Rug Pull Forensics: Post-Mortem Analysis Tools, Evidence Maps, Wallet Clustering, and On-Chain Investigation Workflows
Rug pull forensics is the process of reconstructing how value was extracted from a token, liquidity pool, bridge wrapper, NFT mint, DeFi vault, or community project after a suspected scam or engineered collapse. A serious post-mortem does not stop at saying “the chart dumped.” It identifies the mechanism, preserves transaction evidence, maps contract control surfaces, reconstructs the timeline, follows liquidity, clusters suspect wallets, separates facts from assumptions, and turns a chaotic event into a defensible report. This TokenToolHub guide shows traders, investigators, builders, and security researchers how to analyze a suspected rug pull with structured evidence instead of speculation.
TL;DR
- A rug pull is not just a price crash. Forensics looks for coordinated value extraction through liquidity removal, insider dumping, sell restrictions, tax manipulation, proxy upgrades, minting, bridge failure, or hidden wallet control.
- The first job is evidence preservation. Capture token addresses, pair addresses, deployer wallets, owner wallets, liquidity events, admin calls, screenshots, archived links, and transaction hashes before websites, posts, and liquidity routes disappear.
- A credible post-mortem needs a timeline. Reconstruct deployment, liquidity seeding, trading open, hype phase, control changes, extraction transaction, routing path, and possible off-ramp touchpoints.
- Contract forensics identifies the control surface. Look for owner privileges, blacklist logic, tax setters, max transaction controls, pause functions, minting, proxy upgrades, liquidity control, and privileged wallet exemptions.
- Liquidity forensics proves the extraction path. Track pool reserves, LP token ownership, add and remove liquidity events, large swaps, tax wallet flows, and reserve changes before and after the collapse.
- Wallet clustering must be evidence-based. Shared funding, synchronized actions, repeated deployer behavior, common routers, and routing paths are stronger than weak assumptions.
- AI can help summarize evidence and identify patterns, but it should not invent attribution. Use AI to structure reports, classify events, and highlight missing evidence, not to claim identities without proof.
- Start with prevention: use the TokenToolHub Token Safety Checker before exposure, then use forensics after incidents to improve future detection.
Rug pull forensics should be evidence-led. A wallet cluster, transaction pattern, or exchange deposit route may support a hypothesis, but real-world identity claims require stronger proof and appropriate legal process. Preserve evidence, separate facts from interpretation, and avoid harassment.
Investigator starting point
Before a rug, scan contracts and check token controls. After a rug, preserve evidence, map wallets, and reconstruct the value path. Keep your own assets protected while investigating suspicious links, fake claim pages, and malicious token contracts.
What counts as a rug pull?
“Rug pull” is often used loosely in crypto. A token drops 80 percent and people call it a rug. A founder disappears and people call it a rug. A liquidity pool dries up and people call it a rug. For forensics, the definition must be tighter because a credible post-mortem needs to distinguish market losses from deliberate extraction.
A rug pull is best understood as coordinated value extraction where insiders or privileged actors use control, deception, or structural advantage to remove value from buyers, liquidity providers, holders, or community participants. The extraction may happen through a smart contract function, liquidity pool action, hidden allocation dump, sell trap, bridge wrapper failure, tax wallet drain, proxy upgrade, or coordinated wallet route.
Not every failed project is a rug. Some teams are incompetent, underfunded, overpromising, or exposed to market volatility. A serious investigation does not begin with the conclusion. It begins with the mechanism. What happened on-chain? Who had control? Which wallets benefited? Which transactions changed the state? Where did liquidity move? What evidence proves the timeline?
Main rug pull categories
- Liquidity rug: insiders remove liquidity from the pool, leaving holders with poor or impossible exits.
- Supply dump: insiders sell large hidden allocations into buyers and drain the base asset from the pool.
- Honeypot or sell trap: users can buy, but selling fails, is blocked, or becomes economically useless.
- Tax toggle rug: sell taxes or transfer taxes are suddenly increased and routed to insider-controlled wallets.
- Proxy upgrade rug: a contract implementation changes after launch to introduce malicious behavior.
- Mint rug: privileged wallets create new supply and sell it into the market.
- Bridge or wrapper rug: a wrapped asset becomes unbacked, frozen, or controlled by an issuer who extracts value.
- Governance or treasury rug: treasury assets are moved, swapped, bridged, or drained through privileged control.
Evidence-first workflow: build the case folder before chasing wallets
A rug pull investigation can become chaotic quickly. Websites disappear, posts are deleted, DEX charts update, liquidity moves, wallets bridge funds, and community members start sharing unverified claims. The investigator’s first advantage is structure.
Before analyzing motives, create a case folder. The folder should preserve identifiers, timelines, screenshots, contract artifacts, liquidity events, wallet lists, and report drafts. This prevents the investigation from becoming a loose collection of tabs and screenshots with no chain of custody.
Minimum case folder structure
What to capture immediately
- Token contract address, pair address, deployer address, owner address, and chain.
- Initial liquidity add transaction and all liquidity removal transactions.
- Top holder snapshot and LP token holder snapshot.
- Admin calls near the collapse, including tax changes, blacklist updates, trading toggles, max transaction changes, and ownership transfers.
- Large sell transactions during the collapse window.
- Wallets that received supply before trading opened.
- Website, docs, whitepaper, roadmap, social profiles, and announcement screenshots.
- Community warnings, founder messages, deleted posts, and support responses.
A strong report links claims to transaction hashes, decoded events, function calls, wallet traces, screenshots, archived pages, or reproducible queries. Anything without evidence should be labeled as hypothesis.
Timeline reconstruction: turn chaos into sequence
The timeline is the spine of a rug pull report. It shows how the project moved from deployment to liquidity, trading, hype, extraction, routing, and aftermath. Without a timeline, readers cannot see causality. They only see a chart collapse.
A good timeline does not need to include every transaction. It needs to include the key events that explain control, value movement, and user harm. Each event should include a timestamp, block number, transaction hash, actor wallet, and short note.
Core timeline phases
- Deployment: contract creation, deployer funding, source verification, proxy setup, initial owner.
- Setup: token distribution, owner settings, tax wallets, router configuration, pair creation.
- Liquidity seeding: initial LP add, LP token recipient, lock claims, LP transfer behavior.
- Trading open: trading toggle, whitelist changes, max transaction settings, public announcement.
- Hype phase: marketing push, influencer posts, community growth, unusual buy volume.
- Control change: tax update, blacklist, pause, upgrade, ownership change, mint, or liquidity control action.
- Extraction: LP removal, insider dump, tax wallet swap, bridge route, treasury drain, or sell trap activation.
- Routing: fund splitting, stablecoin swaps, bridge transfers, deposit addresses, consolidation wallets.
- Aftermath: deleted posts, statements, abandoned channels, repeated launches, victim reports.
Contract forensics: identify the control surface
Contract forensics asks a precise question: what could privileged actors do that ordinary holders could not? A token may claim decentralization, but the contract can reveal active owner controls, hidden operators, tax setters, pause functions, blacklist maps, mint functions, proxy administrators, or role-based permissions.
The goal is not to accuse every admin function of being malicious. Some projects need operational controls. The goal is to document the control surface and determine whether those controls were used before, during, or after the collapse.
Ownership and role checks
- Who deployed the contract?
- Who was the owner at launch?
- Was ownership renounced, transferred, or hidden behind another role?
- Does the contract use AccessControl, operator roles, guardian roles, or custom admin mappings?
- Were roles granted or revoked near the incident?
- Are admin wallets connected to deployer, LP, tax, or dumping wallets?
Tax and fee controls
Tax controls can become extraction tools when insiders can raise buy, sell, or transfer taxes and route proceeds to a wallet they control. Review the function names, maximum values, tax wallet, exemptions, and history of changes.
- Can buy or sell taxes be changed after launch?
- Is there a maximum tax limit enforced by code?
- Who can change the tax wallet?
- Which wallets are excluded from taxes?
- Did taxes change immediately before user sell failures?
- Did the tax wallet swap proceeds into the base asset?
Transfer restrictions
Many rug pulls and honeypots depend on transfer restrictions. These include blacklists, whitelists, trading toggles, cooldowns, anti-bot gates, max transaction limits, max wallet limits, and router-specific behavior. The key question is whether restrictions were applied unequally.
Proxy and upgrade risk
Upgradeable contracts require special attention. A project can deploy harmless logic, attract users, then upgrade implementation after liquidity and buyers arrive. If a proxy upgrade occurred near the collapse, the implementation change may be central evidence.
Record the proxy admin, previous implementation address, new implementation address, upgrade transaction hash, and whether the upgrade introduced malicious behavior, changed tax logic, enabled transfer restrictions, or redirected value.
Minting and supply control
A supply rug occurs when insiders mint or distribute tokens into wallets that later dump on the pool. Even if the token supply appears fixed on a website, the contract may include mint functions, hidden balance mechanics, rebasing logic, reflection manipulation, batch transfers, or privileged allocation routes.
| Control surface | Risk question | Evidence to capture |
|---|---|---|
| Owner role | Who can change critical settings? | Owner address, ownership events, role calls |
| Tax setters | Can fees be raised or redirected? | Function calls, tax values, tax wallet flows |
| Blacklist or whitelist | Can selected wallets be blocked or favored? | Mappings, events, affected wallets, sell failures |
| Trading gates | Can trading be opened, paused, or restricted? | Trading flag updates, pause events, failed transactions |
| Proxy admin | Can implementation logic change? | Proxy admin, implementation history, upgrade tx |
| Minting | Can supply be created or manipulated? | Mint calls, supply changes, recipient wallets |
Liquidity forensics: prove how value left the pool
Liquidity analysis is where a rug pull report becomes concrete. A pool is not just a chart. It is a contract with reserves, LP ownership, swap events, and liquidity add or remove events. If value was extracted through the pool, the pool will show evidence.
Start by identifying the primary trading pair. Then capture initial liquidity, later liquidity adds, LP token ownership, liquidity locks, transfer of LP tokens, reserve changes, major swaps, and the extraction transaction.
Liquidity questions
- Who added the first liquidity?
- How much base asset was added?
- Who received the LP tokens?
- Were LP tokens locked, burned, transferred, or held by an insider wallet?
- Was liquidity removed in one transaction or gradually?
- Did the base asset reserve collapse?
- Were large insider sells responsible for draining the base asset?
- Were tax wallet swaps used as a hidden extraction route?
Pool snapshot method
A simple pool snapshot can clarify the mechanism. Capture reserves before trading, before the dump, during extraction, and after the collapse. A liquidity pull usually shows both sides of the pool's liquidity being removed. An insider dump usually shows the token reserve rising and the base asset reserve falling as insiders sell into the pool.
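The snapshot comparison described above, as an added example (not TokenToolHub code). It assumes a constant-product pair whose LP tokens are burned on removal; the reserve values, the 50 percent threshold, and all names are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PoolSnapshot:
    label: str
    block: int
    token_reserve: float  # token side of the pair
    base_reserve: float   # base asset side, e.g. the wrapped native coin
    lp_supply: float      # LP tokens outstanding at this block


def pct_change(before, after):
    """Relative change; 0.0 when the starting value is zero."""
    return 0.0 if before == 0 else (after - before) / before


def classify_transition(a, b, threshold=0.5):
    """Compare two snapshots and name the pattern the reserves show."""
    token = pct_change(a.token_reserve, b.token_reserve)
    base = pct_change(a.base_reserve, b.base_reserve)
    lp = pct_change(a.lp_supply, b.lp_supply)
    # Constant product k = token * base: swaps leave k roughly unchanged,
    # while removing liquidity shrinks it sharply (assumed AMM model).
    k_change = pct_change(a.token_reserve * a.base_reserve,
                          b.token_reserve * b.base_reserve)
    if token <= -threshold and base <= -threshold:
        mechanism = "liquidity_pull"      # both sides removed
    elif token > 0 and base <= -threshold:
        mechanism = "insider_dump"        # tokens sold in, base drained out
    else:
        mechanism = "no_extraction_pattern"
    return {
        "from": a.label, "to": b.label, "blocks": (a.block, b.block),
        "mechanism": mechanism,
        "token_change": round(token, 4), "base_change": round(base, 4),
        "k_change": round(k_change, 4),
        "lp_burned": lp <= -threshold,    # corroborates a liquidity pull
    }


def analyze(snapshots, threshold=0.5):
    """Classify every consecutive pair of snapshots, ordered by block."""
    ordered = sorted(snapshots, key=lambda s: s.block)
    return [classify_transition(a, b, threshold)
            for a, b in zip(ordered, ordered[1:])]


# Constructed snapshots at the four points the guide names.
SAMPLE = [
    PoolSnapshot("before_trading", 100, 1_000_000, 50.0, 7071.0),
    PoolSnapshot("before_dump", 900, 800_000, 62.7, 7071.0),
    PoolSnapshot("during_extraction", 950, 3_200_000, 15.7, 7071.0),
    PoolSnapshot("after_collapse", 960, 160_000, 0.785, 353.5),
]

if __name__ == "__main__":
    for row in analyze(SAMPLE):
        print(row)
```

In this constructed case the dump and the pull happen in sequence, which is why the guide asks for a snapshot during extraction as well as after the collapse.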
Liquidity lock misconceptions
“LP locked” is not always the protection users think it is. A project may lock only a portion of liquidity, lock for a short period, use a questionable lock contract, create multiple pools, route volume through an unlocked pool, or use other rug mechanisms that do not require LP removal.
A post-mortem should verify how much liquidity was locked, where it was locked, for how long, and whether the locked amount was the meaningful trading pool. Do not rely on screenshots alone.
Wallet clustering and funding paths
Wallet clustering is one of the most powerful parts of rug pull forensics, but it is also where weak reports often overreach. The goal is not to guess who someone is. The goal is to identify whether multiple wallets appear coordinated based on observable on-chain behavior.
Strong wallet clustering uses multiple signals. Shared funding is strong. Synchronized buying and selling is useful. Repeated interaction with the deployer, tax wallet, LP wallet, or previous rug contracts adds weight. Using the same DEX or trading in similar sizes is not enough on its own.
Start with known wallets
- Deployer wallet.
- Owner wallet.
- Tax or marketing wallet.
- LP token recipient wallet.
- Wallets that received supply before trading opened.
- Top sellers during the collapse window.
- Wallets that received routed proceeds after extraction.
- Wallets that funded gas for suspicious sellers.
Funding source analysis
Shared funding is one of the cleanest wallet cluster signals. If several “independent” wallets were funded by the same source shortly before launch, that suggests coordination. It becomes stronger if those wallets bought, sold, or routed funds in synchronized ways.
Peel chains and routing
After extraction, proceeds may move through peel chains. A wallet receives funds, sends a portion onward, keeps a portion, then repeats. This can be used for operational routing, exchange deposits, bridging, or obfuscation.
Record each hop with transaction hash, timestamp, asset, amount, source, destination, and destination type. Destination type may include ordinary wallet, bridge, exchange-labeled wallet, mixer, swap router, or new unknown wallet.
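One way to record a peel chain hop by hop, as an added example (not TokenToolHub code). It assumes a single asset, follows the largest outgoing transfer at each wallet as the onward hop, and uses constructed transfers, labels, and transaction placeholders.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    tx: str
    ts: int
    asset: str
    amount: int  # integer base units avoid float rounding in real traces
    src: str
    dst: str


# Destination types at which this example stops following funds.
TERMINAL_TYPES = {"bridge", "exchange-labeled wallet", "mixer", "swap router"}


def trace_peel_chain(transfers, start, received, received_ts, labels,
                     max_hops=25):
    """Follow funds from `start`, recording onward hops and side peels."""
    hops, peels = [], []
    current, seen = start, {start}
    stop = "max_hops"
    for _ in range(max_hops):
        outgoing = [t for t in transfers
                    if t.src == current and t.ts >= received_ts]
        if not outgoing:
            stop = "no_outgoing"
            break
        onward = max(outgoing, key=lambda t: t.amount)
        kept = received - sum(t.amount for t in outgoing)
        for t in outgoing:
            record = {
                "tx": t.tx, "timestamp": t.ts, "asset": t.asset,
                "amount": t.amount, "source": t.src, "destination": t.dst,
                "destination_type": labels.get(t.dst, "new unknown wallet"),
            }
            if t is onward:
                hops.append({**record, "kept_at_source": kept})
            else:
                peels.append(record)  # smaller side transfer
        dst_type = labels.get(onward.dst, "new unknown wallet")
        if dst_type in TERMINAL_TYPES:
            stop = "terminal:" + dst_type
            break
        if onward.dst in seen:  # funds looped back to a visited wallet
            stop = "cycle"
            break
        seen.add(onward.dst)
        current, received, received_ts = onward.dst, onward.amount, onward.ts
    return {"hops": hops, "peels": peels, "stop_reason": stop}


# Constructed sample: 100 units land in 0xW0 at ts=1000, then get peeled.
SAMPLE_TRANSFERS = [
    Transfer("TX1", 1100, "WETH", 90, "0xW0", "0xW1"),
    Transfer("TX2", 1200, "WETH", 80, "0xW1", "0xW2"),
    Transfer("TX3", 1210, "WETH", 10, "0xW1", "0xCEX"),
    Transfer("TX4", 1300, "WETH", 75, "0xW2", "0xBRIDGE"),
]
SAMPLE_LABELS = {"0xCEX": "exchange-labeled wallet", "0xBRIDGE": "bridge"}

if __name__ == "__main__":
    out = trace_peel_chain(SAMPLE_TRANSFERS, "0xW0", 100, 1000, SAMPLE_LABELS)
    for hop in out["hops"]:
        print(hop)
    print(out["peels"], out["stop_reason"])
```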
Using wallet intelligence tools
Wallet intelligence tools can help label exchange deposits, identify known entities, and connect related wallets faster than manual explorer work. For deeper wallet research, Nansen through TokenToolHub is relevant for wallet labels, smart-money context, and entity-level investigation workflows.
| Cluster signal | Strength | How to use it responsibly |
|---|---|---|
| Shared funding source | Strong | Document source txs and timing |
| Synchronized sells | Medium to strong | Combine with funding, supply, or routing evidence |
| Shared deployer history | Strong | Link repeated contracts and deployer transactions |
| Same DEX router usage | Weak alone | Use only as supporting context |
| Same exchange destination | Medium | Do not claim identity without legal confirmation |
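The multi-signal rule from the table above, as an added example (not TokenToolHub code). The numeric weights, time windows, and the rule "at least one strong signal plus one other" are assumptions chosen for illustration; the wallets and events are constructed, and the shared deployer history signal is not modelled.

```python
from itertools import combinations

# Weights follow the strength column of the table; the numbers are assumed.
WEIGHTS = {"shared_funding": 3, "synchronized_sells": 2,
           "same_exchange_destination": 2, "same_router": 1}
STRONG = {"shared_funding"}


def pair_signals(a, b, funding, sells, deposits, launch,
                 funding_window=86_400, sell_window=120):
    """Return the set of cluster signals two wallets share."""
    def funders(w):
        return {f for f, dst, t in funding
                if dst == w and 0 <= launch - t <= funding_window}

    def sell_events(w):
        return [(t, r) for src, t, r in sells if src == w]

    def destinations(w):
        return {d for src, d in deposits if src == w}

    signals = set()
    if funders(a) & funders(b):
        signals.add("shared_funding")
    sa, sb = sell_events(a), sell_events(b)
    if any(abs(ta - tb) <= sell_window for ta, _ in sa for tb, _ in sb):
        signals.add("synchronized_sells")
    if {r for _, r in sa} & {r for _, r in sb}:
        signals.add("same_router")
    if destinations(a) & destinations(b):
        signals.add("same_exchange_destination")
    return signals


def verdict(signals):
    """A weak or medium signal alone never produces a cluster link."""
    score = sum(WEIGHTS[s] for s in signals)
    if signals & STRONG and len(signals) >= 2:
        return "coordinated", score
    return "insufficient", score


def cluster(wallets, **data):
    """Union wallets linked by a 'coordinated' verdict; keep the evidence."""
    parent = {w: w for w in wallets}

    def find(w):
        while parent[w] != w:
            parent[w] = parent[parent[w]]
            w = parent[w]
        return w

    evidence = {}
    for a, b in combinations(sorted(wallets), 2):
        sig = pair_signals(a, b, **data)
        label, score = verdict(sig)
        evidence[(a, b)] = (label, score, sorted(sig))
        if label == "coordinated":
            parent[find(a)] = find(b)
    groups = {}
    for w in wallets:
        groups.setdefault(find(w), []).append(w)
    clusters = sorted(sorted(g) for g in groups.values() if len(g) > 1)
    return clusters, evidence


# Constructed sample data (not from a real incident); times in unix seconds.
LAUNCH = 1_000_000
WALLETS = ["0xA", "0xB", "0xC", "0xD", "0xE"]
FUNDING = [("0xF1", "0xA", LAUNCH - 3600), ("0xF1", "0xB", LAUNCH - 3500),
           ("0xF1", "0xC", LAUNCH - 3400), ("0xF9", "0xD", LAUNCH - 90_000),
           ("0xF8", "0xE", LAUNCH - 200)]            # (funder, wallet, time)
SELLS = [("0xA", LAUNCH + 7200, "routerV2"), ("0xB", LAUNCH + 7230, "routerV2"),
         ("0xC", LAUNCH + 7260, "routerV2"), ("0xD", LAUNCH + 7250, "routerV2"),
         ("0xE", LAUNCH + 50_000, "routerV2")]       # (wallet, time, router)
DEPOSITS = [("0xA", "cex_dep_1"), ("0xB", "cex_dep_1"), ("0xE", "cex_dep_2")]

if __name__ == "__main__":
    found, proof = cluster(WALLETS, funding=FUNDING, sells=SELLS,
                           deposits=DEPOSITS, launch=LAUNCH)
    print(found)
    for pair, detail in proof.items():
        print(pair, detail)
```

Wallet 0xD sells in the same minute as the cluster through the same router but has no shared funding, so it stays outside the cluster and its pair rows read as supporting context only.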
Exchange, bridge, and off-ramp touchpoints
Many rug proceeds eventually move toward centralized exchanges, bridges, stablecoins, or mixers. These routes matter because they show how extracted value was prepared for liquidation, transfer, or concealment.
A transfer to an exchange-labeled address does not prove the real-world identity of the operator. It does, however, show a potential off-ramp point. Victims, compliance teams, and authorities may use this information when filing reports.
Off-ramp evidence to capture
- Swap from token or base asset into stablecoins.
- Consolidation into one wallet after extraction.
- Transfers to exchange-labeled deposit addresses.
- Bridge transactions from one chain to another.
- Mixer or privacy mechanism deposits.
- Repeated routes used by the same deployer cluster across previous launches.
Bridge route analysis
If funds are bridged, capture the source-chain transaction, bridge contract, destination chain, destination wallet, and minted or released asset. Bridge analysis is especially important when a rug happens on a smaller chain and proceeds move to a more liquid ecosystem.
For route-level research before interacting with wrapped or bridged assets, use the TokenToolHub Bridge Helper. In a post-mortem, the same thinking helps investigators understand whether the bridge was part of the attack surface or only a routing tool after extraction.
Public reports should describe exchange touchpoints carefully. A wallet sending funds to a labeled deposit address is evidence of routing, but not public proof of a person’s identity.
AI-assisted rug pull forensics
AI is useful when it reduces repetitive work and improves structure. It can classify transactions, summarize timelines, compare wallet behavior, extract suspicious contract features, and draft report sections from evidence. It is not useful when it invents motives or identities.
The safest AI workflow is evidence-first. Feed the model transaction hashes, decoded events, wallet notes, contract function names, liquidity snapshots, and timelines. Ask it to organize facts, list missing evidence, highlight contradictions, and generate a conservative report draft.
Useful AI tasks
- Convert raw transaction notes into a timeline table.
- Classify transactions as deploy, add liquidity, remove liquidity, buy, sell, tax wallet swap, bridge, or transfer.
- Summarize contract control surfaces from function names and decoded calls.
- Identify missing evidence needed for a stronger conclusion.
- Write a neutral executive summary from verified facts.
- Draft community-safe warnings without overclaiming identity.
- Compare the suspected rug to known patterns such as liquidity pull, tax toggle, sell trap, or proxy upgrade.
AI guardrails
- Do not let AI invent wallet labels.
- Do not let AI claim real-world identity from weak signals.
- Require every factual claim to reference a transaction, screenshot, contract call, or artifact.
- Separate facts, interpretations, and hypotheses.
- Use AI to find missing checks, not to rubber-stamp conclusions.
To build stronger research workflows around AI, prompts, and crypto analysis, use the TokenToolHub AI Crypto Tools directory as a starting point.
Tool stack for rug pull post-mortems
A good post-mortem does not require every expensive tool. It requires the right minimum stack: block explorer, DEX analytics, token scanner, wallet intelligence, reliable RPC, spreadsheet, screenshots, and a clean reporting workflow.
Core tools
- Block explorer: transaction hashes, decoded input, logs, contract verification, holders, token transfers.
- DEX analytics: pool charts, liquidity changes, swap history, volume, reserves, pair addresses.
- Token risk scanner: owner controls, tax logic, blacklist signals, minting, proxy hints, permission risks.
- Spreadsheet: timeline, wallet list, tx classification, value movement, confidence notes.
- Archive tool: page captures, deleted social posts, website changes, docs snapshots.
- Wallet intelligence: labels, entity tags, exchange routes, cluster context.
Builder infrastructure
If you are building an internal investigation tool or automating repeated post-mortems, reliable RPC access matters. You need logs, balances at block heights, event pulls, wallet history, and consistent data retrieval. For builder workflows, Chainstack through TokenToolHub is relevant for blockchain infrastructure and RPC access.
Personal security tools
Investigators can become targets. Scammers may send fake recovery links, fake airdrops, malicious PDFs, phishing pages, or wallet-drainer sites to people asking questions. Keep vault assets away from research activity, use a separate browser profile, and sign only with wallets designed for that risk level. For long-term storage, Ledger through TokenToolHub is relevant as part of a wider self-custody setup.
How to write a credible rug pull post-mortem
A credible report reads like an incident report. It explains what happened, how you know, what evidence supports each claim, what remains uncertain, and what users or builders can learn from the event.
The tone should be neutral and precise. Avoid emotional language, personal attacks, or unsupported claims. The strongest reports are easy to verify and difficult to dismiss because every conclusion links back to on-chain evidence.
Recommended report structure
- Executive summary: what happened, suspected mechanism, confidence level, and top evidence.
- Identifiers: chain, token address, pool address, deployer, owner, LP wallet, tax wallet, key wallets.
- Timeline: deployment, liquidity, launch, hype, control changes, extraction, routing, aftermath.
- Mechanism analysis: liquidity pull, sell trap, dump, tax toggle, proxy upgrade, bridge wrapper failure, or mixed mechanism.
- Contract control surface: owner powers, tax controls, blacklist, minting, proxy, pause, trading gate.
- Liquidity evidence: pool snapshots, LP ownership, reserve changes, swap sequence, extraction tx.
- Wallet clustering: funding paths, connected wallets, synchronized behavior, confidence level.
- Money flow: extracted assets, routes, bridges, stablecoin swaps, exchange touchpoints.
- Impact estimate: base asset removed, approximate user harm, confidence range.
- Lessons: what users should have checked, what builders should avoid, what future scanners should flag.
- Appendix: raw transaction list, screenshots, decoded calls, wallet tables, methodology notes.
How to present uncertainty
Not every investigation ends with perfect proof. Some evidence may support a high-confidence mechanism while attribution remains uncertain. That is acceptable if the report separates mechanism from identity.
Use categories such as confirmed, likely, possible, and unknown. Confirmed claims require direct evidence. Likely claims require several supporting signals. Possible claims should be framed as hypotheses. Unknowns should be listed clearly.
Reusable templates for investigators
Templates reduce mistakes. They make your process repeatable and help other analysts verify your work. Use the following formats as a starting point for internal notes or public reports.
Control surface table template
| Surface | Function or indicator | Controller | Used near rug? | Evidence |
|---|---|---|---|---|
| Trading gate | enableTrading, openTrading, tradingEnabled | Owner or operator | Yes or no | Tx hash |
| Blacklist | setBlacklist, setBot, denylist | Owner or role | Yes or no | Tx hash |
| Tax toggle | setTax, setFees, setSellFee | Owner or role | Yes or no | Tx hash |
| Limits | setMaxTx, setMaxWallet, cooldown | Owner or role | Yes or no | Tx hash |
| Proxy upgrade | upgradeTo, implementation change | Proxy admin | Yes or no | Tx hash |
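Filling the control surface template from decoded admin calls, as an added example (not TokenToolHub code). The function-name indicators come from the table above; the ABI function list, callers, block numbers, 50-block window, and transaction placeholders are constructed assumptions.

```python
# Indicators copied from the template rows, lower-cased for matching.
SURFACES = {
    "Trading gate": ("enabletrading", "opentrading", "tradingenabled"),
    "Blacklist": ("setblacklist", "setbot", "denylist"),
    "Tax toggle": ("settax", "setfees", "setsellfee"),
    "Limits": ("setmaxtx", "setmaxwallet", "cooldown"),
    "Proxy upgrade": ("upgradeto",),
}


def surface_of(function_name):
    """Map a function name to a template surface, or None."""
    name = function_name.lower()
    for surface, indicators in SURFACES.items():
        if any(ind in name for ind in indicators):
            return surface
    return None


def build_rows(abi_functions, admin_calls, rug_block, window=50):
    """Record which controls exist, who used them, and when."""
    rows = {s: {"functions": [], "controllers": [], "phases": {}}
            for s in SURFACES}
    for fn in abi_functions:
        surface = surface_of(fn)
        if surface:
            rows[surface]["functions"].append(fn)
    for call in sorted(admin_calls, key=lambda c: c["block"]):
        surface = surface_of(call["function"])
        if surface is None:
            continue
        row = rows[surface]
        if call["caller"] not in row["controllers"]:
            row["controllers"].append(call["caller"])
        delta = call["block"] - rug_block
        if abs(delta) <= window:
            phase = "near"
        else:
            phase = "before" if delta < 0 else "after"
        row["phases"].setdefault(phase, []).append(call["tx"])
    return rows


def render(rows):
    """Emit the rows in the template's column order."""
    lines = ["| Surface | Function or indicator | Controller "
             "| Used near rug? | Evidence |", "|---|---|---|---|---|"]
    for surface, row in rows.items():
        if not row["functions"]:
            continue  # this contract does not expose the surface
        near = row["phases"].get("near", [])
        lines.append("| {} | {} | {} | {} | {} |".format(
            surface, ", ".join(row["functions"]),
            ", ".join(row["controllers"]) or "not observed",
            "Yes" if near else "No",
            ", ".join(near) or "none in window"))
    return lines


# Constructed inputs: function names from a verified ABI and decoded calls.
ABI_FUNCTIONS = ["transfer", "approve", "openTrading", "setBot",
                 "setSellFee", "setMaxWallet", "upgradeTo"]
ADMIN_CALLS = [
    {"function": "openTrading", "caller": "0xOWNER", "block": 1000,
     "tx": "TX_OPEN"},
    {"function": "setSellFee", "caller": "0xOWNER", "block": 5990,
     "tx": "TX_FEE"},
    {"function": "setBot", "caller": "0xOPERATOR", "block": 5995,
     "tx": "TX_BOT"},
]
RUG_BLOCK = 6000

if __name__ == "__main__":
    print("\n".join(render(build_rows(ABI_FUNCTIONS, ADMIN_CALLS, RUG_BLOCK))))
```

A "No" row with a listed function is a control that existed but was not exercised in the window, which is the distinction between documenting the control surface and showing it was used.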
Wallet cluster notes template
Public warning template
Prevention lessons: how post-mortems improve pre-trade safety
The best rug pull post-mortems are not only about what went wrong. They teach what should have been checked earlier. Every incident should improve a pre-trade checklist, scanner logic, community warning system, or wallet safety habit.
For users, the lesson is simple: scan before exposure. For builders, the lesson is deeper: design transparent ownership, publish limitations, avoid hidden controls, timelock dangerous changes, and make liquidity claims verifiable.
Pre-trade checks that catch many rug patterns
- Check whether the contract is verified.
- Check owner status and admin permissions.
- Check whether taxes can change.
- Check blacklist, whitelist, pause, and trading gate functions.
- Check minting and supply controls.
- Check proxy upgradeability.
- Check liquidity depth and LP ownership.
- Check holder concentration and suspicious distribution.
- Check deployer history and related contracts.
- Use small test transactions before meaningful exposure.
Use the TokenToolHub Token Safety Checker as an early filtering layer. It does not replace a full investigation, but it can surface the control-plane risks that often appear again in post-mortems.
Scan before the post-mortem becomes necessary
Post-mortems are valuable, but prevention is better. Check contract permissions, liquidity, owner controls, wallet concentration, and bridge assumptions before committing funds.
Common rug pull forensics mistakes
The first mistake is assuming every price crash is a rug. A report needs mechanism evidence, not just chart emotion.
The second mistake is chasing wallets before preserving core evidence. If the website disappears and liquidity routes move, you may lose important context.
The third mistake is making identity claims from weak wallet clustering. Shared behavior is not the same as verified identity.
The fourth mistake is ignoring contract controls. A liquidity event may look like the rug, but the actual mechanism may have started with a tax change, blacklist call, proxy upgrade, or mint.
The fifth mistake is writing a public report without uncertainty labels. Readers need to know what is confirmed, what is likely, what is possible, and what remains unknown.
Best practices for rug pull post-mortems
A strong rug pull post-mortem is structured, evidence-backed, and useful. It should help affected users understand what happened, help future users avoid similar traps, and help builders improve monitoring systems.
Core best practices
- Create a case folder before deep analysis.
- Capture token, pool, deployer, owner, LP, and tax wallet identifiers.
- Build a timeline with block numbers and transaction hashes.
- Classify the suspected mechanism before writing conclusions.
- Map contract control surfaces and admin calls.
- Analyze liquidity events and pool reserve changes.
- Cluster wallets only with multi-signal evidence.
- Follow extracted value through swaps, bridges, and exchange touchpoints.
- Use AI to organize evidence, not invent attribution.
- State confidence level and missing evidence clearly.
Advanced best practices
- Compare deployer history across previous launches.
- Track tax wallet proceeds and swap timing.
- Measure before-and-after pool reserves at key blocks.
- Identify whether LP locks were full, partial, short-term, or irrelevant.
- Check whether proxy implementation changed near the rug window.
- Capture wallet funding sources before funds are bridged or split.
- Use neutral language in public reports.
- Attach evidence tables and diagrams for faster verification.
- Feed confirmed patterns back into pre-trade scanner rules.
- Share research responsibly through the TokenToolHub Community when appropriate.
Turn every rug post-mortem into future protection
The purpose of forensics is not only to explain the past. It is to improve future detection. Every confirmed mechanism should become a checklist item, scanner signal, community warning, or safer wallet habit.
Final verdict: the strongest post-mortems show mechanism, timeline, and money flow
Rug pull forensics is not about outrage. It is about reconstruction. A credible report explains how value was extracted, when critical changes happened, which wallets were involved, where funds moved, and what evidence supports each conclusion.
The best investigations start with preservation. Capture identifiers, screenshots, contract data, liquidity events, wallet lists, and timeline notes before the trail becomes harder to follow. Then classify the mechanism: liquidity pull, supply dump, sell trap, tax toggle, proxy upgrade, bridge wrapper failure, treasury drain, or mixed attack.
Contract forensics tells you what privileged actors could do. Liquidity forensics tells you how the pool changed. Wallet clustering tells you whether the actors look coordinated. Off-ramp analysis shows where extracted value moved. AI helps organize the evidence, but it does not replace proof.
For users, the key lesson is prevention. Scan before buying, avoid suspicious approvals, keep vault assets separate, and test unknown assets with small wallets only. For builders, the lesson is operational: design transparency into contracts, reduce dangerous owner controls, timelock high-impact changes, and make liquidity claims verifiable.
A rug pull may happen fast, but a strong post-mortem slows the event down into evidence. That evidence becomes protection for the next user, the next community, and the next research workflow.
Before you buy, scan. After a rug, reconstruct.
Use a consistent process: contract controls, liquidity events, wallet clusters, bridge routes, and a timestamped evidence folder. That is how you turn noise into proof.
FAQs
Is every token crash a rug pull?
No. A token can collapse because of market selling, poor execution, weak liquidity, or failed product delivery. A rug pull requires evidence of coordinated extraction, privileged abuse, structural deception, or intentional exit restriction.
What is the first thing to do after a suspected rug?
Preserve evidence. Capture token and pool addresses, deployer and owner wallets, key transaction hashes, liquidity events, admin calls, top holders, screenshots, and social announcements before information disappears.
How do I identify the rug transaction?
Look for the transaction or transaction cluster where value extraction occurred. This may be LP removal, a large insider sell, a tax wallet swap, a proxy upgrade, a blacklist call, a mint, or a bridge route that moved proceeds away.
What is wallet clustering?
Wallet clustering is the process of grouping wallets based on shared evidence such as funding source, timing, repeated interactions, routing paths, or deployer history. It should be used carefully and should not be treated as proof of real-world identity by itself.
Can AI investigate rug pulls automatically?
AI can organize timelines, classify transactions, summarize evidence, and highlight missing checks. It should not invent identity claims or replace transaction-level verification. Strong forensics remains evidence-led.
What makes a rug pull report credible?
A credible report includes identifiers, timeline, mechanism analysis, contract control surface, liquidity evidence, wallet flow, confidence level, and transaction-backed claims. It separates facts from hypotheses.
How can traders reduce rug pull risk before buying?
Scan the token contract, check owner permissions, review liquidity, inspect holder distribution, verify official links, avoid suspicious approvals, and use small wallets for experimental tokens. Do not trust the chart alone.
Should I publicly accuse a person after tracing wallets?
No. Public reports should focus on on-chain evidence and wallet behavior unless identity is verified through appropriate legal or investigative channels. Avoid harassment and unsupported claims.
This guide is for educational research only and is not financial, legal, cybersecurity, tax, trading, or investment advice. Rug pull forensics can help preserve evidence and explain on-chain mechanisms, but it should not be used to harass people or publish unsupported identity claims. If you believe a crime occurred, preserve evidence and contact appropriate authorities in your jurisdiction.