A Beginner’s Guide to Web3 Security: How to Avoid Airdrop Scams

SlowMist
Aug 15, 2024


Background

In our previous guide on Web3 security, we covered the topic of multisig phishing, discussing the mechanics of multisig wallets, how attackers exploit them, and how to safeguard your wallet from malicious signatures. In this installment, we’ll delve into a widely used marketing tactic in both traditional and crypto industries — airdrops.

Airdrops can quickly propel a project from obscurity into the spotlight, helping it rapidly build a user base and enhance market visibility. Typically, users participate in Web3 projects by clicking links and interacting with the project to claim airdropped tokens. However, from counterfeit websites to tools laced with backdoors, hackers have set traps throughout the airdrop process. This guide will analyze common airdrop scams to help you avoid these pitfalls.

What is an Airdrop?

An airdrop occurs when a Web3 project distributes free tokens to specific wallet addresses to increase its visibility and attract early users. This is one of the most direct methods for projects to gain a user base. Airdrops can generally be categorized into the following types based on how they are claimed:

- Task-Based: Completing tasks specified by the project, such as sharing content or liking posts.

- Interaction-Based: Performing actions like token swaps, sending/receiving tokens, or cross-chain operations.

- Holding-Based: Holding specified tokens from the project to qualify for the airdrop.

- Staking-Based: Earning airdropped tokens through single or dual-asset staking, providing liquidity, or long-term token lock-up.

Risks in Claiming Airdrops

Fake Airdrop Scams

These scams can be broken down into several types:

1. Hijacked Official Accounts: Hackers may take control of a project’s official account and post fake airdrop announcements. For instance, it’s common to see alerts on news platforms like “The X or Discord account of Project Y has been hacked; do not click on phishing links shared by the hacker.” According to our 2024 Mid-Year Blockchain Security and Anti-Money Laundering Report, there were 27 such incidents in the first half of 2024 alone. Users, trusting the official account, might click on these links and be redirected to phishing sites disguised as airdrop pages. If they enter their private keys, seed phrases, or grant permissions, hackers can steal their assets.

2. Impersonation in Comment Sections: Hackers often create fake project accounts and post in the comments of the real project’s social media channels, claiming to offer airdrops. Users who are not careful might follow these links to phishing sites. For example, the SlowMist security team has previously analyzed these tactics and provided recommendations in an article titled “Beware of Impersonation in Comment Sections.” Additionally, after a legitimate airdrop is announced, hackers quickly respond by posting phishing links using fake accounts that resemble the official ones. Many users have been tricked into installing malicious apps or signing transactions on phishing sites.

3. Social Engineering Attacks: In some cases, scammers infiltrate Web3 project groups, target specific users, and use social engineering techniques to deceive them. They may pose as support staff or helpful community members, offering to guide users through the process of claiming an airdrop, only to steal their assets. Users should remain vigilant and not trust unsolicited offers of help from individuals claiming to be official representatives.

“Free” Airdrop Tokens

While most airdrops require users to complete tasks, there are instances where tokens appear in your wallet without any action on your part. Hackers often airdrop worthless tokens or NFTs to your wallet, hoping you will interact with them by transferring, viewing, or attempting to trade them on a decentralized exchange. When you try to interact with one of these scam NFTs, you may encounter an error message prompting you to visit a website to “unlock your item.” This is a trap that leads to a phishing site.

If a user visits the phishing website linked by a Scam NFT, the hacker may perform the following actions:

- Conduct a “zero-cost purchase” of valuable NFTs (refer to the “zero-cost purchase” NFT phishing analysis).

- Steal high-value tokens through Approve authorization or Permit signatures.

- Drain the wallet’s native assets.

Next, let’s examine how hackers can steal users’ gas fees through a carefully designed malicious contract.

First, the hacker created a malicious contract named GPT on the Binance Smart Chain (BSC) at address 0x513C285CD76884acC377a63DC63A4e83D7D21fb5 and lured users to interact with it by airdropping tokens.

When users interact with this malicious contract, they are prompted to approve the contract’s use of tokens in their wallet. If the user approves this request, the malicious contract sets an inflated gas limit scaled to the user’s wallet balance, so the user’s subsequent transactions consume far more gas than they need.

By exploiting the high gas limit supplied by the user, the malicious contract spends the excess gas minting CHI tokens (CHI is a gas token that can later be burned for a gas refund). After accumulating a large number of CHI tokens, the hacker burns them to collect the gas refund when the contract is destroyed.

https://x.com/SlowMist_Team/status/1640614440294035456

Through this method, the hacker cleverly profits from the user’s gas fees, while the user may be unaware that they have paid extra gas fees. The user initially expected to profit from selling the airdropped tokens but ended up losing their native assets instead.
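The two warning signs in this case, an approval request and an inflated gas limit, are both visible in the transaction request before the user signs it. The following is an added example (not code from the SlowMist post) of a pre-signing check a wallet or browser plugin could run, which also covers the “Check Gas Limits” advice in the conclusion; the allowance threshold, the gas-ratio threshold, and the sample addresses are assumptions.

```javascript
// Added example (not from the SlowMist post): inspect a transaction request
// before the user confirms it. Decodes ERC-20 approve() calldata, flags
// unlimited allowances, and compares the requested gas limit with an
// independent estimate (e.g. from eth_estimateGas). Thresholds are assumed.
const APPROVE_SELECTOR = "0x095ea7b3";    // keccak256("approve(address,uint256)")[:4]
const MAX_UINT256 = (1n << 256n) - 1n;
const SUSPICIOUS_ALLOWANCE = 1n << 128n;  // assumption: this large means "unlimited"
const GAS_RATIO_LIMIT = 3n;               // assumption: >3x the estimate is anomalous

// Split the 32-byte ABI words that follow the 4-byte selector.
function abiWords(data) {
  const hex = data.slice(10);             // drop "0x" plus the selector
  const words = [];
  for (let i = 0; i + 64 <= hex.length; i += 64) words.push(hex.slice(i, i + 64));
  return words;
}

// Decode approve(spender, amount); return null for any other call.
function decodeApprove(data) {
  if (!data || data.slice(0, 10).toLowerCase() !== APPROVE_SELECTOR) return null;
  const [spenderWord, amountWord] = abiWords(data);
  if (spenderWord === undefined || amountWord === undefined) return null;
  return { spender: "0x" + spenderWord.slice(24), amount: BigInt("0x" + amountWord) };
}

// tx = {to, data, gasLimit}; gasLimit and estimatedGas are BigInt gas units.
function inspectTx(tx, estimatedGas) {
  const findings = [];
  const approve = decodeApprove(tx.data);
  if (approve) {
    const shown = approve.amount === MAX_UINT256 ? "MAX_UINT256" : approve.amount;
    findings.push(`approve: spender ${approve.spender} amount ${shown}`);
    if (approve.amount >= SUSPICIOUS_ALLOWANCE) findings.push("WARNING: unlimited allowance requested");
  }
  if (estimatedGas > 0n && tx.gasLimit > estimatedGas * GAS_RATIO_LIMIT) {
    findings.push(`WARNING: gas limit ${tx.gasLimit} exceeds ${GAS_RATIO_LIMIT}x the estimate ${estimatedGas}`);
  }
  return findings;
}

// Constructed sample: unlimited approve to a placeholder spender with an inflated gas limit.
const sampleTx = {
  to: "0x0000000000000000000000000000000000000001",                      // placeholder token
  data: APPROVE_SELECTOR +
        "0000000000000000000000000000000000000000000000000000000000000002" + // placeholder spender
        "f".repeat(64),                                                    // MAX_UINT256
  gasLimit: 900000n,
};
console.log(inspectTx(sampleTx, 46000n));
```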

Backdoor Tools

https://x.com/evilcos/status/1593525621992599552

During the process of claiming airdrops, some users need to download browser plugins for tasks such as translation or checking the rarity of NFTs. However, the security of these plugins is rarely verified, and some users do not download them from official sources, significantly increasing the risk of installing a plugin with a backdoor.

Additionally, we’ve noticed online services selling scripts for claiming airdrops, which promise to automate batch interactions efficiently. Please be aware that downloading and running unverified and unreviewed scripts is extremely risky, because you cannot be certain of the script’s source or what it actually does. These scripts may contain malicious code that steals private keys or seed phrases, or performs other unauthorized actions. Moreover, some users who engage in these risky operations either have no antivirus software installed or have it disabled, so they cannot detect that their device has been compromised by malware, which leads to further damage.

Conclusion

In this guide, we’ve highlighted the various risks associated with claiming airdrops by analyzing common scam tactics. Airdrops are a popular marketing strategy, but users can reduce the risk of asset loss during the process by taking the following precautions:

- Verify Thoroughly: Always double-check URLs when visiting airdrop websites. Confirm them through official accounts or announcements, and consider installing phishing risk detection plugins like Scam Sniffer.

- Use Segregated Wallets: Keep only small amounts of funds in wallets used for airdrops, while storing larger amounts in a cold wallet.

- Be Cautious with Unknown Airdrops: Do not interact with or approve transactions involving airdrop tokens from unknown sources.

- Check Gas Limits: Always review the gas limit before confirming a transaction, especially if it seems unusually high.

- Use Reputable Antivirus Software: Keep real-time protection enabled and regularly update your antivirus software to ensure the latest threats are blocked.

About SlowMist

At SlowMist, we pride ourselves on being a frontrunner in blockchain security, dedicating years to mastering threat intelligence. Our expertise is grounded in providing comprehensive security audits and advanced anti-money laundering tracking to a diverse clientele. We’ve established a robust network for threat intelligence collaboration, positioning ourselves as a key player in the global blockchain security landscape. We offer tailor-made security solutions that span from identifying threats to implementing effective defense mechanisms. This holistic approach has garnered the trust of numerous leading and recognized projects worldwide, including names like Huobi, OKX, Binance, imToken, Crypto.com, Amber Group, Klaytn, EOS, 1inch, PancakeSwap, TUSD, Alpaca Finance, MultiChain, and Cheers UP. Our mission is to ensure the blockchain ecosystem is not only innovative but also secure and reliable.

We offer a variety of services that include but are not limited to security audits, threat intelligence, defense deployment, security consulting, and other security-related services. We also offer AML (anti-money laundering) solutions, Vulpush (vulnerability monitoring), SlowMist Hacked (crypto hack archives), FireWall.x (smart contract firewall), Safe Staking and other SaaS products. We have partnerships with domestic and international firms such as Akamai, BitDefender, FireEye, RC², TianJi Partners, IPIP, etc.

By delivering a comprehensive security solution customized to individual projects, we can identify risks and prevent them from occurring. Our team was able to find and publish several high-risk blockchain security flaws. By doing so, we wish to help spread awareness and raise the security standards in the blockchain ecosystem.


Written by SlowMist

SlowMist is a Blockchain security firm established in 2018, providing services such as security audits, security consultants, red teaming, and more.