
Airdrop Phishing: Spotting & Avoiding Fake Airdrop Scams

The lure of “free tokens” often hides a phishing trap. Learn how fake airdrops and malicious approvals work, plus ten red flags to help you stay safe.

Lin An · Digital Asset Security Analyst · Jun 1, 2026 · 9 min read

Free tokens dropped straight into your wallet sound like the easiest money in crypto. That is exactly why airdrop phishing has become one of the most effective ways for scammers to empty wallets. The bait is greed, the weapon is a single malicious signature, and the result is irreversible: your assets are transferred out the moment you approve a contract you never bothered to read.

This article breaks down the fake-airdrop playbook step by step—how a "claim your reward" page quietly turns into a draining authorization, the ten red flags that should make you close the tab immediately, and exactly how to revoke dangerous approvals before they cost you. Keep one principle in mind throughout: in a phishing attack you rarely "lose" your funds by handing over a password. You lose them by signing something you didn't understand.

How Airdrop Phishing Actually Works

A legitimate airdrop usually requires nothing more than holding a wallet address; the tokens simply appear, and you never sign anything to receive them. A phishing airdrop inverts this. The "claim" is the trap, and the signature you make is the theft.

The typical flow looks like this:

  1. The hook: You see a tweet, Telegram message, Discord ping, or even a mysterious token already sitting in your wallet, telling you that you're eligible for a valuable airdrop.
  2. The fake site: A link leads to a slick page that mimics a real project—right logo, right colors, a countdown timer to create urgency.
  3. Connect wallet: You connect MetaMask or another wallet. So far, nothing is stolen—connecting alone is usually harmless.
  4. The malicious signature: To "claim," you're asked to sign a transaction or approve a token. This is the kill switch.
  5. The drain: The approval grants a scammer-controlled contract permission to move your tokens. Minutes or weeks later, an automated bot calls transferFrom and your balance is gone.

The Two Signatures That Drain You

Most airdrop drains rely on one of two mechanisms:

  • approve / setApprovalForAll: You grant a contract permission to spend a token (or an entire NFT collection) on your behalf. Set to an unlimited amount, this lets the attacker drain that token whenever they choose.
  • Permit / Permit2 signatures: A newer trap. Instead of an on-chain approval, you sign an off-chain message. It looks harmless—no gas, no obvious transaction—but it authorizes a transfer just the same. Many victims never realize they "signed" anything dangerous.

Security warning: A signature request that doesn't cost gas is not automatically safe. Off-chain Permit signatures are the silent version of an approval and have drained countless wallets. Read every signature prompt; if you can't explain what it does, reject it.
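
Both mechanisms can be recognised from what the wallet is actually asked to sign. The sketch below is an added example, not code from the original article or from any wallet: it decodes approve / setApprovalForAll calldata and checks an EIP-712 message for a Permit-style primaryType. The function names, risk labels and sample addresses are assumptions made for illustration.

```javascript
const MAX_UINT256 = (1n << 256n) - 1n;
const SELECTORS = {
  "095ea7b3": "approve",           // approve(address,uint256)
  "a22cb465": "setApprovalForAll", // setApprovalForAll(address,bool)
};

// Split ABI-encoded calldata into a 4-byte selector and 32-byte argument words.
function decodeCalldata(data) {
  const hex = data.toLowerCase().replace(/^0x/, "");
  const words = hex.slice(8).match(/.{64}/g) || [];
  return { fn: SELECTORS[hex.slice(0, 8)], words };
}

// On-chain request: grade a transaction's calldata (hypothetical risk labels).
function classifyTransaction(data) {
  const { fn, words } = decodeCalldata(data);
  if (!fn || words.length < 2) return { risk: "unknown", reason: "not a recognised approval call" };
  const spender = "0x" + words[0].slice(24); // address is the low 20 bytes of the word
  const value = BigInt("0x" + words[1]);
  if (fn === "setApprovalForAll") {
    return value === 1n
      ? { risk: "high", reason: `operator ${spender} gets the whole collection` }
      : { risk: "low", reason: `operator ${spender} is being revoked` };
  }
  if (value === 0n) return { risk: "low", reason: `allowance for ${spender} set to zero` };
  if (value === MAX_UINT256) return { risk: "high", reason: `unlimited allowance for ${spender}` };
  return { risk: "medium", reason: `allowance of ${value} for ${spender}` };
}

// Off-chain request: EIP-712 typed data. No gas is involved, yet it authorises spending.
function classifyTypedData(typed) {
  if (/^Permit/.test(typed.primaryType || "")) {
    const spender = typed.message && typed.message.spender;
    return { risk: "high", reason: `gasless ${typed.primaryType} authorising ${spender}` };
  }
  return { risk: "unknown", reason: "not a Permit-style message" };
}

// Constructed samples; the addresses are placeholders, not real contracts.
const SPENDER = ("0".repeat(32) + "deadbeef").padStart(64, "0");
const unlimitedApprove = "0x095ea7b3" + SPENDER + "f".repeat(64);
const approveAll = "0xa22cb465" + SPENDER + "1".padStart(64, "0");
const permitMsg = {
  primaryType: "Permit",
  message: { owner: "0x" + "11".repeat(20), spender: "0x" + "0".repeat(32) + "deadbeef", value: MAX_UINT256.toString() },
};
```

An "unknown" result means the request was not recognised, not that it is safe; the rule from the warning above still applies.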

Ten Red Flags of a Fake Airdrop

Memorize these. If a single one is present, slow down. If two or more are present, walk away.

| # | Red Flag | Why It's Dangerous |
|---|----------|--------------------|
| 1 | A random token "appears" in your wallet with a website name in it | Dust tokens are bait designed to lure you to a phishing site |
| 2 | You must sign or approve to "claim" | Real airdrops rarely require an approval to receive |
| 3 | Urgent countdown ("expires in 2 hours") | Manufactured urgency to stop you from thinking |
| 4 | Link came via DM, group chat, or comment reply | Scammers flood social channels with cloned links |
| 5 | URL is slightly misspelled or uses a strange domain | Typo-squatting (e.g. uníswap, claim-arbitrum.net) |
| 6 | Asks you to "verify" your wallet or sync your seed phrase | No legitimate site ever needs your seed phrase |
| 7 | Promises a value far higher than realistic | High reward, low effort = bait |
| 8 | The signature popup requests setApprovalForAll or unlimited spend | Grants sweeping control over your assets |
| 9 | "Connect a second wallet to unlock more" | Designed to drain multiple wallets at once |
| 10 | No official announcement from the project's verified accounts | Real airdrops are announced through official channels |

Most of these overlap with the broader patterns covered in The Most Common Crypto Scams and the cloned-site tactics in How to Identify Fake Wallets and Phishing Sites. Airdrop phishing is simply one specialized branch of the same tree.

How to Revoke Malicious Approvals

If you suspect you've signed a bad approval—or you simply want to clean up old ones—revoking is your first line of defense. Revoking removes a contract's permission to spend your tokens.

Step-by-Step Revocation

  1. Use a trusted approval checker. The most common is revoke.cash; many block explorers (Etherscan, BscScan, Tronscan) also have a built-in "Token Approvals" tab. Always type the URL yourself rather than clicking a search ad.
  2. Connect your wallet to the approval tool—connecting alone does not grant spending rights.
  3. Review the list of contracts that currently have permission to move your tokens. Look for unfamiliar contracts and any with unlimited allowances.
  4. Revoke the suspicious ones. This is an on-chain transaction, so you'll pay a small gas fee for each revocation.
  5. Confirm in the tool that the allowance now reads zero.

Revoking an approval stops future theft, but it does not reverse a transfer that already happened. If a drainer has already moved your tokens, revoking only prevents further losses on what remains.
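
Steps 3 and 5 amount to replaying a wallet's approval events and keeping the latest state for each token and spender. The sketch below is an added example, not code from the original article or from any approval tool; it runs over constructed, already-decoded logs, and the placeholder addresses, field names and function names are assumptions.

```javascript
const UNLIMITED = (1n << 256n) - 1n;

// Constructed logs in block order. ERC-20 tokens emit Approval(owner, spender, value);
// NFT collections emit ApprovalForAll(owner, operator, approved). The operator is
// stored in the `spender` field here so both event kinds share one shape.
const sampleLogs = [
  { block: 100, token: "0xTokenA", event: "Approval", owner: "0xMe", spender: "0xDex", value: 500n },
  { block: 120, token: "0xTokenA", event: "Approval", owner: "0xMe", spender: "0xClaimSite", value: UNLIMITED },
  { block: 130, token: "0xNftB", event: "ApprovalForAll", owner: "0xMe", spender: "0xClaimSite", approved: true },
  { block: 150, token: "0xTokenA", event: "Approval", owner: "0xMe", spender: "0xDex", value: 0n },
  { block: 160, token: "0xTokenA", event: "Approval", owner: "0xOther", spender: "0xClaimSite", value: 9n },
];

// Later events overwrite earlier ones for the same (token, spender) pair.
function liveApprovals(logs, owner) {
  const state = new Map();
  for (const log of [...logs].sort((a, b) => a.block - b.block)) {
    if (log.owner !== owner) continue;
    const key = `${log.token}|${log.spender}`;
    const active = log.event === "ApprovalForAll" ? log.approved : log.value > 0n;
    if (!active) { state.delete(key); continue; } // value 0 or approved=false is a revocation
    state.set(key, {
      token: log.token,
      spender: log.spender,
      scope: log.event === "ApprovalForAll" ? "entire collection"
        : log.value === UNLIMITED ? "unlimited" : `up to ${log.value}`,
    });
  }
  return [...state.values()];
}

// Step 3: entries to look at first (unlimited allowances, collection-wide operators).
function needsReview(approvals) {
  return approvals.filter(a => a.scope === "unlimited" || a.scope === "entire collection");
}

// Step 5: once the revocation event is in the log, the pair must no longer be live.
function isRevoked(logs, owner, token, spender) {
  return !liveApprovals(logs, owner).some(a => a.token === token && a.spender === spender);
}
```

The last approved amount is an upper bound rather than the remaining allowance, because spending through transferFrom reduces the allowance; reading the allowance from the token contract gives the exact figure.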

When the Wallet Itself Is Compromised

Revoking helps when the attacker only has an approval. But if you ever entered your seed phrase on a fake site, the attacker has full control of the wallet—revoking is pointless. In that case, immediately move all remaining assets to a brand-new wallet whose seed phrase has never touched any site, and abandon the old one. Review the Seed Phrase Backup Guide to understand why a leaked phrase can never be "secured" again.

Safe Habits That Prevent Airdrop Phishing

Prevention is far cheaper than recovery. Build these habits into your routine:

  • Treat unexpected tokens as toxic. Don't interact with them, don't visit any site named in them, and don't try to sell them.
  • Never sign what you can't read. If a signature prompt is opaque, reject it. Use a wallet that decodes transactions in plain language when possible.
  • Avoid unlimited approvals. When you must approve, set a specific amount instead of "unlimited" whenever the interface allows.
  • Use a "burner" wallet for airdrop hunting. Keep a separate wallet with minimal funds for connecting to new dApps, and keep your main holdings elsewhere.
  • Store long-term assets in cold storage. A hardware wallet that never connects to random sites can't be drained by a phishing approval. See Hot Wallet vs. Cold Wallet for the layered approach.
  • Verify announcements at the source. Cross-check any airdrop against the project's official website and verified social accounts before touching it.
  • Review your approvals monthly. Make revoke.cash a regular habit, the way you'd review bank statements.

FAQ

Are all airdrops scams?

No. Many legitimate projects have distributed real, valuable airdrops. The danger isn't the concept of airdrops—it's the claim process. A genuine airdrop almost never asks you to sign an approval or connect to an unknown site to receive it. When in doubt, wait, verify through official channels, and never let urgency push you into signing.

I connected my wallet to a suspicious site but didn't sign anything. Am I safe?

In most cases, simply connecting a wallet reveals only your public address—it does not grant spending rights. The danger begins when you approve a token or sign a message. If you only connected and then disconnected without confirming any signature, you are very likely fine. To be safe, check your approvals and watch for any unexpected outgoing transactions.

How can I tell if a signature request is dangerous?

Look at what the wallet popup actually says. Be especially cautious of approve with an unlimited amount, setApprovalForAll, and off-chain Permit / Permit2 messages. If the request is for "claiming" an airdrop yet asks for spending permission over your tokens, that is a contradiction—legitimate claims don't need control over your existing balance. When the wording is unclear, the correct answer is always reject.

Risk note: This article is for security education only and does not constitute investment advice. Airdrop phishing tactics evolve constantly, and once assets leave your wallet the transfer is irreversible. Never sign what you don't understand, keep large holdings in cold storage, and verify every airdrop through official sources before interacting.

This article was written by Lin An (Digital Asset Security Analyst) for LinkUp Crypto. It is for education and reference only and does not constitute investment, financial, or legal advice. Digital-asset prices are highly volatile and investing carries risk — participate responsibly and follow local laws.
