Fake Crypto Airdrop Scams: How They Work and How to Spot Them
You open your wallet one morning and see $400 worth of tokens you didn't buy. The instinct is to figure out what they are and sell them. That's what the scam is counting on.
Fake airdrop scams are sent to thousands of wallets at once โ often targeting wallets that have interacted with DeFi protocols, because those wallets are more likely to know how to sell tokens and more likely to have larger balances. The tokens look real. Sometimes they show a dollar value. They're designed to create urgency.
The core rule: if you didn't know a token was coming, don't interact with it. Tokens sitting in your wallet are inert. The trap only springs when you try to do something with them.
How fake airdrops actually drain wallets
There are several mechanisms, and they vary in sophistication:
- โขMalicious token contracts โ the token has a custom transfer function that triggers additional logic when you try to sell. Interacting with the contract executes an approval for a drainer.
- โขClaim sites โ the token's description or a metadata URL says "visit [site] to claim more tokens." The site is a phishing page that asks you to connect and sign an approval.
- โขFake DEX listings โ the token appears on DexTools or DexScreener with a chart that looks real. You try to buy more or sell via a link in the token's page. That link goes to a drainer.
- โขSocial engineering follow-up โ the token drop is the first step; someone messages you later pretending to be support for the project, offering to help you claim your "reward."
What legitimate airdrops actually look like
Real airdrops from legitimate projects have a paper trail. Uniswap announced their UNI airdrop on their official blog, with a snapshot date and claim instructions on app.uniswap.org โ a URL that existed before the airdrop. ENS, Optimism, and Arbitrum did the same.
The pattern: project you already use โ public announcement โ tokens claimable at the project's existing official URL. Not: unknown project โ tokens appear โ claim at a new URL you've never heard of.
If you think you might have received a real airdrop from a project you use, find the claim process through the project's official website directly โ not through any link in the token's metadata.
The dust attack variant
A related technique is "dusting" โ sending tiny amounts of a real cryptocurrency (usually well under a dollar) to your wallet. This isn't a direct theft attempt. Instead, if you later consolidate these small amounts with your main balance in a transaction, the attacker can potentially use transaction analysis to link your addresses together and de-anonymize your holdings.
The response is the same: don't interact. The dust amounts are too small to be worth selling anyway.
Frequently asked questions
Can fake airdrop tokens hurt me if I don't touch them?
No. Tokens sitting in your wallet are inert โ they can't do anything on their own. The danger only exists when you try to interact with them. Leave them alone.
How do fake airdrop tokens trigger a drain?
Either through malicious contract logic that executes when you try to swap them, or by directing you to a phishing site that asks for a wallet approval. Both require you to take an action first.
How can I tell if an airdrop is legitimate?
Legit airdrops are from projects you already use, announced on their official channels before distribution, and claimed at a URL that existed before the announcement. Random tokens from unknown projects with new claim sites are scams.
Understand what you're signing before it's too late
GuardianAI explains every MetaMask transaction before you confirm it โ including approvals triggered by fake airdrop claim sites. It tells you who's asking, what they get access to, and whether it looks suspicious. Free Chrome extension.
Get GuardianAI โ It's Free