"Claim your free airdrop" might be the most expensive free thing on-chain. Fake airdrops don't just prey on greed — they exploit the fact that most people genuinely can't read the string of confirmation text their wallet pops up. You think you're claiming a token; what you're actually doing is signing a consent form that says "from now on, feel free to move my USDT." This piece skips the deep wallet internals and nails down one thing: why that "approve" button is so dangerous, and how not to get caught by it.
- The core of an airdrop drainer isn't "tricking you into a transfer" — it's tricking you into signing an approval (approve). Once granted, the scammer can move that token at any later time.
- Most approvals default to an unlimited amount with no expiry, so a single signature is enough to let one token get drained slowly — or all at once.
- A token that appears in your wallet from nowhere is bait nine times out of ten — don't "claim" or "swap" it. Use a separate burner wallet for airdrops, and keep large holdings in cold storage.
What the fake-airdrop scam actually is
Airdrops are a real thing: some projects hand out free tokens to early users or qualifying wallets as a way to promote and distribute. The problem is, scammers copied this good thing wholesale and turned it into bait.
The fake-airdrop script usually goes like this: in some group, a tweet, or a DM you see "the XX project airdrop is open, first come first served," or you open your wallet and find a token mysteriously sitting there with a respectable-looking name. You follow the prompt to a claim page that asks you to "connect your wallet" — still no harm done at this point. The trap is the next step: it pops up a confirmation window labeled "claim," "activate," or "verify eligibility," and the moment you tap it, what you're actually signing is an approval transaction.
From that instant, the scammer needs neither your private key nor your seed phrase to move the matching token out of your wallet. The whole time you feel like "but I didn't transfer anything out" — right, you didn't. You just gave someone else permission to do the transferring.
First, "approve" in plain English
Tokens in your wallet (USDT, various ERC-20 tokens) work on a mechanism: when you want to use a token inside a decentralized application (DApp) — to trade, to stake — you first have to "approve" that app's contract to move that token of yours, after which it can transfer it on your behalf when you initiate an action. This is a normal, necessary step for DeFi to function; it isn't a bad thing in itself.
Here's a loose but useful analogy: an approval is like opening a direct-debit authorization on a card to some merchant. Once you do, that merchant can pull money from your card within the agreed terms without you re-entering a password each time. And here's the catch —
The real killers are "amount" and "expiry"
Many approval requests default to an unlimited amount (you'll see an absurdly long string of digits, or simply "unlimited") with no expiry date. In plain terms: you didn't set up "debit up to $100" — you set up "this kind of money in this card, take as much as you want, forever." If the party you granted permission to is a scammer's contract, when it comes to sweep your token away is entirely up to it.
This is why so many people get "drained out of nowhere after months of not doing anything" — the approval was signed months ago, and the scammer just picked a moment to harvest. An approval doesn't expire on its own with time; until you actively revoke it, it just sits there, live.
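What an approval looks like underneath the wallet popup, as an added example that is not from the original article: it decodes a transaction's raw calldata and reports whether it is an unlimited approval, a capped one, or a revoke. The helper names, the spender address and the sample amounts are constructed for illustration.

```python
MAX_UINT256 = 2**256 - 1  # the "absurdly long string of digits" in an unlimited approval

# 4-byte selectors: the first 8 hex characters of calldata name the function called.
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",
    "39509351": "increaseAllowance(address,uint256)",
    "a22cb465": "setApprovalForAll(address,bool)",
    "a9059cbb": "transfer(address,uint256)",
}

def classify_calldata(data):
    """Decode transaction calldata and report what permission it grants."""
    raw = data.lower()
    if raw.startswith("0x"):
        raw = raw[2:]
    selector, args = raw[:8], raw[8:]
    sig = SELECTORS.get(selector)
    if sig is None:
        return {"function": None, "verdict": "unrecognized call"}
    if len(args) < 128:
        return {"function": sig, "verdict": "malformed arguments"}
    # Each ABI argument is a 32-byte word; an address sits in its low 20 bytes.
    party = "0x" + args[24:64]
    value = int(args[64:128], 16)
    if selector == "a9059cbb":
        verdict = "direct transfer"
    elif selector == "a22cb465":
        verdict = "operator over every NFT in the collection" if value else "operator revoked"
    elif selector == "39509351":
        verdict = "allowance raised"
    elif value == 0:
        verdict = "revoke"
    elif value == MAX_UINT256:
        verdict = "unlimited allowance"
    else:
        verdict = "capped allowance"
    return {"function": sig, "party": party, "value": value, "verdict": verdict}

def encode_call(selector, address, value):
    """Build sample calldata for the demo (constructed, not captured traffic)."""
    return "0x" + selector + address[2:].rjust(64, "0") + format(value, "064x")

SPENDER = "0x" + "11" * 20  # constructed placeholder address

if __name__ == "__main__":
    for amount in (MAX_UINT256, 100 * 10**6, 0):
        print(classify_calldata(encode_call("095ea7b3", SPENDER, amount))["verdict"])
```

The revoke case shows that revoking is the same `approve` call with the amount set to zero, which is why it is an on-chain transaction of its own.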
Signature vs approval — what's the difference, exactly
A lot of people lump every wallet confirmation under "signing," but they aren't the same thing, and the danger levels differ.
| | Ordinary off-chain signature | Approval / transaction (approve) |
|---|---|---|
| Common use | Proving "this wallet is mine," e.g. logging into a DApp, joining an allowlist | Granting a contract permission to move a token of yours |
| On-chain? | Mostly off-chain, no network fee | On-chain, costs a network fee (gas) |
| Moves assets directly? | Normally no | After approval, the other party can move the matching token within the permission |
| Risk when phished | Scammers craft "harmless-looking" signatures that are functionally an approval or transfer | With unlimited amount + no expiry, one signature is enough to drain a token |
Note: different wallets and chains display signatures and approvals slightly differently. There's one universal safety rule — never confirm anything you don't understand; figure out what it's actually requesting first.
One thing not to get complacent about: "off-chain signatures don't go on-chain and cost nothing" does not equal definitely safe. Scammers can wrap a request that's functionally "permission to move your assets" inside an innocent-looking signature popup (no gas, no "approve" text) to get you to drop your guard and tap. So the test isn't "does it cost money" — it's whether you understood what it's requesting and whether the other party is an address you trust. The Permit and Permit2 signature phishing that has cost real victims real money works exactly this way.
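A check for the gasless case described above, as an added example that is not from the original article: it reads the EIP-712 typed-data payload a site asks the wallet to sign and flags EIP-2612 `Permit` and Permit2 `PermitSingle`/`PermitBatch` messages, which grant spending rights without any on-chain transaction at signing time. The sample payloads, the addresses and the 30-day threshold are constructed assumptions.

```python
import json

MAX_UINT256 = 2**256 - 1   # EIP-2612 Permit "value" is a uint256
MAX_UINT160 = 2**160 - 1   # Permit2 "amount" is a uint160
LONG_LIVED = 30 * 86400    # assumption: flag grants valid for more than 30 days

def _num(v):
    """Typed-data numbers arrive as ints, decimal strings or 0x-hex strings."""
    return int(str(v), 0)

def review_typed_data(payload, now):
    """Return findings for a typed-data signing request; empty list if not a permit."""
    td = json.loads(payload)
    ptype, msg = td.get("primaryType"), td.get("message", {})
    if ptype == "Permit":  # EIP-2612: owner, spender, value, nonce, deadline
        grants = [(msg["value"], MAX_UINT256, msg["deadline"])]
    elif ptype in ("PermitSingle", "PermitBatch"):  # Permit2: details + spender
        details = msg["details"]
        details = details if isinstance(details, list) else [details]
        grants = [(d["amount"], MAX_UINT160, d["expiration"]) for d in details]
    else:
        return []  # e.g. a login message: no spending rights requested
    findings = [f"{ptype} grants spending rights to {msg['spender']}"]
    for amount, cap, expiry in grants:
        if _num(amount) == cap:
            findings.append("unlimited amount")
        if _num(expiry) - now > LONG_LIVED:
            findings.append("valid for more than 30 days")
    return findings

NOW = 1_700_000_000  # fixed clock so the demo is reproducible
# Constructed sample payloads, trimmed to the fields the check reads.
SAMPLE_PERMIT2 = json.dumps({"primaryType": "PermitSingle", "message": {
    "details": {"token": "0x" + "aa" * 20, "amount": str(MAX_UINT160),
                "expiration": str(NOW + 365 * 86400), "nonce": "0"},
    "spender": "0x" + "22" * 20, "sigDeadline": str(NOW + 3600)}})
SAMPLE_LOGIN = json.dumps({"primaryType": "Login", "message": {"statement": "Sign in"}})

if __name__ == "__main__":
    print(review_typed_data(SAMPLE_PERMIT2, NOW))
    print(review_typed_data(SAMPLE_LOGIN, NOW))
```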
Three forms the theft takes
It's all fake airdrops, but the hook that reels you in differs. Recognizing the shapes helps you brake early.
① A fake claim page that lures you into signing an approval
The most common. A "claim page" made to look just like a project's official site pops a confirmation the instant you connect your wallet. It looks like you're "claiming a token," but what it's actually requesting is approval over the USDT or mainstream tokens in your wallet. The page often uses a countdown or "only N spots left" to rush you past reading it.
② A fake token / fake NFT airdropped into your wallet to lure you to interact
You did nothing, yet a token or NFT appears in your wallet from nowhere. Its name or image often has a web address embedded, as if shouting "come to this site to claim / swap me." The moment you go interact at that site, the real approval trap is waiting. The asset sitting in your wallet can't hurt you — going to that site to interact is what does.
③ A fake "remove risk / check approvals" page
This one targets people who've already gotten cautious. It poses as an "approval safety scanner" or "one-click revoke risky approvals" tool, claiming to scan and revoke dangerous approvals for you. But the "revoke" you tap is itself a fresh malicious approval. Flying a safety banner, doing the exact opposite.
See these signals and stop
The more of these fit, the more wary you should be
- A token or NFT you never bought or interacted with appears from nowhere in your wallet, with a web address in its name.
- "Claiming the airdrop" requires you to connect your wallet and sign a confirmation you don't understand, especially one involving approve, unlimited, or a long string of huge numbers.
- The page uses a countdown, limited spots, or "activate now or it's void" to rush you past reading it.
- The link came from a stranger's DM, a group "admin," or a shortened URL — not an official channel you found yourself.
- It claims to "detect / remove risky approvals" for you, but asks you to sign once more.
One rule worth filing on its own: real project teams don't rush you. Even a legitimate airdrop with a claim window won't use "tap now or it's gone" to pressure you into connecting your wallet and signing something in three seconds. The harder the rush, the higher the odds it's a setup.
How to do airdrops safely
This isn't "swear off airdrops forever" — it's arranging things in advance so that "if I do get caught, the loss is contained."
- Keep a separate burner wallet just for chasing airdrops and testing new projects, holding only money you can afford to lose — never your main assets.
- Before signing anything, read the popup: is it a signature or an approval? Which contract address is on the other side? Is the amount unlimited? If you can't read it, cancel.
- When you can set the amount, set a sufficient-but-capped allowance — don't default to letting unlimited through.
- Periodically review and revoke old approvals with a tool like Revoke.cash or your block explorer's Token Approvals page — clear out permissions for DApps you no longer use and contracts of unknown origin. Don't leave them dangling.
- Keep genuinely valuable assets in a cold (hardware) wallet, physically separated from the hot wallet you interact with daily — even if the hot wallet gets hit, it can't reach the cold one.
- Anything that shows up in your wallet from nowhere — treat it as nonexistent: don't tap, don't claim, don't swap.
The one-line rule
The real dividing line in wallet safety isn't "will I get scammed" — it's "before I confirm any transaction, did I understand what it was requesting?" Make "if I can't read it, I cancel" pure muscle memory, and the vast majority of approval drainers never get in.
Already signed an approval — do this now
If you just realized you may have signed an approval on a suspicious page, don't agonize over "will something actually happen" — just run the order below, the faster the better.
Rescue large assets first
If there's significant money in the wallet, your first move isn't researching how to revoke — it's immediately moving the valuable assets to a brand-new wallet that has never interacted with the suspicious site. Revoking takes time; moving assets is more direct.
Revoke the suspicious approval
Use a revoke tool (Revoke.cash, or your block explorer's Token Approvals) to find the approval to the suspicious address and revoke it. Note: revoking is itself an on-chain transaction that costs a network fee; when the network is congested, set a sufficient fee so the revoke doesn't get stuck.
While you're at it, clear all suspicious approvals
Since you're already in there, revoke every approval of unknown origin or one you no longer use, so you don't miss another hidden risk.
Downgrade this wallet from now on
A wallet that has signed something on a suspicious site is now lower-trust. Manage important assets in a new wallet, and keep this old one around for small experiments and test transactions.
Keep evidence and report if needed
Screenshot the suspicious site's domain, the transaction hash, and chat logs. To report: in the US, file with the FBI IC3 at ic3.gov and the FTC at reportfraud.ftc.gov; in the UK, report to Action Fraud. For how to gather evidence, limit losses, and report after a theft, see what to do after you've been scammed.
Don't take the "we'll recover it" second-wave scam
Once word gets out that your wallet was drained, people will DM you fast: "I can recover your stolen assets," "just pay a small fee first." These are almost all second-wave scams hunting victims. See our breakdown of USDT recovery / unfreeze scams.
FAQ
A token appeared in my wallet out of nowhere — can I sell it?
Don't touch it, and definitely don't go to any page to "claim" or "swap" it. Tokens that appear from nowhere are usually bait — the name often contains a web address luring you to a phishing site to connect your wallet and sign an approval. As long as you never interact, it's just a number sitting in your wallet and can't make you lose funds; the danger only starts once you're lured to that site and sign an approval.
What's the difference between a signature and an approval (approve)?
An ordinary off-chain signature usually just proves "this wallet is mine" — e.g. logging into a DApp — and doesn't directly move your assets. An approval (approve) is an on-chain transaction that grants a contract address permission to "move a certain token in your wallet from now on." The danger is that an approval can be set unlimited and long-lived, so once a scammer holds it they can move the matching token without you noticing. Phishing sites also craft special signatures that look harmless but are functionally an approval or transfer — so never confirm a signature you don't understand.
I already signed an approval on a suspicious page but nothing's gone yet — is there time?
Possibly, and speed is the key. Immediately use a revoke tool to revoke the approval to that suspicious address, and move your valuable assets to a brand-new wallet that has never interacted with the suspicious site. Revoking is itself an on-chain transaction that costs a network fee. If your holdings are large, the safest order is to transfer the assets out first, then handle the revoke.
Does a hardware (cold) wallet make me safe from approval drainers?
A hardware wallet protects your private key from being stolen, but it can't stop a malicious approval you sign with your own hands — if you connect a hardware wallet to a phishing site and confirm an unlimited approval, the other party can still move the matching token. The correct use of a cold wallet is to only hold assets and interact as little as possible; if you really want to roam and test on-chain, use an isolated little hot wallet.
Instead of signing approvals you can't read all over the chain, keep the bulk of your assets in a regulated channel
Approval drainers are so common because so many people keep their entire net worth in one hot wallet they interact with everywhere, every day. A steadier approach: use a separate burner wallet for everyday tinkering, and manage assets you intend to hold long term through a major, regulated exchange's official channel. OKX is one mainstream exchange; you can reach it through the official sign-up link below, and its official domain is okx.com.
Read these next
- Cloned phishing sites and fake exchanges — a fake airdrop's claim page is, at heart, a kind of cloned phishing site.
- Address poisoning (swapped transfer addresses) — also happens on-chain, also after the assets in your wallet.
- Fake presales & rug pulls — also on-chain, but it goes after your principal rather than an approval.
- What to do after you've been scammed — the full loss-control, evidence, and reporting process after an approval theft.