In our previous guide on Web3 security, we covered the topic of multisig phishing, discussing the mechanics of multisig wallets, how attackers exploit them, and how to safeguard your wallet from malicious signatures. In this installment, we’ll delve into a widely used marketing tactic in both traditional and crypto industries — airdrops.
Airdrops can quickly propel a project from obscurity into the spotlight, helping it rapidly build a user base and enhance market visibility. Typically, users participate in Web3 projects by clicking links and interacting with the project to claim airdropped tokens. However, from counterfeit websites to tools laced with backdoors, hackers have set traps throughout the airdrop process. This guide will analyze common airdrop scams to help you avoid these pitfalls.
An airdrop occurs when a Web3 project distributes free tokens to specific wallet addresses to increase its visibility and attract early users. This is one of the most direct methods for projects to gain a user base. Airdrops can generally be categorized into the following types based on how they are claimed:
Task-Based: Completing tasks specified by the project, such as sharing content or liking posts.
Interaction-Based: Performing actions like token swaps, sending/receiving tokens, or cross-chain operations.
Holding-Based: Holding specified tokens from the project to qualify for the airdrop.
Staking-Based: Earning airdropped tokens through single or dual-asset staking, providing liquidity, or long-term token lock-up.
Airdrop scams can be broken down into several types:
“Free” Airdrop Tokens
While most airdrops require users to complete tasks, there are instances where tokens appear in your wallet without any action on your part. Hackers often airdrop worthless tokens or NFTs to your wallet, hoping you will interact with them by transferring, viewing, or attempting to trade them on a decentralized exchange. When you attempt to interact with these scam NFTs, you may encounter an error message prompting you to visit a website to “unlock your item.” This is a trap that leads to a phishing site.
If a user visits the phishing website linked by a Scam NFT, the hacker may perform the following actions:
Conduct a “zero-cost purchase” of valuable NFTs (refer to the “zero-cost purchase” NFT phishing analysis).
Steal high-value tokens through Approve authorization or Permit signatures.
Transfer out the user’s native assets.
Next, let’s examine how hackers can steal users’ gas fees through a carefully designed malicious contract.
First, the hacker created a malicious contract named GPT on the Binance Smart Chain (BSC) at address 0x513C285CD76884acC377a63DC63A4e83D7D21fb5 and lured users to interact with it by airdropping tokens.
When users interact with this malicious contract, they are prompted to approve the contract’s use of tokens in their wallet. If the user approves this request, the malicious contract automatically increases the gas limit based on the user’s wallet balance, leading to higher gas consumption in subsequent transactions.
By exploiting the high gas limit provided by the user, the malicious contract uses the excess gas to mint CHI tokens (CHI tokens can be used for gas compensation). After accumulating a large number of CHI tokens, the hacker can burn these tokens to receive a gas refund when the contract is destroyed.
https://x.com/SlowMist_Team/status/1640614440294035456
Through this method, the hacker cleverly profits from the user’s gas fees, while the user may be unaware that they have paid extra gas fees. The user initially expected to profit from selling the airdropped tokens but ended up losing their native assets instead.
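The two warning signs in the scam above, an approval that hands a contract control of a token balance and a gas limit far above what the call actually needs, can both be checked before a transaction is signed. The following JavaScript is an added example (not code from the original guide or from SlowMist) of such a pre-signing review; the spender, token and gas estimate values are constructed placeholders.

```javascript
// Added example (not from the original post): review a transaction a dApp
// asks the wallet to sign, flagging unlimited token approvals and an
// inflated gas limit before the user confirms it.
// Selectors are the first 4 bytes of keccak256(signature); these are the
// standard ERC-20 / ERC-721 ones.
const APPROVE = "095ea7b3";              // approve(address,uint256)
const SET_APPROVAL_FOR_ALL = "a22cb465"; // setApprovalForAll(address,bool)
const MAX_UINT256 = (1n << 256n) - 1n;

// i-th 32-byte ABI word after the 4-byte selector, as a hex string
function word(data, i) {
  return data.slice(8 + i * 64, 8 + (i + 1) * 64);
}

// tx: {to, data, gas} as proposed by the dApp; estimatedGas: the node's
// eth_estimateGas result; gasSlack: allowed ratio above that estimate.
function reviewTransaction(tx, estimatedGas, gasSlack = 1.5) {
  const findings = [];
  const data = (tx.data || "0x").replace(/^0x/, "").toLowerCase();
  const selector = data.slice(0, 8);
  if (data.length >= 8 + 2 * 64) {
    const addr = "0x" + word(data, 0).slice(24); // address is right-aligned
    const arg1 = BigInt("0x" + word(data, 1));
    if (selector === APPROVE && arg1 === MAX_UINT256) {
      findings.push(`unlimited ERC-20 approval to ${addr}`);
    } else if (selector === SET_APPROVAL_FOR_ALL && arg1 === 1n) {
      findings.push(`setApprovalForAll grants ${addr} every NFT in ${tx.to}`);
    }
  }
  // An honest dApp proposes a gas limit close to the estimate; anything far
  // above it is surplus the called contract can burn (e.g. minting CHI).
  const gasLimit = BigInt(tx.gas);
  const ceiling = BigInt(Math.ceil(estimatedGas * gasSlack));
  if (gasLimit > ceiling) {
    findings.push(`gas limit ${gasLimit} exceeds ${gasSlack}x estimate (${estimatedGas})`);
  }
  return findings;
}

// Constructed sample: a dApp requests an unlimited approval with a 3,000,000
// gas limit although the node estimates about 46,000 gas for an ERC-20 approve.
const pad = (hex) => hex.replace(/^0x/, "").toLowerCase().padStart(64, "0");
const SPENDER = "0x1111111111111111111111111111111111111111"; // placeholder
const TOKEN = "0x2222222222222222222222222222222222222222";   // placeholder
const SAMPLE_TX = { to: TOKEN, data: "0x" + APPROVE + pad(SPENDER) + "f".repeat(64), gas: "0x2dc6c0" };
const SAMPLE_FINDINGS = reviewTransaction(SAMPLE_TX, 46000);
console.log(SAMPLE_FINDINGS);
```

A wallet or browser plugin would surface these findings in the confirmation dialog; a native-asset transfer with no calldata only gets the gas check.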
https://x.com/evilcos/status/1593525621992599552
During the process of claiming airdrops, some users need to download plugins for tasks such as translation or checking the rarity of tokens. However, the security of these plugins is questionable, and some users do not download them from official sources, significantly increasing the risk of downloading plugins with backdoors.
Additionally, we’ve noticed online services that sell scripts for claiming airdrops, claiming to automate batch interactions efficiently. However, please be aware that downloading and running unverified and unreviewed scripts is extremely risky, as you cannot be certain of the script’s source or its actual functions. These scripts may contain malicious code, posing potential threats such as stealing private keys or seed phrases, or performing other unauthorized actions. Moreover, some users, when engaging in these types of risky operations, either do not have antivirus software installed or have it disabled, which can prevent them from detecting if their device has been compromised by malware, leading to further damage.
In this guide, we’ve highlighted the various risks associated with claiming airdrops by analyzing common scam tactics. Airdrops are a popular marketing strategy, but users can reduce the risk of asset loss during the process by taking the following precautions:
Verify Thoroughly: Always double-check URLs when visiting airdrop websites. Confirm them through official accounts or announcements, and consider installing phishing risk detection plugins like Scam Sniffer.
Use Segregated Wallets: Keep only small amounts of funds in wallets used for airdrops, while storing larger amounts in a cold wallet.
Be Cautious with Unknown Airdrops: Do not interact with or approve transactions involving airdrop tokens from unknown sources.
Check Gas Limits: Always review the gas limit before confirming a transaction, especially if it seems unusually high.
Use Reputable Antivirus Software: Keep real-time protection enabled and regularly update your antivirus software to ensure the latest threats are blocked.