Background

In our previous guide on Web3 security, we covered the topic of multisig phishing, discussing the mechanics of multisig wallets, how attackers exploit them, and how to safeguard your wallet from malicious signatures. In this installment, we’ll delve into a widely used marketing tactic in both traditional and crypto industries — airdrops.

Airdrops can quickly propel a project from obscurity into the spotlight, helping it rapidly build a user base and enhance market visibility. Typically, users participate in Web3 projects by clicking links and interacting with the project to claim airdropped tokens. However, from counterfeit websites to tools laced with backdoors, hackers have set traps throughout the airdrop process. This guide will analyze common airdrop scams to help you avoid these pitfalls.

What is an Airdrop?

An airdrop occurs when a Web3 project distributes free tokens to specific wallet addresses to increase its visibility and attract early users. This is one of the most direct methods for projects to gain a user base. Airdrops can generally be categorized into the following types based on how they are claimed:

• Task-Based: Completing tasks specified by the project, such as sharing content or liking posts.

• Interaction-Based: Performing actions like token swaps, sending/receiving tokens, or cross-chain operations.

• Holding-Based: Holding specified tokens from the project to qualify for the airdrop.

• Staking-Based: Earning airdropped tokens through single or dual-asset staking, providing liquidity, or long-term token lock-up.

Risks in Claiming Airdrops

Fake Airdrop Scams

These scams can be broken down into several types:

1. Hijacked Official Accounts: Hackers may take control of a project’s official account and post fake airdrop announcements. For instance, it’s common to see alerts on news platforms like “The X or Discord account of Project Y has been hacked; do not click on phishing links shared by the hacker.” According to our 2024 Mid-Year Blockchain Security and Anti-Money Laundering Report, there were 27 such incidents in the first half of 2024 alone. Users, trusting the official account, might click on these links and be redirected to phishing sites disguised as airdrop pages. If they enter their private keys, seed phrases, or grant permissions, hackers can steal their assets.

1. Impersonation in Comment Sections: Hackers often create fake project accounts and post in the comments of the real project’s social media channels, claiming to offer airdrops. Users who are not careful might follow these links to phishing sites. For example, the SlowMist security team has previously analyzed these tactics and provided recommendations in an article titled “Beware of Impersonation in Comment Sections.” Additionally, after a legitimate airdrop is announced, hackers quickly respond by posting phishing links using fake accounts that resemble the official ones. Many users have been tricked into installing malicious apps or signing transactions on phishing sites.

1. Social Engineering Attacks: In some cases, scammers infiltrate Web3 project groups, target specific users, and use social engineering techniques to deceive them. They may pose as support staff or helpful community members, offering to guide users through the process of claiming an airdrop, only to steal their assets. Users should remain vigilant and not trust unsolicited offers of help from individuals claiming to be official representatives.

“Free” Airdrop Tokens

While most airdrops require users to complete tasks, there are instances where tokens appear in your wallet without any action on your part. Hackers often airdrop worthless tokens to your wallet, hoping you will interact with them by transferring, viewing, or attempting to trade them on a decentralized exchange. However, when attempting to interact with these Scam NFTs, you may encounter an error message prompting you to visit a website to “unlock your item.” This is a trap that leads to a phishing site.

If a user visits the phishing website linked by a Scam NFT, the hacker may perform the following actions:

• Conduct a “zero-cost purchase” of valuable NFTs (refer to the “zero-cost purchase” NFT phishing analysis).

• Steal high-value tokens through Approve authorization or Permit signatures.

• Take away native assets.

Next, let’s examine how hackers can steal users’ gas fees through a carefully designed malicious contract.

First, the hacker created a malicious contract named GPT on the Binance Smart Chain (BSC) (0x513C285CD76884acC377a63DC63A4e83D7D21fb5) and lured users to interact with it by airdropping tokens.

When users interact with this malicious contract, they are prompted to approve the contract’s use of tokens in their wallet. If the user approves this request, the malicious contract automatically increases the gas limit based on the user’s wallet balance, leading to higher gas consumption in subsequent transactions.

By exploiting the high gas limit provided by the user, the malicious contract uses the excess gas to mint CHI tokens (CHI tokens can be used for gas compensation). After accumulating a large number of CHI tokens, the hacker can burn these tokens to receive a gas refund when the contract is destroyed.

https://x.com/SlowMist_Team/status/1640614440294035456

Through this method, the hacker cleverly profits from the user’s gas fees, while the user may be unaware that they have paid extra gas fees. The user initially expected to profit from selling the airdropped tokens but ended up losing their native assets instead.

Backdoor Tools

https://x.com/evilcos/status/1593525621992599552

During the process of claiming airdrops, some users need to download plugins for tasks such as translation or checking the rarity of tokens. However, the security of these plugins is questionable, and some users do not download them from official sources, significantly increasing the risk of downloading plugins with backdoors.

Additionally, we’ve noticed online services that sell scripts for claiming airdrops, claiming to automate batch interactions efficiently. However, please be aware that downloading and running unverified and unreviewed scripts is extremely risky, as you cannot be certain of the script’s source or its actual functions. These scripts may contain malicious code, posing potential threats such as stealing private keys or seed phrases, or performing other unauthorized actions. Moreover, some users, when engaging in these types of risky operations, either do not have antivirus software installed or have it disabled, which can prevent them from detecting if their device has been compromised by malware, leading to further damage.

Conclusion

In this guide, we’ve highlighted the various risks associated with claiming airdrops by analyzing common scam tactics. Airdrops are a popular marketing strategy, but users can reduce the risk of asset loss during the process by taking the following precautions:

• Verify Thoroughly: Always double-check URLs when visiting airdrop websites. Confirm them through official accounts or announcements, and consider installing phishing risk detection plugins like Scam Sniffer.

• Use Segregated Wallets: Keep only small amounts of funds in wallets used for airdrops, while storing larger amounts in a cold wallet.

• Be Cautious with Unknown Airdrops: Do not interact with or approve transactions involving airdrop tokens from unknown sources.

• Check Gas Limits: Always review the gas limit before confirming a transaction, especially if it seems unusually high.

• Use Reputable Antivirus Software: Keep real-time protection enabled and regularly update your antivirus software to ensure the latest threats are blocked.

Disclaimer：

1. This article is reprinted from [SunSec], All copyrights belong to the original author [SlowMist]. If there are objections to this reprint, please contact the Gate Learn team, and they will handle it promptly.
2. Liability Disclaimer: The views and opinions expressed in this article are solely those of the author and do not constitute any investment advice.
3. Translations of the article into other languages are done by the Gate Learn team. Unless mentioned, copying, distributing, or plagiarizing the translated articles is prohibited.