Skip to main content

Overview

Fake tokens are malicious tokens designed to impersonate legitimate projects. Scammers create tokens with similar names, symbols, or branding to trick users into buying worthless counterfeits.
Always verify the exact contract address of a token before trading. Similar names and symbols are easy to copy.

How Fake Tokens Work

  1. Target Selection: Scammer identifies a popular or trending token
  2. Impersonation: Creates a new token with identical or similar name/symbol
  3. Distribution: Fake token appears in wallets or DEX searches
  4. Deception: Users mistake it for the real token and buy
  5. Exit: Scammer sells or rugs, leaving victims with worthless tokens

Types of Fake Tokens

Name Squatting

  • Exact or near-exact name copying
  • Same symbol as legitimate token
  • Different contract address (the key difference)

Airdrop Scams

  • Unsolicited tokens appear in your wallet
  • Designed to lure you to malicious websites
  • Often have enticing names or values

Logo/Branding Copies

  • Stolen logos and imagery
  • Copied website designs
  • Fake social media accounts

Pre-Launch Fakes

  • Created before official token launches
  • Exploit hype around upcoming projects
  • Users think they’re getting early access

Detection Indicators

TagSeverityDescription
fake_tokenCriticalToken identified as impersonating another
airdrop_scamHighUnsolicited token likely part of scam
phishing_tokenCriticalToken designed to steal funds
unverified_contractMediumContract source code not verified

API Example

Never share real API keys in screenshots, logs, or client-side code.
curl -X GET "https://api.webacy.com/tokens/{TOKEN_ADDRESS}?chain=eth" \
  -H "x-api-key: {API_KEY}"
Response indicating fake token: 
{
  "overallRisk": 99.0,
  "issues": [
    {
      "tag": "fake_token",
      "severity": "critical",
      "description": "Token impersonates a legitimate project"
    },
    {
      "tag": "phishing_token",
      "severity": "critical",
      "description": "Token designed to lure users to malicious site"
    }
  ]
}

Red Flags

  • Different contract address - Always verify against official sources
  • No liquidity or minimal liquidity - Real tokens have established pools
  • No transaction history - Legitimate tokens have trading activity
  • Appeared in wallet unexpectedly - You didn’t buy or claim it
  • Links to suspicious websites - Different from official project URLs
  • No social presence - Not mentioned by official project accounts

Verification Steps

  1. Check official sources
    • Project’s official website
    • Verified social media accounts
    • CoinGecko/CoinMarketCap listings
  2. Verify contract address
    • Compare exact address character by character
    • Use official links, not search results
  3. Check on block explorer
    • Verify contract is verified
    • Check creation date and transaction history
    • Look for legitimate trading activity

Protection Strategies

  1. Bookmark official sites - Don’t use search engines to find DEXes
  2. Verify contract addresses - Always check the exact address
  3. Ignore airdrops - Don’t interact with unsolicited tokens
  4. Use official links - Get addresses from verified sources only
  5. Check token age - New tokens impersonating old projects are suspicious
  6. Verify on multiple sources - Cross-reference contract addresses

Handling Fake Airdrops

Never interact with suspicious airdropped tokens. Attempting to sell them may trigger wallet draining transactions.
If you receive unexpected tokens:
  • Don’t try to sell them - This can trigger malicious contracts
  • Don’t visit linked websites - These are often phishing sites
  • Hide the token - Most wallets let you hide unwanted tokens
  • Report if possible - Help protect others from the same scam