Keypoints
- Check Point’s Threat Intel Blockchain flagged wallet 0x6b140e79db4d9bbd80e5b688f42d1fcf8ef97798 for blacklisted activity after observing about 40 rug pulls.
- The scammer created trend-based fake tokens (example: GROK 2.0, token 0xd4b726c5b5e6f63d16a2050ee3ac4a0f0f81f1d4) to attract buyers.
- Liquidity was added to token pools to create a veneer of legitimacy before marketing the tokens to buyers.
- Two smart contracts were used to simulate trading and pump volume, notably contract 0x2ef3216e95e2b7c8e378ae64534100e69598f955.
- Function selectors 0x521da65d and 0xf029e7cf were used to simulate trades and execute large swaps between WETH and the token to inflate perceived demand.
- After convincing buyers to invest, the attacker drained liquidity from pools, leaving token holders with worthless balances.
MITRE Techniques
- No MITRE ATT&CK techniques are explicitly mentioned in the article.
Indicators of Compromise
- [Wallet address] Scammer wallet – 0x6b140e79db4d9bbd80e5b688f42d1fcf8ef97798 (observed executing about 40 rug pulls).
- [Token contract] Example fake token – 0xd4b726c5b5e6f63d16a2050ee3ac4a0f0f81f1d4 (GROK 2.0).
- [Smart contract] Trading/pumping contract – 0x2ef3216e95e2b7c8e378ae64534100e69598f955 (contains simulated trading function 0x521da65d).
- [Function selectors] Trading/pump functions – 0x521da65d (simulated trades), 0xf029e7cf (large WETH⇄token swaps), and other selector(s) used across operations.
The Threat Intel system identified a single malicious wallet (0x6b140e79db4d9bbd80e5b688f42d1fcf8ef97798) that executed roughly 40 rug pulls, accumulating close to $1 million. The attacker generated multiple tokens named to exploit trending topics—one example being GROK 2.0 (token 0xd4b726c5b5e6f63d16a2050ee3ac4a0f0f81f1d4)—and seeded liquidity pools to appear legitimate.
Operationally, the scammer deployed at least two smart contracts to manage and disguise activity. One contract (0x2ef3216e95e2b7c8e378ae64534100e69598f955) exposed a simulated-trading function (selector 0x521da65d) to create fake on-chain trade history. Another function (selector 0xf029e7cf) was used to perform large swaps between WETH and the token, artificially inflating volume and price to attract external buyers.
Once external users bought into the pumped token, the actor removed liquidity from the pools—effectively draining the assets and leaving purchasers with illiquid tokens. The sequence of creating tokens, adding liquidity, running simulated trades and large swap operations, then withdrawing liquidity comprises the technical core of this rug-pull procedure.
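As an added defender-side example (not code from Check Point or from the article), the following Python sketch turns the lifecycle above into two checks: a static match of transactions against the wallet, contract and function selectors listed in the IoCs, and a behavioural heuristic that scores a pool's event history for the seed-liquidity, insider-driven swap volume, withdraw-liquidity pattern. The `Tx` and `PoolEvent` record shapes, the 50%/90% thresholds and the sample transactions and pool events are all constructed assumptions for the illustration; only the addresses and selectors come from the page.

```python
from dataclasses import dataclass
from typing import Dict, List

# Indicators as reported on the page (Check Point Threat Intel Blockchain).
SCAMMER_WALLET = "0x6b140e79db4d9bbd80e5b688f42d1fcf8ef97798"
PUMP_CONTRACT = "0x2ef3216e95e2b7c8e378ae64534100e69598f955"
PUMP_SELECTORS = {
    "0x521da65d": "simulated trades",
    "0xf029e7cf": "large WETH<->token swaps",
}


@dataclass
class Tx:
    """Minimal transaction record (assumed shape; not a real node API)."""
    sender: str
    to: str
    calldata: str  # hex: "0x" + 4-byte selector + ABI-encoded args
    block: int


@dataclass
class PoolEvent:
    """Normalised liquidity-pool event (assumed shape)."""
    kind: str      # "add_liquidity" | "swap" | "remove_liquidity"
    actor: str
    amount: float  # liquidity added/removed, or token volume for swaps
    block: int


def selector(calldata: str) -> str:
    """The function selector is the first 4 bytes of calldata ("0x" + 8 hex chars)."""
    return calldata[:10].lower()


def indicator_hits(txs: List[Tx]) -> List[tuple]:
    """Match transactions against the page's IoCs; returns (block, reasons) per hit."""
    hits = []
    for tx in txs:
        sel = selector(tx.calldata)
        reasons = []
        if tx.sender.lower() == SCAMMER_WALLET:
            reasons.append("blacklisted wallet")
        if tx.to.lower() == PUMP_CONTRACT:
            reasons.append("known pump contract")
        if sel in PUMP_SELECTORS:
            reasons.append(f"selector {sel} ({PUMP_SELECTORS[sel]})")
        if reasons:
            hits.append((tx.block, reasons))
    return hits


def rug_pull_score(events: List[PoolEvent], deployer: str, associated: List[str]) -> Dict:
    """Behavioural heuristic for the lifecycle the page describes:
    seed liquidity -> insider-driven (wash) swap volume -> liquidity withdrawn.
    The 0.5 / 0.9 thresholds are illustrative assumptions, not values from the page."""
    insiders = {deployer.lower()} | {a.lower() for a in associated}
    added = removed = swap_total = swap_insider = 0.0
    last_swap_block = remove_block = None
    for e in sorted(events, key=lambda e: e.block):
        if e.kind == "add_liquidity":
            added += e.amount
        elif e.kind == "swap":
            swap_total += e.amount
            last_swap_block = e.block
            if e.actor.lower() in insiders:
                swap_insider += e.amount
        elif e.kind == "remove_liquidity":
            removed += e.amount
            remove_block = e.block
    wash_ratio = swap_insider / swap_total if swap_total else 0.0
    removed_ratio = removed / added if added else 0.0
    pulled_after_pump = (remove_block is not None and last_swap_block is not None
                         and remove_block > last_swap_block)
    flagged = wash_ratio >= 0.5 and removed_ratio >= 0.9 and pulled_after_pump
    return {"wash_ratio": wash_ratio, "removed_ratio": removed_ratio,
            "pulled_after_pump": pulled_after_pump, "flagged": flagged}


# Constructed sample data (not from the page) mirroring the described sequence.
SAMPLE_TXS = [
    Tx(SCAMMER_WALLET, PUMP_CONTRACT, "0x521da65d" + "00" * 64, 101),
    Tx("0x1111111111111111111111111111111111111111", PUMP_CONTRACT, "0xf029e7cf" + "00" * 64, 102),
    Tx("0x2222222222222222222222222222222222222222",
       "0x3333333333333333333333333333333333333333", "0xdeadbeef" + "00" * 64, 103),  # benign, constructed
]
SAMPLE_POOL = [
    PoolEvent("add_liquidity", SCAMMER_WALLET, 10.0, 100),
    PoolEvent("swap", PUMP_CONTRACT, 5.0, 101),  # simulated trade
    PoolEvent("swap", PUMP_CONTRACT, 6.0, 102),  # large WETH<->token swap
    PoolEvent("swap", "0x4444444444444444444444444444444444444444", 1.0, 103),  # external buyer
    PoolEvent("swap", "0x5555555555555555555555555555555555555555", 2.0, 104),  # external buyer
    PoolEvent("remove_liquidity", SCAMMER_WALLET, 9.8, 110),
]

if __name__ == "__main__":
    for block, reasons in indicator_hits(SAMPLE_TXS):
        print(f"block {block}: {', '.join(reasons)}")
    print(rug_pull_score(SAMPLE_POOL, SCAMMER_WALLET, [PUMP_CONTRACT]))
```

The indicator match catches the specific wallet and contracts the report names; the behavioural score is what generalises to the next token the same actor deploys under a different name, since it keys on the share of swap volume driven by the deployer and its helper contracts and on liquidity being withdrawn after that volume, rather than on any particular address.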