Share
CRYPTO DRAINER

Fake crypto airdrop drainers on pages.dev: how to spot them in 2026

A throwaway free-host page that says "claim your free tokens" and asks you to connect a wallet is one of the most common ways crypto gets stolen in 2026. PCRisk flagged four live examples this month: fake TokenSight "$TKST", Tonkeeper "TON", "$Bitcat" and "Qubit Inu" airdrops, each on its own throwaway pages.dev site. They all impersonate a real project, wait for you to connect, and the moment you do, a drainer empties the wallet. Here is the pattern and how to spot it before you click claim.

SafeBrowz Threat Research

Verdict: scam / wallet drainer

A "free airdrop, connect your wallet to claim" page hosted on a throwaway free host is a wallet drainer, not an airdrop. PCRisk reported two live in June 2026: a fake TokenSight "$TKST Airdrop Is Here!" page on tkstio.pages[.]dev (June 22) and a fake Tonkeeper "TON airdrop" page on ton-keeper.pages[.]dev (June 19). Both copy a real project's branding, show a Claim button that opens a wallet-connect dialog (MetaMask, WalletConnect, Binance Wallet, all wallets), and the instant you connect, a drainer auto-transfers your tokens and coins to the attacker. No further typing is needed. A pages.dev address is a real, free Cloudflare Pages host that anyone can deploy to in minutes, so it is not automatically a scam, but a wallet-connect "claim" page on one is a classic drainer setup. The real Tonkeeper site is tonkeeper.com, and you verify TokenSight only through its own official site, never a pages.dev claim page. PCRisk flagged two more of the same pattern on June 24: a fake "$Bitcat" airdrop on claim-bitcat.pages[.]dev and a fake "Qubit Inu" airdrop on claim-qubit.pages[.]dev, both pushing a 47-wallet connect dialog aimed at Solana holders. The same do-not-connect rule covers the fake ETH Genesis airdrop, the fake Jupiter $CJUP airdrop, and every other surprise-token campaign on every chain.

Why fake "airdrop, connect to claim" pages work

Airdrops are real. Legitimate crypto projects do hand out tokens to early users, and people who missed one feel the sting. Scammers run on that feeling. They put up a page that says you are eligible for a free allocation, attach a famous project's name and logo, add a countdown, and place a single bright "Claim" button. The page does almost no work. Its whole job is to get you to connect a wallet.

The connect itself is the trap. Modern drainers do not need your seed phrase and do not need a password. Once your wallet is connected, the page presents a transaction or a token approval dressed up as "claiming," and signing it hands the operator the right to move your assets. The better drainers scan what you hold, then craft the single signature that sweeps the most valuable tokens first. To you it looks like one click to claim a reward. To the attacker it is one click to drain the wallet.

The delivery has gotten cheap, which is why you see so many of these. A pages.dev subdomain is a free Cloudflare Pages site. Anyone can sign up, deploy a copy of a project's landing page, and have a live HTTPS URL in minutes, at no cost, with no domain to buy. The same goes for vercel.app, netlify.app and web.app. These are legitimate hosting services used by millions of real developers, so the host alone does not make a site bad. But it does mean a drainer can be stood up and thrown away for free, which is exactly what fake-airdrop operators do. We covered the same playbook on Vercel in our free-hosting wallet drainer breakdown.

Two real examples from June 2026

These were all reported by the malware-analysis site PCRisk this month. All are confirmed wallet drainers. The domains are shown defanged below so you can recognize the pattern, not visit them.

Fake TokenSight "$TKST airdrop"

Reported June 22, 2026. The page on tkstio.pages[.]dev announces "$TKST Airdrop Is Here!" and impersonates the TokenSight project. There is a prominent Claim button. Click it and a wallet-connect dialog opens, offering MetaMask, WalletConnect, Binance Wallet and an "all wallets" option, the exact chooser you see on real dApps. The moment you connect, the embedded drainer auto-transfers your tokens and coins to the attacker. You do not need to fill in anything else. The connect is the whole attack.

Fake Tonkeeper "TON airdrop"

Reported June 19, 2026. The page on ton-keeper.pages[.]dev impersonates Tonkeeper, the legitimate TON wallet, and offers a fake TON airdrop. Note the hyphen in the subdomain, a small change from the real brand name designed to look right at a glance. Same shape: a claim prompt, a connect-wallet step, and a drainer that activates on connection. The real Tonkeeper wallet lives at tonkeeper.com, and the TON Foundation and Tonkeeper do not run airdrops through a random pages.dev page.

Fake "$Bitcat airdrop"

Reported June 24, 2026. The page on claim-bitcat.pages[.]dev advertises a free "$Bitcat" token airdrop. The Claim button opens a wallet-connect dialog that lists 47 wallets, including MetaMask, Phantom, Solflare, Jupiter, Ledger, Trust and BackPack. The spread of Solana wallets like Phantom, Solflare and BackPack is the tell that this wave targets Solana holders, not just EVM. The instant you connect, the drainer transfers your funds to the attacker, usually within seconds of you approving the connection.

Fake "Qubit Inu" airdrop

Reported the same day, June 24, 2026. The page on claim-qubit.pages[.]dev promotes a fake "Qubit Inu" ($Qubit) meme-coin airdrop. The same 47-wallet connect dialog appears, and the same thing happens on connect: the drainer uses the approval to authorize transactions that move your digital assets to a wallet the attackers control. Two different brand names, the same throwaway pages.dev host, the same single-click drain.

Neither of these needs your recovery phrase, which is what makes them dangerous. There is no obvious "type your seed phrase here" box to raise an alarm. It looks like a normal connect-and-claim flow until your wallet is already empty.

๐Ÿ›ก LIVE CHECK

Test that airdrop link before you connect

Saw an airdrop or "claim your tokens" page, a wallet-connect popup, or a link on a pages.dev / vercel.app / netlify.app host and not sure about it? Paste it below before you connect a wallet or sign anything. Our 3-layer engine (Local + APIs + AI) returns a verdict in about 3 seconds. Free, no signup.

Full scan with deep AI analysis โ†’ ยท No URL is logged to your identity.

Red flags of a fake airdrop drainer

  • An unsolicited "airdrop" or "claim" promo. You did not go looking for it. It arrived in a DM, a reply, a comment, an ad, or a random tab. Real eligibility is something you check on the project's own site, not something a stranger sends you.
  • It needs "Connect Wallet" just to claim. A page that cannot show you anything until you connect a wallet has one goal: get the connection so it can request the draining signature.
  • It is on a free host. The address ends in pages.dev, vercel.app, netlify.app or web.app. Legitimate projects use their own domain for a token launch, not a free throwaway subdomain.
  • It impersonates a known project on the wrong domain. The branding says Tonkeeper or TokenSight or another real name, but the address is not the project's official domain. A hyphen or extra word in the subdomain (ton-keeper instead of tonkeeper) is the tell.
  • It rushes you. A countdown, "limited eligibility," or "claim before it expires" exists to stop you from checking whether any of this is real.
  • It asks you to sign a transaction or approval to "claim." Claiming a real airdrop is usually one clear, readable transaction on the official site. A vague signature or an unlimited token approval framed as "claiming your reward" is the drain.
  • The reward is a paper number. A big allocation you cannot find quoted on any real market is bait, not value.

What to do

  1. Never connect a wallet to a claim or airdrop page. Not to "check eligibility," not to "verify," not to "claim before it expires." A page you only looked at cannot touch your funds. A page you connected to can.
  2. Verify only on the project's official domain, typed yourself. Go to tonkeeper.com by typing it, or reach a project through its verified official channels, never through an airdrop link someone sent. If there is a real airdrop, the official site will say so.
  3. Treat the host as a warning, not a free pass. A pages.dev or vercel.app address running a connect-wallet airdrop is a stop sign. Close the tab.
  4. If you already connected, move your funds now. Transfer your assets to a fresh wallet with a new seed phrase that has never touched the page, most valuable tokens and NFTs first. Then revoke any approvals you granted at revoke.cash. See what to do right after a scam for the full sequence.
  5. Use a hardware wallet for holdings. A device like a Ledger from ledger.com shows you what you are actually signing on its own screen and keeps your keys offline, which blunts the one-click drainer.

How to report it

  • Report the page to the host and to Google Safe Browsing. Cloudflare Pages, Vercel and Netlify all have abuse-report channels, and getting pages like tkstio.pages[.]dev, ton-keeper.pages[.]dev, claim-bitcat.pages[.]dev and claim-qubit.pages[.]dev taken down protects the next person sent the link.
  • Report the drainer addresses to on-chain investigators. Trace the receiving wallets with a block explorer and report them so exchanges and trackers like Chainabuse and Scam Sniffer can flag them.
  • In the US, report financial loss to the FBI Internet Crime Complaint Center at ic3.gov and to the FTC at reportfraud.ftc.gov. They track crypto-theft complaints.
  • Warn the project. Real projects want to know their brand is being used in a drainer so they can post a warning to their own followers.

How SafeBrowz blocks this threat

SafeBrowz runs a 3-layer detection architecture: Local + APIs + AI.

  • Layer 1 - Local detection: 60+ URL pattern signatures plus a 550+ brand database (Tonkeeper, MetaMask, Binance, Ledger and more included) plus homograph and Punycode checks, all running inside the extension before the page renders. It catches lookalike claim domains where a non-official host like ton-keeper.pages.dev serves a Tonkeeper-styled airdrop page, and it treats free-hosting subdomains as higher risk.
  • Layer 2 - API checks: aggregates Google Safe Browsing, PhishTank, URLhaus and ScamAdviser feeds plus 30+ scam TLD lists to flag domains already known to be malicious, which covers drainer claim pages as they get reported.
  • Layer 3 - AI deep scan (Premium): 100+ language content analysis catches a brand-new claim page in seconds, including a fresh "$TKST airdrop" or "TON airdrop" site that copies real styling, shows a wallet-connect chooser, and pushes a connect-to-claim flow on a throwaway free host.

Honest scope: SafeBrowz flags the fake airdrop and claim page before you connect, so you never reach the draining signature. What it cannot do is reverse funds that are already gone once you have connected and signed, because that transaction is final on-chain. If you have already connected, move your funds to a fresh wallet and revoke approvals immediately. The defense is catching the page first.

Detection signatures are derived from threat-intelligence research and our internal brand database, not from user browsing data. SafeBrowz does not store per-user browsing history.

Where browser-layer defense fits

The connect button is the last quiet moment before the drain, and by then a real person has already decided the page is genuine. Browser-layer scanning catches the step before that: the claim page itself. When a Tonkeeper-styled or TokenSight-styled airdrop renders on a pages.dev host that is not the project's domain, a brand-aware scanner flags the impersonation before you ever click connect. SafeBrowz is a free extension for Chrome, Firefox and Edge (Safari coming soon) that checks every URL before it renders against a 550+ brand database, with 60+ URL pattern signatures and optional AI deep scan. Learn how to tell if a website is a scam, understand how wallet drainers work, install SafeBrowz, and pair it with the one rule that beats this whole category: never connect a wallet to an airdrop you did not seek out on the project's own domain.

Install SafeBrowz free

Add the browser extension, or the SafeBrowz Android app, that runs every check in this article automatically, on every page, before it renders. Free forever, with optional Premium AI deep scan at $14.99 per year.

Chrome Add to Chrome Firefox Add to Firefox Edge Add to Edge Google Play Get it on Google Play

See pricing and Premium features

Frequently asked questions

Is the TokenSight $TKST airdrop on tkstio.pages.dev legit?

No. PCRisk reported tkstio.pages.dev on June 22, 2026 as a wallet drainer impersonating the TokenSight project. The page says "$TKST Airdrop Is Here!" and shows a Claim button that opens a wallet-connect dialog with MetaMask, WalletConnect, Binance Wallet and other options. The moment you connect, a drainer auto-transfers your tokens and coins to the attacker. Verify TokenSight only on its official site, never on a pages.dev claim page.

Is the Tonkeeper TON airdrop on ton-keeper.pages.dev real?

No. PCRisk reported ton-keeper.pages.dev on June 19, 2026 as a wallet drainer impersonating Tonkeeper, the legitimate TON wallet. It offers a fake TON airdrop, asks you to connect a wallet to claim, and runs a drainer on connection. The real Tonkeeper site is tonkeeper.com, and the TON Foundation and Tonkeeper do not run airdrops through a random pages.dev page. The hyphen in "ton-keeper" is the giveaway that it is not the official brand.

Are the $Bitcat and Qubit Inu airdrops on claim-bitcat.pages.dev and claim-qubit.pages.dev legit?

No. PCRisk reported both on June 24, 2026 as wallet drainers. claim-bitcat.pages.dev pushes a fake "$Bitcat" airdrop and claim-qubit.pages.dev a fake "Qubit Inu" ($Qubit) airdrop. Each opens a 47-wallet connect dialog (MetaMask, Phantom, Solflare, Jupiter, Ledger and others), and the moment you connect, a drainer transfers your funds to the attacker within seconds. The wide set of Solana wallets shows this wave is aimed at Solana holders. No real project runs an airdrop from a throwaway pages.dev page, so do not connect a wallet to either.

Is a pages.dev site always a scam?

No. A pages.dev address is a free Cloudflare Pages site used by millions of real developers, so the host alone does not make a site bad. The problem is that anyone can deploy a fake airdrop page on one for free in minutes. A pages.dev (or vercel.app, netlify.app, web.app) page that impersonates a known crypto project and asks you to connect a wallet to claim a reward is a classic drainer pattern. Treat that specific combination as a stop sign.

I connected my wallet to a fake airdrop page. What now?

Act fast. Move your assets to a brand-new wallet with a fresh seed phrase that has never touched the page, sending the most valuable tokens and NFTs first. Then revoke any approvals you granted at revoke.cash from a clean device. Stop using the connected wallet for anything of value. Ignore anyone who offers paid "fund recovery," which is a second scam targeting victims of the first. A hardware wallet from ledger.com is the safest place to move your holdings.

Related SafeBrowz coverage

Bottom line: A free-host page that says "claim your free airdrop" and asks you to connect a wallet is a drainer, not a gift. The June 2026 fakes on tkstio.pages[.]dev and ton-keeper.pages[.]dev empty your wallet the moment you connect, with no seed phrase needed. Verify a real project only on its own domain that you typed yourself, never connect to an airdrop a stranger sent, and keep SafeBrowz on your browser so a fake airdrop claim page is flagged before you connect your wallet.