Wallet drainer attacks stripped $83.85 million from 106,106 crypto holders in 2025, according to Scam Sniffer’s annual report, even as total losses fell 83% and victim counts dropped 68% from 2024’s peak. Most drains landed during airdrop claim attempts. The procedural protocol below covers wallet hygiene, source verification, contract checking, Sybil-detection awareness, and tax handling for legitimate participation across Ethereum and Solana ecosystems.
IRS Revenue Ruling 2019-24 treats airdropped cryptocurrency as ordinary income equal to its fair market value when the recipient gains dominion and control over the tokens.
Key Takeaways
- Scam Sniffer recorded $83.85 million in wallet-drainer losses across 106,106 victims in 2025, down 83% from the prior year.
- Permit and Permit2 signatures accounted for 3 cases totaling $8.72 million in 2025’s largest drains, with the single biggest loss reaching $6.5 million in September.
- Arbitrum’s airdrop rules subtracted one eligibility point from any wallet whose transactions all occurred within a 48-hour period, and another point from wallets holding less than 0.005 ETH that had interacted with only one smart contract.
- LayerZero identified over 800,000 suspected Sybil addresses and offered self-reporters 15% of their original allocation if they admitted within a 14-day window.
- Optimism removed 17,000 Sybil addresses from Airdrop 1 and redistributed over 14 million OP tokens proportionally to eligible users.
- The IRS measures airdrop income at fair market value on the date of receipt, and that figure becomes the cost basis for any later sale.
- The FBI’s Internet Crime Complaint Center logged 181,565 cryptocurrency complaints in 2025 with total reported losses of $11.36 billion and an average loss of $62,604 per case.
Step 1: Set Up a Dedicated Airdrop Wallet
Scam Sniffer’s 2025 annual report logged a single $6.5 million Permit-signature drain against stETH and aEthWBTC in September, the largest individual loss of the year. A separate wallet funded only with gas would have capped that exposure at roughly $50, which is why the dedicated-wallet pattern is the highest-leverage step a claimer can take.
The architecture has three layers:
- Layer 1. Hot farming wallet: a freshly generated MetaMask or Phantom wallet funded only with the gas needed to qualify and claim. Never holds long-term assets.
- Layer 2. Cold storage: a hardware wallet holding the bulk of holdings. Never connects to airdrop claim sites.
- Layer 3. Receiving wallet: a separate hardware-backed address that the farming wallet transfers tokens to after a successful claim.
Ledger’s Secure Element chip handles transaction reading, screen display, and signing inside the same isolated hardware module, while Trezor splits those functions between a Secure Element for key protection and a main processor for transaction handling. Both devices force physical transaction confirmation, killing remote-drain attacks that rely on hot-wallet signatures.
Step 2: Source Legitimate Airdrops From Verified Channels
DefiLlama lists over 200 tokenless DeFi protocols that can be sorted by total value locked, an additional cross-check for whether an airdrop candidate has organic usage. Triangulate every claim site across official project communications, aggregator trackers, and on-chain activity before connecting a wallet. Single-channel sourcing fails too often to typo-squat domains and impersonator ads.
Three official-channel verification points worth using together:
- The project’s verified X (Twitter) account, reached by typing the project domain into the browser and clicking the X link from the official site
- The project’s Discord or Telegram, joined only via a link published on the official website, never via a DM, search result, or third-party tweet
- The project’s official blog or governance forum
DefiLlama maintains an airdrop tracker listing over 200 tokenless DeFi protocols across lending, DEXs, derivatives, yield, and infrastructure categories, with sort and filter controls for total value locked. Airdrops.io publishes a daily-updated list of over 600 active airdrops across Solana, Ethereum, and emerging blockchains, including retroactive drops, testnet incentives, and point campaigns. Aggregator listings are a discovery layer, not verification. Cross-check every entry against the project’s official site before connecting.
Step 3: Qualify Without Overspending on Gas
Uniswap’s UNI airdrop made 400 UNI claimable by every address that had interacted with Uniswap contracts before September 1, 2020, including approximately 12,000 addresses that had submitted only failed transactions. That distribution shows how snapshot-based qualifying often rewards modest, organic activity rather than expensive gas spending. Per Uniswap Labs’ published eligibility documentation, many qualifying actions cost nothing or nearly nothing.
EigenLayer’s Season 2 stakedrop allocated approximately 87 million EIGEN tokens, around 5.2% of the initial supply, calculated based on a staker’s pro-rata share of ETH-hours measured at the August 15, 2024, snapshot. Time-weighted formulas reward sustained engagement over last-minute farming, which is why a wallet that interacts steadily for months tends to outperform one spun up just before a snapshot.
A practical qualification ranking by gas cost:
| Qualification Type | Typical Gas Cost (USD) | Effort | Sybil Risk |
|---|---|---|---|
| Testnet usage | Free (testnet tokens) | Low | Low if mixed with mainnet activity |
| Governance voting (snapshot.org) | Free (off-chain signing) | Low | Low |
| Single mainnet swap (DEX) | $5-30 per swap | Low | Medium if only action |
| NFT mint or hold | $20-200 per mint | Medium | Low if held long-term |
| Liquidity provision | $30-100 entry + impermanent loss risk | High | Low |
| Cross-chain bridge usage | $10-50 per bridge | Medium | Medium if patterned |
Source: Etherscan gas tracker, project documentation
A qualification stack should look like organic user behaviour, not a one-weekend checklist.
Step 4: Verify the Claim Contract Before Signing
Chainalysis estimated as much as $17 billion in crypto was lost to scams worldwide in 2025, with impersonation scams growing approximately 1,400% year-over-year as attackers used AI-generated voice and video. Four contract-level checks cut most of that risk before a signature commits funds. Run all four every time, regardless of how the claim site was sourced.
Check 1. URL provenance: reach the claim site by typing the project’s official domain into the browser, not by clicking a tweet, DM, search result, or sponsored ad. Chainalysis estimated that as much as $17 billion in crypto was lost to scams worldwide in 2025, with impersonation scams growing approximately 1,400% year-over-year as attackers used AI-generated voice and video to mimic founders, support staff, and executives.
Check 2. Contract verification on the relevant explorer: Etherscan’s contract verification tool allows developers to prove and publish the source code of contracts deployed on-chain by matching the compiled code against the bytecode on the blockchain. A claim contract not source-verified on Etherscan, Solscan, or the equivalent explorer is a stop sign.
Check 3. Transaction simulation: MetaMask and Phantom both surface expected token movements, contract calls, and approval scope before signing.
Check 4. Approval scope: Blind signing means approving a transaction when the wallet only shows a hash or “Data Present” instead of readable details, and Ledger’s documentation warns that attackers can hide unlimited token approvals or NFT-sweeping commands inside such requests. Never approve unlimited token spend during a claim.
Even a correctly verified contract is useless if the claim link itself is fake.
Step 5: Recognize and Defend Against Phishing Sites
Scam Sniffer logged $83.85 million in 2025 wallet-drainer losses across 106,106 victims, with Permit and Permit2 signatures accounting for three cases totaling $8.72 million. Phishing accounts for most airdrop-related losses through one shared mechanism: the claimer signs a transaction without understanding what it does. The attack surface has four shapes:
- Typo-squat domains: un1swap.org instead of uniswap.org; arbitrumdrop.io instead of arbitrum.foundation; visually identical Cyrillic-character substitutions in the address bar
- Sponsored search ads: paid Google or Bing ads pointing to a domain that displays the real project URL in the preview but redirects to a drainer site on click
- Unsolicited DMs: Discord, Telegram, or X direct messages claiming the user is eligible and linking to a “claim portal”
- Dust airdrops: unsolicited tokens deposited into a wallet with metadata pointing to a fake claim site
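A pre-connect hostname check for the typo-squat shapes listed above (digit substitution, non-ASCII homoglyphs, a brand name embedded in an unrelated domain), added here as an example and not taken from any project or browser extension. The allowlist holds only the two official domains the page names; the function names and the edit-distance threshold of 1 are assumptions.

```javascript
// Official domains named on this page; extend the list per project.
const OFFICIAL = ["uniswap.org", "arbitrum.foundation"];

// Collapse common look-alike substitutions so "un1swap" matches "uniswap".
function skeleton(label) {
  const map = { "0": "o", "1": "i", l: "i", "3": "e", "5": "s" };
  return label.replace(/rn/g, "m").replace(/vv/g, "w")
    .replace(/[01l35]/g, (c) => map[c]);
}

// Levenshtein edit distance between two labels (row-by-row dynamic program).
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1,
        prev[j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1));
    }
    prev = cur;
  }
  return prev[b.length];
}

// Classify a claim URL before any wallet connection.
function checkClaimUrl(url, official = OFFICIAL) {
  const host = new URL(url).hostname.toLowerCase();
  if (official.some((d) => host === d || host.endsWith("." + d))) {
    return { verdict: "official", host };
  }
  // The URL parser turns non-ASCII hosts into punycode ("xn--") labels,
  // which is how a Cyrillic look-alike shows up here.
  if (/(^|\.)xn--/.test(host)) {
    return { verdict: "lookalike", host, reason: "non-ASCII (IDN) hostname" };
  }
  const labels = host.split(".").slice(0, -1); // every label except the TLD
  for (const d of official) {
    const brand = d.split(".")[0];
    for (const label of labels) {
      if (skeleton(label) === skeleton(brand) || editDistance(label, brand) <= 1) {
        return { verdict: "lookalike", host, reason: `imitates ${d}` };
      }
      if (label.includes(brand)) {
        return { verdict: "lookalike", host, reason: `embeds the brand of ${d}` };
      }
    }
  }
  return { verdict: "unknown", host }; // not allowlisted: still needs Step 2
}

// Constructed inputs: the page's examples plus a Cyrillic "a" (U+0430).
const samples = ["https://app.uniswap.org/claim", "https://un1swap.org/claim",
  "https://arbitrumdrop.io/", "https://unisw\u0430p.org/claim"];
for (const u of samples) console.log(u, checkClaimUrl(u));
```

An "unknown" verdict is not a pass: a domain that imitates nothing on the allowlist still has to be confirmed through the official channels in Step 2.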
Scam Sniffer’s 2025 breakdown attributed 3 cases totaling $8.72 million to Permit and Permit2 signature attacks, 3 cases totaling $5.62 million to Approve and increaseApproval calls, and 2 cases totaling $2.54 million to EIP-7702 batch transactions. All three vectors share one failure: the victim signed without simulating.
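What a pre-signing decode surfaces for the Approve/increaseApproval and Permit/Permit2 vectors above, as an added example (not code from Scam Sniffer, MetaMask or any project named here). The helper names, the placeholder addresses and the rule that an amount in the top half of the type's range counts as unlimited are assumptions; EIP-7702 batches are out of scope.

```javascript
const MAX_UINT256 = (1n << 256n) - 1n; // ERC-20 allowance width
const MAX_UINT160 = (1n << 160n) - 1n; // Permit2 amount width

// 4-byte selectors of calls that give a spender control over held tokens.
const APPROVAL_SELECTORS = {
  "095ea7b3": "approve(address,uint256)",
  "39509351": "increaseAllowance(address,uint256)",
  "d73dd623": "increaseApproval(address,uint256)",
  "a22cb465": "setApprovalForAll(address,bool)",
};

// Assumption: an amount in the top half of the type's range is "unlimited".
const isUnlimited = (amount, max) => amount > max / 2n;

// Decode raw calldata, i.e. what sits behind a bare "Data Present" prompt.
function inspectCalldata(data) {
  const hex = String(data).toLowerCase().replace(/^0x/, "");
  const kind = APPROVAL_SELECTORS[hex.slice(0, 8)];
  if (!kind) return [];
  if (hex.length < 136) return [{ kind, malformed: true }];
  const spender = "0x" + hex.slice(32, 72);         // low 20 bytes of word 1
  const amount = BigInt("0x" + hex.slice(72, 136)); // word 2: amount or bool
  if (amount === 0n) return [];                     // zero revokes, grants nothing
  const unlimited = kind.startsWith("setApprovalForAll") ||
    isUnlimited(amount, MAX_UINT256);
  return [{ kind, spender, amount, unlimited }];
}

// Decode an EIP-712 signing request (an eth_signTypedData_v4 payload).
function inspectTypedData(td) {
  const msg = td.message || {};
  const permit2 = (d) => ({ kind: "Permit2", token: d.token, spender: msg.spender,
    amount: BigInt(d.amount), unlimited: isUnlimited(BigInt(d.amount), MAX_UINT160) });
  if (td.primaryType === "Permit") { // EIP-2612: the token is the verifier
    const amount = BigInt(msg.value);
    return [{ kind: "EIP-2612 Permit", token: td.domain.verifyingContract,
      spender: msg.spender, amount, unlimited: isUnlimited(amount, MAX_UINT256) }];
  }
  if (td.primaryType === "PermitSingle") return [permit2(msg.details)];
  if (td.primaryType === "PermitBatch") return msg.details.map(permit2);
  return [];
}

// A claim sends tokens TO the wallet, so any allowance grant is refused.
function claimVerdict(findings) {
  if (findings.length === 0) return "no-allowance";
  return findings.some((f) => f.unlimited || f.malformed) ? "refuse-high-risk" : "refuse-allowance";
}

// Constructed samples; every address is a placeholder, not a real contract.
const SPENDER = "0x" + "11".repeat(20);
const TOKEN = "0x" + "22".repeat(20);
const sampleApprove = "0x095ea7b3" + "0".repeat(24) + "11".repeat(20) + "f".repeat(64);
const sampleTransfer = "0xa9059cbb" + "0".repeat(24) + "11".repeat(20) + "1".padStart(64, "0");
const samplePermit2 = {
  primaryType: "PermitSingle",
  domain: { name: "Permit2", chainId: 1, verifyingContract: "0x" + "33".repeat(20) },
  message: { spender: SPENDER, sigDeadline: "1767225600",
    details: { token: TOKEN, amount: MAX_UINT160.toString(), expiration: "1767225600", nonce: "0" } },
};

console.log([inspectCalldata(sampleApprove), inspectCalldata(sampleTransfer),
  inspectTypedData(samplePermit2)].map(claimVerdict));
```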
Revoke.cash lets users inspect all contracts they have approved to spend tokens on their behalf and revoke access from contracts no longer needed, including the unlimited allowances that scam sites trick claimers into granting. Treat revocation as part of the claim, not an optional follow-up. Unsolicited DMs claiming airdrop eligibility are scams; legitimate projects announce drops on official channels.
The Phishing Loss Math: When Claiming Is Net-Negative
Scam Sniffer’s 2025 annual report logged $83.85 million in total losses across 106,106 victims, which works out to an average loss of roughly $790 per drained wallet. That per-victim figure is the right denominator for an expected-value comparison against a typical retail allocation. The FBI Internet Crime Complaint Center logged a much higher average of $62,604 per cryptocurrency complaint in 2025, reflecting that reported complaints skew toward larger losses, with nearly 18,600 complainants each losing more than $100,000.
For a typical retail claimer:
| Outcome | Approximate Value |
|---|---|
| Median airdrop value (historical retail allocation) | $200-$1,200 |
| Average phishing-attempt loss (Scam Sniffer 2025 mean) | ~$790 |
| Average reported FBI complaint (skewed higher by reporting selection) | $62,604 |
| Probability of phishing exposure per claim attempt (industry estimate) | <1% for verified-channel claims; >50% for unsolicited-link claims |
Source: Scam Sniffer, FBI Internet Crime Complaint Center
Below roughly $800 in expected airdrop value, skipping the verification step turns the expected return negative. The fix is doing the security work once and claiming freely inside that framework, where per-claim downside collapses to gas cost.
Sybil Detection: How Legitimate Users Get Mis-Flagged
Arbitrum’s published anti-Sybil rules subtracted one eligibility point if all of a wallet’s transactions occurred within a 48-hour period, one point if the wallet balance was less than 0.005 ETH and the wallet had interacted with only one smart contract, and disqualified any wallet flagged as Sybil during the Hop protocol bounty program. Silent disqualification is the slower companion risk to phishing. Projects run Sybil-detection algorithms that occasionally catch legitimate users whose activity pattern looks automated by accident.
LayerZero identified over 800,000 suspected Sybil addresses across its airdrop campaign and offered self-reporters 15% of their original allocation within a 14-day window, while bounty hunters who flagged Sybil addresses received 10% of those addresses’ expected allocations. Optimism removed 17,000 Sybil addresses from Airdrop 1, with nearly 9,000 flagged by suspicious L1 activity, more than 11,000 by suspicious L2 activity, and almost 2,100 reported by community members; the more than 14 million OP tokens recovered were redistributed proportionally to eligible users.
Most coverage frames Sybil filtering as a fight between projects and farmers; CoinLaw’s tracking across exchange and wallet data shows the false-positive zone catches genuine retail participants too.
Behavioural advice for legitimate participants:
- Spread activity across weeks or months, not a single 48-hour window
- Maintain a wallet balance above 0.005 ETH at all times during the qualifying period
- Interact with multiple distinct protocols, not only the target project
- Fund each separate wallet from a different on-ramp, where possible. Sequential funding from a single source wallet to a series of identical addresses is the signature Sybil pattern
- Avoid bridging from a single source to dozens of receiving addresses on the same day
These are descriptions of real wallet usage, not gaming tactics. The point is to keep a legitimate participant’s pattern outside the cluster algorithm’s target.
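The two point deductions and the shared-funder pattern described above, written as the check a project-side filter (or a participant auditing their own history) could run; this is an added example, not Arbitrum's or LayerZero's code. The record shape, the placeholder addresses and the `minSize` cluster threshold are assumptions.

```javascript
const WINDOW_48H = 48 * 3600;  // seconds
const MIN_BALANCE_ETH = 0.005; // threshold quoted on the page

// One point off per matching rule, as the page describes Arbitrum's rules.
function arbitrumStyleDeductions(wallet) {
  const reasons = [];
  const times = wallet.txs.map((t) => t.timestamp);
  if (times.length > 0 && Math.max(...times) - Math.min(...times) <= WINDOW_48H) {
    reasons.push("all transactions within a 48-hour period");
  }
  const contracts = new Set(wallet.txs.map((t) => t.to.toLowerCase()));
  if (wallet.balanceEth < MIN_BALANCE_ETH && contracts.size === 1) {
    reasons.push("balance below 0.005 ETH and only one contract used");
  }
  return { deduction: reasons.length, reasons };
}

// Wallets funded by the same source on the same UTC day form a cluster.
// minSize = 3 is an assumed threshold; the page gives no number.
function sharedFunderClusters(wallets, minSize = 3) {
  const groups = new Map();
  for (const w of wallets) {
    const day = new Date(w.fundedAt * 1000).toISOString().slice(0, 10);
    const key = `${w.fundedBy.toLowerCase()}|${day}`;
    groups.set(key, [...(groups.get(key) || []), w.address]);
  }
  return [...groups].filter(([, addrs]) => addrs.length >= minSize)
    .map(([key, addresses]) => ({ funder: key.split("|")[0], day: key.split("|")[1], addresses }));
}

// Constructed records; addresses are short placeholders, not real accounts.
const T0 = 1700000000; // Unix seconds
const DAY = 86400;
const organic = { address: "0xa1", balanceEth: 0.2, fundedBy: "0xonramp", fundedAt: T0,
  txs: [{ timestamp: T0, to: "0xdex" }, { timestamp: T0 + 30 * DAY, to: "0xbridge" },
    { timestamp: T0 + 75 * DAY, to: "0xlend" }] };
const rushed = ["0xb1", "0xb2", "0xb3"].map((address, i) => ({
  address, balanceEth: 0.001, fundedBy: "0xsource", fundedAt: T0 + i * 60,
  txs: [{ timestamp: T0 + 600, to: "0xdex" }, { timestamp: T0 + 3600, to: "0xdex" }],
}));

console.log(arbitrumStyleDeductions(organic), arbitrumStyleDeductions(rushed[0]));
console.log(sharedFunderClusters([organic, ...rushed]));
```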
Step 6: Report Airdrops Correctly on Your Taxes
Per the IRS’s published FAQ, airdropped cryptocurrency received after a hard fork creates ordinary income equal to the fair market value of the new cryptocurrency when the transaction is recorded on the distributed ledger. That fair market value becomes the cost basis for any later disposal. The exposure begins at receipt, not at sale.
| Jurisdiction | Treatment at Receipt | Treatment on Disposal | Source |
|---|---|---|---|
| United States | Ordinary income at fair market value when recipient gains dominion and control | Capital gain or loss against cost basis equal to receipt-date FMV | IRS Revenue Ruling 2019-24 |
| United Kingdom (earned airdrop) | Income tax at receipt if recipient did something to earn (e.g., social post, protocol use) | Capital gains tax on later disposal | HMRC CRYPTO21250 |
| United Kingdom (unearned airdrop) | No income tax at receipt; zero cost basis | Full proceeds taxable as capital gain | HMRC CRYPTO21250 |
| Germany | Generally tax-free at receipt for passive airdrops | Subject to §23 EStG one-year holding rule for private sale | German §23 EStG |
Source: IRS, HMRC, German Income Tax Act
United States: Per IRS Revenue Ruling 2019-24, airdropped cryptocurrency received after a hard fork creates ordinary income equal to the fair market value of the new cryptocurrency on the date the recipient obtains dominion and control. The basis of the airdropped cryptocurrency equals the amount included in income on the federal income tax return. Practically: log the receipt date, the token quantity, and the fair market value in USD on that date. That figure is the income now and the cost basis for any later disposal.
United Kingdom: HMRC’s Cryptoassets Manual treats airdrops as taxable income at the point they are received if the recipient did something to earn the tokens, such as sharing a social media post or using a given protocol; airdrops where the recipient did nothing to earn them carry a zero cost basis for any later disposal. The UK’s Cryptoasset Reporting Framework applies from 1 January 2026 for in-scope reporting cryptoasset service providers, with the first reporting cycle covering the calendar year 2026. Capital gains tax may apply on subsequent disposal.
Basis tracking is what most claimers skip. A token worth $1,000 on receipt produces $1,000 of ordinary income now and a $1,000 cost basis later; selling for $1,400 triggers $400 of capital gain.
Tax treatment varies by country and personal circumstances. The pattern above covers IRS and HMRC; German, French, and EU treatment differs in detail. Consult a qualified tax professional before filing.
Common Pitfalls That Drain Wallets
Scam Sniffer’s 2025 attribution placed $8.72 million in losses across just three Permit signature attacks, the single largest category in the year’s drainer breakdown. Six recurring claim-time mistakes account for most preventable losses beyond the structural steps already covered:
- Approving unlimited token spend during a claim. A legitimate claim transfers tokens TO the wallet. Anything that requests a blanket allowance OVER tokens the wallet already holds is the attack pattern.
- Signing blind transactions on a hardware wallet. The device’s “Blind signing” toggle exists for advanced users on specific protocols; turning it on for an unsolicited claim is the same as removing the lock from the front door.
- Paying “claim fees” or “gas-only” payments to a third-party address. Real claims pay gas to the network, not a wallet. Any flow that asks the claimer to send ETH, USDC, or any token to an address as a prerequisite for receiving an airdrop is a drain.
- Claiming from a wallet that holds long-term assets. The dedicated-wallet rule in Step 1 exists precisely because attacks compromise everything the wallet has signing access to.
- Skipping the post-claim revocation pass. Approvals granted during qualification, especially “approve max” prompts to DEXs and bridges, remain active until explicitly revoked.
- Treating the airdrop date as the qualifying-activity date. Snapshot dates are typically weeks or months before the announced claim; activity after the snapshot does not qualify.
Tools That Reduce Airdrop Risk
Revoke.cash lets users inspect every contract approved to spend tokens on their behalf and revoke access from contracts no longer needed, including the unlimited allowances that scam sites trick claimers into granting. Five specific tools meaningfully reduce risk during the claim cycle, with each covering a different failure mode:
- MetaMask (Ethereum and EVM chains) and Phantom (Solana), both of which show transaction previews that surface unexpected token movements before signing
- Ledger and Trezor hardware wallets, where the physical confirmation step kills remote-drain attacks
- Etherscan and Solscan, where contract verification badges and read/write contract interfaces let claimers inspect exactly what a claim contract exposes
- Revoke.cash, for periodic approval audits across over a hundred networks at a roughly monthly cadence
- ScamSniffer and Chainabuse, extension- and database-level warnings against known phishing domains and reported scam contracts
The defensive stack is layered, and each tool neutralises a specific attack class.
Frequently Asked Questions (FAQs)
The FBI Internet Crime Complaint Center logged 181,565 cryptocurrency complaints in 2025 with total reported losses of $11.36 billion and an average loss of $62,604 per case, with nearly 18,600 complainants each losing more than $100,000. The questions below answer the recurring concerns that surface across that complaint volume, from legality and tax handling to recovery after a compromised approval.
Participating in airdrops is legal in most major jurisdictions, including the US and UK, but the received tokens are taxable. The IRS and HMRC both treat airdropped tokens as ordinary income at fair market value on the receipt date, with later sales triggering capital gains rules. Sanctions and KYC restrictions may apply for specific projects.
A hardware wallet is recommended for any wallet receiving or holding more than $1,000 of expected value. For low-value claims, a fresh software wallet with no other holdings reduces exposure adequately. The single most important rule is separation: never claim from a wallet holding long-term assets, regardless of wallet type.
Cross-verify the claim site against the project’s official website, X account, and Discord. Confirm the contract is source-verified on Etherscan or Solscan. Simulate the transaction in MetaMask or Phantom before signing. Refuse any flow that requests unlimited token approval or a gas-only payment to a third-party address.
Move any remaining tokens out of the affected wallet to a fresh address immediately. Then visit Revoke.cash and revoke the suspicious approval, paying the gas fee for the revocation transaction. Report the contract to ScamSniffer and Chainabuse. Assume any tokens still in the original wallet are at risk until proven otherwise.
Yes. Sybil-detection algorithms occasionally flag legitimate users whose activity patterns happen to resemble automated farming, such as activity compressed into a 48-hour window, low ETH balances below 0.005, or interaction with only the target protocol. Spreading qualifying actions across weeks and multiple protocols reduces false-positive risk.
Log the receipt date, token quantity, and USD fair market value of the tokens on the receipt date. That fair market value is the ordinary income to report, and it becomes the cost basis for any later sale. UK recipients use HMRC’s distinction between earned airdrops (income) and unearned airdrops (zero cost basis). Consult a qualified tax professional for jurisdiction-specific filing.
Conclusion
Scam Sniffer’s 2025 annual report logged $83.85 million stolen across 106,106 victims, an 83% year-on-year decline from 2024. The defensive protocol is procedural: a dedicated farming wallet, official-channel sourcing, contract verification before signing, transaction simulation, post-claim revocation, and structured tax tracking. CoinLaw’s crypto exchange volume data tracks how holders shift assets off exchanges in response to drainer incidents.
Sub-$1,000 retail claimers benefit most from this framework. The discipline reduces downside enough that the upside becomes worth pursuing; past airdrops are not predictive, and the guidance here is harm reduction, not absolute protection.