What are crypto airdrop scams and how do you avoid them?

The rise of crypto airdrop scams

Airdrop farming is popular because some projects distribute tokens to build awareness or reward users. Not all airdrops are legitimate, though. This guide explains what crypto airdrop scams are, common types to watch for, how to recognise warning signs, and the steps to take if you’ve been targeted.

What are airdrop scams?

Airdrop scams are fraudulent schemes that claim to distribute free tokens but aim to capture sensitive information or gain access to wallets. Scammers often mimic the look and tone of genuine campaigns run by real projects.

Legitimate airdrops may ask users to complete simple tasks (e.g., follow an official account, join a community, hold an eligible token). By contrast, scam campaigns try to collect private keys, seed phrases, passwords, or request actions that lead to wallet drainage or unauthorised payments. The sophistication varies, but the objective is the same: separate users from their data and funds.

Common types of airdrop scams

1. Phishing airdrops

Scammers build look-alike websites or profiles and share links by email, direct messages (DM), or posts. The page asks for wallet details or prompts a sign-in with a malicious connector. Entering information on these pages can hand over control of your accounts.

Example: Phish warning for TON coin

2. ‘Advance payment’ or ‘verification fee’ scams

A bogus campaign asks you to send a small amount of crypto to ‘verify’ your address or ‘cover gas fees’. After you pay, the promised tokens never arrive, or you are directed to connect your wallet to a malicious contract that can approve unlimited spending.

Example: NIGI warning about connecting to a malicious smart contract

3. Malware airdrops

Victims are persuaded to download a fake airdrop app, wallet, or tooling. The software may capture keystrokes, export seed phrases, or install remote-access malware.

Example: Official warning from Floki on X about scam airdrops

4. Impersonation scams

Attackers impersonate project teams, founders, or influencers to announce ‘exclusive airdrops’. They may use hacked or newly created accounts with similar handles and logos to appear authentic.

Example: Warning about a fake TON page

How to avoid airdrop scams

1. Verify authenticity

Check the official website and verified social channels of the project. Reputable campaigns are usually announced in multiple official places. If you saw the airdrop in a DM or community repost, find the original announcement yourself.

2. Never share private keys or seed phrases

No genuine airdrop will ever ask for these. Your seed phrase grants full control of your wallet. Sharing it can result in immediate loss of funds.

3. Research the project

Look for team transparency, a history of delivery, and a credible community presence. Be cautious with newly created domains or accounts with limited history.

4. Be wary of unsolicited messages

Treat surprise emails and DMs with care, especially those pushing you to act quickly. Cross-check any claim on the project’s official channels.

5. Use security software and safe browsing habits

Keep devices updated, use reputable antivirus or anti-malware tools, and consider a browser with strong phishing protection.

6. Check the URL and connection

Confirm the domain (spelling and characters), and look for HTTPS. Encrypted connections (sometimes known as SSL) alone does not guarantee legitimacy; malicious sites can also use it, so rely on official links.

7. Trust your instincts

If rewards seem unusually high or the tone is unusually urgent, step back and reassess.

What to do if you've been scammed

1. Report the incident

Inform the project’s official support, the platform where you encountered the scam (e.g., social network), and relevant consumer-protection or cyber-crime channels in your jurisdiction. Reporting helps others avoid harm.

2. Change passwords and strengthen sign-In

Update passwords for email, exchanges, and any linked services. Enable two-factor authentication (2FA) wherever possible. Where supported, consider moving to passkeys.

3. Revoke risky permissions

If you have connected your wallet, use your wallet’s permissions manager (or a reputable block explorer tool) to revoke suspicious token approvals and dapp access. Do this promptly.

4. Monitor accounts and wallets

Review recent activity for unauthorised transactions. If you see anything unusual, contact your wallet provider or exchange immediately.

5. Seek professional guidance

A security professional or relevant authority may be able to suggest further steps, including securing devices and documenting evidence.

6. Learn and share

Familiarise yourself with common tactics, and consider sharing a neutral account of what happened. Public awareness reduces the success rate of similar scams.

Scam red-flag checklist

Due diligence and do your own research

All examples listed in this article are for informational purposes only. You should not construe any such information or other material as legal, tax, investment, financial, cybersecurity, or other advice. Nothing contained herein shall constitute a solicitation, recommendation, endorsement, or offer by Crypto.com to invest, buy, or sell any coins, tokens, or other crypto assets. Returns on the buying and selling of crypto assets may be subject to tax, including capital gains tax, in your jurisdiction. Any descriptions of Crypto.com products or features are merely for illustrative purposes and do not constitute an endorsement, invitation, or solicitation.

Past performance is not a guarantee or predictor of future performance. The value of crypto assets can increase or decrease, and you could lose all or a substantial amount of your purchase price. When assessing a crypto asset, it’s essential for you to do your research and due diligence to make the best possible judgement, as any purchases shall be your sole responsibility.