Copycat Token — Rug Check Risk Guide
Copycat tokens — imitation scams and how to spot them
What is a copycat token in crypto?
A copycat token is a malicious token deployed with identical or near-identical metadata (name, symbol, image, description) to a legitimate project, designed to trick buyers into sending funds to the wrong contract address.

Copycats thrive in three windows: (1) the first hours of a hyped project's launch, when multiple contracts share the same symbol; (2) after a high-profile token announcement on Twitter, when buyers rush in before verifying; and (3) cross-chain, where the same symbol is legitimate on one chain but a copycat on another. On Solana, the update authority pattern makes copycats especially insidious: a dev can deploy a blank token, then swap the metadata to impersonate any other token, producing a legitimate-looking "BONK" or "WIF" that was actually deployed last week.

Detection requires fingerprint-matching across name, symbol, image hash, and deployment recency, plus cross-referencing against trusted token registries (Jupiter Strict List on Solana, CoinGecko/CMC on EVM). Sharpe's Rug Check maintains a canonical-address registry for top tokens per chain and flags any contract with matching metadata that doesn't match the canonical address.
Frequently Asked Questions
- What is a copycat token?
- A malicious token with metadata (name, symbol, image) that imitates a legitimate project, deployed to trick buyers into sending funds to the wrong contract address.
- How do I find the real contract address for a token?
- Check the project's official Twitter, Discord, or website for the canonical address. Cross-reference against Jupiter Strict List (Solana) or CoinGecko / CoinMarketCap (EVM). Sharpe's Rug Check maintains a canonical-address registry and flags any contract with matching metadata that doesn't match.
- Can Solana tokens change their metadata after launch?
- Yes — if update authority is retained. A token deployed with one name and symbol can be renamed and re-imaged to impersonate any other project. Renounced update authority (set to null) is required for trustable SPL tokens.
How to detect copycat token risk
- Token metadata (name, symbol, image) matches a known legitimate project
- Contract address does not match the canonical address for that symbol
- Token deployed after the project it's imitating
- Solana: update authority retained + metadata swap history
- Not on Jupiter Strict List / CoinGecko / CMC canonical registry
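The checks above can be combined into one pass over a canonical-address registry. The following is an added example, not code from Rug Check or any registry named on this page: the `Token` record, the flag names, the list-based registry and the use of an exact SHA-256 image hash are assumptions, and all sample addresses, hashes and timestamps are constructed placeholders.

```python
import unicodedata
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Token:                                # hypothetical record shape
    chain: str
    address: str
    name: str
    symbol: str
    image_sha256: str                       # exact hash of the image bytes (assumption)
    deployed_at: int                        # unix seconds
    update_authority: Optional[str] = None  # None = renounced (Solana only)

def fold(text: str) -> str:
    """NFKC + casefold + strip whitespace, so fullwidth or padded 'BONK' equals 'bonk'."""
    return "".join(unicodedata.normalize("NFKC", text).casefold().split())

def key(t: Token) -> tuple:
    # EVM hex addresses are case-insensitive; Solana base58 is case-sensitive.
    addr = t.address.lower() if t.address.startswith("0x") else t.address
    return (t.chain, addr)

def copycat_flags(candidate: Token, registry: list) -> list:
    """Return risk flags for candidate against a canonical-address registry."""
    if key(candidate) in {key(c) for c in registry}:
        return []                           # candidate is itself a canonical contract
    matches = [c for c in registry
               if fold(c.symbol) == fold(candidate.symbol)
               or fold(c.name) == fold(candidate.name)
               or c.image_sha256 == candidate.image_sha256]
    if not matches:
        return []                           # imitates nothing in the registry
    flags = ["METADATA_MATCH_ADDRESS_MISMATCH"]
    if all(c.chain != candidate.chain for c in matches):
        flags.append("NO_CANONICAL_ON_THIS_CHAIN")
    if any(candidate.deployed_at > c.deployed_at for c in matches):
        flags.append("DEPLOYED_AFTER_ORIGINAL")
    if candidate.chain == "solana" and candidate.update_authority is not None:
        flags.append("UPDATE_AUTHORITY_RETAINED")
    return flags

# Constructed sample data: every address, hash and timestamp is a placeholder.
REGISTRY = [
    Token("solana", "CANONICAL_BONK_PLACEHOLDER", "Bonk", "BONK", "aa" * 32, 1_670_000_000),
    Token("ethereum", "0xCANONICALUSDCPLACEHOLDER", "USD Coin", "USDC", "bb" * 32, 1_530_000_000),
]
FAKE_BONK = Token("solana", "COPYCAT_PLACEHOLDER_1", "Bonk", "\uff22\uff2f\uff2e\uff2b",  # fullwidth BONK
                  "aa" * 32, 1_760_000_000, update_authority="DEV_WALLET_PLACEHOLDER")
FAKE_USDC = Token("base", "0xcopycatplaceholder2", "USD Coin", "usdc ", "cc" * 32, 1_760_000_000)
```

An exact image hash only catches byte-identical copies; a re-encoded or resized logo would need a perceptual hash, and metadata swap history needs on-chain data this sketch does not fetch.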
Historical copycat token incidents
- Fake USDC deployments on every chain — common bridge wrapper target
- Post-announcement fake AI agent tokens on Base (Virtuals, AIXBT imitators)
- pump.fun launches reusing hot ticker symbols within hours of graduation

