What is AirdropIn the cryptocurrency industry, to increase project visibility and attract initial users, project teams often give users a portion of project tokens for free, a practice known as “airdrop.” Depending on how the airdrop is acquired, common types include task-based airdrops, content interaction airdrops, holder airdrops, and staking airdrops. Airdrop is a widely used marketing strategy in the cryptocurrency industry, where project teams distribute their tokens to users who meet certain conditions to increase awareness and promote the new token.
Common Airdrop ScamsFake AirdropsSome sophisticated hackers can steal official accounts of project teams to conduct fake airdrops. We often see security alerts on information platforms saying, “Account X of a certain project has been compromised, please do not click on phishing links posted by hackers.” According to statistics, in just the first half of 2024, there have been 27 incidents of project account breaches. Unaware users tend to trust official accounts and do not suspect their authenticity, leading to falling victim to scams.Furthermore, scam teams also use fake accounts to post false information in the comments section of official accounts, enticing users to participate in claiming fake airdrops. Sometimes, after the official announcement of an airdrop, these fake accounts immediately follow up by posting numerous updates containing phishing links, luring users to click. If users enter their private keys or grant permissions on phishing websites, their assets may be at risk of being stolen.Source:Ray80230
Private Key ExposureA private key is a string of characters used to control encrypted assets, and anyone possessing the private key has full control over the corresponding encrypted assets. If a private key is compromised, attackers can access, transfer, and manage a user’s assets without authorization, leading to financial losses for the user.Many scam teams lurk within Web3 project groups, targeting users under the guise of teaching them how to “claim airdrops” as bait. They induce users to download Trojan software to steal private keys. These software forms include but are not limited to mining scripts, games, conference software, unofficial scripts, airdrop bots, and more.Additionally, some scam teams establish fake communities or impersonate customer service in official communities, proactively reaching out to users under the pretext of teaching to coax them into revealing their private keys.Source:WoAS_Necksus
Unexpected WindfallsIn most projects, users typically need to meet certain conditions to receive airdrops. However, occasionally, there are instances of “unexpected windfalls,” which are often lures thrown by scam teams.Some scam teams airdrop tokens of no actual value into users’ wallets. When users see these tokens in their wallets, they might mistakenly believe it to be an unexpected windfall and attempt to interact with them. Since these tokens are often untraceable on legitimate platforms, users seeking to cash out may visit the so-called project’s official website. Following the website’s instructions and authorizing their wallets, users expect to sell these tokens. However, once authorized, all assets in the wallet are immediately stolen.Source: RallyHarry24
Malicious ContractsDuring airdrop campaigns, scam groups may create enticing airdrop contracts to lure users into participating. Once users interact with these malicious contracts, they could exploit the asset information in the user’s wallet, automatically adjusting the gas limit. This results in users paying higher gas fees, which can be difficult to detect promptly.Source:misttrack
Similar AddressesDue to the common practice of users relying on transaction histories for transfers and the length of wallet addresses, users typically only verify the beginning and end. Scam teams exploit this by creating addresses with matching initial and final digits to a user’s associated address through address collision. They then conduct zero-value or very small transactions with users who have been making frequent recent transfers, contaminating their transaction history. This tactic aims to trick users into copying the incorrect address from their transaction history for future transfers.Source:misttrack
Fraud Prevention GuideWhile most legitimate exchange platforms are equipped with security technologies to ensure users’ transaction safety, such as anomaly detection, intrusion detection, unfamiliar URL identification, and automated threat response, the landscape of airdrop projects is varied. Some projects have not yet been listed on reputable exchange platforms, and participation in airdrops often requires the use of multiple tools, leading to a higher probability of encountering risks. Therefore, users participating in airdrops can pay attention to the following points to safeguard their assets.
Wallet SecurityWhen engaging in cryptocurrency transactions, it is crucial to never expose wallet private keys or mnemonic phrases under any circumstances. Users can back up wallet private keys and mnemonic phrases in secure locations, such as offline or encrypted storage, and should avoid entering private keys and mnemonic phrases in suspicious circumstances.
Wallet SeparationTo mitigate risks, it is advisable to create a separate wallet for small transactions, specifically for airdrops, rather than store all assets in a single wallet.Depending on the type and purpose of assets, users can choose suitable wallet types, such as hardware wallets, software wallets, cold wallets, and hot wallets. Additionally, for managing substantial assets, consider using a multi-signature wallet to enhance security.Moreover, users can implement operational environment separation. If multiple devices are available, users can manage different wallets on different devices to prevent a security issue on one device from affecting all wallets.
Phishing PreventionWhen visiting airdrop websites, users should verify the correctness of the URL through the project’s official accounts or announcement channels. When installing software, downloading from official channels, checking the software’s source of download and avoiding installation packages from third-party websites. Furthermore, users can install anti-phishing plugins and antivirus software to assist in identifying and monitoring phishing website activities.