In March 2024, a fake airdrop claim site impersonating Wormhole — a cross-chain bridge protocol that had just launched its $W token — appeared in Google search results and was promoted by compromised X (Twitter) accounts. Users who connected their wallets and clicked “Claim” were prompted to sign what looked like a routine verification message. It was not. It was an EIP-2612 permit signature granting unlimited spending approval to the scammer’s contract. Within minutes, their ERC-20 tokens — USDC, USDT, ETH — were drained to attacker-controlled wallets. Over a single weekend, this and similar fake claim sites linked to the wallet-draining group “Inferno Drainer” extracted an estimated $80 million from more than 100,000 victims before the group publicly announced their shutdown.
Airdrop scams are one of the most prolific attack vectors in crypto. They are effective because they exploit a genuine mechanic — airdrops distribute real tokens worth thousands of dollars to real users — and wrap it in social engineering designed to make you act before you think. The combination of free-money psychology, fake urgency, and wallet-draining smart contracts creates a trap that catches both newcomers and experienced users.
This guide breaks down how airdrop scams work, the specific attack patterns scammers use, and how to verify whether an airdrop is legitimate before you connect your wallet.
BLUF: Airdrop scams fall into three categories: (1) Fake claim sites that impersonate legitimate projects and trick you into signing malicious transactions or permit signatures — these are responsible for the vast majority of losses and are powered by wallet-draining kits like Inferno Drainer, Pink Drainer, and Angel Drainer; (2) Unsolicited token airdrops (also called dusting attacks) that send scam tokens directly to your wallet, hoping you will interact with them and trigger a hidden smart-contract trap; (3) Impersonation airdrops promoted by fake social media accounts, hacked Discord servers, or typosquatted domains. The three verification rules that prevent nearly all airdrop scam losses: (1) Only claim from URLs found in the project’s official documentation or verified X account — never from a link in a DM, email, or search ad; (2) Never sign a message or transaction on an unfamiliar site — if you see
spenderandvaluefields in an EIP-712 prompt, reject immediately; (3) Never interact with unsolicited tokens in your wallet — do not swap, transfer, or approve unknown tokens, as some contain malicious contracts that drain on interaction. If you suspect a scam, disconnect your wallet, move assets to a fresh address, and revoke all approvals on revoke.cash.
How Airdrop Scams Work
Airdrop scams do not exploit smart contract vulnerabilities. They exploit human behavior. The attack chain follows a predictable pattern:
1. Attacker identifies an upcoming or ongoing legitimate airdrop
2. Creates a fake claim site mimicking the project's UI
3. Promotes the fake site via:
- Compromised X/Discord accounts with real followers
- Google Ads targeting the project's keywords
- Typosquatted domains (e.g., "arbirtum-claim.com")
- Phishing DMs in project Discord servers
4. Victim connects wallet to the fake site
5. Site triggers a malicious signature or transaction
6. Drainer contract transfers victim's tokens to attacker
Attack Type 1: Fake Claim Sites (Most Dangerous)
This is the primary attack vector and the one responsible for the largest losses. The scammer builds a website that visually replicates the legitimate project’s claim page — same logo, same colors, same layout, sometimes even copying the HTML directly. The URL is the only visible difference, but scammers register convincing typosquats: claim-arbitrum.com instead of arbitrum.foundation, or wormhole-airdrop.io instead of wormhole.com.
Once a victim connects their wallet, the site deploys a wallet drainer — a smart contract designed to move tokens out of connected wallets. The drainer uses several techniques:
Token approval phishing: The site asks the user to approve a transaction that grants the drainer contract spending permission over their tokens. Many users blindly approve because they expect a claim transaction. Once approved, the drainer calls transferFrom() and moves all approved tokens to its own address. Learn more in our token approval safety guide.
Permit signature phishing: More sophisticated than approval phishing, this technique uses the EIP-2612 permit standard. The site asks the user to “sign a message to verify eligibility” — but the message is actually a permit granting unlimited token spending rights to the attacker. Because permits are signed off-chain, there is no gas cost and no visible transaction, making them nearly invisible. The attacker submits the permit on-chain later, paying their own gas to drain the wallet. Read our detailed breakdown of permit signature phishing for the technical mechanics.
Permit2 exploitation: If the victim has previously used Uniswap or any dApp integrated with Permit2, a single malicious signature can grant the attacker spending rights over all tokens the victim has ever approved through Permit2 — not just one token. This is the most devastating variant: one click drains everything.
| Drain Method | What Victim Sees | Gas Paid By | Speed | Reversible? |
|---|---|---|---|---|
| Token Approval | Transaction confirmation | Victim | Slow (victim must confirm) | Yes (can revoke before drain) |
| Permit Signature | ”Verify eligibility” message | Attacker | Fast (attacker acts immediately) | No (permit already valid) |
| Permit2 Exploit | ”Sign to connect” message | Attacker | Instant | No (drains all Permit2 tokens) |
| Native ETH Drain | Transaction confirmation | Victim | Instant | No |
Attack Type 2: Unsolicited Token Airdrops (Dusting)
Not all airdrop scams require you to visit a website. Some come to you — directly into your wallet.
Scammers send small amounts of worthless tokens to thousands of addresses using on-chain transfers. These tokens often have names mimicking real projects: a fake “$UNI” token, an “$ARB-claim” token, or a token whose name is literally a URL like “visit-claim-arbitrum.com.” The goal is to bait you into interacting with the token — swapping it on a DEX, transferring it, or clicking an associated link.
The danger is twofold:
-
Hidden contract traps: Some scam tokens are smart contracts with malicious
transfer()functions. When you attempt to swap or transfer the token, the function triggers an approval or transfer of your legitimate tokens to the attacker. The token is a Trojan horse — touching it activates the trap. -
Bait to phishing sites: The token name or a message field contains a URL. Curious users visit the site expecting to claim more tokens, landing on a fake claim page that deploys the drain techniques described above.
This technique overlaps with dusting attacks, where tiny amounts of crypto are sent to addresses for tracking or deanonymization purposes — but in the scam variant, the intent is theft rather than surveillance.
Attack Type 3: Social Engineering Airdrops
The third category does not rely on sophisticated smart contracts at all. It relies entirely on social engineering:
Compromised accounts: Scammers hijack X accounts with large followings — often crypto influencers or even project official accounts — and post airdrop links. In 2024, multiple verified X accounts with hundreds of thousands of followers were compromised and used to promote fake airdrop claim links. The follower count and blue checkmark lend credibility.
Discord server takeovers: Scammers gain moderator access to a project’s Discord (often through social engineering of existing mods or stolen Discord tokens) and pin fake airdrop announcements. Because the message comes from within the official server, members trust it.
Fake Telegram groups: Scammers create Telegram groups with names identical to legitimate projects, then promote fake airdrops to users searching for the project on Telegram.
Email phishing: Scammers send emails that appear to come from the project team, often using lookalike domains (e.g., team@arbitrum-foundation.io vs. team@arbitrum.foundation).
How to Verify a Legitimate Airdrop
The single most effective defense against airdrop scams is verification. Every legitimate airdrop can be confirmed through independent channels. If you cannot verify an airdrop through at least two independent sources, assume it is a scam.
The 4-Source Verification Method
Before connecting your wallet to any claim site, verify the URL through these sources:
| Source | How to Verify | Trust Level |
|---|---|---|
| Official project docs | Find the claim URL in the project’s documentation site (e.g., docs.arbitrum.io) | Highest |
| Verified X/Twitter account | Check the pinned tweet or bio link — but verify the account itself is not compromised | High |
| Blog/announcement page | Legitimate projects announce claims on their official blog with the exact URL | High |
| Community confirmation | Cross-reference in the project’s Discord/Telegram (using caution — these can be compromised) | Medium |
The critical rule: never click a link from an ad, DM, or email to reach a claim page. Always navigate manually. Type the project’s known domain directly into your browser, find the airdrop announcement on their official site, and use the link provided there.
Checking Claim Contracts On-Chain
Legitimate airdrops use publicly verifiable claim contracts. You can — and should — inspect the contract before interacting with it:
- Find the contract address: Legitimate projects publish their claim contract address in documentation or GitHub repos.
- Verify on a block explorer: Paste the address into Etherscan, Arbiscan, or the relevant explorer. Check if the contract is verified (source code published).
- Review the code: Look at the
claim()function. A legitimate claim function transfers tokens from the contract to the caller. It should not callapprove(),permit(), or interact with arbitrary external contracts. - Check the contract’s transaction history: A legitimate claim contract will have many incoming transactions from eligible users. A scam contract may have very few interactions or show transfers going to a single suspicious address.
For a deeper dive into reading contract data on-chain, see our guide on reading smart contract events.
The Burner Wallet Strategy
Even with verification, the safest practice for claiming airdrops is to use a burner wallet:
- Create a fresh wallet with no prior transaction history
- Send only enough gas (e.g., $5 of ETH) to cover the claim transaction
- Claim the airdrop using this wallet
- Transfer the claimed tokens to your main wallet
If the claim site turns out to be a scam, the attacker can only drain the burner wallet — which contains $5 of gas money. Your main holdings remain safe.
Red Flags Checklist
Memorize these signs. If you encounter any of them, close the tab immediately:
| Red Flag | Why It’s Suspicious |
|---|---|
| Claim site URL does not match official domain | Typosquatting is the #1 attack vector |
| Site asks you to sign a message before claiming | May be a permit signature (token approval in disguise) |
Wallet shows EIP-712 fields: spender, value, deadline | These are permit parameters — signing grants token spending rights |
| ”Limited time! Claim now before it expires!” | False urgency prevents careful verification |
| Promoted via Google Ad or unsolicited DM/Email | Legitimate projects do not need ads for airdrop claims |
| Site has no link to official docs/GitHub/Discord | Real projects cross-link their ecosystem pages |
| Token appeared in wallet without action | Unsolicited airdrops are bait — do not interact |
| Discord mod you’ve never seen before posts a link | Discord takeovers are common — verify with known mods |
| Claim requires multiple signatures or approvals | Legitimate claims need one transaction: the claim itself |
| Domain registered recently (check WHOIS) | Scam domains are often registered days before the attack |
Tools for Detecting Airdrop Scams
Several tools help identify malicious sites and tokens before you interact with them:
Browser Extensions
| Tool | What It Does | Cost |
|---|---|---|
| Wallet Guard | Flags known phishing sites and malicious signatures in real-time | Free |
| Pocket Universe | Simulates transactions before you sign, showing exactly what will happen | Free |
| Blockaid | Pre-transaction security scanning integrated into several wallets | Free (wallet-integrated) |
| Rabby Wallet | Built-in transaction simulation that warns about permit phishing and malicious approvals | Free |
| Scam Sniffer Dashboard | Tracks known drainer addresses and phishing domains | Free |
On-Chain Analysis Tools
- Etherscan Token Checker: Before interacting with any token, search its contract address on Etherscan. Check the holder count, transaction volume, and contract source. Scam tokens often have very few holders and suspicious transfer patterns.
- revoke.cash: Review and revoke all token approvals across multiple chains. If you suspect you may have approved a malicious contract, revoke immediately.
- Arkham Intelligence: Trace the flow of funds from suspicious addresses. If a claim contract sends tokens to known scammer wallets, it is compromised.
- Address Risk Scoring: Our address risk scoring tool checks any wallet or contract against known threat databases, including flagged phishing addresses and sanctioned entities. For a detailed walkthrough, see the address risk scoring guide.
For a broader overview of wallet-draining detection methods, see our guide on how to spot wallet drainers.
What to Do If You’ve Been Scammed
If you realize you’ve connected to a fake airdrop site or signed a suspicious transaction, act immediately:
Step 1 — Disconnect: Remove the site’s wallet connection. In MetaMask, go to “Connected sites” and remove it. This stops further automated prompts.
Step 2 — Move assets: Transfer all tokens and ETH from the compromised wallet to a fresh, unused wallet address. If you signed a permit, the attacker can execute it at any time — speed is critical. Do not wait to investigate; move first, investigate later.
Step 3 — Revoke approvals: Go to revoke.cash and revoke all outstanding token approvals on the compromised wallet. Even if you’ve moved assets, revoking prevents the attacker from using any lingering approvals.
Step 4 — Report: Report the scam address to:
- The project’s official security team (via their official Discord/Telegram)
- Chainabuse.com (shared blockchain abuse database)
- Etherscan (flag the address)
- Scam Sniffer (helps others avoid the same drainer)
Step 5 — Trace stolen funds: If tokens were already drained, use on-chain forensics to track where they went. See our guide on how to track stolen crypto for techniques including transaction graph analysis, mixer detection, and exchange cash-out identification.
The Hard Truth About Recovery
Recovering stolen crypto is extremely difficult. Once funds reach a mixer like Tornado Cash or are bridged across multiple chains, tracing becomes exponentially harder. Law enforcement (FBI IC3, local cybercrime units) can subpoena exchange records if stolen funds reach a centralized exchange’s deposit address, but this process takes months and recovery is not guaranteed. The best strategy is prevention.
Limitations of On-Chain Airdrop Scam Detection
On-chain analysis is powerful but not omnipotent. Be aware of these limitations:
- New drainer contracts: Wallet-draining kits deploy fresh contracts constantly. Address blocklists may not catch brand-new scam contracts that have no history.
- Zero-knowledge scams: Some advanced drainers route funds through privacy tools, making on-chain tracing nearly impossible after the initial drain.
- Social engineering bypass: No on-chain tool can detect a perfectly replicated website or a compromised social account. The scam succeeds at the human layer before any on-chain signal is generated.
- Cross-chain complexity: Scammers frequently bridge stolen funds across chains (Ethereum to Solana to a privacy chain), fragmenting the trail across networks with different analysis tools and data availability.
- Gas-focused dusting: Some dusting campaigns are purely for address clustering and deanonymization, not immediate theft — the scam comes later, in a second stage.
Frequently Asked Questions
Q: I received a token I didn’t ask for. What should I do?
A: Nothing. Do not swap it, transfer it, approve it, or click any link in its name. Unsolicited tokens are either dusting attacks (for tracking) or bait for phishing sites. Hide the token in your wallet interface and ignore it. If you want to be safe, use a fresh wallet for future transactions.
Q: How can I tell if an airdrop claim site is real?
A: Verify the URL through the project’s official documentation, blog, or verified X account — not through the link that brought you to the site. Check the domain on WHOIS: legitimate project domains are usually registered months or years in advance; scam domains are registered days before the attack. Cross-reference the contract address on a block explorer with the address published in the project’s GitHub or docs.
Q: I signed a message on an airdrop site. Am I compromised?
A: If the message was a standard authentication sign-in (no EIP-712 typed data with spender/value fields), you are likely fine. If you saw fields like spender, value, or allowed in the signing prompt, or if you are unsure, treat it as compromised: move all assets to a fresh wallet immediately and revoke all approvals on revoke.cash.
Q: Do hardware wallets protect against airdrop scams?
A: Partially. A hardware wallet requires physical button confirmation for transactions and displays signature data on its screen, giving you a chance to review before approving. However, if you approve a malicious permit without reading the on-device display, the attack still succeeds. Hardware wallets add a verification layer but do not replace careful review.
Q: Are airdrops worth the risk?
A: Legitimate airdrops can be highly valuable — retroactive airdrops from projects like Arbitrum, Uniswap, and Jupiter distributed thousands of dollars per eligible wallet. The risk is not in the airdrops themselves but in the scam infrastructure built around them. By following the verification rules above (official sources only, burner wallets, no signing on unfamiliar sites), you can claim legitimate airdrops while keeping your assets safe.
Q: Can I get my money back after an airdrop scam?
A: Recovery is rare. If the stolen funds reach a centralized exchange, law enforcement can potentially freeze them, but this requires filing reports with the FBI (IC3), local cybercrime authorities, and the exchange’s compliance team. The process takes months and success is not guaranteed. Prevention through verification and burner wallets is the only reliable strategy.
Key Takeaways
- Fake claim sites powered by wallet-draining kits (Inferno Drainer, Pink Drainer) are the primary attack vector — they have collectively stolen over $100 million from airdrop seekers.
- Permit signature phishing is the most dangerous technique because it requires no gas and produces no visible transaction — always check for
spenderandvaluefields before signing. - Unsolicited tokens in your wallet are bait — never interact with them.
- Verify through official sources only — never follow links from ads, DMs, or emails to claim pages.
- Use a burner wallet for all airdrop claims to limit exposure to a few dollars of gas money.
- On-chain analysis tools (block explorers, revoke.cash, address risk scoring) add verification layers but cannot replace human caution.
For related reading on protecting yourself in crypto, see our guides on avoiding crypto phishing scams, token approval safety, and address poisoning attacks.