The Ethereum chain doesn’t hide anything. Bytecode, deployer history, liquidity locks, holder concentration - all of it is queryable in milliseconds. We index 80+ flags per contract. The median rug pull on Uniswap V2 starts liquidating 12 seconds after the first organic sell hits the mempool.
And yet, 43% of every new token deployed on mainnet last week was flagged as a scam by our pipeline. About $24,000 in ETH was extracted from buyers every day across the chain. 13 rugs an hour on average.
This piece is not “be careful out there”. It’s an attempt to quantify, with our own on-chain data, the six cognitive patterns that keep scams profitable even when the technical surface is fully transparent. Each section pairs a bias with a measurable on-chain signal. The closing question is what to do about it, given that none of these patterns reverse with more education.
1. The clock isn’t on your side
The first sell after liquidity is added is usually the only warning. On Uniswap V2 pools we monitor, the median time between the first organic sell and the rug transaction is 12 seconds. 78% of new scam contracts are flagged by our pipeline within five minutes of deployment. A human checking Etherscan, reading the contract, glancing at the holder distribution, and posting “is this safe?” in a group chat is operating on a 15-to-30 minute response time.
That gap - between the time it takes a scam to extract value and the time a human takes to assess it - is the entire game. Every other bias on this list amplifies the gap. None of them shrink it.
The lesson isn’t “move faster”. You cannot manually beat 12 seconds. The lesson is that any decision-making process that requires you to read, think, and confirm is structurally late.
2. Authority bias and the brand-jack economy
22% of scam tokens we tracked over the last 30 days re-used a known name. CLAUDE (the AI assistant), GROK (xAI’s model), SAM and ALTMAN (OpenAI), MUSK, TRUMP, PEPE copycats, MOODANG, UNICAT. Each ticker borrows authority that the buyer’s brain has already validated outside the trading context.
The cognitive pattern is transfer of authority : “I trust Anthropic, therefore the $CLAUDE token must be related to Anthropic, therefore this contract is probably safe.” Every clause in that chain is false. The token has no relationship to the brand it impersonates. We mapped 15 separate contracts using the $CLAUDE ticker on Ethereum mainnet in the last 60 days - none of them are issued by Anthropic, because Anthropic doesn’t issue tokens. (See our $CLAUDE case study and the largest $CLAUDE rug for the per-contract math.)
The on-chain signal that flags this: ticker-name reuse across deployer addresses that share no funding history. When a single ticker has 15+ contracts deployed by wallets funded from different sources, you are not looking at a coordinated launch. You are looking at a brand-jack pattern.
3. Manufactured social proof
When the holder count on a new token jumps from 0 to 200 in the first hour, the brain reads “people are buying this”. The deployer’s brain reads “the airdrop landed”. We can prove the difference.
In our serial-scammer wallet study, the top wallet in our database deployed 27 contracts and 24 of them were scams - an 88.9% scam rate. In one-funder-24-rug-pulls we traced 24 different rug contracts back to a single funding wallet two hops up the chain. The cluster looks like 24 independent projects from the front end. From the funding graph, it’s one operator running a contract factory.
The “200 holders” the buyer sees in the first hour are typically the deployer’s airdrop sprayed across burner wallets the deployer also controls. The on-chain signal - top-3 holder concentration over 90% in the first 50 transfer events - flags this in 200 milliseconds. The human signal - “wow, look at the activity” - never triggers because there isn’t activity, there’s choreography.
4. Cognitive overload makes simplification a trap
A human can hold about three to five risk factors in working memory while making a decision. Our pipeline runs 80+ distinct checks across eight analyzer dimensions on every new token : honeypot simulation, source-code regex on 52 patterns, bytecode opcode detection (17 selectors), liquidity burn status, top-holder concentration, deployer wallet age + history, network graph crawling, real-time event monitoring, sandwich detection. (Full methodology here.)
The dimensionality mismatch forces a compression. Humans collapse 80 signals into “verified ✓ or not”. The deployer’s job is to make exactly the signal you check pass - verified source code, liquidity lock screenshot, ownership renounced. Every other signal stays a scam factor.
This is why “I checked Etherscan and the contract was verified” doesn’t help. Contract verification means the deployer published the source. It says nothing about whether the source contains a hidden mint function (52 distinct source patterns flag this), nothing about whether the deployer’s wallet has shipped 23 previous rugs, nothing about whether the LP tokens are unlocked.
The fix isn’t to memorize 80 checks. It’s to admit you can’t.
5. Sunk cost keeps buyers in after the score flips
We instrument the funnel. When the same address gets a score upgrade from 30 to 80 within 24 hours of the first buy - meaning new red flags surface after the user already had a position - the rate at which buyers exit is much lower than the rate at which new buyers enter that same token. The score change is visible on the contract’s /scam/<TICKER>/<addr> page. The exit rate is not.
The pattern matches loss aversion plus sunk cost. The wallet has already paid for a position. Selling at -40% locks the loss. Holding feels like preserving the optionality of a recovery. The 0-100 risk score is now telling you that a recovery is statistically unlikely - and the buyer keeps the position anyway.
We don’t sell the answer here because there isn’t a clean one. The intellectually honest version is : “your existing position should be evaluated as if you were considering opening a new one today, ignoring entry price”. Almost no buyer applies that lens. The on-chain mempool data continues to show late selling at the rug transaction, not before it.
6. Survivorship bias makes the 10x feel achievable
Telegram channels post the 10x. They never post the 24 contracts the same channel posted last month that went to zero. Our 78,000-token study is unambiguous : ~43% of new contracts we see are flagged. Of the 57% that aren’t immediately flagged, a substantial fraction die from low liquidity, abandonment, or post-launch rug. The fraction that returns 10x is small enough that the expected value of buying a new random token is negative across the full sample.
A buyer doesn’t experience the full sample. They experience the 1-in-200 they bought that 5x’d and remember it. The 199 that went to zero are forgotten - or worse, attributed to “I picked badly that time” instead of “the distribution is hostile”.
The survivorship effect is amplified by social media. Every $200 → $20K story is a tweet. Every $20K → $0 story is silence. The visible base rate is wildly overestimated. Our biggest CLAUDE rug extracted +165 ETH (~$314K) from buyers across a single contract. None of those buyers tweeted.
What actually fixes this
Education does not fix this. Every one of the six patterns is documented in any decent behavioural finance textbook and has been since the 1970s. The patterns aren’t a knowledge gap. They are how human cognition works on a 12-second clock, under uncertainty, with social media as the feedback loop.
The asymmetry is structural. The only category of solution that scales matches the asymmetry on the other side : automated, sub-second, exhaustive analysis that runs before the human decision. Not as a check the user opens after they’re curious - as a default that surfaces the verdict before the trade is composed.
That’s the wager underneath what we’re building. The chain is transparent. The signals are queryable. The 12-second window cannot be beaten by humans, ever. So the verdict needs to land in the wallet UX, the Telegram message preview, the Discord embed, the browser extension, the API call the trading bot makes. Anywhere the buyer is one click from committing capital, the score should already be visible.
The patterns above won’t reverse. The infrastructure that pre-empts them is the only viable response.
All figures cited above come from RektRadar’s own on-chain dataset - 78,000+ ERC-20 contracts analyzed, ~33,000 deployer wallets mapped, every block on Ethereum mainnet ingested since February 2026. The full methodology is in Inside the Analyzer. The free scanner is at app.rektradar.io - paste any contract address for the full breakdown.