Read this even if you skip everything else

If someone on YouTube, Telegram, Discord, or Reddit shows you a "copy-paste MEV bot" or "slippage arbitrage bot" that earns passive ETH — and tells you to deploy a contract and send ETH to it to "activate" it — it is a scam. Your ETH will be in the scammer's wallet within the same block. There is no bot. There is no profit.

How the Scam Is Set Up

The victim is shown a tutorial — usually a slick YouTube video with thousands of fake views and a seeded comment section — that walks them through a sequence that looks entirely plausible to someone who has heard of MEV without understanding how it actually works at an infrastructure level.

01
Open Remix IDE
The tutorial directs the victim to remix.ethereum.org — a legitimate, widely-used browser-based Solidity development environment. Using a real tool adds credibility.
02
Paste the contract
The scammer provides a Solidity contract described as scanning "the mempool for slippage opportunities." It imports real Uniswap interfaces, uses inline assembly, and has lengthy fake comments. It compiles cleanly.
03
Deploy to mainnet
The victim deploys the contract to Ethereum mainnet, paying gas (typically 0.01–0.03 ETH). The contract is now on-chain. The victim believes they are the owner.
04
Fund the bot's "gas reserve"
The tutorial instructs the victim to send 0.5–2 ETH to the contract as "working capital" so the bot can execute trades. This is the primary loss event. The money is now in the contract.
05
Call start() — money disappears
The victim calls start() via Remix as instructed. The entire contract balance is transferred to the scammer's address in a single transaction. No error. No revert. No indication anything went wrong — the transaction succeeds.

None of steps 1–4 are real. Step 5 is where every wei disappears.

What the Contract Actually Does

Stripped of fake comments, obfuscated helpers, and decorative imports, the malicious logic in start() reduces to exactly one operation:

The real start() — all fake complexity removed Solidity 
function start() public payable {
    payable(owner).transfer(address(this).balance);
    // That's it. Every wei you sent goes to `owner`.
    // The hundred lines above this are theatre.
}

Every wei you deposited gets forwarded to a hardcoded address the scammer controls. The function accepts no arguments, performs no mempool analysis, executes no trades, and interacts with no DEX. The Uniswap interface imports, the checkLiquidity function, the fetchMempoolData helper — none of them are invoked during start(). They exist entirely to make the file look like it does something real.

1
Real operation in start() — transfer balance to scammer
0
DEX calls, mempool reads, or arbitrage operations executed
100+
Lines of fake code surrounding that single transfer call
0
ETH remaining in contract after start() executes

How They Hide the Drain Address

Writing the scammer's address as a plain constant is the one thing that would make the scam obvious to any reviewer. So the address is never written plainly — it is split across multiple string variables and reassembled at runtime, typically using abi.encodePacked or inline assembly:

Runtime address assembly — looks like configuration, is a drain Solidity 
// Looks like innocent configuration variables...
string memory a = "0x7f";
string memory b = "3B9";
string memory c = "1a0";
// ... 5 more fragments scattered across helper functions

// Assembled at runtime — no static analysis tool catches this
address payable owner = parseAddr(concat(a, b, c, ...));

function start() public payable {
    payable(owner).transfer(address(this).balance);
}

This approach defeats three layers of casual review:

The specific variant we analyzed

The template most widely distributed in 2024–2026 splits the drain address across exactly eight helper functions — getMempoolShort(), fetchMempoolEdition(), fetchMempoolVersion(), getMempoolLong(), getMempoolHeight(), getMempoolCode(), getMempoolStart(), and getMempoolLog() — assembling 0xcB692a06Da7CBC9bf8e4464782E1b7a736B6fc52 at runtime. The function names are designed to sound like legitimate mempool-monitoring operations, which is what a real MEV bot would need to do. The EVM cannot read the mempool; those names are purely cosmetic.

Additional Obfuscation Techniques Used in the Wild

The address splitting is the core trick, but production variants layer several additional techniques to make the code appear credible:

Technique 01
Outdated compiler version

pragma solidity ^0.6.6 — a compiler from 2019 — is specified deliberately. It pre-dates many modern security tooling defaults and means Slither, MythX, and similar analysers may not apply their full rule sets or may behave differently than they would against 0.8.x code.

Technique 02
Fake operational functions

Functions named checkLiquidity, loadRouter, fetchMempoolData, findNewContracts, and calcLiquidityInContract are present in the contract but never called from start(). They exist to make the contract look like it has MEV logic. None execute trades.

Technique 03
Decorative interface imports

Full IERC20, IUniswapV2Router02, and IUniswapV2Factory interface definitions are imported at the top of the file. They pad the file length, make it look like a real DeFi integration, and give reviewers something plausible-looking to read before they reach the drain.

Technique 04
Misleading comments

The source includes comments like // Security: prevents front-running, // Optimised for low gas, and // MEV protection layer near the obfuscated drain logic. These are written specifically to disarm skepticism in anyone who reads the source before deploying.

The "Defused" Variant Problem

Some versions of this template circulating in 2025–2026 have had the active drain replaced with a no-op — start() sets a variable and emits a log event but does not transfer funds. These exist for several reasons: the scammer may use them as a demonstration copy, as a base for affiliates to re-arm themselves, or simply because the template was forked and modified by someone who removed the drain but left all the scaffolding intact.

The key point is that a "defused" copy is not safe. The eight fragment functions are still present. The address assembly logic still works. Anyone who forks the contract and restores two lines of code re-arms the drain. If you find one of these contracts online and it "passes" a quick check because start() looks harmless, the underlying template is still a scam vehicle. Do not deploy it; do not fork it.

Red Flags Checklist

Warning signs — any one of these should stop you cold
Tutorial tells you to fund a contract you didn't write and don't understand. If the value proposition requires you to send ETH before you can verify where it goes, you are the product.
Source code uses assembly {} blocks or joins address strings at runtime. Any contract that assembles an Ethereum address from concatenated string fragments is obfuscating a target address.
A start() or init() function that accepts no arguments but is marked payable. A legitimate bot activation function would at minimum take a configuration parameter. A payable no-argument function that immediately runs is a drain trigger.
Contract owner address is not your address. If owner is hardcoded or assembled from strings rather than set to msg.sender in the constructor, you do not control the contract.
Profits are explained only in a video, never in verifiable on-chain history. Ask for a wallet address showing historical profits. No one who has run this "bot" successfully can provide one because the only transfers out of these contracts go to the scammer.
Urgency framing — "the opportunity window closes" or "mempool congestion is low right now." Artificial urgency exists to stop you from taking the time needed to analyse the contract.

How to Check a Contract Before Funding It

  1. Paste it into a local editor and trace every .transfer( and .call{value:. Find every place ETH can leave the contract. Trace exactly what address it goes to. If any transfer target is assembled at runtime from strings, that is your answer.
  2. Check the owner variable. Open the constructor. If owner is not assigned to msg.sender — if it is hardcoded, computed, or assembled from fragments — you do not own this contract and you cannot recover funds sent to it.
  3. Deploy to a testnet first. Deploy to Sepolia, fund it with test ETH, call start(), then open the Sepolia block explorer and check where the balance went. If it goes to an address you don't recognise, the mainnet version will do the same thing with real ETH.
  4. Run a static analyser. Slither (slither contract.sol) will flag unprotected transfer calls, arbitrary send targets, and other high-severity issues immediately. It takes 30 seconds and is free.
  5. Search the function names. Paste getMempoolShort or fetchMempoolData into a code search engine. You will find every known copy of this scam template within seconds. If your contract's source matches, walk away.
The testnet rule

Any smart contract that you intend to fund should be tested on a public testnet (Sepolia) first. Deploy it, send test ETH, call every function you plan to call on mainnet, and verify all fund movements in the block explorer before committing real ETH. This single practice would prevent virtually every drain of this type.

If You Have Already Been Drained

The ETH itself is almost certainly unrecoverable once transferred — the blockchain does not have a reversal mechanism, and by the time most victims discover what happened the funds have already been layered through DEX swaps or bridges. That said, the following actions are still worth taking:

01
Mark the receiving address on Etherscan
Use the "Report" button on the scammer's address page on Etherscan. This adds a scam warning to the address that other users will see, and feeds into Etherscan's risk tagging system.
02
Submit to crypto scam databases
Report the contract address and scammer wallet to cryptoscamdb.net and chainabuse.com. These databases are queried by wallets, exchanges, and AML screening tools — your report helps block the address for future victims.
03
Report the content platform
Report the YouTube channel, Telegram group, or Discord server that promoted the contract. Include the contract address in your report. Platform takedown reduces the scam's reach even after your funds are gone.
04
File with FBI IC3
File a report at ic3.gov (FBI Internet Crime Complaint Center). Individual recovery is unlikely, but IC3 tracks patterns across cases. A sufficient volume of reports on the same scammer address or template does trigger investigation.
Why reporting still matters

Each report on chainabuse.com or cryptoscamdb.net is ingested by compliance screening tools at exchanges and OTC desks. When the scammer's address accumulates enough reports, deposits from that address cluster start triggering enhanced review flags — making it harder to cash out future drain proceeds. Your report protects future victims even if it doesn't recover your ETH.

AML and Compliance Implications

For compliance teams at exchanges, this scam class produces a recognisable on-chain footprint. Drain proceeds arrive at the scammer's address from multiple newly-deployed contracts over days to weeks — a pattern distinct from normal retail accumulation. The subsequent DEX swap and bridge activity follows the same post-exploit layering pattern documented in larger DeFi attack cases.

The QLabs Crypto AML platform applies behavioral detection rules for this pattern: full-balance transfers from newly-deployed contracts to unknown EOAs, flagged independently of whether the specific address has an existing blacklist entry. Because each fork of this scam template generates a fresh drain address, blacklist-only screening consistently misses the first wave of deposits. Behavioral typology detection does not.