Understand The Unlimited Minting Scam and Pool Liquidity Drain.

The cryptocurrency market, with its potential for quick profits and decentralization, attracts both experienced investors and newcomers seeking opportunities. However, this popularity also creates space for scammers who exploit their victims' lack of technical knowledge and excessive trust. One of the most common and insidious schemes is the so-called “Liquidity Rug-Pull”, a fraud in which the scammer presents themselves as an expert and manipulates inexperienced investors to profit at their expense. Recently, while participating in a discussion forum on a channel created by a major exchange on Discord, I came across the testimony of an investor who had just fallen victim to one of these scams.

The False Authority:

It all started with the scammer building an image of someone trustworthy, presenting himself as a person who knew a lot about cryptocurrencies, claiming he was a server moderator and a “project developer.” He used the channel of a major decentralized exchange (DEX) on Discord, reaching out to the victim through private messages, a method commonly used on these servers to find people new to this space, who were eager to invest but lacked much experience. That’s when he gained his trust, making it seem like he was offering a special opportunity.

Next, the scammer proposed something that caught attention: creating an exclusive digital coin, which he claimed would increase in value. Furthermore, to convince her, he showed off his supposed expertise in tokens, displaying impressive profits and images of wallets full of funds. These “proofs” were designed to impress someone who didn’t know how to verify whether the information was actually true or not. The promise of something unique and the chance to make quick money with her own token ended up drawing the victim in even more.

The target of this scheme was someone excited about investing but who didn’t fully understand how cryptocurrencies or digital markets worked. The investor himself reported being new to this world, who had heard success stories and knew it was possible to strike it lucky, but didn’t know how and lacked the knowledge to spot that something was off. In the end, the victim relied on the fake developer’s experience, trusting the story and investing in the scheme.

Token Creation and the False Guarantee:

The scammer put the plan into action, creating the token using the Base platform, though this type of scam doesn’t need any specific blockchain. Scammers often use networks like Ethereum, Binance Smart Chain, Solana, or any other that allows someone with basic development knowledge to deploy a smart contract. In reality, this process is simple and inexpensive, often costing just a few dollars in transaction fees, but the scammer portrayed it as something sophisticated and labor-intensive, heightening the illusion that the victim was part of an exceptionally tailored project.

At that point, the investor, excited about the idea of having his own “project” but still wary, reported that she asked the supposed developer for a guarantee to protect herself: “Send all the created tokens to my wallet, and I’ll add the liquidity myself. I don’t have much experience and I’m really afraid of scams.” The scammer agreed and sent the requested 1,000,000 tokens, since doing so made no practical difference to him. The key point of the exploit lies in the hands of those who control the token contract and can manipulate operations secretly, and not in the possession of the tokens themselves.

The Final Punch: Inflation and Rug Pull:

Although the victim received the tokens (supposedly all of them), the scammer retained control over the smart contract that created the token. Malicious smart contracts allow the developer to mint additional tokens at any time without notice or limit, manipulate wallet balances, and even delete or block tokens. Once the victim added liquidity to the pool (around $1,000), the scammer executed the final phase of the scam.

Using their authority over the smart contract, the scammer minted 1 trillion of new tokens, inflating the total supply of the cryptocurrency and transferred just 10 billion of the new tokens to the pool, possibly due to pool configuration restrictions. As a result, the victim’s stake, which was previously 100% of the initial supply, became an insignificant fraction of the new total. In other words, the victim initially owned 100% of the 1 million tokens, but after the supply was inflated, their share dropped to less than 0.001%. This dilution destroyed the token’s value that was in their hands and destabilized the liquidity pool, transferring the majority of the stake to the scammer.

Then, the scammer executed what is known as a “Rug-Pull.” He used the newly minted tokens to drain all the liquidity, exchanging them for the cryptocurrency that the victim had provided as the trading pair in the pool, in this case, WETH. By the time the victim realized what had happened, the liquidity pool was empty, their 1 million tokens were worthless, and the scammer had disappeared, changing their digital identity to repeat the scheme with new victims.

Conclusion:

The cryptocurrency market, being decentralized and lightly regulated, offers few options for recourse. Blockchain transactions are irreversible, and tracking down a scammer is a difficult task due to the pseudonymity provided by cryptographic wallets and decentralized protocols.

This scam highlights the importance of understanding the technical fundamentals of the crypto market. It is well known that smart contracts should be audited by trusted third parties. Tools like block explorers (Etherscan, BscScan, Solscan) can help verify the token’s supply and contract permissions, such as unlimited minting, ownership transfers, token burning, or wallet freezing. However, many newcomers have no idea how to use these tools or are unaware that such strategies are even possible.

This is where M13 Digital comes in. We provide reports on common scamming techniques, how to identify them, and most importantly, how to stay protected. In addition to analyzing smart contracts for malicious functions, we track transaction movements using public tools like blockchain explorers, as well as our own advanced filtering and on-chain search tools. These allow us to correlate transactions through timestamps and values, detect possible swaps and cross-chain conversions, and even identify the use of platforms designed to obfuscate transactions.

The Forensic Analysis:

After analyzing the token address transactions on Basescan, we confirmed that 1 million tokens were initially issued. The scammer sent a portion of these tokens to the victim, who then added $1,000 to the token pair in a liquidity pool. Shortly afterward, the scammer issued a vast additional amount of tokens (1 trillion), but inject 10 billion into the pool, possibly due to restrictions depending on the pool’s configuration. This action diluted the token’s value, significantly reducing the victim’s share in the liquidity pool.

The scammer first issued the tokens, transferred them to the token pair contract, and then used a secondary contract to facilitate a swap, converting the inflated token supply into WETH, the paired token. Next, the scammer withdrew the WETH via the Base network, transferred it to the Bitget bridge, and converted it into BNB using the Binance Smart Chain. From there, the funds were sent to a swap service, FixedFloat, where they were exchanged for USDC. This final step allowed the scammer to attempt using the funds on centralized exchanges as if they were legitimate. All of this, from the initial mint of 1 million token units to the final conversion into USDC, took less than 3 hours.

With a detailed report and sufficient evidence, it is possible to submit a legal request to centralized exchanges or stablecoin issuers, such as Circle (for USDC) or Tether(for USDT), to freeze the associated funds, although this process depends on cooperation and judicial support. However, it is worth noting that it is indeed possible to seek the recovery of misappropriated funds, but investors should also be guided on the best security practices in the world of crypto assets.