Share
CRYPTO DRAINER

Fake ETH Genesis airdrop: the connect error that steals your seed phrase

A site called genesispool[.]org claims an "Ethereum Genesis" token event with a $25M community pool. It shows a normal wallet-connect dialog. Pick "Other Wallet" and it fakes a "connection too busy" error, then asks you to type your recovery phrase to keep going. That phrase is the whole wallet. PCRisk and Gridinsoft flagged this around June 19, 2026. Here is how the new trick works and why no real airdrop ever asks for your seed phrase.

SafeBrowz Threat Research

Verdict: scam / wallet drainer

The "Ethereum Genesis" airdrop on genesispool[.]org is a scam and a wallet drainer. Ethereum has no Genesis token, no Genesis pool, and no Genesis airdrop. PCRisk and Gridinsoft flagged the site around June 19, 2026, and Gridinsoft's reputation checker scores it 1 out of 100. The page fakes legitimacy with invented numbers, a $25M community pool, 12.5M tokens, and 184,000 wallets, then shows a wallet-connect dialog listing MetaMask, Trust Wallet, Coinbase Wallet and Ledger plus an "Other Wallet" button. Choose "Other Wallet" and the site stalls, throws a fake "connection too busy" error, and offers to let you skip the wait by typing your recovery phrase straight into the page. That is the trap. A seed phrase handed to a website is total, permanent control of every address it derives, so the wallet is emptied the moment you submit it. The real Ethereum site is ethereum.org, the Ethereum Foundation does not run airdrops through third-party sites, and no legitimate airdrop or wallet ever needs your 12 or 24 word seed phrase. The same do-not-claim rule covers the fake Hyperliquid eligibility airdrop and every other surprise-token campaign on every chain.

Why a fake "Ethereum Genesis" airdrop works

Ethereum has a real, famous history with the word "genesis." The genesis block is the very first block of the chain, and the 2014 presale that funded the network is part of crypto folklore. Scammers borrow that weight. "Ethereum Genesis" sounds like an early-community reward, a thank-you to the people who were there at the start. It is convincing precisely because it is vague and historic, and because most people never check whether such a distribution actually exists.

It does not. There is no Ethereum Genesis token, no GES or GEN pool tied to the Ethereum Foundation, and no official Genesis airdrop. Ether is ETH. The Ethereum Foundation does not hand out new tokens through claim sites, and its scam-help page is explicit that it does not run giveaways or distributions on third-party domains. Anything telling you to "claim your Ethereum Genesis allocation" on a site that is not ethereum.org is fabricated.

This campaign is not unique in its goal, only in its delivery. Crypto-fraud trackers like Scam Sniffer and Chainabuse have logged thousands of fake-airdrop drainer pages, and Chainalysis has reported that approval-based and credential phishing remains one of the largest sources of crypto theft. What makes genesispool[.]org worth a closer look is the specific new twist it uses to get your seed phrase out of you.

What the genesispool[.]org scam looks like, step by step

The page is built to feel like a real token launch, then funnel you into one fatal action. Knowing the shape is most of the defense.

  1. Manufactured legitimacy. The site claims a $25M community pool, 12.5M tokens to distribute, and 184,000 wallets already participating. Those numbers are invented. They exist only to make the offer feel real and to push you to act before you think.
  2. A "Claim your tokens" button. You are told you are eligible for an early-community allocation. A countdown or "limited" framing nudges you to hurry.
  3. A familiar wallet-connect dialog. Clicking claim opens a connect screen offering MetaMask, Trust Wallet, Coinbase Wallet and Ledger, plus a generic "Other Wallet" option. It looks exactly like the real WalletConnect-style chooser you have seen on legitimate dApps.
  4. The "Other Wallet" trap. Select "Other Wallet" and the site shows a brief loading spinner, then claims its "connection system is too busy" to complete the link right now.
  5. The fake fix: type your seed phrase. To "bypass the wait" and claim anyway, the page invites you to enter your wallet recovery phrase directly into a text box on the site. This is the entire attack dressed up as a workaround.
  6. Instant, total drain. A seed phrase typed into a website hands the operator every private key it generates. There is no further popup to approve and nothing to undo. The attacker imports your phrase and sweeps every asset across every address, often within minutes.

The live drainer in this campaign is genesispool[.]org (do not visit it). The real Ethereum site is ethereum.org, and it will never ask you to connect a wallet or type a seed phrase to "claim a Genesis allocation," because no such allocation exists.

๐Ÿ›ก LIVE CHECK

Test that airdrop link before you connect

Saw an "Ethereum Genesis" claim page, a wallet-connect popup, or any airdrop link and not sure about it? Paste it below before you connect a wallet or type anything. Our 3-layer engine (Local + APIs + AI) returns a verdict in about 3 seconds. Free, no signup.

Full scan with deep AI analysis โ†’ ยท No URL is logged to your identity.

The new twist: a fake error that asks for your recovery phrase

Most wallet drainers want a signature. They get you to a copycat page, you connect, and a wallet popup asks you to approve a token allowance or sign a Permit2 message. The drain happens when you sign. That attack is dangerous, but it still runs through your wallet software, which at least shows a popup and gives a careful user a chance to read it.

The Genesis page skips all of that. By faking a connection failure on the "Other Wallet" path, it manufactures a reason for you to abandon the safe route and do something you would normally never do: type your seed phrase into a web form. There is no malicious signature to spot, because there is no signature at all. You simply hand over the master key.

This is worse than a signature attack in one specific way. A bad approval can sometimes be revoked before the drainer moves, and it only affects the assets and chains you approved. A seed phrase is everything. It regenerates every private key for every address that wallet has ever held or will ever hold, on every chain. Once it is submitted, there is nothing to revoke, because the thief now holds the wallet itself, not a permission you granted to it. That is why "type your phrase to verify" is the most expensive sentence in crypto.

Why no real airdrop or wallet ever asks for your seed phrase

Your recovery phrase is the wallet. It is the human-readable form of the master seed that every private key is derived from. Whoever has the 12 or 24 words can recreate the wallet on any device and move everything in it. That is why the rule is absolute, with no exceptions for "verification," "syncing," "claiming," or "unlocking rewards."

  • Legitimate airdrops never need it. A real airdrop either lands in your wallet on its own or is claimed by you, on the project's official site, by connecting and signing one clear transaction. None of that ever requires your seed phrase.
  • Wallet apps never need it. MetaMask, Trust Wallet, Coinbase Wallet and Ledger store your phrase locally and never ask you to enter it on a website. Their official sites are metamask.io, trustwallet.com, coinbase.com/wallet and ledger.com. A Ledger in particular never reveals or asks for the phrase outside the device screen itself.
  • Support agents never need it. No real support team, on any platform, will ask for your recovery phrase. Anyone who does is a thief, full stop.
  • Any seed-phrase prompt is a stop sign. A page, popup, chat, or "connection error" that routes you toward typing your phrase has exactly one purpose. Close the tab. Do not finish the form. Do not "just check if it works."

Red flags of the Genesis airdrop drainer

  • It asks for your seed phrase. The single biggest tell. Nothing legitimate ever does. A "connection too busy, enter your phrase to continue" message is the attack itself.
  • The token does not exist. Ethereum has no Genesis token, pool, or airdrop. ETH is the only Ethereum asset, and the Foundation does not distribute new tokens through claim sites.
  • The domain is not ethereum.org. genesispool[.]org and any other "genesis pool" or "ETH genesis claim" domain is a lookalike, not Ethereum.
  • Invented social proof. A precise-sounding $25M pool, 12.5M tokens, and 184,000 wallets, none of it verifiable anywhere, is there to manufacture trust and urgency.
  • The "Other Wallet" detour. A standard wallet-connect chooser that "fails" only on the generic option, then steers you to type your phrase, is a scripted funnel, not a glitch.
  • It rushes you. Countdowns, "limited eligibility," and "claim before it expires" exist to stop you from checking whether any of this is real.
  • The reward is a paper number. A "Genesis allocation" worth a lot that you cannot find on any real market is bait, not value.

What to do if you land on the Genesis page

  1. Do not type your seed phrase. Ever. No matter what error the page shows or what it promises, never enter your recovery phrase into any website. If a page asks, that alone proves it is a scam.
  2. Close the tab without connecting. Do not click "Other Wallet," do not connect MetaMask or any wallet, do not sign anything. A page you only looked at cannot touch your funds.
  3. Verify Ethereum by typing the address yourself. Go to ethereum.org by typing it, not by clicking. There is no Genesis airdrop to find there, which is the point.
  4. Verify your wallet on its real domain only. Reach your wallet through metamask.io, trustwallet.com, coinbase.com/wallet or ledger.com, typed yourself, never through an airdrop link.
  5. Check your existing approvals as a precaution. Even if you did nothing here, review what your wallet has already authorized. On EVM chains, use revoke.cash to see and revoke token approvals, especially old unlimited ones. Revoking a stale approval closes a door an earlier scam may have left open.

I entered my recovery phrase on the Genesis site. What now?

If you typed your seed phrase into genesispool[.]org or any page like it, treat it as an active, total theft and move immediately. Speed matters, but understand the hard limit: once a phrase is exposed, that wallet can never be trusted again.

  1. Assume the wallet is fully compromised right now. The attacker can import your phrase at any moment and take everything. You cannot "revoke" a seed phrase, because it is the wallet itself, not a permission you granted.
  2. Create a brand-new wallet with a new seed, on a clean device. Generate a fresh recovery phrase that has never touched any website. A hardware wallet from ledger.com is the strongest option for the assets you move.
  3. Move whatever is left, most valuable first. If the drainer has not swept everything yet, transfer your remaining assets to the new wallet immediately. Send the high-value tokens and NFTs first, then the rest. Watch out for sweeper bots that auto-grab any incoming gas.
  4. Stop using the old wallet for anything of value. It is burned. Do not move new funds in, do not "test" it, do not reuse that phrase anywhere.
  5. Revoke approvals if you also signed anything. If you connected and approved before typing the phrase, use revoke.cash from the new clean device to cut any spending allowances on the old wallet.
  6. Ignore "recovery" services that contact you. Anyone promising to get your funds back for an upfront fee is a second scam targeting victims of the first. See what to do when your seed phrase is stolen for the full playbook.

How to report it

  • Report the page to Gridinsoft and PCRisk-style trackers and to Google Safe Browsing. Getting genesispool[.]org blacklisted protects the next person who is sent the link. Report the domain to its registrar too.
  • Report the drainer addresses to on-chain investigators. Trace your funds with a block explorer like etherscan.io and report the receiving addresses so exchanges and investigators can flag them.
  • In the US, report financial loss to the FBI Internet Crime Complaint Center at ic3.gov and to the FTC at reportfraud.ftc.gov. They track crypto-theft complaints.
  • Use Ethereum's own scam-reporting page. ethereum.org maintains guidance and reporting channels for fake-giveaway and impersonation scams.

How SafeBrowz blocks this threat

SafeBrowz runs a 3-layer detection architecture: Local + APIs + AI.

  • Layer 1 - Local detection: 60+ URL pattern signatures plus a 550+ brand database (Ethereum, MetaMask, Trust Wallet, Coinbase, Ledger included) plus homograph and Punycode checks, all running inside the extension before the page renders. It catches lookalike claim domains where a non-ethereum.org site serves an Ethereum-styled "Genesis" airdrop page.
  • Layer 2 - API checks: aggregates Google Safe Browsing, PhishTank, URLhaus and ScamAdviser feeds plus 30+ scam TLD lists to flag domains already known to be malicious, which covers drainer claim domains as they get reported.
  • Layer 3 - AI deep scan (Premium): 100+ language content analysis catches a brand-new claim page in seconds, including a fresh "Ethereum Genesis" rewards site that copies real styling, fakes a wallet-connect chooser, and pushes a seed-phrase input box.

Honest scope: SafeBrowz flags the lookalike airdrop and claim page, and the seed-phrase-input phishing page, before you type. What it cannot do is reverse a seed phrase you have already given away, because that key is now in the attacker's hands. If you have already submitted your phrase, move your funds to a fresh wallet immediately. The defense is catching the page first.

Detection signatures are derived from threat-intelligence research and our internal brand database, not from user browsing data. SafeBrowz does not store per-user browsing history.

Where browser-layer defense fits

The seed-phrase box is the last possible line, and by then the page has already talked a real person into doing the one thing they were told never to do. Browser-layer scanning catches the step before that: the claim page itself. When an Ethereum-styled airdrop renders on a domain that is not ethereum.org, a brand-aware scanner flags the impersonation before you ever click "Other Wallet." SafeBrowz is a free extension for Chrome, Firefox and Edge (Safari coming soon) that checks every URL before it renders against a 550+ brand database, with 60+ URL pattern signatures and optional AI deep scan. Learn how to tell if a website is a scam, install SafeBrowz, and pair it with the one rule that beats this whole category: no airdrop and no wallet ever needs your seed phrase, and you reach a real project only by typing its address yourself.

Install SafeBrowz free

Add the browser extension, or the SafeBrowz Android app, that runs every check in this article automatically, on every page, before it renders. Free forever, with optional Premium AI deep scan at $14.99 per year.

Chrome Add to Chrome Firefox Add to Firefox Edge Add to Edge Google Play Get it on Google Play

See pricing and Premium features

Frequently asked questions

Is the ETH Genesis airdrop (genesispool.org) legit?

No. The "Ethereum Genesis" airdrop on genesispool.org is a scam and a wallet drainer. PCRisk and Gridinsoft flagged it around June 19, 2026, and Gridinsoft's reputation checker scores the site 1 out of 100. It fabricates a $25M community pool, 12.5M tokens and 184,000 wallets to look real, then funnels you toward typing your recovery phrase. The only official Ethereum site is ethereum.org, and the Ethereum Foundation does not run airdrops through third-party sites.

Does Ethereum have a Genesis token airdrop?

No. Ethereum has no Genesis token, no Genesis pool, and no Genesis airdrop. The only Ethereum asset is ETH. The word "genesis" refers to the chain's first block and the 2014 presale, not a current token distribution. Any site offering to let you "claim your Ethereum Genesis allocation" is fabricated. Verify by typing ethereum.org yourself; there is nothing of the sort to claim there.

A site asked me to enter my seed phrase to claim. Is that safe?

No. It is never safe. No legitimate airdrop, wallet app, exchange, or support agent ever asks for your 12 or 24 word recovery phrase. Your seed phrase is the wallet itself; typing it into any website hands the operator complete, permanent control of every address it derives. A "connection too busy, enter your phrase to continue" message, like the one on genesispool.org, is the attack. Close the tab and do not submit anything.

I entered my recovery phrase on the Genesis site. What now?

Treat the wallet as fully compromised immediately. You cannot revoke a seed phrase, so the only fix is to move everything out fast. Create a brand-new wallet with a new seed on a clean device, ideally a hardware wallet from ledger.com, and transfer your remaining assets there, most valuable first. Stop using the old wallet for anything of value, revoke approvals with revoke.cash if you also signed something, and ignore anyone offering paid "fund recovery," which is a second scam. See our guide on what to do when your seed phrase is stolen.

Related SafeBrowz coverage

Bottom line: The "Ethereum Genesis" airdrop on genesispool[.]org is a wallet drainer with a new twist. It fakes a wallet-connect failure, then asks you to type your recovery phrase to keep going, which is a direct, total handover of your wallet. Ethereum has no Genesis token or airdrop, the only Ethereum site is ethereum.org, and no airdrop or wallet ever needs your seed phrase. Never type your phrase into a website, and put SafeBrowz on your browser so the fake claim page never loads in the first place.