"High-priced" airdrops set up cryptocurrency traps, authorization operations require caution

Author: Kyle

Editor: Wenda

Since DeFi protocols like Uniswap, 1inch, and dydx started distributing airdrop rewards to interactive users, on-chain users have become accustomed to the existence of airdrops. However, some unknown airdrops may drain users' wallets.

On September 10, investor A Fei encountered an airdrop scam. He discovered 750,000 Zepe tokens in his wallet, which was valued at over $100,000. A Fei thought it was a windfall, but when he found he couldn't sell them on a decentralized exchange, he logged onto the token's official website and authorized a transaction, only to have all the assets in his address drained.

On social networks, several users also reported falling into the same trap, with some losing as much as 70,000 USDT. Hive Finance found that the address accepting tokens from the Zepe contract recently transferred out 165,000 USDC and 13 BNB, suspected to be proceeds from the scam.

In fact, similar airdrop scams have been frequent recently, with many users discovering a large number of unknown tokens in their wallet addresses. Blockchain security firm PeckShield informed Hive Finance that these tokens typically fail to trade on commonly used DEXs, prompting users to visit the official website for exchanges. When users authorize transactions, they often grant the smart contract permission to transfer their account assets, leading to theft.

PeckShield advises users not to over-authorize when interacting with on-chain protocols, and to regularly revoke authorizations for infrequently used Dapps, while being cautious of fraudsters "changing their identities" to avoid asset loss.

Multiple Users Fall Victim to Zepe Airdrop Scam, Wallets Drained

On September 8, the decentralized derivatives protocol dYdX opened claims for airdrops to early users. As the DYDX token rose above $10, airdrop recipients saw considerable profits. Just as the wealth effect from dYdX was brewing on social networks, a trap baited with airdrops was quietly set.

Two days later, investor A Fei recounted his unfortunate experience of falling into the trap in a community. On September 10, when A Fei opened his blockchain wallet, he unexpectedly found 750,000 tokens named Zepe, which were valued at over $100,000.

Unaware of the danger, A Fei opened the website associated with the token and connected his wallet. According to other users, the token could not be sold on decentralized trading platforms, but the token's associated website provided a swap-like exchange page that supported converting Zepe.io into BNB. A Fei stated that after linking his wallet and authorizing the transaction, he did not receive any tokens, while thousands of CHESS tokens in his wallet were instead transferred away. It was only after noticing the missing tokens that A Fei realized he had fallen for a scam.

Fake exchange page of Zepe.io

What he thought was a windfall from the airdrop turned out to be a wallet drained. On social networks, multiple users also reported falling into the same airdrop trap, with some claiming to have lost assets totaling up to 70,000 USDT. Statistics show that the scammers cast a wide net, distributing tokens to numerous addresses across multiple blockchain networks such as BSC, HECO, and Matic, with many users reporting receiving the airdrop.

According to a review by blockchain security firm Armors, the contract corresponding to the token had not undergone code verification, and all authorization and transfer transactions failed. All failure notes required users to visit the corresponding website for withdrawals, and once users logged in to authorize their wallets, the tokens would be stolen.

Hive Finance found through blockchain explorers that the scammers' receiving address recently transferred out 165,000 USDC and 13 BNB, suspected to be proceeds from the scam.

In reality, there have been multiple airdrop scams recently. Many investors have reported a large number of unknown tokens appearing in their blockchain wallets, characterized by their large quantities and eye-catching nature. If users authorize contracts while attempting to sell these tokens, they may inadvertently grant the token issuer permission to transfer funds from their wallets, resulting in asset loss.

After successfully executing their scams, perpetrators often choose to mix tokens on decentralized exchanges and transfer them to other addresses for cashing out. Victims of similar scams often find it difficult to recover their funds.

Airdrop Scams Continually Evolve, Users Must Be Cautious with Contract Authorizations

Since blockchain is a public and transparent network, although all users' wallet addresses are anonymous, they are fully visible on the network, allowing anyone to send tokens to them. Generally, receiving tokens does not lead to wallet theft, but if users wish to sell the tokens, they may be drained at some step due to authorizing asset transfer permissions or exposing private keys.

In fact, similar scams have existed since 2019. At that time, a scam involving the airdrop of OMG tokens circulated on Telegram, where scammers claimed that users with ETH and OMG in their wallets could claim OMG airdrops for free based on their ETH balance at a ratio of 1:32 and OMG at 1:0.3. Many were tempted.

When users followed the steps to open the airdrop claim website, the page asked them to input their Ethereum wallet address and balance, which would not lead to asset theft. However, the page would then prompt users to enter their Ethereum wallet's private key to prove ownership of the wallet. The page also stated, "This is safe; we will not use, store, or collect your personal data (such as private keys), and no one can access your wallet." As a result, many users who entered their private keys soon found their assets transferred away. Clearly, this was a complete scam.

Fake airdrop website asking users to input their private keys

Today, with the development of DeFi, more and more users are starting to use on-chain wallets to manage their assets. Experienced users already know the common sense that "exposing private keys means losing exclusive control over the wallet," so scams asking for private keys have become less common. However, the perpetrators have not disappeared; instead, they have upgraded and evolved various scams, making it difficult for both new and old users to guard against.

Recently, some users encountered fake wallet scams. Scammers first create a pseudo-decentralized wallet resembling common wallets, and when users download and import their private keys, the private key information is leaked. Others lure users to transfer funds by offering high prices for tokens in communities. When users scan the QR code of the wallet provided, they are redirected to a third-party website. If they initiate a transfer and authorize on that site, their accounts will be stolen.

After several incidents of funds being stolen from addresses, many users have developed a sense of caution, typically not leaking their private keys and downloading blockchain wallets and exchanges only from official websites. However, as new users continuously enter the blockchain space, they often lack basic technical knowledge and are not well-versed in code contracts. When participating in DeFi projects or attempting to sell airdropped tokens, they often authorize unfamiliar contracts, and if scammers exploit the contracts, users are likely to lose all assets in their addresses.

So, how do scammers transfer users' assets through contracts?

Blockchain security firm PeckShield informed Hive Finance that the token authorization operation mainly consists of two steps. The first step is authorization for trading, which informs the ERC-20 Token contract that a future target contract address may transfer a certain amount of tokens from the authorized wallet account. The second step is executing the transaction; when the logic in the target contract requires trading that token, the contract will actively trigger the transfer of the user-authorized tokens.

Taking the Zepe.io airdrop scam as an example, the scammers first create the token and complete the airdrop, adding the token to a DEX to increase liquidity, giving the token value. Some users, seeing "valuable" airdrop tokens in their accounts, want to exchange them on the DEX. However, this authorization transaction typically fails, but after failing, an error prompts users to visit its official website for exchange. The trap appears at this moment; when users authorize transactions on the specified page, their valuable tokens will be transferred away.

PeckShield states that similar airdrop scams share a common characteristic: the token names are mostly website addresses, such as ShibaDrop.io, AirStack.net, BNBw.me, etc. When users receive similar tokens, they need to be cautious. The security firm advises users not to over-authorize when interacting with on-chain protocols, such as setting a specific amount for token trading authorization instead of a maximum amount. Additionally, users should regularly revoke authorizations for infrequently used Dapps and be wary of fraudsters "changing their identities."

For on-chain users, the blockchain network is a relatively free but risk-filled world. Users must remember to manage their private keys well and avoid easily authorizing unfamiliar contracts out of greed, which could lead to asset loss. Remember, the old saying "there's no such thing as a free lunch" applies equally in the blockchain world.