A honeypot is a scam used in the crypto industry to trap victims and steal their assets or sensitive information.

What Is a Honeypot?

A honeypot is a scam used in the crypto industry to trap victims and steal their assets or sensitive information. Honeypots involve setting up a fake website or wallet that appears legitimate but is designed to lure in and deceive unwary users. For example, a scammer may create a fake wallet or a manipulated smart contract. Once victims deposit funds or provide personal information, the scammer can steal their assets and disappear. The fake site is the honeypot, tempting victims to engage with what seems like a legitimate platform but is actually a trap. 

Types of Honeypots

Fake websites

Fraudsters often create elaborate fake websites for crypto exchanges, wallets or investment platforms that closely resemble real, popular services. They use similar names, logos, web design and layouts to make the sites look credible. The sites encourage users to create accounts, link bank details and deposit funds, which the scammers can steal.

Phishing Emails

Scammers send fake emails that appear to come from well-known crypto companies or services, such as exchanges. The emails include logos and content to make them seem official. They may claim there is an issue with the recipient’s account and request login details to resolve it. Other times, they instruct the user to deposit funds into a fake wallet address controlled by the scammer. If the recipient enters their info or makes a transfer, the scammer gains access.

Social Media Scams

Fraudsters promote “investment opportunities” on social media platforms through fake celebrity endorsements, paid ads or imposter accounts (or hack a public figure’s account to do so). For example, they may create a fake celebrity profile promoting a cryptocurrency ICO. Users are enticed to send crypto deposits to participate, allowing the scammer to steal their funds.

Vitalik Buterin’s official X account hacked through a SIM swap attack

Manipulated Coins

Honeypot coins use smart contracts to lure investors. Users invest in the hope of astronomical returns but are unable to withdraw. When the scammers have collected enough funds, they can rug pull the smart contract.  

Malware Attacks

Malware is downloaded to the victim’s device, often through phishing links or attachments. It then infects the system and runs in the background without the user’s knowledge. It can steal wallet private keys, passwords and other data to siphon cryptocurrency. Anti-virus software can sometimes detect and remove the malware if the attack is identified.

Fake Airdrops

Scammers entice users by offering free cryptocurrency through airdrops. They instruct the recipient to provide their wallet address or private key to receive the funds. However, this gives the scammer access to the wallet, allowing them to steal any cryptocurrency within it. Legitimate airdrops never require sensitive wallet details.

How Honeypots Work

Honeypots are carefully orchestrated scams that operate in several key stages:

1. Setup

The first step is for the attacker to decide what type of honeypot to create. They choose based on their goals and available resources. For example, a phishing site that mimics a popular exchange or an investment Ponzi scheme may be set up.

2. Creation

Next, the fraudster builds the honeypot, like crafting a fake website. They design it to precisely imitate the real service it is impersonating. This includes visually identical interfaces, branding, functionality and wording to avoid suspicion. 

3. Promotion

With the honeypot fully created, the scammer then drives traffic to it through various promotion techniques. They may use search engine optimization, paid ads, social media campaigns and engagement through fake accounts. The goal is to widely disseminate links and information about the fraudulent platform.

4. Monitoring Activity

Once the site is live and gaining traction, the honeypot operator closely monitors any user activity within it. They await any account sign-ups, deposits, data entry or other engagement. 

5. Stealing

This is the final stage after a victim interacts with the honeypot. As soon as assets are deposited or sensitive data is collected, the scammer swiftly moves to steal it. Afterward, they rapidly take down the fake platform to avoid being caught.

How to Avoid Honeypots

Here are some best practices to identify and steer clear of honeypots:

Research before investing: Thoroughly research any platform or opportunity before providing funds or data. Search for reviews, complaints and confirmation of legal registration. 
Check certificate validity: Use tools to verify the SSL certificate on websites. Fraudulent sites often have invalid certificates. 
Monitor liquidity: Avoid tokens or coins that appear illiquid or difficult to cash out. This signals a potential honeypot.
Don’t trust celebrity endorsements: These are often fabricated to pump scam coins or projects. Verify endorsements. 

Moreover, sometimes, original accounts get hacked briefly to trap followers. 

Turn off automatic permissions: When connecting applications to wallets, manually enable permissions versus allowing all.
Use cold storage: Keep the majority of funds in cold storage to limit losses in the event of a scam.
Enable 2FA: Two-factor authentication adds an extra layer of security to accounts and wallets.