Background

In our last Web3 Security Beginner’s Guide, we focused on phishing attacks involving multi-signatures, including how multi-signatures work, what causes them, and how to prevent your wallet from being exploited. This time, we’ll discuss a popular marketing tactic used in both traditional industries and the cryptocurrency space: airdrops.

Airdrops are a fast way for projects to gain visibility and quickly build a user base. When participating in Web3 projects, users are asked to click on links and interact with the team to claim tokens, but hackers have set up traps throughout the process. From fake websites to hidden malicious tools, the risks are real. In this guide, we’ll break down typical airdrop scams and help you protect yourself.

What is an Airdrop?

An airdrop is when a Web3 project distributes free tokens to specific wallet addresses to increase visibility and attract users. This is a straightforward way for projects to gain traction. Airdrops can be categorized based on how they are claimed:

• Task-based: Complete specific tasks like sharing, liking, or other actions.
• Interactive: Complete actions like exchanging tokens, sending/receiving tokens, or doing cross-chain operations.
• Holding-based: Hold certain tokens to be eligible for airdrops.
• Staking-based: Stake tokens, provide liquidity, or lock assets for a period to earn airdrop tokens.

Risks of Claiming Airdrops

Fake Airdrop Scams

Here are some common types of fake airdrop scams:

1. Hackers hijack a project’s official account to post fake airdrop announcements. We often see alerts like “The X account or Discord account of a certain project has been hacked. Please do not click on the phishing link posted by the hacker.” According to SlowMist’s 2024 report, there were 27 instances of hacked project accounts in the first half of the year alone. Users, trusting official accounts, click on these links and are taken to phishing websites disguised as airdrops. If you enter your private key or seed phrase or authorize any permissions on these sites, hackers can steal your assets.

1. Hackers use high-fidelity copies of project team accounts to post fake messages in the comments section of the official project account, enticing users to click on phishing links. The SlowMist security team previously analyzed this method and provided countermeasures (see Fake Project Teams: Beware of Phishing in the Comment Section of Imitation Accounts). Additionally, after the official project announces an airdrop, hackers quickly follow up by using imitation accounts to post many updates containing phishing links on social platforms. Many users, failing to identify the fake accounts, end up installing fraudulent apps or opening phishing websites where they perform signature authorization operations.

(https://x.com/im23pds/status/1765577919819362702)

1. The third scam method is even worse and is a classic scam. Scammers lurk in Web3 project groups, select target users, and carry out social engineering attacks. Sometimes, they use airdrops as bait, “teaching” users how to transfer tokens to receive airdrops. Users should remain vigilant and not easily trust anyone who contacts them as “official customer service” or claims to “teach” them how to operate. These individuals are most likely scammers. You may think you’re just claiming an airdrop, but end up suffering heavy losses.

“Free” Airdrop Tokens: Understanding the Risks

Airdrops are common in the crypto space, where users typically need to complete certain tasks to earn free tokens. However, there are malicious practices that take advantage of these opportunities. For example, hackers may airdrop tokens with no actual value into users’ wallets. These users may then attempt to interact with these tokens—transferring them, checking their value, or even trading them on decentralized exchanges. But, after reverse engineering a Scam NFT contract, we found that attempts to transfer or list the NFT fail, and an error message appears: “Visit website to unlock your item,” misleading users into visiting a phishing site.

If users fall for this and visit the phishing site, hackers can take several harmful actions:

• Bulk purchase of valuable NFTs through a “zero-cost” mechanism (refer to “Zero-Cost NFT Phishing“ for more details).
• Steal high-value token approvals or signature permits.
• Steal native assets from the user’s wallet.

Next, let’s look at how hackers use a carefully crafted malicious contract to steal users’ Gas fees. First, the hacker creates a malicious contract named GPT (0x513C285CD76884acC377a63DC63A4e83D7D21fb5) on BSC, using airdropped tokens to attract users to interact with it. When users interact with this malicious contract, a request pops up to approve the contract to use tokens in the user’s wallet. If the user approves this request, the malicious contract automatically increases the Gas limit based on the user’s wallet balance, causing subsequent transactions to consume more Gas fees.

Using the high Gas limit provided by the user, the malicious contract uses the extra Gas to mint CHI tokens (CHI tokens can be used for Gas compensation). After accumulating a large amount of CHI tokens, the hacker can burn these tokens to receive Gas compensation when the contract is destroyed.

(https://x.com/SlowMist_Team/status/1640614440294035456)

Through this method, the hacker cleverly profits from the user’s Gas fees, and the user may not even realize that they have paid additional Gas fees. The user initially thought they could profit by selling the airdropped tokens but ended up having their native assets stolen.

Backdoored Tools

(https://x.com/evilcos/status/1593525621992599552)

In the process of claiming airdrops, some users need to download plugins to translate or query token rarity, among other functions. The security of these plugins is questionable, and some users download them from unofficial sources, increasing the risk of downloading backdoored plugins.

Additionally, we’ve noticed online services selling airdrop scripts that claim to automate bulk interactions. While this sounds efficient, users should be cautious because downloading unverified scripts is extremely risky. You can’t be sure of the source or real functionality of the script. It may contain malicious code, potentially threatening to steal private keys or seed phrases or perform other unauthorized actions. Furthermore, some users execute such risky operations without antivirus software, which may lead to undetected Trojan infections, resulting in damage to their devices.

Summary

This guide mainly explained the risks associated with claiming airdrops by analyzing scams. Many projects now use airdrops as a marketing tool. Users can take the following measures to reduce the risk of asset loss during airdrop claims:

• Multi-Verification: When visiting an airdrop website, carefully check the URL. Confirm it through the official project account or announcement channels. You can also install phishing risk-blocking plugins (such as Scam Sniffer) to help identify phishing websites.
• Wallet Segmentation: Use a wallet with small funds for airdrop claims, and store large amounts in a cold wallet.
• Be Cautious with Airdropped Tokens: Be wary of airdropped tokens from unknown sources. Avoid authorizing or signing transactions hastily.
• Check Gas Limits: Pay attention to whether the Gas limit for transactions is unusually high.
• Use Antivirus Software: Use well-known antivirus software (such as Kaspersky, AVG, etc.) to enable real-time protection and ensure that virus definitions are up to date.

Disclaimer:

1. This article is reprinted from SlowMist Technology, copyright belongs to the original author [SlowMist Security Team]. If there are objections to this reprint, please contact the Gate Learn team, and they will handle it promptly.
2. Liability Disclaimer: The views and opinions expressed in this article are solely those of the author and do not constitute any investment advice.
3. The Gate Learn team translated the article into other languages. Copying, distributing, or plagiarizing the translated articles is prohibited unless mentioned.