Get Secured
← All Posts Threat Intelligence February 2025

Rug Pulls, MEV Bots & Darknet Threat Actors in Web3

Executive summary

Web3 Threats Illustration

Threat actors in Web3 evolve faster than defenses. Staying informed is your first layer of protection.

As Web3 ecosystems expand, they attract not only developers and users, but also increasingly sophisticated threat actors. While smart contract bugs and protocol exploits often dominate headlines, more covert tactics like rug pulls, MEV bot attacks, and darknet coordination have emerged as dominant attack vectors in 2025.

Key concepts: This analysis covers crypto scam, blockchain security, security incident, on-chain fraud.

Understanding these threats is key not just for cybersecurity professionals, but for anyone working in decentralized finance, NFT platforms, DAO tooling, or Layer-2 applications. Let's explore how these attacks work, and how blockchain forensics and investigation teams help trace and contain them.

1. Rug Pulls: Anatomy of a Disappearing Act

Rug pulls are among the most common, and costly, types of exit scams in DeFi. In a typical case, developers launch a token or liquidity pool, attract investors, then remove liquidity or disable selling mechanisms, leaving holders with worthless tokens.

  • Sudden token minting or supply increases
  • Withdrawal of liquidity pairs within a narrow block range
  • Deployer wallets funneling assets through tumblers or mixers

Analysts increasingly use tools like address clustering, honeypot simulation, and contract behavior profiling to identify scams.

2. MEV Bots: Profit Extraction at Network Scale

Maximal Extractable Value (MEV) refers to profits miners or validators can extract by reordering, inserting, or censoring transactions within a block.

  • Frontrunning: Detecting a large trade and executing a buy before it
  • Backrunning: Buying a token after a large transaction, anticipating its price spike
  • Sandwiching: Placing two transactions around a victim's trade to manipulate price

Detection requires mempool analysis and simulation of block state. For researchers, replicating these behaviors in controlled environments is key to defense.

3. Darknet Forums and Threat Actor Intelligence

Blockchain may be transparent, but the people behind it are not. On darknet marketplaces and gated Telegram channels, actors share exploit kits and zero-day contracts.

  • Matching aliases or handles across social platforms
  • Fingerprinting browser data via known scam infrastructure
  • Tracking token transfers from darkweb wallets

OSINT plus on-chain intelligence yields actionable leads for threat attribution.

Attribution is difficult, but not impossible. Cross-platform identity mapping is an emerging frontier.

4. What to Do if You’ve Been Targeted

  • Snapshot affected contracts and transactions immediately
  • Engage blockchain forensic investigators to trace funds
  • Document everything for legal or exchange response

Having an incident response plan in place gives your team a head start.

Closing Thoughts

Web3 offers permissionless innovation, but also introduces a new dimension of cybercrime. As threat actors continue to evolve, so must the community’s defenses.

At Security4Web3, we support teams navigating this threat landscape through penetration testing, vulnerability analysis, and investigative forensics.

If you’re building something important in Web3, it's worth knowing who's watching.

Defending Against Social Engineering and Insider Threats in Web3

Much of the analysis around rug pulls focuses on the code: minting functions, ownership renunciation, honeypot logic. But the most overlooked dimension is the human one. The majority of rug pulls are insider events — they are not hacks perpetrated by unknown external actors, they are planned exits by the same people who built the project. That means the most effective defences are not technical. They are operational.

From our perspective — shaped by defence industry experience and deep exposure to crypto security failures — the pattern is consistent: teams move fast, skip vetting, and grant privileged access on the basis of pseudonymous reputation or social proof. That is a structural vulnerability, not just bad luck.

The Insider Threat Problem in Web3

In traditional finance or defence, background checks, vetting clearances, and separation of duties are baseline requirements before anyone gets near sensitive systems or funds. In Web3, it is common for anonymous contributors to hold deployer keys, treasury multisig seats, or admin roles within weeks of joining a project. The speed of the space is treated as a feature. It is also the primary reason insider threat risk is so high.

  • Key person concentration: When one or two individuals control deployer wallets and multisig quorums, a single insider decision can drain a protocol entirely.
  • Anonymous hiring: Projects that onboard contributors without identity verification have no meaningful way to assess prior conduct, conflict of interest, or malicious intent.
  • Undocumented access grants: Admin roles and upgrade authorities added informally — without a change control record — are invisible until something goes wrong.
  • Social engineering of co-founders: Lazarus Group and other organised threat actors specifically target team members with access, not just code. Phishing, fake partnership offers, and impersonation of trusted contacts are the entry vectors.

Process Controls That Actually Reduce Risk

The controls that matter most are not security tools — they are governance and process decisions. Require at least basic identity verification for anyone holding privileged access. Enforce separation of duties so that no single individual can authorise and execute a high-value transaction alone. Rotate keys on a defined schedule and revoke access immediately when contributors leave. Maintain an access register that is reviewed regularly, not assembled after an incident.

For protocols managing significant TVL, a structured insider threat review maps every privileged role and access path against the people who hold them — identifying concentration risk before it becomes a liability. For teams growing quickly or bringing in contractors, a security vetting process establishes a baseline of trust that pseudonymous reputation alone cannot provide.

The threat intelligence picture from darknet forums consistently shows that Web3 teams are targeted precisely because these controls are rare. Attackers know that the technical defences have improved. The operational defences have not kept pace.

Protect Your Protocol Before the Next Exploit

Book a Security Review