The Web3 ecosystem has rapidly evolved into a dynamic frontier of innovation, speculation, and unfortunately, deception. As new tokens launch daily and users chase opportunities across decentralized exchanges, a parallel rise in sophisticated scams and exploitative tactics has emerged. From liquidity rugs and contract honeypots to coordinated influencer shills, malicious actors have adapted just as quickly as the tools designed to stop them.

Traditional token scanners and audit checklists often fall short in the face of these evolving threats. Many users interact with risky assets without realizing the signs were already present — just scattered across different data silos, buried in transaction graphs, or hidden behind pseudonymous wallets.

RugCheck set out to change this by offering fast, on-chain token risk scores. But today, the need for a broader, deeper, and more interconnected approach has never been greater. Isolated heuristics or single-platform tools can only go so far.

That’s why RugNet was built — a prototype for a cross-platform risk intelligence framework that fuses RugCheck’s insights with a wider range of on-chain and off-chain signals. Their goal is to empower users, protocols, and security researchers with an adaptable and transparent model for identifying, visualizing, and understanding risk before it becomes irreversible loss.

This report introduces RugNet, outlines its multi-source methodology, and walks through a case study of how this framework can be used to identify malicious actors, uncover wallet connections, and surface early warning signs of token-based scams.

To address the limitations of siloed token risk assessment tools, this project introduces a cross-platform intelligence framework that synthesizes data from both on-chain and off-chain sources. The methodology is grounded in four key pillars: token profiling, wallet network analysis, behavioral heuristics, and threat signal enrichment.

The foundation of the analysis begins with RugCheck’s API, which provides essential on-chain heuristics for newly launched tokens. This includes indicators such as:

• Contract verification status

• Owner privileges (e.g., mint, blacklist, trading controls)

• Liquidity lock status and duration

• Honeypot detection and proxy contract flags

These initial assessments form a base-level score for token safety and help prioritize tokens for further investigation.

Once a token is flagged as suspicious, the next step involves constructing its wallet interaction graph. This graph is generated by:

• Tracing all wallets that have interacted with the token’s smart contract

• Identifying clusters of wallets that repeatedly deploy or trade multiple high-risk tokens

• Mapping token creator wallets to prior deployments or suspicious funding sources

Graph analysis tools and clustering algorithms are used to highlight potential patterns of coordinated behavior or serial exploitation.

Beyond contract logic and wallet connections, the framework applies behavioral heuristics such as:

• Sudden liquidity removals or price spikes followed by sell-offs

• Token launches timed during high network congestion or volatile events

• Wallets that engage in rapid multi-token creation without social presence

These behavioral signatures are used to build probabilistic risk profiles and identify tactics frequently associated with rug pulls or pump-and-dump schemes.

To complete the picture, the framework incorporates off-chain data to supplement on-chain activity. Sources include:

• Twitter/X and Telegram mentions related to the token or creator

• GitHub repositories linked to the token project

• Public alert systems and community watchlists

This fusion of community-driven intelligence and codebase scrutiny allows for risk scoring models to capture more than just transactional activity — they can also weigh the credibility and intent behind a project’s launch.

This methodology enables a comprehensive, adaptable, and reproducible approach to identifying token-related threats. By combining structural analysis, behavioral signals, and social indicators, it becomes possible to move from passive assessment to active defense.

The execution of this multi-source intelligence framework relies on a modular stack of tools purpose-built for extracting, analyzing, and visualizing blockchain data. These tools span four major functions: data ingestion, wallet graphing, behavioral analysis, and visual storytelling.

• RugCheck API: The primary source for token risk scores, liquidity data, and contract permission flags.

• Etherscan API: Used to fetch token holder data, contract source code, and transaction logs.

• DEX APIs (e.g., Uniswap, Jupiter): Collected price and liquidity movement data to detect volatility anomalies.

• Off-chain platforms:

  • Twitter/X: Social mentions and project promotion timing

  • Telegram scraper bots: Presence and volume of discussion groups

  • GitHub: Linked repos, commit history, and contributor overlap

All data pipelines are designed to be reproducible and timestamped to allow temporal correlation between events.

• NetworkX (Python) and Gephi were used to generate wallet graphs, where:

  • Nodes represent unique wallet addresses

  • Edges represent token transfers or contract interactions

• Additional attributes were added to nodes:

  • Creator/Deployer status

  • Historical token deployment activity

  • Flagged risk levels from RugCheck

These visual networks revealed patterns such as centralized token distribution, recurring deployer clusters, and high-frequency liquidity drainage.

• Custom heuristics were applied on-chain data to flag anomalies such as:

  • Liquidity removed within <1 hour of launch

  • Multiple contracts deployed from the same wallet in rapid succession

  • Sudden spike in transfers or buys with no off-chain announcement

• Scripts were written in Python using web3.py, pandas, and datetime modules for time-series analysis and event window breakdowns.

• All visuals were rendered using:

  • Plotly for interactive timelines

  • Gephi for wallet relationship graphs

  • Mermaid.js for lightweight flowcharts

  • Canva/Figma for diagram polishing

• Reports were drafted and published on Notion, ensuring the project is publicly viewable and easily navigable.

This toolset enables scalable monitoring and investigation across tokens, wallets, and behavioral signals. The next section will apply this stack to a real-world case study to demonstrate how multi-source risk detection works in practice.

In December 2024, social media influencer Haliey Welch, popularly known as "Hawk Tuah Girl," launched a memecoin named $HAWK on the Solana blockchain. The token rapidly gained attention, reaching a market capitalization of nearly $500 million shortly after its debut. However, within a short span, its value plummeted to approximately $25 million, leading to allegations of a "pump-and-dump" scheme and subsequent legal scrutiny.

1. Token Profiling via RugCheck API An initial assessment using the RugCheck API would have provided insights into the token's contract characteristics, including:

• Contract Verification Status: Determining whether the contract was verified on the blockchain.

• Owner Privileges: Identifying any special permissions held by the contract owner, such as the ability to mint new tokens or modify the transaction fee.

• Liquidity Lock Status: Assessing whether the liquidity was locked and for how long, which is crucial for investor confidence.

2. Wallet Network Mapping: Analyzing the wallet interactions associated with $HAWK could reveal patterns indicative of coordinated activities:

• Creator Wallet Analysis Tracing the origin wallet that deployed the $HAWK contract and its previous activities.

• Transaction Clustering: Identifying clusters of wallets that engaged in significant buying or selling around the token's launch.

• Liquidity Movements: Monitoring wallets that added or removed substantial liquidity, especially during the token's peak and subsequent crash.

3. Behavioral Heuristics and Risk Flags:
Applying behavioral analysis could highlight red flags:

• Rapid Price Fluctuations: The token's swift rise and fall in value could indicate manipulative trading behavior.

• High Concentration of Holdings: If a small number of wallets held a significant portion of the token supply, it increases the risk of market manipulation.

• Lack of Transparency: Absence of clear communication from the project team regarding tokenomics, roadmap, or utility.

4. Off-Chain Signal Enrichment: Supplementing on-chain data with off-chain information provides a holistic view:

• Social Media Activity: Monitoring platforms like Twitter and Telegram for promotional content, user sentiments, and potential misinformation.

• Media Coverage: Reviewing news articles and reports for any mentions of the project, especially those highlighting concerns or controversy.

• Legal Actions: Staying informed about any lawsuits or regulatory actions taken against the project or its promoter.

By integrating these analytical layers, stakeholders can better assess the risks associated with emerging tokens like $HAWK, potentially avoiding significant financial losses.

The $HAWK memecoin incident revealed multiple early-warning signs that could have been flagged using a multi-source intelligence approach. These findings fall into four distinct dimensions: contract-level vulnerabilities, wallet behavior, market manipulation tactics, and off-chain credibility gaps.

Using RugCheck and supporting blockchain explorers, the following red flags were identified in the $HAWK token contract:

• No Verified Source Code: The contract was deployed without verified source code on-chain, limiting public transparency into its functions.

• Privileged Controls: The deployer retained permissions that could enable arbitrary token minting or transaction fee manipulation.

• Liquidity Lock Status: While initial liquidity was added, the lock duration and conditions were unclear, exposing users to potential rug pull scenarios.

• High Creator Wallet Activity: The deployer wallet associated with $HAWK had launched other tokens previously, several of which exhibited rapid pump-dump patterns.

• Concentrated Holdings: Over 60% of the token supply was held by fewer than 10 wallets at peak, revealing a centralization risk.

• Pre-Market Transactions: Several large buys were executed before any public announcement, suggesting insider positioning.

• Pump Followed by Immediate Dump: The token saw a near-vertical price increase followed by sharp dumps within 48 hours, resembling coordinated exit behavior.

• Liquidity Drainage: Wallets associated with the deployer removed significant liquidity during the price crash phase.

• Bot-like Buy Pressure: Anomalous transaction timing and sequencing suggest automated trading activity was used to create fake demand.

• Lack of GitHub or Whitepaper: No verifiable project documentation or technical plans existed beyond influencer tweets.

• Influencer Involvement as Sole Hype Mechanism: The token’s only marketing came via the celebrity’s endorsement on social media, without disclaimers or technical disclosures.

• Community Red Flags Ignored: Several early warnings on Twitter and Discord about the wallet’s prior activity were not addressed.

These findings highlight how a multi-layered approach can identify scam patterns early — even when social sentiment appears bullish. Had this framework been applied pre-launch or during the first hours of $HAWK trading, many users could have been warned and possibly avoided significant financial harm.

Based on the $HAWK case study and the broader analysis pipeline, the following recommendations aim to strengthen RugCheck’s capabilities and empower users to detect and avoid scam tokens before it's too late.

Why: Many scam tokens originate from wallets with a history of malicious deployments.
What to do:

• Add a “Wallet Risk Score” next to token deployers, factoring in:

  • Past contract creation volume

  • Links to flagged rugs

  • Average token lifespan post-deployment

Impact: Users get real-time context on who is behind the token, not just what the token is.

Why: Many rug deployers operate across chains, recycling tactics.
What to do:

• Extend RugCheck’s heuristics to support Solana, BNB Chain, and Base.

• Cross-reference deployer wallet activity across EVM-compatible networks.

Impact: Detect repeat offenders, even if they migrate across chains to avoid scrutiny.

Why: Token risk is dynamic and changes rapidly post-launch.
What to do:

• Implement a real-time alert system triggered by behaviors like:

  • Sudden liquidity removal

  • Ownership transfer of contracts

  • Unusual transaction clustering

Impact: Users are notified before damage is done, especially during the first 24 hours of token activity.

Why: The crypto community often spots risks faster than platforms.
What to do:

• Enable users to leave token or wallet-level annotations, vote on suspicious behavior, and share custom risk insights.

• Incorporate crowd-sourced labels into token score weighting.

Impact: Decentralizes oversight and strengthens risk intelligence using community-powered truth signals.

Why: Visualizing ecosystem-wide scams helps users spot trends.
What to do:

• Build a dashboard that shows ongoing rug patterns, top flagged deployers, and risky tokens grouped by behavior clusters.

• Highlight real-time volume of flagged rugs, liquidity drained, and recurring wallets.

Impact: Makes risk tangible and visible, similar to how Nansen’s wallet tracking added market context.

As scams evolve, platforms like RugCheck must not only monitor but adapt and intervene. By combining smart heuristics, wallet graphing, off-chain data, and user input, RugCheck can become not just a passive risk scanner — but an active defense layer in the memecoin economy.

The memecoin landscape is moving faster than ever — and so are the tactics used by malicious actors to exploit it. As the $HAWK case demonstrates, even the most hyped tokens can mask serious risks beneath the surface.

By aggregating on-chain and off-chain signals through a multi-source intelligence framework, RugCheck is uniquely positioned to detect threats early, surface hidden patterns, and protect users in real time. The future of token safety lies in proactive, adaptive systems — and with enhanced tooling, community collaboration, and cross-platform reach, RugCheck can become the go-to guardian of crypto’s most vulnerable frontier.