Share
CRYPTO DRAINER

Fake Jupiter $CJUP airdrop: the token in your wallet is bait

A token called $CJUP appears in your Solana wallet that you never bought and never claimed. Its name and link point to a Jupiter "rewards" site. That is the whole scam. Solana Floor flagged the campaign, the real Jupiter token is $JUP, and the only Jupiter portal is jup.ag. Here is how the drainer works and why an unexpected token is always the trap, never the gift.

SafeBrowz Team Security ResearchJune 6, 20269 min read

Bottom Line First

If a token called $CJUP showed up in your Solana wallet, you did not win anything. It is bait for a wallet drainer. Solana Floor warned about the fake $CJUP airdrop campaign in May 2026: scammers send unsolicited tokens whose on-chain name and metadata embed a phishing link, riding the attention around Jupiter's early-2026 governance vote on future Jupuary airdrops. Visit that link and you reach a copycat "claim" page. Connect your wallet and sign the "claim" transaction, and instead of receiving tokens you approve a transfer that empties your wallet, often within minutes. The real Jupiter token is $JUP, not $CJUP, and the only legitimate Jupiter portal is jup.ag. Never open a link that arrived inside an unexpected token, never connect your wallet to claim a surprise airdrop, and never sign a transaction you did not initiate. The same do-not-claim rule covers the fake Hyperliquid eligibility airdrop and every other surprise-token campaign on every chain.

Why the fake $CJUP airdrop is spreading now

Early in 2026, Jupiter, the largest decentralized exchange aggregator on Solana, held a governance vote about the future of its Jupuary airdrops, the annual community distributions that put its $JUP token in a lot of wallets. Whenever a major protocol has a real, well-publicized airdrop event on the calendar, scammers move in on the attention. People are primed to expect a Jupiter distribution, so a token that looks Jupiter-adjacent does not raise the alarm it should.

Solana Floor, a Solana analytics and news outlet, flagged exactly this around May 2026: a fake $CJUP airdrop campaign impersonating Jupiter. The ticker is the tell. The real token is $JUP. The fake one adds a letter, $CJUP, close enough to read as a Jupiter spinoff at a glance, different enough to be a token the attacker fully controls. The fake token is minted and pushed into thousands of wallets for free, and its on-chain name or metadata carries the hook: a URL that promises you can claim a reward.

This is not a Jupiter-only problem. Scam Sniffer, which tracks crypto wallet drainers, has documented unsolicited-token campaigns across Solana and EVM chains for years, and Chainalysis has reported that approval-based phishing, the exact pattern here, remains one of the largest sources of crypto theft. The Jupiter name is this month's lure. The machinery underneath is the same drainer playbook that has hit MetaMask, Uniswap and Coinbase users.

What the scam looks like, step by step

The campaign has a fixed shape. Knowing the shape is most of the defense.

  1. An unsolicited token appears. You open Phantom, Solflare or another Solana wallet and see a new token you never acquired: $CJUP, with a balance that looks meaningful. You did not buy it. You did not claim it. It is just there.
  2. The token itself is the advertisement. Its name, symbol or metadata embeds a link, something like "Claim your $CJUP at" followed by a domain. The token is a billboard the attacker paid almost nothing to place inside your wallet.
  3. The link goes to a copycat claim site. Follow it and you land on a page styled to look like Jupiter or a Jupiter rewards portal. It tells you that you are eligible, shows a countdown, and presents a "Connect Wallet" button.
  4. Connecting is step one of the drain. You connect. Then the site asks you to sign a transaction or an approval to "claim" or "verify." The signature is not a claim. It is a token approval or a transfer authorization that hands the attacker's contract permission over your assets.
  5. The wallet empties. Once you sign, an automated drainer sweeps your SOL, your SPL tokens and anything else it can reach, sometimes in a single transaction, sometimes across several within minutes. There is no claim. There never was a $CJUP reward.

The illustrative claim domains in these campaigns read like the real thing: jup-claim.com, cjup-airdrop.com, claim-jupiter.net, jupiter-rewards.app (illustrative examples, not real Jupiter domains). None of them is jup.ag. The real Jupiter site is jup.ag, and Jupiter does not deliver a claim by dropping a mystery token with a link into your wallet.

๐Ÿ›ก LIVE CHECK

Test that claim link before you connect

Saw a $CJUP token, a Jupiter "rewards" page, or any airdrop claim link and not sure about it? Paste it below before you connect a wallet. Our 3-layer engine (Local + APIs + AI) returns a verdict in about 3 seconds. Free, no signup.

Full scan with deep AI analysis โ†’ ยท No URL is logged to your identity.

How the drainer actually empties the wallet

The dangerous moment is the signature, not the visit. A claim site looks harmless until the wallet popup appears, and that popup is where people lose everything because they treat "claim" as a friendly word.

On Solana, a malicious claim transaction can include instructions that transfer your SOL and SPL tokens out, or set a delegate that lets the attacker's program move tokens on your behalf later. On EVM chains the equivalent is a token approval or a Permit2 signature that grants spending allowance, often for an unlimited amount. Either way, the wallet shows you a request to sign, the styling reassures you, and the actual effect is buried in transaction data most people never read.

This is the engine behind drainer-as-a-service kits. Security researchers at Scam Sniffer, BleepingComputer and Check Point have documented commercial drainer toolkits, families like Inferno and others, that scammers rent and point at whatever brand is trending. The kit handles the wallet connection, builds the malicious approval or transfer, and sweeps the assets the moment you sign. The operator just needs a convincing claim page and a way to get you there. An unsolicited token with a link inside it is one of the cheapest ways to do that, which is why fake airdrops keep coming back. For the full mechanics, see our guide on what crypto wallet drainers are and how they work.

Red flags of a fake airdrop token

  • You never claimed it. A token you did not buy, swap for, or claim appearing in your wallet on its own is the single biggest tell. Real airdrops you actually qualify for are claimed by you, on the project's official site, not pushed to you unannounced.
  • The ticker is almost right. $CJUP instead of $JUP. One added letter. Scammers count on you reading the brand, not the exact symbol.
  • A link lives inside the token. If a token's name, symbol or metadata contains a URL or "claim here" text, it is a scam vehicle. Legitimate tokens do not advertise claim sites in their on-chain name.
  • The claim site is not the official domain. Anything other than jup.ag for Jupiter is suspect. jup-claim, cjup-airdrop, jupiter-rewards and similar are lookalikes, not Jupiter.
  • It rushes you. A countdown, "claim before it expires," "limited eligibility." Urgency is there to stop you checking.
  • The claim asks you to sign or approve. Receiving a real airdrop almost never requires you to approve a token or sign a strange transaction. A claim that demands an approval is a drain.
  • The token has near-zero real liquidity. A "reward" worth thousands that you cannot find on any real market is a paper number designed to make you act.

What to do if a $CJUP token shows up

  1. Do not open the link. Not in the token name, not in any message that came with it. Do not visit the claim site at all. The link is the entire attack.
  2. Do not connect your wallet to anything that token points to. No connection means no signature means no drain. The token sitting in your wallet, by itself, cannot touch your funds.
  3. Leave the token alone or hide it. Most Solana wallets let you hide or mark a token as spam. You can also burn dust tokens through a reputable tool, but the safest move is simply to ignore it. Do not interact with it.
  4. If you want to verify Jupiter, type the address yourself. Go to jup.ag by typing it, not by clicking anything. Real Jupiter governance and any real distribution are announced through its official channels and site, never through a token dropped in your wallet.
  5. Check your existing approvals. Even if you did nothing wrong this time, review what your wallet has already authorized. On EVM chains, use revoke.cash to see and revoke token approvals. On Solana you can review token delegates and revoke them in a wallet like Phantom or Solflare. Revoking a stale unlimited approval closes a door an earlier scam may have left open.

If you already connected and signed

If you visited a claim page, connected, and signed, treat it as an active theft and move fast.

  1. Move any remaining assets to a fresh wallet now. If the drainer has not swept everything yet, get what is left out to a brand-new wallet whose seed phrase has never touched that site. Send the most valuable assets first.
  2. Revoke approvals from the compromised wallet. Use revoke.cash on EVM chains, or your wallet's delegate and approval settings on Solana, to cut any spending permission you granted. Do this from a clean device.
  3. Assume the wallet is burned. Once a drainer has signing-level access or your approvals, stop using that wallet for anything of value. A compromised hot wallet is not something you patch and trust again.
  4. If you ever typed a seed phrase, the whole wallet is gone. A claim page that asked for your seed phrase or private key owns every address it derives. See what to do when your seed phrase is stolen and migrate everything to a new seed immediately.
  5. Trace and report the theft. Use a block explorer like solscan.io on Solana or etherscan.io on EVM chains to see where your funds went, and report the addresses so investigators and exchanges can act.

How to report it

  • Report the scam tokens and pages to Scam Sniffer and on-chain investigators. Crypto-fraud trackers and investigators such as ZachXBT maintain databases of drainer addresses and phishing domains; reporting helps get wallets flagged and sites taken down.
  • Report the phishing domain to the registrar and to Google Safe Browsing. Getting the claim site blacklisted protects the next person who is sent the link.
  • In the US, report financial loss to the FBI Internet Crime Complaint Center at ic3.gov and to the FTC at reportfraud.ftc.gov. They track crypto-theft complaints.
  • Flag the token inside your wallet. Most wallets let you report a token as spam or a scam, which feeds their own protective filters.

How SafeBrowz blocks this threat

SafeBrowz runs a 3-layer detection architecture: Local + APIs + AI.

  • Layer 1 - Local detection: 60+ URL pattern signatures plus a 550+ brand database (Jupiter included) plus homograph and Punycode checks, all running inside the extension before the page renders. It catches lookalike claim domains where a non-jup.ag site serves a Jupiter-styled airdrop page.
  • Layer 2 - API checks: aggregates Google Safe Browsing, PhishTank, URLhaus and ScamAdviser feeds plus 30+ scam TLD lists to flag domains already known to be malicious, which covers many drainer claim domains as they get reported.
  • Layer 3 - AI deep scan (Premium): 100+ language content analysis catches brand-new claim pages in seconds, including a fresh Jupiter or $CJUP rewards site that copies the real styling but sits on the wrong domain and pushes a wallet connection.

Detection signatures are derived from threat-intelligence research and our internal brand database, not from user browsing data. SafeBrowz does not store per-user browsing history.

Where browser-layer defense fits

A wallet popup is the last line, and it asks you to read transaction data most people cannot parse under pressure. Browser-layer scanning catches the step before that: the claim page itself. When a Jupiter-styled airdrop page renders on a domain that is not jup.ag, a brand-aware scanner flags the impersonation before you ever reach the Connect Wallet button. SafeBrowz is a free extension for Chrome, Firefox and Edge (Safari coming soon) that checks every URL before it renders against a 550+ brand database. Install SafeBrowz and pair it with the rule that beats this whole category: an unexpected token is bait, never a gift, and you reach a real project only by typing its address yourself. For more on this attack family, see our coverage of the Uniswap AngelDrainer Google Ads campaign and the Pink Drainer shutdown.

Install SafeBrowz free

Add the browser extension that runs every check in this article automatically, on every page, before it renders. Free forever, with optional Premium AI deep scan at $14.99 per year.

Chrome Add to Chrome Firefox Add to Firefox Edge Add to Edge

See pricing and Premium features

Frequently asked questions

Is $CJUP a real Jupiter token?

No. The real Jupiter token is $JUP. $CJUP is a fake token created by scammers, with one extra letter to read as Jupiter-adjacent at a glance. Solana Floor flagged the fake $CJUP airdrop campaign around May 2026. The token is airdropped unsolicited and its on-chain name links to a phishing claim site. Jupiter does not distribute tokens by dropping a mystery token with a claim link into your wallet.

A $CJUP token appeared in my wallet. What should I do?

Do not open any link the token points to and do not connect your wallet to its claim site. The token sitting in your wallet cannot move your funds by itself; the danger is only if you visit the link, connect, and sign. Hide or ignore the token in your wallet, and verify anything Jupiter-related by typing jup.ag yourself rather than clicking.

What is the only real Jupiter website?

jup.ag is the official Jupiter portal. Claim domains like jup-claim, cjup-airdrop, claim-jupiter or jupiter-rewards are lookalikes, not Jupiter. Reach Jupiter only by typing jup.ag into your address bar, never through a link in a token, a message, or an ad. Real governance and any real distribution are announced through Jupiter's official channels and site.

How does a fake airdrop drain a wallet?

The unsolicited token lures you to a copycat claim page. When you connect your wallet and sign the "claim" transaction, you are not receiving tokens; you are approving a token transfer or granting a spending allowance, often unlimited, to the attacker's contract. An automated drainer then sweeps your SOL and SPL tokens, sometimes within minutes. The drain happens the moment you sign, not when the token arrives.

I connected my wallet and signed. Can I undo it?

Move fast. If anything is left, transfer it to a brand-new wallet whose seed phrase never touched the site. Revoke approvals using revoke.cash on EVM chains, or your wallet's delegate settings on Solana. Treat the compromised wallet as burned and stop using it for value. If you ever entered a seed phrase, the entire wallet is gone and you must migrate everything to a new seed immediately.

How can I check approvals my wallet has already granted?

On EVM chains, use revoke.cash to see every token approval and revoke any you do not recognize, especially unlimited ones. On Solana, review token delegates and revoke them in a wallet like Phantom or Solflare. Doing this periodically closes doors that older scams may have left open, even if you never interacted with the $CJUP token.

Related SafeBrowz coverage

Bottom line: The fake $CJUP airdrop is a wallet drainer wearing Jupiter's name. An unexpected token in your wallet is bait, the claim link inside it is the trap, and the signature on the claim page is the theft. The real token is $JUP, the only Jupiter portal is jup.ag, and you reach it by typing it yourself. Never connect your wallet or sign to claim a surprise airdrop, and put SafeBrowz on your browser so the fake claim page never loads in the first place.