MOONSALE
a product of IGH

How Scammers Fake Crypto Projects

Most rugs are not accidents

The crypto press writes about every "rug" as if it were a tragic mistake. It almost never is. Scammers in 2026 run the same eight playbooks over and over. The names of the tokens change. The Telegram pictures change. The playbooks do not. Once you have seen them three times you can identify them in 30 seconds.

This post lays out the eight most common ways scammers fake a crypto project, what each one looks like in practice, the giveaway signs, and a verification checklist that catches almost every fake before you buy. Founders should also read this in reverse: knowing what fakes look like is the cleanest way to NOT be mistaken for one.

Playbook 1: the cloned project

The simplest scam. A real project with traction (say, "DOGE AI" with 50k holders) gets cloned. A new token deploys with the same name, the same logo, a near-identical Telegram, and lists on PinkSale or DxSale. Buyers searching for the original token find the clone first, ape in, and watch their money disappear.

Giveaways: contract address does not match the real project's official address (the real one is pinned in the official Telegram). Telegram is younger than the original. Twitter handle has a single underscore where the real one does not, or uses zeros for the letter O.

Defense: never paste a contract from a Telegram message you found via search. Always verify the contract through the project's official website, and check the website's domain age (whois.com) against the project's claimed founding date.
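The two giveaways above (a contract address that differs from the official one, and a handle that differs only by an underscore or a zero in place of the letter O) can be checked mechanically. This is an added example, not MoonSale's code; the handles and addresses are constructed placeholders, and the function names are hypothetical.

```python
import re

# Substitutions named in the giveaways: a stray underscore, zero for the letter O.
_SUBS = str.maketrans({"0": "o", "_": None})
_ADDR = re.compile(r"0x[0-9a-fA-F]{40}")

# Constructed sample data, not real accounts or contracts.
OFFICIAL = {"contract": "0x" + "a1" * 20, "twitter": "@DogeAI"}
CLONE = {"contract": "0x" + "b2" * 20, "twitter": "@D0ge_AI"}

def _plain(handle: str) -> str:
    """Handles are case-insensitive; drop the leading @ and surrounding space."""
    return handle.strip().lstrip("@").lower()

def skeleton(handle: str) -> str:
    """Reduce a handle to a form in which the lookalike tricks collapse."""
    return _plain(handle).translate(_SUBS)

def classify_handle(candidate: str, official: str) -> str:
    if _plain(candidate) == _plain(official):
        return "official"
    if skeleton(candidate) == skeleton(official):
        return "lookalike"
    return "unrelated"

def same_contract(a: str, b: str) -> bool:
    """Compare two EVM addresses; hex case is ignored, malformed input never matches."""
    a, b = a.strip(), b.strip()
    if not (_ADDR.fullmatch(a) and _ADDR.fullmatch(b)):
        return False
    return a.lower() == b.lower()

def review_listing(listing: dict, official: dict) -> list[str]:
    """Return the Playbook 1 giveaways found in a listing, empty if none."""
    findings = []
    if not same_contract(listing["contract"], official["contract"]):
        findings.append("contract address differs from the official one")
    verdict = classify_handle(listing["twitter"], official["twitter"])
    if verdict != "official":
        findings.append(f"twitter handle is {verdict}")
    return findings
```

The official values fed to `review_listing` must come from the project's own website, as the defense above says, never from the listing being checked.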

Playbook 2: the fake KOL endorsement

A scam project shows a screenshot of a famous trader (CryptoCobain, ZachXBT, etc.) endorsing the token. The screenshot is real-looking but fabricated. The real trader has not heard of the project.

In 2026 this has gotten worse because AI image generation makes fake screenshots indistinguishable from real ones at thumbnail size.

Giveaways: the alleged endorsement does not appear on the trader's actual feed. Search the trader's Twitter for the token name. If there is no real post from them, the screenshot is fake.

Defense: for any KOL endorsement, find the original tweet on the KOL's actual profile. If you cannot find it, treat the screenshot as fake. Project founders who use forged endorsements know they are forging them.

Playbook 3: the vampire launch

A token starts trending. Within 24 hours, a copycat launches with similar tokenomics, a similar name, and rides the original's momentum. Buyers searching for the trending token find the copycat first because the copycat actively promotes the search query. By the time the dust settles, the copycat has stolen the original's exit liquidity and dumped on its holders.

Giveaways: contract age. The trending original is usually 7 to 30 days old; the vampire is 3 to 24 hours old. Holder count divergence: the original has thousands, the vampire has hundreds.

Defense: when buying into a trending token, verify the contract's deploy timestamp on BscScan against the project's claimed launch date. A mismatch of more than 24 hours is a vampire scam. The post How to Spot a Honeypot in 60 Seconds covers the related contract-verification flow.

Playbook 4: the fake roadmap and promise inflation

The project page lists "Tier 1 CEX listing in 30 days", "Partnership with Coinbase confirmed", "Audited by CertiK" with no link. The promises are fabricated. There is no CEX listing. Coinbase does not know about the project. The audit was never done, or was done on a different contract.

Giveaways: every claim is unsourced. No links to confirmation tweets, no audit report URL, no exchange listing announcement on the exchange's own channels.

Defense: every concrete claim should have a clickable, verifiable source. "CertiK audited" should link to the actual CertiK report URL. "Listed on MEXC" should link to the actual MEXC announcement. "Partnered with X" should link to a co-announcement on X's official channel. Unsourced claims are fabrications until proven otherwise.

Playbook 5: the fake audit badge

The project displays an "audit completed" badge with a logo (CertiK, PeckShield, Hacken). The badge is photoshopped, the audit was done on a different contract, or the audit found critical issues that the team never addressed.

Giveaways: the audit badge has no clickable URL to the actual report. When you find the report, the contract address in the report does not match the deployed contract. Or the report flags critical bugs that the team marked "acknowledged" but never fixed.

Defense: every audit badge should link to the audit report URL. Verify the contract address in the report matches the deployed contract. Skim the "critical" and "high" severity findings; if any are unresolved, treat them as unresolved. The CA audits page on MoonSale shows audit badges that link to actual reports, which is the only meaningful version of an audit signal.

Playbook 6: the dev-team mask

The project's website shows a team of four people with LinkedIn profiles, headshots, and crypto-credible past projects. The headshots are AI-generated. The LinkedIn profiles were created last week. The "past projects" do not exist or were not actually built by these people.

Giveaways: LinkedIn profile age (right-click profile, view source, find the creation hint). Reverse-image-search the headshots: AI-generated faces sometimes match StyleGAN training output, and stock-photo lookalikes get caught by Google Lens. GitHub profiles with no commits before the project's launch month.

Defense: for any "doxxed" team, run reverse image search on every headshot. Check LinkedIn profile age. Check GitHub commit history (real engineers have commits going back years). For a project worth more than $5k of your money, spend 5 minutes on this.

Playbook 7: the community theater

The Telegram has 10,000 members. The chat is constantly active with "great project!" and "to the moon!" messages. New members get welcome DMs from "early supporters." The activity feels organic.

It is not. The members are bots. The active chatters are paid actors or sock-puppet accounts. The DMs are scripted by the team.

Giveaways: scroll the chat. If 90 percent of messages are short, generic praise with no project-specific content, the chat is theater. Real communities argue about tokenomics, ask hard questions, complain about the chart, and discuss roadmap. Fake communities only celebrate.

Defense: read the Telegram for 5 minutes before buying. Pay attention to the depth of conversation. A real community has at least 3 to 5 distinct ongoing conversations on different topics at any given moment. A fake community has one looped script.

Playbook 8: the honeypot wearing a wig

The most technically sophisticated scam. The contract LOOKS normal at first glance. Source is verified. Tax is reasonable. No obvious blacklist function. But buried in the transfer logic is a condition that prevents non-team wallets from selling under specific circumstances (after a certain price multiple, after a certain time, when the contract balance crosses a threshold).

This is the scam version of the honeypot covered in detail in a separate post, but it is harder to detect because automated scanners may miss the subtle conditional logic.

Giveaways: actual transaction history shows zero or near-zero successful sells from non-team wallets. The team wallet has sold; nobody else has. Any "test sell" you can do should fail or execute at a punitive tax rate.

Defense: the $1 test buy and immediate test sell catches even sophisticated honeypots. Buy through PancakeSwap, immediately try to sell, see what happens. If the sell reverts or the proceeds are vastly less than the buy, walk away.
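The sell-history giveaway and the test round trip can both be expressed as checks over data pulled from a block explorer. This is an added example, not MoonSale's scanner; the transfer records are constructed, the addresses are placeholders, and the `near_zero` and `max_loss` thresholds are assumptions standing in for "near-zero" and "vastly less".

```python
# Constructed sample: transfers of one token, oldest first.
# Assumption: a transfer out of the DEX pair is a buy, a transfer into it is a sell.
PAIR = "0xPAIR"      # placeholder, not a real address
TEAM = {"0xTEAM"}    # placeholder team wallet(s)
TRANSFERS = [
    {"from": "0xPAIR", "to": "0xA", "ok": True},
    {"from": "0xPAIR", "to": "0xB", "ok": True},
    {"from": "0xPAIR", "to": "0xC", "ok": True},
    {"from": "0xB", "to": "0xPAIR", "ok": False},    # sell attempt that reverted
    {"from": "0xTEAM", "to": "0xPAIR", "ok": True},  # team sell went through
    {"from": "0xPAIR", "to": "0xD", "ok": True},
]

def sell_summary(transfers, pair, team):
    """Count distinct non-team buyers and sellers; reverted sells are tracked apart."""
    buyers, sellers, blocked = set(), set(), set()
    team_sold = False
    for t in transfers:
        src, dst = t["from"], t["to"]
        if src == pair and dst not in team and t["ok"]:
            buyers.add(dst)
        elif dst == pair and src in team:
            team_sold = team_sold or t["ok"]
        elif dst == pair:
            (sellers if t["ok"] else blocked).add(src)
    return {"buyers": len(buyers), "sellers": len(sellers),
            "blocked": len(blocked), "team_sold": team_sold}

def trapped_holders(summary, near_zero=0.02):
    """Playbook 8 signal: the team has sold, almost no one else has."""
    if summary["buyers"] == 0:
        return False
    ratio = summary["sellers"] / summary["buyers"]
    return summary["team_sold"] and ratio <= near_zero

def round_trip_verdict(spent, received, max_loss=0.5):
    """Classify the small test buy and sell; received=None means the sell reverted."""
    if received is None:
        return "reverted"
    loss = 1 - received / spent
    return "punitive" if loss > max_loss else "ok"
```

Counting only successful sells matters: a history full of reverted sell attempts from ordinary wallets is itself the pattern described above, which is why they are kept in their own `blocked` count.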

The 30-second verification checklist

Combining all eight defenses into one fast checklist any investor can run before a buy:

  1. Contract address verified on BscScan? (yes / no)
  2. LP locked through a public lock contract? Use the token scanner to check, and the security score page on MoonSale-hosted projects.
  3. Holder distribution healthy (LP at top, no single non-LP wallet over 10 percent)?
  4. Sells visible in the last 24 hours of transactions?
  5. Team doxx verified (real LinkedIn age, real GitHub commits)?
  6. Audit badge links to a real report with the matching contract address?
  7. Telegram has real conversation depth, not just looped praise?
  8. Token age and holder count consistent with the project's claimed history?

A "no" on any of these is not automatically a scam, but is a signal to slow down. Three or more "no"s and the probability of a fake project crosses 80 percent.

What MoonSale defends against on its platform

The platform side handles a meaningful slice of these patterns automatically:

  • Cloned project pattern: every project's contract is verified and surfaced on the project page. Buyers cannot get tricked by a Telegram-pasted "alternative" contract because the official MoonSale URL shows the canonical address.
  • Fake audit badge pattern: the CA audits page only accepts audit badges with verifiable report URLs from approved auditors.
  • Honeypot pattern: the token scanner runs automated checks before any project page publishes.
  • Listing rate inversion (related to vampire launches): enforced at the contract level on Create Presale; the form will not let a founder ship a soft-rug listing rate.
  • Source verification: automatic on every Create Token deploy.

The full defense layer is documented in MoonSale Security Standards Explained.

What the platform CANNOT catch

Honest section. There are scams the platform cannot detect because they live off-chain:

  • Fake KOL endorsements posted before a launch lists
  • Fabricated CEX listing claims in marketing copy
  • AI-generated team headshots linked from project websites
  • Bot-padded Telegram counts
  • Fake roadmap items ("partnership with Coinbase")

The platform handles contract-risk. Buyers handle narrative-risk. The best defense is doing the 5 to 10 minutes of due diligence the checklist above asks for.

Common excuses scammers use

If a project's defense to any of the checklist items is one of these phrases, the probability of a scam jumps:

  • "Audit coming next week"
  • "Team will doxx when we hit $1M market cap"
  • "Tier 1 CEX listing announcement soon, can't reveal which"
  • "Contract is verified, you just have to trust us on the rest"
  • "Liquidity will be locked after the presale ends"
  • "We can't show the team yet for legal reasons"

Real projects ship the audit, the KYC, the lock, the team doxx BEFORE asking for money. Anything postponed to "after launch" is structurally a request for trust without proof.

How founders signal trust (the reverse view)

If you are a founder reading this and want to NOT look like a scam, the operations are obvious:

  1. Lock LP for 365+ days through the lock contract before the launch goes public
  2. Vest team tokens for 12+ months through the vesting contracts
  3. Get an audit badge with a real, public report URL
  4. Doxx the team with real LinkedIn profiles and verifiable past projects
  5. Verify the contract on BscScan within 5 minutes of deploy
  6. Build a real community before launch (200+ active members in the Telegram, real conversation)
  7. Ship the security score with as many green checks as possible

Every check on this list is verifiable on chain or by reading public profiles. None requires the buyer to trust your word.

The post Common Mistakes New Token Creators Make covers more of the founder-side mistakes that get legitimate projects mistaken for scams.

Ready to verify any project?

Open the token scanner for any contract address, BSC or Ethereum. The scan returns in 5 seconds and covers the contract-side of the checklist. For projects launched on MoonSale specifically, the security score page surfaces the broader signals at the project-card level.

For the buyer-side honeypot detection deep-dive, see How to Spot a Honeypot in 60 Seconds. For the founder-side trust playbook, see What Makes a Successful Token Launch? and MoonSale Security Standards Explained.

Scammers run the same eight plays because the plays work. They keep working because most buyers do not run the 30-second checklist. The few buyers who do run it are the ones who survive long enough to compound returns. Be one of those buyers.
