Crypto Market

Fake Airdrops and Token-Approval Scams: How a 'Free' Token Drains Your Wallet

Free tokens are the bait; a token approval is the hook. Scammers seed wallets with worthless tokens whose 'claim' site asks you to approve a transaction that hands over your real assets. Here is how fake airdrops and approval scams work, and how to revoke the access that puts you at risk.

3 min read
Table of Contents

You open your wallet and find a token you never bought, seemingly worth a few hundred dollars, with a website in its name inviting you to "claim" it. It feels like a lucky break. It is bait — and the trap is a permission you are about to grant without realizing it.

First, what a token approval is

To trade or use tokens in DeFi, you grant smart contracts an approval — permission to move a specific token on your behalf. It is a normal, necessary mechanism, explained in the official Ethereum documentation. Scammers weaponize it: instead of stealing your keys, they get you to approve them.

How the fake airdrop works

  1. 1

    The seed

    A worthless token appears in your wallet, named after a real project or a claim site to make you curious.

  2. 2

    The claim page

    Its name or a linked site invites you to 'claim rewards' or 'unlock' the token's value. You connect your wallet.

  3. 3

    The signature

    The site asks you to approve a transaction. It is framed as claiming — but it grants a contract permission to move your real assets.

  4. 4

    The drain

    With approval in hand, the contract transfers out your valuable tokens. Nothing was ever free.

Receiving a token is harmless — interacting is the risk

An unexpected token simply sitting in your wallet cannot hurt you. The danger begins only when you interact with it — visit its site, connect, or approve anything. A related trick, address poisoning, drops a token from a look-alike address into your history, hoping you will later copy that address and pay the scammer by mistake.

The main variants

VariantThe mechanism
Fake airdrop claim"Claim" grants a draining approval
Address poisoningA look-alike address salted into your history
Fake mint / DEXA cloned site that requests malicious approvals
Unlimited "increase allowance"Approving far more than the task needs
setApprovalForAll (NFTs)One signature hands over an entire collection

Some of these overlap with counterfeit sites and tokens covered in fake trading platforms and rug pulls; the common thread is a signature you should never have given.

The dangerous permissions to watch for

Two approvals do outsized damage. An unlimited token allowance lets a contract move as much of that token as it likes, for as long as the approval stands. setApprovalForAll grants control over an entire NFT collection in a single signature. Legitimate apps sometimes request these, so read every prompt — and when in doubt, reject and verify.

How to protect yourself

  • Never interact with tokens you did not expect. Do not visit their site, connect, or "claim."
  • Use a burner wallet for any mint or airdrop, holding nothing valuable.
  • Read what you sign. Your wallet shows the contract and permission — if it does not match the task, cancel.
  • Prefer limited approvals over unlimited ones where you have the choice.
  • Bookmark real project sites and ignore the URL embedded in a mystery token.

This is the approval side of the same problem covered in seed phrase phishing and wallet drainers, and it shares the wider red flags of a crypto scam.

Revoke your approvals

You can review and cancel the permissions your wallet has granted. Tools like Etherscan's Token Approvals checker (and the equivalent explorer for your chain) let you see every active approval and revoke any you do not recognize. Doing this periodically closes doors you forgot were open. Revoking costs a small network fee but can save everything behind that door.

If your wallet was drained

Treat the wallet as compromised: move remaining assets to a new wallet, revoke the malicious approval, save the transaction hashes, and report it with our reporting guide. The stolen funds can still be traced on-chain.

Frequently asked questions

A token I never bought is in my wallet — was I hacked?

No. Receiving a token is passive and harmless on its own. You are only at risk if you interact with it — visiting its site, connecting your wallet, or approving a transaction. Leave it alone.

What does setApprovalForAll mean?

It is a single permission that lets a contract move every NFT in a collection you own. Legitimate marketplaces use it, but scammers rely on it too — so only approve it on a site you have independently verified.

How do I revoke an approval?

Open a token-approval checker such as Etherscan's, connect your wallet, review the active approvals, and revoke any you do not recognize or no longer need. Each revocation is a small on-chain transaction.

Key takeaways

  • Fake airdrops bait you into approving a transaction that drains your real assets.
  • Receiving a mystery token is harmless; interacting with it is the danger.
  • Unlimited allowances and setApprovalForAll do the most damage — read prompts.
  • Use a burner wallet for mints and revoke stale approvals regularly.
  • If drained, move to a new wallet, revoke access, preserve hashes, and report.

Know someone who needs this? Share it.

Scambulance will never ask for your private keys, passwords, or seed phrases. Anyone promising guaranteed fund recovery is likely a scammer.

Were you the victim of a crypto scam?

Knowledge is your first defense — but if it has already happened, the most important step is reporting it properly. Scambulance guides you through every step, free.