What is the real Stable.xyz?
Before talking about the scam, the legitimate project. Stable.xyz (also marketed as StableChain) is a USDT-native Layer 1 chain that launched in 2026 as part of a broader trend toward "stablecoin-first" settlement layers. Other chains in this category include Arc (Circle's chain) and Tempo (Stripe's chain). The thesis: dedicated infrastructure for stablecoin payments is faster and cheaper than running stablecoin transfers on a general-purpose chain like Ethereum or Solana.
The real site is stable.xyz. The real Twitter/X account uses the same handle. Anything else, even one character off, is a phishing imitation.
The post-launch phishing wave (a pattern, not a one-off)
Every newly launched chain or DeFi protocol goes through the same lifecycle. Within 72 hours of mainnet launch or token airdrop announcement, drainer operators register dozens of lookalike domains and run paid Google and X ads to outrank the real site. Group-IB and Chainalysis have documented this pattern across more than 100 protocol launches since 2023.
For Stable.xyz specifically, the lookalike sites we have seen, and that show high user search volume, follow patterns like stable-xyz.com, stablechain.xyz, stable-claim.xyz, stable-airdrop.com, stable-revoke.xyz, and stable-migration.app. Each one renders a UI that looks identical to the real stable.xyz: same colors, same fonts, same logo, same "Connect Wallet" button. The only difference is what happens after you click connect.
The trap in 4 steps
Step 1: Discovery
You see a tweet, a Telegram post, a Discord message, or a Google ad about a stable.xyz airdrop, USDT bonus, or "urgent" revoke-approvals notice. The link looks correct (stable.xyz) but the underlying URL is a typosquat. Sometimes the attacker uses Unicode homoglyphs - Cyrillic letters that look identical to Latin ones - making the URL visually indistinguishable in the browser bar.
Step 2: Connect wallet
The fake site shows a beautiful landing page. You click "Connect Wallet" and pick MetaMask, Phantom, Rabby, or whatever you use. The wallet asks for permission to view your address, which you grant - that step alone is harmless. Your wallet stays in your control at this point. The fake site now knows your address and balances.
Step 3: Sign one transaction
The fake site shows a "Claim airdrop" or "Revoke malicious approvals" or "Migrate to new contract" button. You click it. Your wallet pops up a signature request. The request looks technical and normal - most users do not read the actual contents. The signature is one of three variants:
- Permit2 PermitBatch - pre-approves the drainer contract to move every token you hold up to uint256.max for the next 1,000 years
- setApprovalForAll - gives the drainer contract permission to move every NFT in your wallet
- eth_signTypedData with malicious typed-data fields - a signed message that the drainer's contract interprets as authorization to transfer tokens
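One way a wallet-side check could surface those three request types before you sign, as an added example (not code from any wallet, from SafeBrowz, or from Stable.xyz). It assumes the Permit2 typed-data layout (details, spender) and the standard approval selectors; the trusted-spender allowlist and the one-year threshold are hypothetical.

```javascript
// Added example: triage a wallet request before signing. Thresholds are assumptions.
const MAX_UINT160 = (1n << 160n) - 1n; // largest amount a Permit2 allowance can carry
const ONE_YEAR = 365 * 24 * 3600;
// Standard selectors: first 4 bytes of calldata for the two approval calls.
const SELECTORS = {
  "0xa22cb465": "setApprovalForAll(address,bool)",
  "0x095ea7b3": "approve(address,uint256)",
};

// request: { method, params } as a site passes it to the wallet provider.
// trusted: lowercase spender addresses the user has verified out of band (hypothetical).
function triageRequest(request, trusted = [], now = Math.floor(Date.now() / 1000)) {
  const findings = [];
  if (request.method === "eth_sendTransaction") {
    const data = String(request.params[0].data || "0x").toLowerCase();
    const name = SELECTORS[data.slice(0, 10)];
    if (name) findings.push(`transaction calls ${name}`);
    // setApprovalForAll: selector + two 32-byte words; the last word is the bool (1 = grant).
    if (data.startsWith("0xa22cb465") && data.length === 138 && data.endsWith("1"))
      findings.push("grants an operator control of all NFTs in this collection");
  }
  if (/^eth_signTypedData_v[34]$/.test(request.method)) {
    const raw = request.params[1]; // params are [signerAddress, typedData]
    const typed = typeof raw === "string" ? JSON.parse(raw) : raw;
    const msg = typed.message || {};
    if (typed.primaryType === "PermitBatch" || typed.primaryType === "PermitSingle") {
      const details = [].concat(msg.details || []); // PermitSingle carries one object
      findings.push(`Permit2 ${typed.primaryType} covering ${details.length} token(s)`);
      for (const d of details) {
        if (BigInt(d.amount) >= MAX_UINT160) findings.push(`unlimited amount for ${d.token}`);
        if (Number(d.expiration) - now > ONE_YEAR)
          findings.push(`expiration more than a year away for ${d.token}`);
      }
    }
    const spender = String(msg.spender || "").toLowerCase();
    if (spender && !trusted.includes(spender)) findings.push(`unverified spender ${spender}`);
  }
  return findings;
}

// Constructed sample: a PermitBatch with an unlimited amount and a far-future expiration.
const SAMPLE = { primaryType: "PermitBatch", message: { spender: "0x" + "22".repeat(20),
  details: [{ token: "0x" + "11".repeat(20), amount: MAX_UINT160.toString(), expiration: "33000000000" }] } };
console.log(triageRequest({ method: "eth_signTypedData_v4", params: ["0x" + "aa".repeat(20), JSON.stringify(SAMPLE)] }));
```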
Step 4: The drain
The signature itself does not move any funds. It just creates an on-chain permission. The drainer's bot watches for your signature, then immediately calls transferFrom (or the Permit2 equivalent) on every token you hold above a threshold. Within seconds, USDT, USDC, ETH, SOL, and any other approved tokens are in the drainer's wallet. Lower-value tokens are usually ignored to keep gas costs profitable.
Total elapsed time from "Connect Wallet" to empty wallet: typically under 30 seconds.
How the drainer JavaScript actually works
The drainer code on the fake site is one of five major commercial kits: Inferno Drainer, Angel Drainer, MS Drainer, Atomic Drainer, or (until recently) Pink Drainer. Inferno is the most common in 2026. The full attack runs in 3 stages inside a single JavaScript bundle loaded on the fake site:
- Address profiling. The script reads your wallet address, queries a balance API (often Alchemy or Etherscan with a free API key) to know what tokens you hold and across which chains. The drainer then dynamically picks the most profitable signature type based on what you have.
- Signature construction. The script crafts a Permit2 PermitBatch payload or a typed-data message that, when signed, authorizes the drainer contract on the chain where you hold the most value.
- Race execution. A backend monitoring service watches the chain. The moment your signature is broadcast (or even just submitted to a mempool), the drainer's wallet calls the matching transferFrom with calldata that pulls every approved token to the attacker's wallet. Gas is paid by the drainer.
This is why "I never broadcast a transaction, I just signed a message" is not protection. The signature IS the authorization, and the drainer broadcasts the follow-up transaction immediately.
The 5-second verification that beats it
You only need to do one thing reliably: type the URL manually, never click a link. Specifically:
- If you see a "stable.xyz airdrop" link anywhere (Twitter, Telegram, Discord, Google ads), do not click it.
- Open a new browser tab. Type stable.xyz manually. Press Enter.
- If a real airdrop or revoke exists, it will be on the real site's homepage or in their official docs section. If you cannot find it on the manually-typed site, it does not exist.
- Cross-check on the real Stable.xyz Twitter/X account (verify the handle and account age before trusting any post).
- If you must use a "revoke approvals" tool, use revoke.cash - that is a real, well-known revoke service, NOT something served by a project's own lookalike site.
This single behavior change blocks 95% of drainer attacks regardless of which kit is used.
If you already signed
Speed matters. The drainer's bot runs within seconds, but human reaction may still beat it. Try in this order:
- Disconnect the wallet immediately from the fake site (MetaMask Connections, Phantom Connected Apps, Rabby Connected Sites).
- Open revoke.cash on a clean tab, connect your wallet, and look at the recent approvals. Revoke any contract you do not recognize, especially any approval issued in the last 5 minutes.
- Move remaining funds to a fresh wallet generated from a new seed phrase if anything still remains. A wallet that has signed a malicious Permit2 message should be considered burned - even if revoked, you cannot prove the attacker did not capture residual approvals.
- Report the drainer contract address to Chainalysis (chainabuse.com), MetaMask Snaps lists (Pocket Universe), and the Etherscan tag system. Faster reports = faster public warnings for others.
- File a report at ic3.gov if the loss is significant. Crypto recovery is rare but creates a paper trail for tax write-offs.
Why new chains are the favorite phishing target
Three structural reasons:
- Curious wallets. New chains generate excitement. People who do not normally interact with random sites suddenly try the new chain because of fear of missing an airdrop.
- Empty mental model. Users do not have a memorized "what the real Stable.xyz site looks like" because the site is new. Anything that has the right colors and logo passes the visual check.
- Mass-distributed seed. Airdrop announcements get thousands of retweets within hours. Drainers piggyback on the same traffic by impersonating official accounts.
This pattern is not unique to Stable.xyz. The same playbook was used against Hyperliquid (we covered the eligibility-checker variant in a separate post), against MegaETH at launch, against the Farcaster client Hypria (typosquatted to hyrpia.xyz with an r-p swap), and against every L2 token launch of the past 18 months. Stable.xyz is just the latest.
How browser-layer defense catches stable.xyz lookalikes
The fake sites rotate domains daily. Email and DNS-based filters are slow to catch them because the domains are registered minutes before the attack starts. The defense that works is at the browser level: when you click a stable.xyz lookalike, a browser-layer scanner can recognize that the page is showing "Stable.xyz / StableChain" branding on a non-stable.xyz domain and block the page before your wallet ever connects.
SafeBrowz is a free Chrome, Firefox, and Edge extension that scans every URL before the page renders. Its detection has three layers: a 550+ brand database that includes Stable.xyz, JavaScript signature detection that catches Inferno, Angel, MS, Atomic drainer code, and AI content analysis in 100+ languages for sites we have not seen before. When it detects a stable.xyz lookalike, it shows a full-screen warning. Install SafeBrowz free.
Frequently asked questions
How do I verify the real Stable.xyz?
Type stable.xyz manually in a fresh browser tab. Do not Google it (the top result during peak phishing is sometimes a paid ad pointing to a typosquat). Once on the real site, bookmark it. The real project's Twitter/X handle, Discord, and contract addresses are all listed in their official docs section.
I signed a message but no transaction was sent. Am I safe?
No. The signature is the authorization. The drainer's bot broadcasts the follow-up transaction. Even if you do not see any transaction in your wallet history, the drainer has the on-chain permission to pull your tokens. Revoke immediately on revoke.cash.
Does my hardware wallet protect me from a fake stable.xyz site?
Partially. The hardware wallet forces you to physically press a button to confirm a signature. This gives you a moment to read the request - but only if you read it. If you press Confirm without reading, the hardware wallet is no help. Use the extra moment to read what you are signing.
The lookalike URL contained "stable.xyz" - how was it a fake?
The substring "stable.xyz" appearing somewhere in a URL does not mean the URL is on stable.xyz. The real domain is the rightmost part of the hostname, the part that comes immediately before the first single slash after https://. A URL like stable.xyz.airdrop-claim.com is hosted on airdrop-claim.com, NOT stable.xyz.
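The hostname rule from this answer, as an added example (not code from SafeBrowz or Stable.xyz). It goes beyond the single substring case to also cover the typosquat and homoglyph patterns described in Step 1; the edit-distance threshold, the brand-word list and the two-label "registrable domain" shortcut are assumptions.

```javascript
// Added example: classify a link against the one legitimate domain named in the article.
const OFFICIAL = "stable.xyz";
const BRAND_TOKENS = ["stable"]; // brand word shared by the lookalikes listed in the article

// Levenshtein edit distance, used to catch typosquats a character or two off.
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, i) => i);
  for (let i = 1; i <= a.length; i++) {
    let prev = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = row[j];
      row[j] = Math.min(row[j] + 1, row[j - 1] + 1, prev + (a[i - 1] === b[j - 1] ? 0 : 1));
      prev = tmp;
    }
  }
  return row[b.length];
}

function classifyLink(link) {
  let host;
  try {
    // The URL parser lowercases the host and converts non-ASCII labels to punycode (xn--).
    host = new URL(link).hostname.replace(/\.$/, "");
  } catch {
    return "suspicious: unparseable URL";
  }
  // Only the exact host or a true subdomain of it counts as official.
  if (host === OFFICIAL || host.endsWith("." + OFFICIAL)) return "official";
  const labels = host.split(".");
  if (labels.some((l) => l.startsWith("xn--"))) return "suspicious: IDN host, possible homoglyph";
  // "stable.xyz.airdrop-claim.com": official name used as a subdomain of another domain.
  if (host.startsWith(OFFICIAL + ".")) return "lookalike: official name as subdomain";
  const registrable = labels.slice(-2).join("."); // simplification: no public-suffix list
  if (editDistance(registrable, OFFICIAL) <= 2) return "lookalike: typosquat";
  if (BRAND_TOKENS.some((t) => host.includes(t))) return "lookalike: brand word on another domain";
  return "unrelated";
}

// Constructed sample links; \u0430 is the Cyrillic letter that looks like Latin "a".
const SAMPLE_LINKS = ["https://stable.xyz/docs", "https://stable.xyz.airdrop-claim.com/claim",
  "https://st\u0430ble.xyz", "https://stabel.xyz", "https://stable-claim.xyz"];
for (const link of SAMPLE_LINKS) console.log(`${classifyLink(link)}  ${link}`);
```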
Why do drainers target stablecoin chains specifically?
Stablecoin holders have, by definition, dollar-denominated balances they intend to spend or hold. Drainers prefer stablecoins because the value does not fluctuate during the time between the drain and the cash-out. USDT and USDC are also fungible and easy to launder through DEXes. A drainer hitting a stablecoin-heavy wallet gets predictable dollar value.
Should I avoid Stable.xyz entirely because of the phishing risk?
No. The phishing risk is around the project, not from it. If you want to use real Stable.xyz, type the URL manually and verify you are on the official site. This applies to every newly launched chain. The chain itself is fine. The lookalikes are the problem.
Related reading
- Permit2 Signature Attack Explained: how one click drains your wallet
- Hyperliquid Eligibility Airdrop Scam: how the fake checker drains your wallet
- Pink Drainer shut down. The wallet-drainer world did not.
- How to tell if a website is a scam
Bottom line: Stable.xyz is a real, legitimate project. Stable.xyz lookalikes are not. Type the URL manually. Slow down on signatures. Use revoke.cash, not whatever "revoke" page a tweet links to. And add a browser-layer scanner like SafeBrowz as the second line of defense for the moments when you forget.