunity. The contract is designed to allow users to invest funds but contains hidden rules that prevent withdrawals.
Luring victims with attractive offers
To make the scheme appealing, the contract or token offers unusually high returns, discounted tokens, or the appearance of strong growth potential. It could be tied to DeFi, staking, or other popular investment models. Sometimes, the scam is marketed through social media, forums, or even fake websites to build credibility.
To build hype, celebrities and KOLs (key opinion leaders) are hired to discuss or advertise the honeypot, and wash trading is used to boost trading volume.
The honeypot’s creator can also drive traffic using various promotion techniques. They might use search engine optimization, paid ads, and fake accounts to generate engagement. The goal is to spread links and information about the fraudulent platform as widely as possible.
Victims invest money
Investors, drawn by the promise of lucrative returns, buy the tokens or deposit funds into the scam's platform or liquidity pool. The smart contract may allow deposits and show positive results, giving the illusion of a legitimate project.
In most cases, the contract starts with allowing small transactions and withdrawals to create a sense of security and trust with users. Victims see some returns and get comfortable with the honeypot. Once users are satisfied with small transactions, they invest larger sums.
Funds become trapped
The key trap of a honeypot scam is that while users can deposit funds, they cannot withdraw them. The smart contract contains hidden functions or bugs that block withdrawal attempts. In some cases, only the creator’s account can withdraw funds, or there may be a fee structure that drains user balances on attempted withdrawals.
A honeypot may show high returns on an investment token, but when the user tries to sell or transfer their tokens, the transaction fails due to hidden logic in the contract. Meanwhile, the scammer can withdraw their share or move the funds into another wallet.
Scammer drains funds and disappears
Once enough money is invested, the scammers disappear, preventing victims from retrieving their funds. Recovering the stolen funds is almost impossible because smart contracts are autonomous and cannot be reversed once deployed on the blockchain.
Honeypot schemes effectively exploit crypto users by making the scam appear legitimate and profitable.
An example of a honeypot crypto scam
The Squid Game Token scam in 2021 is one of the most infamous examples of a honeypot crypto scam. It capitalized on the massive popularity of the Netflix series Squid Game and lured investors into a fraudulent cryptocurrency that ultimately resulted in a rug pull. Let’s break it down in detail.
— Squid Game Token (SQUID) launched
In October 2021, a new cryptocurrency called Squid Game Token (SQUID) was launched. The token was supposedly inspired by the hit TV show Squid Game and marketed as the native currency for an upcoming play-to-earn game based on the show's themes.
It quickly gained traction due to the show’s viral success, and the token was promoted across social media and major crypto news outlets, further fueling its hype.
— Rapid price surge and FOMO (Fear of Missing Out)
SQUID token prices skyrocketed in just a few days after launch, attracting many retail investors. The price surged from a few cents to over $2,800 in less than a week. The fear of missing out caused by the rapid price increase pushed even more people to invest despite some early warnings from experts within the crypto community.
— The honeypot mechanism kicks in
While investors could easily buy the Squid Game token, they soon discovered that selling or transferring it was impossible. The scammers had embedded a honeypot mechanism into the smart contract, which allowed investors to buy tokens but blocked them from selling or cashing out their profits.
— Red flags and warnings appear
Several warning signs became apparent as the token became more popular, but they were largely overlooked due to the excitement surrounding it:
- No affiliation with Netflix: Despite using the Squid Game name and themes, the token had no official connection with Netflix or the show's creators.
- Unverified team: The developers behind the token were anonymous, with no verifiable information about their identities.
- Unprofessional website: The token’s website contained grammatical errors, limited details, and vague information about the project.
- Buy but no sell: Early users warned that they could not sell their tokens and were often dismissed by others caught in the hype.
- Expert warnings: Crypto watchdogs and forums such as CoinMarketCap raised concerns, labeling the token as suspicious and warning investors of potential fraud, but this did not stop the massive influx of buyers.
— The Rug Pull
On November 1, 2021, after the token reached its peak price of around $2,861, the creators of SQUID pulled the rug and suddenly withdrew all the token’s liquidity. This caused the token’s value to plummet to nearly zero within minutes, leaving investors with worthless tokens. Scammers made off with approximately $3.38 million in investor funds.
— Aftermath
The Squid Game Token honeypot scam left thousands of investors with significant losses, further reinforcing the need for caution when investing in new and unverified cryptocurrency projects.
Major media outlets and crypto commentators used this incident to highlight the prevalence of honeypot scams and the need for better due diligence.
How to protect yourself from honeypot crypto scams: checklist
Honeypot scams can be difficult to detect, but following these best practices can minimize your risk of falling for such fraudulent schemes. Here’s a checklist of how you can protect yourself:
- Thoroughly investigate any project before committing funds. This includes checking its whitepaper, verifying the development team, and reviewing its community presence.
- Look for reviews. Search for independent reviews or discussions about the project in trusted crypto forums like Reddit’s r/Cryptocurrency or Bitcointalk. Negative reviews or widespread concerns can be early warning signs.
- Check for complaints. Scammers often create short-lived projects, so past victims might have already reported issues. Websites like Token Sniffer may highlight problems with a token or project.
- Check for legal registration. Verify if the project is registered with any legal authority, especially if it claims to be regulated. While this is rare for decentralized projects, it’s a helpful check for centralized ones. Avoid investing in projects with anonymous or unverified developers, as these often lack accountability and may vanish with your funds.
- Check certificate validity. A valid SSL certificate ensures the website has encrypted communication between your browser and the server, reducing the risk of being scammed. Look for HTTPS in the site’s URL and ensure it shows as “Secure” in your browser. Fraudulent sites often have invalid or absent SSL certificates. Tools like SSL Labs or Qualys SSL Test allow you to check the security certificate status of a website. If a crypto-related website lacks a valid SSL certificate, it’s a major sign that the platform could be fraudulent or compromised.
- Check liquidity before investing in any token. Low liquidity or difficulty cashing out are key indicators of a potential honeypot. Use tools like DEXTools or Uniswap analytics to see the liquidity pools supporting the token. If the liquidity is low or controlled by a few wallets, this is a potential red flag.
- Test the sell button. If you can’t easily sell the token or if you notice that the token’s price is highly manipulated, it is a honeypot scam. You can use token analysis tools such as PooCoin or Token Sniffer to check for suspicious patterns. Illiquid tokens, where only certain wallets can sell or where buy orders are filled but sell orders aren’t, are strong signals of honeypot scams.
- Be skeptical of celebrity endorsements for crypto projects. Scammers often fake endorsements or hack popular accounts to promote their scam tokens. Verify the authenticity of any endorsement and see whether the celebrity has publicly confirmed their involvement with the project.
- Check for hacked accounts. Sometimes, celebrity or verified social media accounts are briefly hacked and used to promote scam coins. Always verify if the promotion is legitimate by looking for official announcements. In 2021, scammers briefly hacked high-profile Twitter accounts to promote fake giveaways and scam tokens. Always double-check promotions through multiple sources.
- Turn off automatic permissions. Disable automatic permissions when connecting wallets to decentralized apps (DApps). Always manually review and approve permissions, especially for smart contracts. Use tools like Etherscan or BscScan to verify the permissions the DApp requests. If a contract asks for full access to your funds or tokens without a valid reason, it’s a serious red flag. Use tools like Revoke.cash to review and revoke unnecessary permissions to DApps after interacting with them.
- Use cold storage. Store most of your crypto in cold storage (hardware wallets) instead of keeping large amounts in hot wallets or exchanges. Cold wallets are offline and immune to online hacks, phishing attempts, and malicious contracts. Devices like Tangem Wallet allow you to secure your assets offline.
- Enable Two-Factor Authentication (2FA). Activate 2FA on all your exchange accounts and wallets for an added layer of security. This makes it harder for scammers to gain access, even if they manage to steal your login credentials. Use apps like Google Authenticator or Authy rather than SMS-based 2FA, which is more prone to SIM-swapping attacks.
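The "Test the sell button" item above describes tokens where buy orders fill but sell orders do not. As an added example (not part of the original article), the Python below measures that asymmetry from a token's decoded Transfer events; the `Transfer` record, the thresholds and all addresses are constructed assumptions.

```python
from collections import namedtuple

# One decoded ERC-20 Transfer event: who sent, who received, raw token amount.
Transfer = namedtuple("Transfer", "sender recipient amount")

def sell_asymmetry(transfers, pool, min_buyers=5, max_seller_ratio=0.2):
    """Compare wallets that bought from a DEX pool with wallets that sold into it.

    pool -> wallet counts as a buy, wallet -> pool as a sell. A blocked sell
    reverts and emits no Transfer, so a honeypot shows many buyers and almost
    no sellers. Thresholds are illustrative assumptions, not calibrated values.
    """
    pool = pool.lower()
    buyers, sellers = set(), set()
    for t in transfers:
        src, dst = t.sender.lower(), t.recipient.lower()
        if src == pool and dst != pool:
            buyers.add(dst)
        elif dst == pool and src != pool:
            # Liquidity added by the deployer also lands here; the signal is
            # that nobody else ever appears on this side.
            sellers.add(src)
    ratio = len(sellers) / len(buyers) if buyers else 0.0
    return {
        "buyers": len(buyers),
        "sellers": sorted(sellers),
        "seller_ratio": ratio,
        "suspicious": len(buyers) >= min_buyers and ratio <= max_seller_ratio,
    }

# Constructed sample data (not real addresses or trades).
POOL = "0x" + "aa" * 20
DEPLOYER = "0x" + "dd" * 20
WALLETS = ["0x" + f"{i:02x}" * 20 for i in range(1, 9)]

# Trapped token: eight wallets buy, only the deployer moves tokens into the pool.
TRAPPED = [Transfer(DEPLOYER, POOL, 10**6)] + [Transfer(POOL, w, 100) for w in WALLETS]
# Normal token: same buys, and five of the buyers later sell.
NORMAL = TRAPPED + [Transfer(w, POOL, 40) for w in WALLETS[:5]]

if __name__ == "__main__":
    for name, data in (("trapped", TRAPPED), ("normal", NORMAL)):
        print(name, sell_asymmetry(data, POOL))
```

A low seller ratio is a reason to investigate further, not proof on its own: a token that launched minutes ago may simply not have had any sells yet.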
What to do if you’ve fallen victim to a honeypot scam
Falling victim to a honeypot crypto scam can be a devastating experience. But acting quickly and responsibly can help mitigate the damage and protect others from falling into the same trap. Here’s what you should do:
Report the scam to crypto exchanges and law enforcement
If the scam occurred on a known exchange or if you used an exchange to transfer funds into the honeypot, immediately report the fraudulent activity to that platform. While many decentralized projects are harder to track, centralized exchanges may help to flag the scammer’s wallet or freeze any suspicious accounts.
If the scam was listed on platforms like CoinMarketCap or CoinGecko, consider reporting the token as fraudulent to get it delisted, helping to prevent others from becoming victims.
File a report with law enforcement
Depending on your jurisdiction, you should file a report with local or national authorities, especially those specializing in cybercrime. In the U.S., this could be the FBI’s Internet Crime Complaint Center (IC3); for European citizens, it could be Europol’s Cybercrime Centre.
While recovering funds through law enforcement is difficult, it creates an official record and can contribute to larger investigations.
Notify blockchain analytics firms
Services like Chainalysis or CipherTrace track suspicious activity on blockchains. Reporting to these firms can help with blacklisting scam wallets or identifying larger scam networks. Before reporting, collect evidence—transaction logs, wallet addresses, screenshots—to strengthen your case.
Secure your remaining assets
Stop all further interactions with the suspicious wallet or contract. If you continue interacting with them, scammers may use phishing tactics or insert malicious code to drain more funds from your accounts.
Transfer your remaining assets to a trusted, secure wallet. Consider moving them to a cold wallet like Tangem Wallet. Tangem is an offline hardware wallet with strong security measures. If you’re using a compromised software wallet, consider creating a new wallet and transferring your remaining tokens to prevent further losses.
Revoke contract permissions
If you interacted with a malicious smart contract, the scammer may still have access to your wallet. Use tools like Etherscan’s Token Approval Checker to revoke any permissions granted to malicious contracts or addresses. Many platforms and wallets have tools that allow users to revoke permissions for DApps they’ve interacted with, preventing potential access to their funds.
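To show what approval-checking tools look for, here is an added example (not from the original article or from any of the tools named) that replays ERC-20 Approval logs for one wallet and lists the spenders that still hold an allowance. The log layout follows the standard `eth_getLogs` result shape; the helper names, addresses and sample logs are constructed for illustration.

```python
# keccak256("Approval(address,address,uint256)"), topic0 of every ERC-20 Approval log.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
UNLIMITED = 2**256 - 1

def _addr(topic):
    """Indexed addresses are left-padded to 32 bytes; keep the last 20."""
    return "0x" + topic[-40:].lower()

def open_allowances(logs, owner):
    """Replay Approval logs in chain order and return allowances still above zero.

    The result is an upper bound: spending via transferFrom lowers an allowance
    without necessarily emitting Approval, so confirm with allowance() on-chain.
    """
    owner, latest = owner.lower(), {}
    ordered = sorted(logs, key=lambda l: (int(l["blockNumber"], 16), int(l["logIndex"], 16)))
    for log in ordered:
        topics = log["topics"]
        # ERC-721 Approval shares topic0 but indexes tokenId (4 topics): skip it.
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue
        if _addr(topics[1]) != owner:
            continue
        latest[(log["address"].lower(), _addr(topics[2]))] = int(log["data"], 16)
    return [
        {"token": tok, "spender": sp, "allowance": val, "unlimited": val == UNLIMITED}
        for (tok, sp), val in sorted(latest.items()) if val > 0
    ]

# Constructed sample logs in eth_getLogs shape (placeholder addresses, not real ones).
def _log(token, owner, spender, value, block, index, extra_topic=None):
    topics = [APPROVAL_TOPIC, "0x" + owner[2:].rjust(64, "0"), "0x" + spender[2:].rjust(64, "0")]
    if extra_topic:
        topics.append(extra_topic)
    return {"address": token, "topics": topics, "data": hex(value),
            "blockNumber": hex(block), "logIndex": hex(index)}

OWNER, OTHER = "0x" + "11" * 20, "0x" + "22" * 20
TOKEN, DAPP, ROUTER = "0x" + "a1" * 20, "0x" + "b2" * 20, "0x" + "c3" * 20
SAMPLE_LOGS = [
    _log(TOKEN, OWNER, ROUTER, 0, 120, 0),        # later revoke of the approval below
    _log(TOKEN, OWNER, ROUTER, 1000, 100, 3),     # limited approval, revoked at block 120
    _log(TOKEN, OWNER, DAPP, UNLIMITED, 101, 1),  # unlimited approval, never revoked
    _log(TOKEN, OTHER, DAPP, 500, 102, 0),        # someone else's approval
    _log(TOKEN, OWNER, DAPP, 7, 103, 0, "0x" + "00" * 31 + "07"),  # ERC-721 style, 4 topics
]
```

Calling `open_allowances(SAMPLE_LOGS, OWNER)` returns only the unlimited approval to `DAPP`, which is the entry to revoke first.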
Raise awareness on social media
Use platforms like Twitter, Reddit, or Telegram to share your experience with the wider crypto community. The more people know about the scam, the fewer victims the scammers can deceive. Share details about the scam, including the project’s name, the wallet addresses used, and how the honeypot functioned to prevent others from falling into the same trap.
Conclusion
Honeypot crypto scams pose a significant threat to cryptocurrency investors. To avoid falling victim, you must remain vigilant, conduct thorough research, and use protective measures outlined in this article. Always approach new projects cautiously, especially when they involve anonymous teams, sudden price surges, or questionable endorsements. These best practices can protect your crypto assets and help create a safer crypto environment.