The QR code that arrived by mail

October 2024. A holder in Portland receives an unsolicited postcard featuring a polished crypto logo and the message "You qualify for the OmniChain airdrop — scan QR to claim your 500 OMNI tokens." The QR code resolves to a wallet-connect page that looks legitimate. He connects his MetaMask and approves a "verification signature." What he actually approved is a setApprovalForAll call granting the attacker's address operator rights over his entire NFT portfolio. Drained in 90 seconds.

Why physical-mail airdrops feel real

Email phishing has trained most holders to be skeptical. A physical card in the mailbox triggers a different mental category — "official document," "actual mail," "someone paid for postage." The conversion rate on physical-mail crypto phishing is several times that of email, which is what justifies the higher cost per attempt.

The four hard rules

  • No legitimate airdrop is delivered by physical mail. Real airdrops are claimed via on-chain transactions, signaled through the project's own X/Discord, and require holding a specific token or completing a specific on-chain action. Nothing in that workflow requires the project to know your physical address.
  • QR codes on unsolicited mail are phishing. Same threat model as email links — the QR resolves to a URL the attacker controls. Treat physical QR codes with the same skepticism as suspicious links.
  • Wallet-connect from an unknown URL is the trap. Once a malicious site has your wallet's session, every signature prompt is the attacker's choice. The defense is to never connect to a URL you did not type yourself.
  • "Verification signatures" are the universal scam payload. Real protocols never need you to sign a "verification" — they verify by checking what addresses already hold what tokens. A signature request labeled "verify ownership" is the drainer.
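Rule four in working form: the "verification signature" is a plain contract call, and its calldata can be decoded before anything is signed. The following is an added example (not code from this post), a hypothetical pre-signing check that recognises setApprovalForAll and approve calldata and flags grants to operators the holder has not deliberately approved before; the allowlist and the drainer calldata are constructed placeholders.

```python
from typing import Optional

# 4-byte selectors: the first 4 bytes of keccak256 of the function signature.
SELECTORS = {
    "a22cb465": "setApprovalForAll(address,bool)",  # ERC-721 / ERC-1155 operator grant
    "095ea7b3": "approve(address,uint256)",          # ERC-20 allowance / ERC-721 single token
}
MAX_UINT256 = 2**256 - 1

# Constructed allowlist: operators the holder has knowingly approved in the past.
KNOWN_OPERATORS = {"0x2222222222222222222222222222222222222222"}


def decode_approval(calldata: str) -> Optional[dict]:
    """Decode setApprovalForAll / approve calldata; None if it is neither."""
    data = calldata.lower().removeprefix("0x")
    if len(data) < 8 + 64 + 64:          # selector + two 32-byte ABI words
        return None
    name = SELECTORS.get(data[:8])
    if name is None:
        return None
    word0, word1 = data[8:72], data[72:136]
    if word0[:24] != "0" * 24:           # an address word has 12 zero bytes on top
        return None
    return {"function": name, "target": "0x" + word0[24:], "value": int(word1, 16)}


def assess_signature_request(calldata: str) -> dict:
    """Classify what the wallet is being asked to sign."""
    decoded = decode_approval(calldata)
    if decoded is None:
        return {"risk": "unknown", "reason": "not an approval call"}
    fn, target, value = decoded["function"], decoded["target"], decoded["value"]
    if value == 0:                       # approved=false / allowance 0 is a revocation
        return {"risk": "low", "reason": f"{fn} revokes {target}"}
    if fn.startswith("setApprovalForAll"):
        grants = "control of every token in the collection"
    else:
        grants = "an unlimited allowance" if value == MAX_UINT256 else f"an allowance of {value}"
    if target in KNOWN_OPERATORS:
        return {"risk": "medium", "reason": f"{fn} grants {grants} to known operator {target}"}
    return {"risk": "high", "reason": f"{fn} grants {grants} to unknown address {target}"}


# Constructed sample: the postcard's "verification signature" as raw calldata,
# setApprovalForAll(<attacker placeholder>, true).
DRAINER_CALLDATA = (
    "0xa22cb465"
    + "1111111111111111111111111111111111111111".rjust(64, "0")
    + "1".rjust(64, "0")
)
```

The same decoder applied to the calldata revoke.cash produces for a cleanup transaction returns the low-risk "revokes" verdict, which is how a wallet can tell the drainer grant from its undo.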

If you signed

Go to revoke.cash immediately and revoke every approval to non-mainstream contracts. Move every NFT and high-value token to a fresh wallet you control. The attacker may not have moved fast enough — most attacks happen within 5–15 minutes of the signature, so if it has been longer than an hour, check the wallet before panicking; you may have escaped because the attacker had higher-priority targets in queue.

What I do with these cards

Shred them. The address is now known to the scammer, and "no response" itself is information — it tells them you are skeptical, and they may try a more sophisticated approach next. But the QR code on the card is non-actionable trash.