The token that wasn't free
September 2024. A holder in Chicago notices a new token in his MetaMask sidebar: "USDT Airdrop Reward — claim 5,000." Etherscan shows the contract has been distributing this token to thousands of wallets that hold USDT. The claim site looks polished, and the projected reward is $5,000 in real USDT after "verification."
The verification page asks for a signature to "prove wallet ownership." The signature is an EIP-712 typed-data message that, when relayed, drains every approved token from the wallet. He had previously approved USDT spending on Uniswap and Aave. Both balances vanish.
The dust-and-bait pattern
- Step 1: the attacker sends a worthless token to thousands of wallets, named to mimic a real airdrop. The token shows up in wallet UIs automatically.
- Step 2: the token's contract metadata points to a "claim" website.
- Step 3: the claim page exploits the visitor's existing approvals to drain assets — the dropped token itself is never the target.
Three rules
- Unsolicited tokens are bait, not gifts. If a token appears in your wallet that you did not buy, swap for, or receive from a known source, treat it as a phishing lure. Do not click its contract address.
- Real airdrops do not require a signature with token-spending scope. A real claim is either a transaction calling claim(amount, proof) or — for retroactive airdrops — a direct transfer that already arrived. No signature is needed to "verify ownership."
- Hide, don't interact. In MetaMask, right-click the spam token and hide it. Do not click its name, do not visit its website, do not let curiosity drive the next move.
The proactive defense
Audit approvals every month at revoke.cash. Most US holders carry 30–80 stale approvals from past DeFi experiments — each one is an open door. Revoke everything you are not actively using. The gas cost is one-time; the security improvement is permanent.
What dust-tokens look like in 2026
Names have evolved: "BlackRock Bitcoin ETF Claim," "USDC Compensation Pool," "Coinbase Layer-2 Bonus." The pattern is the same — exploit a real news event to make the fake token feel plausible.