One day an unfamiliar token or NFT appears in your wallet that you never bought. It might be named after a real project and even show a tempting value. Almost always, it's bait — and the safe move is to do nothing.
Why scammers send you tokens
Anyone can send any token to any public address; it costs them almost nothing, and your address is public. The token is a lure designed to make you interact with it. The danger isn't holding it — it's what happens when you try to engage.
How the trap springs
- The "claim" or "swap" link. The token's name or an attached message points to a site to "claim" or sell it. That site is a phishing page that asks you to sign a draining transaction.
- The poisoned swap. Trying to sell a malicious token can prompt an approval that hands a contract control of a real asset.
- Address poisoning. A related trick sends a tiny transfer from an address that looks almost identical to one you use, hoping you'll later copy the wrong address from your history.
The rule: don't touch it
Leave the unknown token alone. Don't visit any site it references, don't try to sell it, don't approve anything for it. An unsolicited token sitting in your wallet is harmless as long as you never interact with it. Most wallets let you hide or mark it as spam, which is fine.
And for real airdrops
Legitimate airdrops exist, but you claim them by going to the project's official site yourself (via a bookmark or verified source), never by following a link from the token itself. If you can't independently verify it, treat it as a scam. When something unexpected shows up promising free money, the default answer is: ignore it.
- Visiting a 'claim' site linked from a surprise token — the core of the trap.
- Trying to sell a mystery token and signing an approval that drains a real asset.
- Copying a payout address from history that was 'poisoned' to look familiar.