When South Africa-based cryptocurrency exchange Luno discovered that many of its clients were being targeted by a project that promised investors returns so large that it was almost certainly a fraud, it did something that seems like basic common sense for any financial firm: It halted clients’ payments to accounts belonging to the scammers.
But in the crypto world, that response is not quite so common.
“It was a drastic strategy in many ways,” argued blockchain intelligence firm Chainalysis in the scams section of its 2021 Crypto Crime Report. “Cryptocurrency has historically been built on an ethos of financial freedom, and some users were likely to chafe at a perceived limitation on their ability to transact.”
Certainly, that ethos is behind much of the decentralized finance (DeFi) market, in which decentralized exchanges (DEXs) provide the trading services that exchanges like Luno do, generally with lower fees, but also without any central management that can spot and stop scams like this one. In fact, many DEXs are governed by protocols that require a voting process lasting a week or more before any changes can be made to the protocol. That means there is often no way to block even known scammers.
In Luno’s case, it worked with Chainalysis to track wallet addresses associated with the scammers, blocking them when discovered. As a result, daily transactions sent to the presumed crooks dropped almost 90%, from $730,000 in September to $90,000 in November.
A Growing Problem
This year saw $7.7 billion lost to scammers, according to Chainalysis. That was an increase of 81% over 2020, but still not as bad as 2019.
However, despite a huge increase in the mainstream attention being paid to crypto and the resulting attraction of new and inexperienced buyers, the losses to financial scams were not much higher than in 2020 — even though a Russian Ponzi scheme accounted for $1.1 billion of those losses single-handedly.
What changed this year was the explosion in the number and size of “rug pulls,” a type of scam in which a developer creates and markets a project. Interested buyers trade crypto such as stablecoins and ether for the project’s token and join its liquidity pool, hoping for a big windfall if it succeeds. That’s how most legit DeFi projects start. But in a rug pull, the developer eventually drains the liquidity pool of its locked cryptocurrency investments and makes off with everything, crashing the project token’s value to nothing.
This year, scammers made off with about $2.8 billion through rug pulls, Chainalysis said.
Another change seen in the broader scam post-mortems is that there are more of them, up more than a third to 3,300 over 2020, and they have shorter lives. This year, the average scam ran 70 days versus 192 in 2020.
One reason, Chainalysis suggests, is that authorities are fighting back with more aggressiveness and expertise. The Commodity Futures Trading Commission (CFTC), for example, shut down 14 projects falsely claiming to have registered as cryptocurrency derivative trading services in September alone.
“Rug pulls are most commonly seen in DeFi,” the report stated. They are “prevalent in DeFi because with the right technical know-how, it’s cheap and easy to create new tokens on the Ethereum blockchain or others and get them listed on decentralized exchanges without a code audit.”
That’s one thing most centralized exchanges — the good ones, anyway — require before listing a coin. These code reviews by firms like Solidity Finance look for red flags, such as the ability of anyone to drain a liquidity pool without a vote open to all its governance token holders.
Chainalysis gives the example of AnubisDAO, which raked in $60 million “practically overnight” despite the lack of a white paper or even a website, and developers who all worked under pseudonyms, which is not quite that rare in DeFi. Investors received ANKH tokens for locking crypto into the project’s liquidity pool, which disappeared after less than a single day.
The vast majority of this year’s rug pulls came from DEXs, but they are not limited to them, Chainalysis noted. Turkey’s Thodex, a centralized exchange, was looted by its CEO to the tune of $2 billion.