Table of Contents
- First, what a token approval is
- How the fake airdrop works
- Receiving a token is harmless — interacting is the risk
- The main variants
- The dangerous permissions to watch for
- How to protect yourself
- Revoke your approvals
- If your wallet was drained
- Frequently asked questions
- A token I never bought is in my wallet — was I hacked?
- What does setApprovalForAll mean?
- How do I revoke an approval?
You open your wallet and find a token you never bought, seemingly worth a few hundred dollars, with a website in its name inviting you to "claim" it. It feels like a lucky break. It is bait — and the trap is a permission you are about to grant without realizing it.
First, what a token approval is
To trade or use tokens in DeFi, you grant smart contracts an approval — permission to move a specific token on your behalf. It is a normal, necessary mechanism, explained in the official Ethereum documentation. Scammers weaponize it: instead of stealing your keys, they get you to approve them.
How the fake airdrop works
- 1
The seed
A worthless token appears in your wallet, named after a real project or a claim site to make you curious.
- 2
The claim page
Its name or a linked site invites you to 'claim rewards' or 'unlock' the token's value. You connect your wallet.
- 3
The signature
The site asks you to approve a transaction. It is framed as claiming — but it grants a contract permission to move your real assets.
- 4
The drain
With approval in hand, the contract transfers out your valuable tokens. Nothing was ever free.
Receiving a token is harmless — interacting is the risk
An unexpected token simply sitting in your wallet cannot hurt you. The danger begins only when you interact with it — visit its site, connect, or approve anything. A related trick, address poisoning, drops a token from a look-alike address into your history, hoping you will later copy that address and pay the scammer by mistake.
The main variants
| Variant | The mechanism |
|---|---|
| Fake airdrop claim | "Claim" grants a draining approval |
| Address poisoning | A look-alike address salted into your history |
| Fake mint / DEX | A cloned site that requests malicious approvals |
| Unlimited "increase allowance" | Approving far more than the task needs |
setApprovalForAll (NFTs) | One signature hands over an entire collection |
Some of these overlap with counterfeit sites and tokens covered in fake trading platforms and rug pulls; the common thread is a signature you should never have given.
The dangerous permissions to watch for
Two approvals do outsized damage. An unlimited token allowance lets a contract move as much of that token as it likes, for as long as the approval stands. setApprovalForAll grants control over an entire NFT collection in a single signature. Legitimate apps sometimes request these, so read every prompt — and when in doubt, reject and verify.
How to protect yourself
- Never interact with tokens you did not expect. Do not visit their site, connect, or "claim."
- Use a burner wallet for any mint or airdrop, holding nothing valuable.
- Read what you sign. Your wallet shows the contract and permission — if it does not match the task, cancel.
- Prefer limited approvals over unlimited ones where you have the choice.
- Bookmark real project sites and ignore the URL embedded in a mystery token.
This is the approval side of the same problem covered in seed phrase phishing and wallet drainers, and it shares the wider red flags of a crypto scam.
Revoke your approvals
You can review and cancel the permissions your wallet has granted. Tools like Etherscan's Token Approvals checker (and the equivalent explorer for your chain) let you see every active approval and revoke any you do not recognize. Doing this periodically closes doors you forgot were open. Revoking costs a small network fee but can save everything behind that door.
If your wallet was drained
Treat the wallet as compromised: move remaining assets to a new wallet, revoke the malicious approval, save the transaction hashes, and report it with our reporting guide. The stolen funds can still be traced on-chain.
Frequently asked questions
A token I never bought is in my wallet — was I hacked?
No. Receiving a token is passive and harmless on its own. You are only at risk if you interact with it — visiting its site, connecting your wallet, or approving a transaction. Leave it alone.
What does setApprovalForAll mean?
It is a single permission that lets a contract move every NFT in a collection you own. Legitimate marketplaces use it, but scammers rely on it too — so only approve it on a site you have independently verified.
How do I revoke an approval?
Open a token-approval checker such as Etherscan's, connect your wallet, review the active approvals, and revoke any you do not recognize or no longer need. Each revocation is a small on-chain transaction.
Key takeaways
- Fake airdrops bait you into approving a transaction that drains your real assets.
- Receiving a mystery token is harmless; interacting with it is the danger.
- Unlimited allowances and setApprovalForAll do the most damage — read prompts.
- Use a burner wallet for mints and revoke stale approvals regularly.
- If drained, move to a new wallet, revoke access, preserve hashes, and report.
Know someone who needs this? Share it.
Scambulance will never ask for your private keys, passwords, or seed phrases. Anyone promising guaranteed fund recovery is likely a scammer.
