How to Check if a Crypto Token Is a Scam (9-Point Checklist for 2026)

Most crypto losses are not from "the market went down." They are from people buying tokens they could not have verified in 60 seconds, then getting drained in 24 hours.

This guide is the exact 9-point checklist I run before any new token enters my wallet, plus the one test that catches roughly 80 percent of scams on its own. By the end you will be able to triage any new token in under a minute and confidently say "this is risky but real" or "this is a rug, walk away."

The single most useful test (do this first)

Before all 9 checks, do this one thing:

Buy a tiny amount of the token (5 to 20 dollars). Immediately try to sell half of it.

If the buy goes through but the sell fails, you found a honeypot. Honeypots are contracts coded to let buyers in and prevent anyone from selling. They were the dominant scam type of 2022 and 2023 and they are still everywhere. The honeypot test is mechanical. Either you can sell or you can't.

If the sell goes through, you've eliminated the easiest scam category and earned the right to look at the other 9 things below.

Cost of this test: 20 dollars and 60 seconds. Cost of skipping it: your entire planned position size.

Why scams keep working

Three reasons retail keeps getting rugged despite years of warnings:

The good ones look professional. Scam tokens in 2026 have polished websites, fake KOL endorsements, paid Telegram engagement, and even fake audits from auditors that don't exist. The cosmetic signals stopped meaning anything around 2021.

FOMO disables verification. When a chart is going parabolic, the brain stops running checks. People who would normally read a contract end up aping in because "it's already up 4x today and I can't miss this."

Verification feels like effort. It takes 60 to 90 seconds of clicking through Etherscan and DEXScreener to verify a token. Most people would rather guess and hope than spend that minute, which is exactly the bet scammers are running.

The fix is mechanical. Run the same 9 checks on every token, every time, no exceptions, no "this one is different because [influencer] is in it."

The 9-point token scam checklist

1. Is the contract verified on the chain explorer?

Open the token's contract address on Etherscan (or Solscan, BscScan, depending on chain). Look for a green checkmark next to "Contract Source Code Verified."

Unverified contract means the developer published bytecode but not the human-readable source code. You cannot read what the functions actually do. Auditors cannot review it. Hard pass, always.

Verified does not mean safe, but unverified is automatically unsafe. This filter alone eliminates a large chunk of the trash.

2. Is the mint authority renounced?

If the developer can still mint new tokens, they can dilute every holder to zero overnight. This has happened thousands of times.

On Solana: Pull the token in Solscan. Under "Authorities" you should see "Mint Authority: null" or the equivalent of renounced.

On Ethereum and EVM chains: Read the contract on Etherscan. Look for a mint function. If it exists and the owner is still a real wallet (not the zero address), the developer can mint at will.

A few legitimate projects keep mint authority for governance reasons (stablecoins, certain LSTs). For everything else, unrenounced mint is a red flag and unrenounced mint with a large dev wallet is a near-certain rug setup.

3. Is the liquidity locked, and for how long?

"Locked liquidity" means the LP tokens that represent the liquidity pool are sent to a time-locked contract. The developer cannot pull liquidity until the lock expires.

Check Pinksale, UNCX, Team Finance, or the project's own announcement. Then verify the lock contract on the explorer to make sure it's real.

The thresholds:

• Under 30 days locked: rug waiting to spring
• 30 to 180 days: caution, treat as short-term trade only
• 6 to 12 months: acceptable for established projects
• Over 12 months or permanently burned LP: good signal

"Liquidity locked" with no duration mentioned is the same as no lock at all. The number matters.

4. Are the top 10 holders below 30 percent of supply?

Open the holders tab on the chain explorer. Exclude:

• The burn address (usually 0x000...dead)
• The liquidity pool contract
• The staking contract if applicable

Sum the remaining top 10 wallets. If they own more than 30 percent of circulating supply, you are exit liquidity for them. They can dump anytime and crater the price by 60 to 90 percent in a single block.

A healthy distribution shows top 10 (excluding burn and LP) holding 10 to 25 percent. Anything over 40 percent is dangerous regardless of how good the project narrative sounds.

5. What are the buy and sell taxes?

Many tokens have a small tax on buys and sells, usually 1 to 5 percent, routed to marketing, dev, or holders.

The danger signals:

• Tax above 10 percent in either direction: the contract is slowly draining buyers
• Sell tax higher than buy tax: classic exit-pressure tax, dev wants buyers in but punishes sellers
• Tax that can be changed by the owner post-deployment: the dev can set tax to 99 percent any time, making your tokens essentially unsellable

You can usually see tax structure on DEXScreener or by reading the contract's setFee and related functions.

6. Is the contract upgradeable?

An upgradeable proxy contract lets the developer change the contract logic after launch. This is sometimes legitimate (audited DeFi protocols use proxies for emergency fixes) but for a new token it's almost always a backdoor.

Look for "Proxy" or "TransparentUpgradeableProxy" in the contract code on Etherscan. If you see it, ask yourself: do I trust this team enough to let them rewrite the contract after I buy?

For unknown teams the answer is always no.

7. How old is the token?

Token age is information.

• Under 24 hours old: assume rug until proven otherwise
• Under 7 days: extreme risk, treat as a 0-or-100 lottery ticket
• Under 30 days: high risk, position size accordingly
• Over 90 days with consistent activity: lower base rate of immediate rug
• Over 1 year with active development: legitimate enough to evaluate on fundamentals

Survival is information. Most scams collapse within the first 14 days because the dev is rushing for the exit. Anything that has survived 6 months has at least passed the basic time filter.

8. How deep is the actual liquidity?

A token can have a "market cap" of 50 million dollars and still be impossible to sell more than 200 dollars of without crashing the price.

What matters is pool depth: how much real money is sitting on each side of the trading pair.

Rough thresholds:

• Under 25k liquidity: any whale exit nukes the price
• 25k to 100k: small positions only, expect 5 to 15 percent slippage on exit
• 100k to 500k: modest positions ok, monitor concentration
• Over 500k: acceptable depth for normal-sized retail trades
• Over 5 million: institutional-grade depth

Always check liquidity against your planned position size. If your position is over 5 percent of the pool, you cannot exit without moving the price against yourself.

9. Is the team doxxed or pseudonymous with a verifiable track record?

Doxxed (real names, real LinkedIn, real prior companies) is the safest. But anonymous teams can be legitimate IF they have a verifiable track record of shipping previous successful protocols.

The red flag is anonymous team with no track record. That is a lottery ticket dressed up as an investment.

Steps to verify:

• Search the team's pseudonyms on X and GitHub for prior projects
• Check the contracts of those prior projects (still alive? rugged?)
• Look for the dev's address history on chain
• See if any reputable VCs have backed the team before

No history plus no doxxing equals zero accountability. They can rug you, change pseudonyms, and start again next week.

The 60-second triage method

For tokens you want to evaluate fast, run this condensed version:

1. Honeypot test (buy small, try to sell): 60 seconds
2. Top 10 holders below 30 percent: 15 seconds on the explorer
3. Liquidity locked over 6 months: 15 seconds on Pinksale/UNCX
4. Mint authority renounced: 15 seconds on the explorer

If any one of those four fails, walk away. Total time invested: about 2 minutes. Total losses prevented: every rug that fails one of those four (which is most of them).

The other 5 checks above are worth doing for any token you plan to hold longer than a few weeks.

Tools that automate token scam checks

Manual checks work but they get tedious if you evaluate more than a couple tokens per week.

Token Sniffer (free). Decent baseline contract scanner. Flags obvious red flags but generates a lot of false positives on legitimate tokens with complex governance.

De.Fi Scanner (free tier). Good UI, covers most EVM chains, scans for common scam patterns. Misses subtle rug patterns and does not analyze concentration in context.

RugDoc, GoPlus Security. Free Telegram and web tools. Useful for cross-checking but the reports are technical and hard to act on for non-technical buyers.

Crypto Clarity AI. What I built. Paste any wallet or any single token contract. Get all 9 checks above plus 12-dimension risk scoring, plain English output, no technical knowledge required. Free 60-second demo,

9 once for full audit including any token in your wallet. Try it here.

Real examples of scam patterns you'll see in 2026

The "fair launch" with a 60 percent dev wallet

Project launches with no presale, no VCs, "100 percent fair." Liquidity is small. Within 24 hours, holders chart shows one wallet (not the dev wallet directly, of course, a fresh wallet funded an hour before launch) holds 60 percent. They wait for the chart to pump on hype, then dump and the price goes to zero.

How you would have caught it: holders check. Top 10 holding 60 percent means you're exit liquidity even when "fair launch" is in the name.

The honeypot disguised as a memecoin

Token launches with viral memes, gets shilled on X by paid accounts, chart pumps 200x in a day, everyone is bragging. Try to sell, the transaction fails. Look at the contract, sell function reverts based on a hidden whitelist.

How you would have caught it: 20 dollar buy and sell test before sizing up.

The "audited" rug

Project has a "security audit" PDF on its website. The audit is from "AuditGuard Pro" or some firm name you've never heard of. Click through, the firm doesn't exist or has no real presence. The dev paid for a fake audit to legitimize the project. Liquidity unlocks in 14 days. They rug on day 15.

How you would have caught it: liquidity lock duration check. 14 days is not a lock, it's a timer.

The slow-drain tax token

Token starts with a 2 percent buy and sell tax (normal). Three weeks later, dev calls setFee and raises sell tax to 50 percent. Now every sell loses half its value, but buys still work, so the dev keeps draining buyers while sells get penalized into paralysis.

How you would have caught it: check if the contract has an owner-modifiable setFee function. If yes, that's a backdoor tax weapon.

The upgradeable backdoor

Token uses a transparent proxy pattern. Looks fine for 6 months. Then the dev upgrades the implementation contract to add a blacklist function and freezes withdrawals from any wallet they choose.

How you would have caught it: proxy check. No upgradeable proxies for unknown teams.

What to do if you already hold a token that fails the checklist

If you ran this against your existing wallet and found a position that fails three or more checks, you have decisions to make. Realistic options:

1. Sell now, take the loss. If the token still has liquidity, exit before the dev does. Losing 60 percent is better than losing 100 percent.
2. Sell what you can, accept the rest is dead. If liquidity is shallow, sell down to whatever the pool allows without absurd slippage. Treat the remainder as gone.
3. Hold and hope. Statistically the worst option. About 90 percent of tokens that fail multiple structural checks go to zero within 12 months. The other 10 percent recover briefly and then go to zero anyway.

The expected value math heavily favors taking the loss. The only argument for holding is if the position is so small it's not worth the gas to exit.

FAQ

What's the difference between a rug pull and a honeypot?

A rug pull is when the developer pulls liquidity and runs, dropping the price to zero. A honeypot is a contract coded so you can buy but can't sell. Different mechanics, same outcome: total loss.

Can a token pass all 9 checks and still be a scam?

Yes, but it's much rarer. Sophisticated scams will pass surface checks. That's why a wallet-level audit looks at additional context like wash trading, suspicious holder graph patterns, and dev wallet behavior over time.

Is "DYOR" a sufficient defense?

No. "Do your own research" is meaningless without a checklist. Most people who say they "DYOR" are reading the project's own website and a few Twitter accounts that may be paid shills. Real DYOR is the 9 mechanical checks above.

How do I check if a Solana token is a scam?

Same framework, different tools. Use Solscan instead of Etherscan, Birdeye for liquidity, and check freeze authority along with mint authority (Solana has both).

Are memecoins all scams?

No. Most memecoins are extremely risky and the base rate of failure is high, but legitimate memecoins exist (DOGE, SHIB, PEPE survived multiple cycles). The 9-point checklist applies regardless of category. A "legit memecoin" still has to pass the structural checks.

What about new tokens from established teams?

Apply the same checks. Established teams sometimes ship contracts with backdoors for "flexibility," and "I trust the team" is the most expensive sentence in crypto. Verify mechanically, every time.

Should I avoid all unaudited tokens?

Audits help but they're not bulletproof. Many audited tokens have still rugged because the audit only covers code, not intent. Audit plus the 9 checks above plus team verification is the real defense.

How do I get fast at running these checks?

Bookmark Etherscan, Solscan, DEXScreener, and a contract scanner. Practice on a few tokens you don't own until the workflow becomes muscle memory. Or pay 19 dollars once for a tool that runs all 9 in 60 seconds on any wallet or token. Try it here.

Next step

If you have any tokens in your wallet right now that you have not run through this checklist, do it before you do anything else today. The 5 minutes it takes is the cheapest insurance in crypto.

If you want all 9 checks plus 12-dimension risk scoring across every token in your wallet in 60 seconds, the free demo is at cryptoclarityai.com/demo. No signup, no email, no credit card. Get the risk report and decide if the full 19 dollar audit is worth it.

Either way: stop buying tokens you have not verified. The next bear market will be triggered, and most of the people getting wrecked will have skipped a 60 second test that would have saved them five figures.