Short answer
If you connected your wallet to a fake airdrop claim page and signed a transaction, the funds are almost always gone. The blockchain is irreversible, and the attacker drains immediately or schedules the drain for a low-attention moment. Recovery is essentially impossible. The action now is damage control: revoke any remaining approvals at revoke.cash, monitor the wallet for further activity, consider migrating remaining assets to a fresh seed, and report to the FBI IC3 for the statistical record (rarely produces recovery but matters for insurance claims).
The attack pattern
The user sees a tweet, Discord announcement, or Google ad promoting a "free airdrop" from a real-sounding project (Uniswap, Arbitrum, recent Layer 2). The link goes to a clone of the real project's site. The user connects their wallet, clicks "Claim," and is prompted to sign a transaction or signature.
The transaction is not an airdrop claim — it's a setApprovalForAll or Permit2 signature that grants the attacker permission to drain the wallet's tokens. The user signs, expecting tokens to arrive, but instead the wallet drains immediately or within hours.
By Chainalysis's 2025 mid-year report, approval-phishing including fake airdrops accounted for roughly $2 billion in crypto losses globally in 2024.
Immediate cleanup steps
1. Go to revoke.cash immediately. Connect the affected wallet. Revoke every approval you don't recognize. Especially revoke any unlimited approvals to addresses that aren't well-known dApps. Cost: gas for the revoke transaction(s).
2. Check transaction history on Etherscan. Look for "transfer" or "transferFrom" transactions you didn't initiate. These confirm the drain happened.
3. If significant funds remain, migrate. Generate a fresh seed phrase on a clean device, transfer remaining tokens to the new wallet's addresses. The old wallet is potentially still compromised — the attacker may have additional approvals you missed.
4. Set up monitoring. Etherscan email alerts for the old wallet. If any unexpected transaction occurs, you'll know within hours.
What about reporting?
For US holders: file a complaint with FBI IC3 at ic3.gov. Report to the FTC if the scam was advertised on Google or social media. For losses above $100K, retain a crypto-litigation lawyer — there are known investigation paths via Chainalysis Reactor and TRM Labs that occasionally identify attackers and result in fund seizure, though this is slow and rarely produces full recovery.
For tax purposes: a documented theft (police report + IC3 complaint) can be claimed as a casualty loss on US federal taxes for the loss amount, partially offsetting the financial damage.
The hardest part: accepting the loss
Most US holders who lose to fake airdrops spend months chasing "recovery services" advertised on Reddit, Telegram, or Google ads. Every one of these is a secondary scam — they take upfront fees ($500-5,000) and disappear, or worse, ask for your remaining wallet's private keys.
The blockchain has no chargeback. Once funds are drained by an authorized signature, the only entity who can return them is the attacker. They won't.
Further reading: Phishing, revoke.cash, setApprovalForAll.