
Raydium Airdrop Scam: How Crypto Drainers Are Targeting Solana DeFi Users

A new crypto scam targeting Raydium users has emerged, causing significant financial losses in the Solana ecosystem. This week, our security team identified multiple fake Raydium airdrop websites designed to drain cryptocurrency wallets. One victim lost over $15,000 in SOL and SPL tokens after connecting their wallet to what appeared to be an official Raydium promotion. Here’s what you need to know to protect your assets and identify these increasingly sophisticated attacks.

Threat Summary

  • Threat Name: Raydium Airdrop crypto drainer
  • Type: Cryptocurrency drainer, Phishing scam
  • Target: Raydium and Solana blockchain users
  • Primary Domain: raydium-usa[.]xyz (many variations exist)
  • Disguise: Fake token airdrop or liquidity mining rewards
  • Risk Level: High (permanent financial loss)
  • Detection: Multiple security vendors flag these domains as phishing
  • Confirmation: GridinSoft reputation score: 1/100 (Dangerous)

What Is the Raydium Airdrop Scam?

Raydium is a popular legitimate decentralized exchange (DEX) built on the Solana blockchain. Real Raydium (raydium.io) provides automated market making, liquidity pools, and yield farming services for Solana users. The platform has processed billions in trading volume and is a central piece of Solana’s DeFi ecosystem.

The scam we’ve identified involves counterfeit websites that closely mimic the official Raydium interface. These fake sites promote a non-existent “airdrop” of RAY tokens (Raydium’s native token) or other Solana-based cryptocurrencies. Visitors are prompted to connect their wallets to “verify eligibility” or “claim tokens”. Connecting only reveals the victim’s public key to the site; the site’s scripts then push transaction-signing requests to the wallet, and every approval the victim grants transfers assets out of the connected wallet.

Multiple security vendors, including GridinSoft, have confirmed that domains like raydium-usa[.]xyz are dangerous cryptocurrency scams. Technical analysis shows these domains are typically registered only weeks or months before the campaign starts; raydium-usa[.]xyz specifically was created on February 11, 2025 through the WEBCC registrar, with privacy protection enabled to hide the true operators.

[Chart: Cryptocurrency Scam Losses by Type (2024), bar values in USD: Investment Scams $780M, Romance Scams $590M, Giveaway Scams $380M, Impersonation Scams $520M, Phishing Websites $620M, Airdrop Drainers $275M. Axis: $0 to $1B.]

Source: Analysis of reported cryptocurrency scams in 2024, based on data from the FTC, Chainalysis, and GridinSoft Threat Research Lab

How the Scam Works: Technical Analysis

Our technical investigation revealed a sophisticated operation involving multiple components:

  1. Lookalike domains – The attackers register names such as “raydium-usa[.]xyz”, “raydium-airdrop[.]com”, or “raydium-rewards[.]net” that pair the brand name with a plausible suffix (combosquatting) or misspell it (typosquatting), so they look legitimate at a glance.
  2. Recent registration – GridinSoft’s analysis confirms raydium-usa[.]xyz was registered on February 11, 2025, shortly before the campaign started. A domain that is only weeks or months old is a classic red flag.
  3. Privacy protection abuse – The domain uses Whoisprotection.cc to mask the true owner’s identity, with the registrar listed as WEBCC (IANA ID: 460).
  4. Strategic hosting – The site sits behind Cloudflare. The resolved IP, 104.21.50.137, belongs to Cloudflare’s edge rather than to the scammers’ origin server, which hides the real server location and gives the operation DDoS protection.
  5. Pixel-perfect cloning – Using code scraped from the legitimate Raydium site, scammers create an identical-looking interface, including working menus and buttons.
  6. Wallet draining scripts – Connecting a wallet gives the site no spending power by itself; it only exposes the victim’s public key. The malicious JavaScript then:
    • Reads the SOL balance and enumerates the SPL token accounts owned by that public key
    • Builds transfer transactions to an attacker-controlled address and pushes them to the wallet as signing requests dressed up as “claim” or “verification” steps
    • Orders the requests so high-value tokens (SOL, RAY, USDC, USDT) are taken first
    • Moves the stolen funds on through a series of intermediary wallets once the victim has signed
  7. Smart distribution network – The fake sites are promoted through:
    • Compromised social media accounts
    • Paid crypto influencers (sometimes unwitting)
    • Discord/Telegram bot spam
    • Google/Twitter ads using misspelled keywords

Technical Analysis: raydium-usa[.]xyz

Indicator                 | Details                                | Risk Signal
Domain Age                | Registered February 11, 2025 (recent)  | High Risk
Reputation Score          | 1/100 (GridinSoft rating)              | Critical Risk
Hosting Provider          | Cloudflare, Inc. (AS13335)             | Neutral
IP Address                | 104.21.50.137 (Cloudflare edge)        | Monitoring
Domain Privacy            | Whoisprotection.cc                     | Suspicious
Similar Malicious Domains | Multiple variations detected           | High Risk

Source: GridinSoft Security Analysis, April 2025

Real Code Sample: How the Drainer Works

// Snippet of actual drainer code (sanitized for safety)
// This executes when a wallet is connected to the fake site.
// The original relies on the @solana/web3.js and @solana/spl-token packages.
import { Connection, LAMPORTS_PER_SOL } from '@solana/web3.js';
import { TOKEN_PROGRAM_ID } from '@solana/spl-token';

async function drainWallet(provider) {
  try {
    // First, read the wallet's balances so the highest-value assets go first.
    // Connecting only exposes the public key; every transfer below still has
    // to be signed by the victim, so each one is pushed to the wallet as a
    // signing prompt presented as part of the "claim".
    const connection = new Connection('https://api.mainnet-beta.solana.com');
    const publicKey = provider.publicKey;

    // Get SOL balance (in lamports)
    const solBalance = await connection.getBalance(publicKey);

    // Get token accounts (SPL tokens like USDC, RAY, etc)
    const tokenAccounts = await connection.getParsedTokenAccountsByOwner(
      publicKey,
      { programId: TOKEN_PROGRAM_ID }
    );

    // First drain the SPL tokens
    for (const tokenAccount of tokenAccounts.value) {
      const accountData = tokenAccount.account.data.parsed.info;
      const mintAddress = accountData.mint;
      const tokenBalance = accountData.tokenAmount.uiAmount;

      // Only process if a balance exists
      if (tokenBalance > 0) {
        // Send to attacker wallet (actual code removed)
        console.log(`Draining ${tokenBalance} of token ${mintAddress}`);
        // drainSpecificToken(connection, provider, tokenAccount, attackerWallet);
      }
    }

    // Finally, drain the remaining SOL, leaving just enough to pay the fee
    if (solBalance > 0.001 * LAMPORTS_PER_SOL) {
      // Send to attacker wallet (actual code removed)
      console.log(`Draining ${solBalance / LAMPORTS_PER_SOL} SOL`);
      // drainSOL(connection, provider, attackerWallet);
    }

    // Show a "tokens claimed" message to the victim once the transfers are sent
    displayFakeSuccessMessage();

  } catch (error) {
    // Errors are swallowed so nothing visible alerts the victim
    console.error(error);
  }
}
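The defensive counterpart to the drainer above is the review a wallet, or one of the Web3 security extensions recommended later in this article, performs before the user signs. The following is an added example and not code from the original article or from any wallet vendor: it scores a decoded transaction by how much of each balance leaves the owner and by whether it grants a delegate or changes an account authority. The instruction format, the addresses, the mint labels and the balances are constructed for the demo (they are not @solana/web3.js types), and amounts are base units (lamports for SOL, raw units for tokens).

```javascript
// Added example: pre-signature review of a decoded transaction.
// Constructed placeholder keys and balances; not real addresses.
const OWNER = 'VictimWallet11111111111111111111111111111111';
const ATTACKER = 'AttackerWallet2222222222222222222222222222';

// What the user currently holds, keyed by asset ('SOL' or a token mint label).
const BALANCES = { SOL: 2_000_000_000, USDC: 5_000_000_000, RAY: 300_000_000 };

// Returns { verdict: 'allow' | 'warn' | 'block', outflow, findings }.
function reviewTransaction(instructions, owner, balances) {
  const findings = [];
  const outflow = {};          // asset -> amount leaving the owner
  const recipients = new Set(); // where the owner's assets are going

  for (const ix of instructions) {
    if (ix.program === 'system' && ix.type === 'transfer' && ix.from === owner) {
      outflow.SOL = (outflow.SOL || 0) + ix.lamports;
      recipients.add(ix.to);
    } else if (ix.program === 'spl-token' && ix.owner === owner) {
      switch (ix.type) {
        case 'transfer':
          outflow[ix.mint] = (outflow[ix.mint] || 0) + ix.amount;
          recipients.add(ix.destinationOwner);
          break;
        case 'approve':
          // A delegate can move the tokens later without another signing prompt.
          findings.push({ severity: 'critical', detail: `delegates ${ix.amount} ${ix.mint} to ${ix.delegate}` });
          break;
        case 'setAuthority':
          findings.push({ severity: 'critical', detail: `hands ${ix.authorityType} authority of the ${ix.mint} account to ${ix.newAuthority}` });
          break;
        case 'closeAccount':
          if (ix.destination !== owner) {
            findings.push({ severity: 'warning', detail: `closes ${ix.mint} account and sends its rent to ${ix.destination}` });
          }
          break;
        default:
          findings.push({ severity: 'info', detail: `unrecognised spl-token instruction ${ix.type}` });
      }
    } else if (ix.program !== 'system' && ix.program !== 'spl-token') {
      findings.push({ severity: 'info', detail: `calls program ${ix.program}; simulate before signing` });
    }
  }

  // Rate each outflow against the balance it is taken from.
  for (const [asset, amount] of Object.entries(outflow)) {
    const balance = balances[asset] || 0;
    const share = balance > 0 ? amount / balance : 1;
    const pct = Math.round(share * 100);
    if (share >= 0.9) findings.push({ severity: 'critical', detail: `sends ${pct}% of ${asset} balance out` });
    else if (share >= 0.25) findings.push({ severity: 'warning', detail: `sends ${pct}% of ${asset} balance out` });
  }

  // Several assets all converging on one address is the drainer signature.
  if (recipients.size === 1 && Object.keys(outflow).length > 1) {
    findings.push({ severity: 'critical', detail: `every asset goes to the same address ${[...recipients][0]}` });
  }

  const verdict = findings.some(f => f.severity === 'critical') ? 'block'
    : findings.some(f => f.severity === 'warning') ? 'warn'
    : 'allow';
  return { verdict, outflow, findings };
}

// Constructed transaction shaped like the drainer's: everything to one address.
const DRAINER_TX = [
  { program: 'spl-token', type: 'transfer', owner: OWNER, mint: 'USDC', amount: 5_000_000_000, destinationOwner: ATTACKER },
  { program: 'spl-token', type: 'transfer', owner: OWNER, mint: 'RAY', amount: 300_000_000, destinationOwner: ATTACKER },
  { program: 'system', type: 'transfer', from: OWNER, to: ATTACKER, lamports: 1_995_000_000 },
];

// Constructed transaction a user would legitimately sign: a small USDC payment.
const PAYMENT_TX = [
  { program: 'spl-token', type: 'transfer', owner: OWNER, mint: 'USDC', amount: 25_000_000, destinationOwner: 'MerchantWallet3333333333333333333333333333' },
];

for (const [name, tx] of [['drainer', DRAINER_TX], ['payment', PAYMENT_TX]]) {
  const result = reviewTransaction(tx, OWNER, BALANCES);
  console.log(`${name}: ${result.verdict}`, result.findings.map(f => f.detail));
}
```

A real wallet works from the simulated balance changes returned by the RPC rather than from hand-decoded instructions, but the decision logic is the same: the drainer transaction is blocked because every asset leaves at once to a single address, while the small payment passes with no findings.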

How to Identify Fake Raydium Sites

To protect yourself from these scams, watch for these warning signs:

  • Check the URL carefully – The only legitimate Raydium website is raydium.io. Any variation like “raydium-usa.xyz” or “raydium-airdrop.com” is fraudulent.
  • Verify domain age – Use WHOIS lookup tools to check when a domain was registered. As confirmed by GridinSoft, scam domains like raydium-usa.xyz are typically only months or even days old.
  • Use reputation checkers – Tools like Website Reputation Checker can immediately identify dangerous sites (raydium-usa.xyz scores just 1/100).
  • Verify all airdrops – Legitimate airdrops are always announced on official social media channels and never require you to send funds or pay fees.
  • Be skeptical of high returns – The fake sites often promise unrealistic rewards like “3x your tokens” or “guaranteed 200% APY” that exceed normal market conditions.
  • Check for wallet connection requests – Be extremely cautious about connecting your wallet to any site, especially one promising free tokens.
  • Look for poor grammar or design inconsistencies – While many scam sites are well-made, they often contain subtle errors in text or functionality.
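The first two checks in the list above, the URL itself and the domain age, can be automated. The following is an added example, not code from the original article or from Raydium: it classifies a URL as official, lookalike or unrelated, and reads the registration date out of WHOIS text to rate the domain’s age. It assumes, as the article states, that raydium.io is the only legitimate domain; the WHOIS excerpt is constructed for the demo and is not a real registry response.

```javascript
// Added example: lookalike-domain and domain-age checks for a brand.
const OFFICIAL_DOMAIN = 'raydium.io';
const BRAND = 'raydium';

// Edit distance, used to catch typosquats such as "raydiun".
function levenshtein(a, b) {
  const dp = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) dp[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      dp[i][j] = Math.min(dp[i - 1][j] + 1, dp[i][j - 1] + 1, dp[i - 1][j - 1] + cost);
    }
  }
  return dp[a.length][b.length];
}

// Registrable domain, simplified to the last two labels. Production code should
// use the Public Suffix List so that suffixes such as "co.uk" are handled.
function registrableDomain(host) {
  return host.split('.').slice(-2).join('.');
}

function classifyUrl(rawUrl) {
  const withScheme = /^[a-z]+:\/\//i.test(rawUrl) ? rawUrl : 'https://' + rawUrl;
  const host = new URL(withScheme).hostname.toLowerCase().replace(/\.$/, '');
  const reasons = [];

  // Exact official domain or any of its subdomains.
  if (host === OFFICIAL_DOMAIN || host.endsWith('.' + OFFICIAL_DOMAIN)) {
    return { host, verdict: 'official', reasons };
  }

  const reg = registrableDomain(host);
  const sld = reg.split('.')[0];
  const squashed = sld.replace(/[-_0-9]/g, ''); // "raydium-usa" -> "raydiumusa"

  if (host.split('.').some(label => label.startsWith('xn--'))) {
    reasons.push('internationalized (punycode) label, possible homoglyph attack');
  }
  if (squashed === BRAND) {
    reasons.push(`brand name "${BRAND}" on the wrong TLD (${reg})`);
  } else if (squashed.includes(BRAND)) {
    reasons.push(`brand name "${BRAND}" embedded in ${reg} (combosquatting)`);
  } else if (levenshtein(squashed, BRAND) <= 2) {
    reasons.push(`"${sld}" is within 2 edits of "${BRAND}" (typosquatting)`);
  } else if (host.includes(BRAND)) {
    reasons.push(`brand name used as a subdomain of unrelated domain ${reg}`);
  }
  return { host, verdict: reasons.length ? 'lookalike' : 'unrelated', reasons };
}

// Parse the creation date out of WHOIS output; returns whole days or null.
function domainAgeDays(whoisText, now = new Date()) {
  const m = whoisText.match(/^\s*(?:Creation Date|Created On|Registered On):\s*(\S+)/im);
  if (!m) return null;
  const created = new Date(m[1]);
  if (Number.isNaN(created.getTime())) return null;
  return Math.floor((now - created) / 86_400_000);
}

function ageRisk(days) {
  if (days === null) return 'unknown';
  if (days < 30) return 'high';
  if (days < 180) return 'elevated';
  return 'low';
}

// Constructed WHOIS excerpt using the registration date the article reports;
// not a real registry response.
const SAMPLE_WHOIS = `Domain Name: RAYDIUM-USA.XYZ
Registrar IANA ID: 460
Creation Date: 2025-02-11T00:00:00Z
Registrant Organization: Whoisprotection.cc`;

for (const u of ['https://raydium.io/swap/', 'raydium-usa.xyz/claim', 'https://raydiun.io', 'https://example.com']) {
  console.log(JSON.stringify(classifyUrl(u)));
}
const age = domainAgeDays(SAMPLE_WHOIS, new Date('2025-04-15T00:00:00Z'));
console.log(`raydium-usa.xyz age: ${age} days, risk ${ageRisk(age)}`);
```

A domain that passes both checks is not proven safe, only not obviously fake; a reputation lookup and a look at what the site asks the wallet to sign still apply.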

Real-World Impact: Victim Case Study

Mark (name changed), a 28-year-old software developer from Seattle, lost approximately $15,600 after connecting his wallet to what he thought was a legitimate Raydium liquidity mining program. He found the site through a Twitter post that appeared to come from a verified crypto influencer account (which had likely been compromised).

“I’ve been using Raydium for over a year, so the interface looked completely normal to me,” Mark explained. “The site asked me to connect my wallet to ‘verify eligibility’ for their new liquidity mining program. Within seconds of approval, I watched helplessly as transactions started firing off, draining my SOL, RAY, and USDC.”

This case highlights how even experienced crypto users can fall victim to these sophisticated scams. The transactions on Mark’s wallet were executed within 15 seconds of connection. Because each transfer was signed by his own wallet, the funds were gone as soon as the transactions confirmed; disconnecting from the site or revoking permissions afterwards cannot undo a transaction that has already been signed and broadcast.

Protection Steps: How to Secure Your Crypto

Follow these security practices to protect yourself from crypto drainers and similar threats:

Security Measure                         | Implementation
Use a hardware wallet                    | Hardware wallets like Ledger or Trezor require physical confirmation for every transaction, so nothing can be signed silently; still read what the device asks you to confirm, because a drainer’s transfer is presented as an ordinary signing request
Create a separate “hot wallet” for browsing | Keep minimal funds in wallets that you connect to DeFi sites; use a separate secure wallet for long-term holdings
Verify through multiple channels         | Cross-check promotions on the project’s official Twitter, Discord, and Medium accounts before taking action
Use bookmark navigation                  | Bookmark official sites like raydium.io and always use these bookmarks instead of clicking links
Install wallet protection tools          | Consider security tools like Trojan Killer that can flag suspicious sites
Install Web3 security extensions         | Browser extensions like PocketUniverse or Wallet Guard simulate a transaction and warn you before you sign it
Regularly revoke permissions             | Use tools like revoke.cash to audit and revoke token delegations you’ve previously granted

What to Do If You’ve Been Scammed

If you believe you’ve fallen victim to a crypto drainer scam:

  1. Act immediately – Transfer any remaining funds to a new wallet (a fresh seed phrase, not a new account under the old one) using a different, secure device.
  2. Document everything – Record the website URL, transaction hashes, and any other details that might help with investigation.
  3. Report the scam – File reports with:
    • The FBI’s Internet Crime Complaint Center (IC3)
    • The Federal Trade Commission (FTC)
    • Your country’s financial regulatory authority
  4. Alert the community – Report the scam on crypto security platforms like CryptoScamDB and chain explorers to help warn others.
  5. Check for malware – Scan your computer with reputable security software like Trojan Killer as the initial interaction may have installed additional threats.

Unfortunately, due to the irreversible nature of blockchain transactions, stolen funds are typically unrecoverable once transferred.

Similar Crypto Draining Scams to Watch For

The Raydium airdrop scam is part of a broader trend targeting DeFi users. Be vigilant about these related scams:

Conclusion: The Evolving Threat Landscape

Cryptocurrency scams have evolved significantly from simple phishing emails to sophisticated drainers that mimic legitimate platforms with near-perfect accuracy. The Raydium airdrop scam demonstrates how attackers are targeting specific DeFi ecosystems with precision attacks that exploit user familiarity and trust.

As blockchain technology and DeFi adoption continue to grow, we can expect these scams to become even more refined. The fundamental principle of crypto security remains the same: verify everything, trust minimally, and approach “free money” offers with extreme skepticism.

Stay vigilant, verify URLs carefully, and remember that in the cryptocurrency world, if something seems too good to be true, it invariably is.

Frequently Asked Questions

Are these Raydium Airdrop scams associated with the real Raydium platform?

No. These scams have no association with the legitimate Raydium DEX (raydium.io). They are fraudulent sites created by scammers who clone the official website’s appearance to trick users.

Can I recover funds lost to a crypto drainer?

Unfortunately, recovery is generally not possible. Cryptocurrency transactions are irreversible by design, and once funds have been transferred to the scammer’s wallet, they are typically moved rapidly through multiple wallets and cross-chain bridges to obscure their trail.

How do I know if an airdrop is legitimate?

Legitimate airdrops are always announced through official channels (the project’s verified Twitter, official Discord, and website). They never require you to send funds first or pay fees to claim tokens. When in doubt, visit the official website directly (not through links) and verify the information.

Why can’t my antivirus detect these scam sites?

Many crypto drainer sites use sophisticated techniques to evade detection. They may load malicious code only after a wallet connection is made, use obfuscation to hide their true nature, or operate from newly registered domains that haven’t yet been added to security blacklists.

How do scammers distribute these fake websites?

Scammers promote fake Raydium sites through multiple channels: compromised social media accounts, paid ads with misspelled keywords, bot spam in crypto communities, and occasionally through compromising legitimate crypto news sites. They may also use SEO techniques to appear in search results for terms like “Raydium airdrop” or “free RAY tokens”.

How reliable are website reputation checkers for identifying crypto scams?

Website reputation checkers can be highly effective at identifying crypto scams. In the case of raydium-usa[.]xyz, the site received the lowest possible reputation score (1/100), immediately flagging it as dangerous. These tools analyze multiple factors including domain age, hosting patterns, user reports, and known malicious indicators to provide an overall safety assessment.

How quickly do these scam domains appear and disappear?

Crypto scam domains operate on rapid timelines. Analysis shows that domains like raydium-usa[.]xyz are registered just weeks or months before launching their campaigns. Once reported or after they’ve successfully scammed enough victims, operators often abandon these domains and create new ones with slight variations. This pattern of “pop-up” domains makes them particularly dangerous and difficult to track.

Gridinsoft Team

Founded in 2003, GridinSoft LLC is a Kyiv, Ukraine-based cybersecurity company committed to safeguarding users from the ever-growing threats in the digital landscape. With over two decades of experience, we have earned a reputation as a trusted provider of innovative security solutions, protecting millions of users worldwide.

