Fake XRP airdrops and Xaman wallet drainer sites: the 2026 scam wave
In May 2026, Xaman founder Wietse Wind and Ripple CTO David Schwartz both went public with the same blunt message: there is no XRP airdrop, and there is no official Xaman desktop wallet. The fake versions exist only to empty your XRP the moment you connect your wallet.
Bottom Line First
Verdict: the XRP airdrop is a scam, and there is no official Xaman desktop wallet. On May 24-25, 2026, Xaman founder Wietse Wind warned that scammers were spinning up more than 20 fake X accounts and over 10 lookalike domains, pushing a fake "Xaman desktop wallet" download and a fake "XRP airdrop." Ripple CTO David Schwartz amplified it days earlier with an AI-deepfake warning, after holders lost funds to fake Xaman "support." The drain happens when you connect your wallet to a fake XRPL DeFi site and sign a request, or paste your secret recovery phrase into a lookalike page. No real airdrop, exchange, or wallet ever asks for your secret. Reach Xaman only at xaman.app, and the XRP Ledger only at xrpl.org.
What Wietse Wind and David Schwartz actually warned about
This is not a rumor. The people who build XRP infrastructure said it out loud.
On May 24-25, 2026, Wietse Wind, the founder of Xaman (the wallet formerly known as XUMM) and a long-time XRP Ledger developer, posted a fresh warning to XRP holders. His team had spent entire weekends fighting a flood of impersonation. He counted more than 20 fake X/Twitter accounts and over 10 scam domains being created to impersonate Xaman, all pushing two lies: a "Xaman desktop wallet" you can download, and an "XRP airdrop" you can claim. His clarification was as direct as it gets. There is no official Xaman desktop wallet. There is no XRP airdrop.
Days earlier, on May 14, 2026, Ripple CTO David Schwartz warned his followers about a sharper version of the same wave: AI deepfake videos cloning his face and voice on TikTok and YouTube to promote fake giveaways and airdrops. He said plainly that anyone impersonating him on Instagram, Telegram, or similar platforms is "likely a scammer." Multiple holders had already reported wallet drains after talking to fake "Xaman support" accounts that mimicked the real team's tone, then escalated to phone calls and walked victims into signing malicious requests or revealing their recovery phrase.
The pattern is the same one we have tracked across crypto all year, from the fake Jupiter cJUP airdrop to the Hyperliquid eligibility checker. A high-attention community, a too-good offer, a "connect wallet" button, and a drained wallet. Only the logo changes.
What the fake XRPL DeFi site looks like
The most common version is a slick landing page styled as an "XRPL DeFi protocol." It promises yield. The copy is engineered to make you move fast: "earn XRP rewards," "+12% APY," "rewards distributed daily," "LIMITED TIME." There is a countdown timer. There is a number that ticks up, pretending to be total XRP already "claimed."
In the middle sits a single big button: Connect Wallet. Click it and you get a list of real wallet names: XUMM / Xaman, GemWallet, Crossmark, and sometimes MetaMask for the EVM sidechain. The names are real. The site is not. A domain like ripple-swap.com is a real example of this scam class. It is on the SafeBrowz blocklist and scans as DANGER. The real, official surfaces are xrpl.org, ripple.com, xaman.app, and gemwallet.app.
When you connect and then click "Claim" or "Stake," the site asks your wallet to sign a request. On the XRP Ledger that request is usually a Payment straight to the attacker, a TrustSet that authorizes a worthless token line they later abuse, or in the worst case a SetRegularKey that hands an attacker-controlled key full signing authority over your account. The reassuring marketing text on the page has nothing to do with what you are actually signing.
The "secret phrase" version is even simpler
Some variants skip the signature trick entirely and ask you to do the work for them. The fake "Xaman desktop wallet" download, or a "restore your wallet to claim the airdrop" page, asks you to import your wallet by typing your secret, your family seed, or your 24-word recovery phrase into a box.
That is the whole attack. On the XRP Ledger, anyone who holds your secret can sign any transaction exactly as you can. There is no second factor, no reversal, no support desk that can claw it back. The moment your phrase touches that box, the attacker imports your account on their own device and moves everything out.
Burn this rule in: no legitimate wallet, exchange, airdrop, or support agent ever asks for your secret recovery phrase. Not to "verify" you, not to "sync" a desktop app, not to "claim" anything. A request for your seed is, by itself, proof of a scam. We walk through the exact same trap with hardware wallets in the fake Ledger email warning.
Why the fakes look so convincing in 2026
Three things stack up to make this wave land harder than older XRP scams.
AI deepfakes of real people. Schwartz's warning was specifically about cloned video. A retail holder scrolling TikTok sees what looks like Ripple's CTO personally announcing a giveaway. The voice matches. The face matches. The "claim site" in the caption feels endorsed. None of it is.
Industrial domain rotation. Wind counted ten-plus domains in a single weekend. When one lookalike gets reported and taken down, the next is already live. Reputation blocklists that catalogue exact URLs always lag a fresh domain by hours, and hours is all a drainer needs.
Real wallet names as bait. Listing XUMM/Xaman, GemWallet, and Crossmark on the connect screen borrows their trust. A new holder who just installed Xaman recognizes the name and assumes the site is part of the ecosystem. The wallet picker is genuine code talking to genuine wallets. The transaction it asks you to sign is the hostile part.
Red flags that should stop the click
- It promises an XRP airdrop or giveaway. There is no XRP airdrop. Wind said it directly. Schwartz said it directly. Any page or DM offering one is a scam, full stop.
- It offers a "Xaman desktop wallet" download. There is no official Xaman desktop wallet. Xaman is a mobile app, reachable only from xaman.app.
- It asks for your secret, family seed, or recovery phrase. No legitimate site or person ever does. This single flag is enough to walk away.
- Yield that is too good. "+12% APY," "rewards distributed daily," a countdown timer, a fake "already claimed" counter. Urgency plus guaranteed yield is the drainer signature.
- The domain is not an official one. Real XRPL surfaces are xrpl.org and ripple.com; real wallets are xaman.app and gemwallet.app. A "ripple-swap" or "xrp-rewards" style host is not.
- "Support" reached out to you. Real Xaman support does not DM you first, does not call you, and does not ask you to sign anything to "fix" your account.
- A sign request you did not expect. If you only wanted to "claim," and the wallet pops a Payment, TrustSet, or SetRegularKey you did not initiate, reject it and close the tab.
What to do if you already connected or signed
Move fast. The order matters.
If you only connected your wallet but signed nothing, you are probably fine. A read-only connection does not move funds on the XRP Ledger. Disconnect, close the tab, and watch the account on a real explorer like xrpscan.com for any transaction you did not authorize.
If you signed a request, check your account immediately. Open your account on xrpscan.com or bithomp.com and look at the most recent transactions. A surprise Payment out is a direct theft. A TrustSet you did not make is a hostile token line. The dangerous one is a SetRegularKey: if an attacker set a regular key on your account, they can keep signing as you. If you still control the master key, set a new regular key yourself or disable the hostile one, and move your XRP to a fresh account.
If you typed your secret or seed phrase anywhere, treat the account as fully compromised. Do not "fix" it. Create a brand-new account with a brand-new secret on a clean device, and move whatever is left immediately. The attacker can sign for the old account forever.
Report the scam domain and the fake accounts to Xaman and to the XRPL community channels so the takedown pipeline catches up, and file with FBI IC3 if you are in the US. Recovery of moved funds is rare, but reports speed up domain takedowns. Our wallet-drained recovery guide has the full 24-hour and 7-day checklist. Beware anyone promising guaranteed "fund recovery" for a fee: that is a second scam stacked on the first.
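The account check described above can be scripted. This is an added example, not code from Xaman, Ripple, or SafeBrowz: it triages entries shaped like an XRPL account_tx result for the three request types this article names (Payment, TrustSet, SetRegularKey). The function names, severity labels, addresses, and hashes are assumptions constructed for illustration.

```javascript
// Added example. Entry shape follows the XRPL account_tx result (tx or
// tx_json, plus meta); every address and hash below is a constructed placeholder.
const SEVERITY = { SetRegularKey: "critical", Payment: "high", TrustSet: "medium" };

function describe(tx) {
  if (tx.TransactionType === "Payment") {
    const amt = tx.DeliverMax ?? tx.Amount;          // API v2 reports DeliverMax
    const what = typeof amt === "string"
      ? `${Number(amt) / 1e6} XRP`                   // XRP is a string of drops
      : `${amt.value} ${amt.currency}`;              // issued tokens are objects
    return `sent ${what} to ${tx.Destination}`;
  }
  if (tx.TransactionType === "TrustSet") {
    return `trust line for ${tx.LimitAmount.currency} from issuer ${tx.LimitAmount.issuer}`;
  }
  // SetRegularKey with no RegularKey field removes the key (a cleanup step).
  return tx.RegularKey ? `regular key set to ${tx.RegularKey}` : "regular key removed";
}

// Flags transactions sent by `account` whose hash is not in `expected`
// (the set of transactions the owner knows they made).
function triage(entries, account, expected = new Set()) {
  const findings = [];
  for (const entry of entries) {
    const tx = entry.tx_json ?? entry.tx ?? {};
    const hash = entry.hash ?? tx.hash;
    if (tx.Account !== account || expected.has(hash)) continue;
    let severity = SEVERITY[tx.TransactionType];
    if (!severity) continue;
    if (tx.TransactionType === "SetRegularKey" && !tx.RegularKey) severity = "info";
    // A failed transaction did not take effect, but it still shows someone signed as you.
    const applied = entry.meta?.TransactionResult === "tesSUCCESS";
    findings.push({ hash, type: tx.TransactionType, severity, applied, detail: describe(tx) });
  }
  return findings;
}

const ME = "rEXAMPLE_OWNER";
const ok = { TransactionResult: "tesSUCCESS" };
const SAMPLE = [
  { hash: "AAA1", meta: ok, tx_json: { TransactionType: "SetRegularKey", Account: ME, RegularKey: "rEXAMPLE_ATTACKER" } },
  { meta: ok, tx: { hash: "BBB2", TransactionType: "Payment", Account: ME, Amount: "25000000", Destination: "rEXAMPLE_ATTACKER" } },
  { hash: "CCC3", meta: ok, tx_json: { TransactionType: "Payment", Account: "rEXAMPLE_OTHER", DeliverMax: "1000000", Destination: ME } },
  { hash: "DDD4", meta: { TransactionResult: "tecNO_LINE_INSUF_RESERVE" }, tx_json: { TransactionType: "TrustSet", Account: ME, LimitAmount: { currency: "FAKE", issuer: "rEXAMPLE_ATTACKER", value: "1000" } } },
];
console.log(triage(SAMPLE, ME));
```

Incoming payments are skipped because only transactions your own account sent require your signature.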
How SafeBrowz blocks this threat
SafeBrowz runs a 3-layer detection architecture: Local + APIs + AI. The important part for this scam is that our detection does not trust the page's reassuring marketing text. It reads the signals the attacker cannot fake away.
- Layer 1 - Local detection: 60+ URL patterns and a 550+ brand database run in the browser before the page renders. A fake XRPL site trips several signals at once: a brand or keyword (Xaman, XUMM, XRP, Ripple) sitting on a domain that is not the official one, a "connect wallet" prompt next to multiple wallet-provider names (XUMM, GemWallet, Crossmark, MetaMask), and lookalike or newly-registered hosts. Known drainer domains like ripple-swap.com are flagged red outright.
- Layer 2 - API checks: aggregates Google Safe Browsing, PhishTank, URLhaus, ScamAdviser, and 30+ scam TLD lists server-side. Fresh airdrop-drainer domains surface on these feeds within hours of going live, and the API tier picks them up automatically. A brand-new domain with no history is itself a weighted signal.
- Layer 3 - AI deep scan (Premium): AI content analysis (via our proxy, 100+ languages) catches novel variants that no blocklist has yet. It weighs the too-good yield offer ("+12% APY," "rewards distributed daily"), the connect-wallet-plus-many-providers pattern, the brand-on-wrong-domain mismatch, and, server-side, an obfuscated wallet-drainer script bundle, then returns a danger verdict in seconds rather than believing the page's "official XRP staking" copy.
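The "brand on a domain that is not the official one" signal from Layer 1 can be sketched as follows. This is an added example, not SafeBrowz's code: the official hosts and brand keywords are the ones listed in this article, while the function names, verdict labels, and the example.net host are assumptions.

```javascript
// Added example, not SafeBrowz code. Official hosts and brand keywords come
// from this article; verdict labels and function names are assumptions.
const OFFICIAL = ["xrpl.org", "ripple.com", "xaman.app", "gemwallet.app"];
const BRANDS = ["xaman", "xumm", "xrp", "ripple"];

// True only for an official domain or a subdomain of one. Matching on the
// label boundary keeps "notxaman.app" and "xaman.app.example.net" out.
function isOfficialHost(host) {
  return OFFICIAL.some((d) => host === d || host.endsWith("." + d));
}

function checkUrl(input) {
  let url;
  try {
    url = new URL(input);
  } catch {
    return { verdict: "invalid", host: null, reasons: ["not a parseable URL"] };
  }
  // The URL parser lowercases the host; strip a trailing root dot.
  const host = url.hostname.replace(/\.$/, "");
  const reasons = [];
  if (isOfficialHost(host)) return { verdict: "official", host, reasons };

  const hits = BRANDS.filter((b) => host.includes(b));
  if (hits.length) reasons.push(`brand keyword on unofficial host: ${hits.join(", ")}`);
  // Internationalized names are encoded as xn-- labels and can imitate a brand.
  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    reasons.push("punycode label (possible lookalike)");
  }
  // Text before "@" is login info, not the host, so it can show a trusted name.
  if (url.username) reasons.push("userinfo before @ is not the real host");
  return { verdict: reasons.length ? "suspicious" : "unknown", host, reasons };
}

for (const u of ["https://xaman.app/", "https://ripple-swap.com/claim",
                 "https://xaman.app.example.net/", "https://xaman.app@ripple-swap.com/"]) {
  console.log(u, checkUrl(u));
}
```

An "unknown" verdict only means this one signal did not fire; it says nothing about whether the site is safe.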
Detection signatures are derived from threat-intelligence research and our internal brand database, not from user browsing data. SafeBrowz does not store per-user browsing history.
Block fake XRP airdrops and Xaman lookalikes before you connect
SafeBrowz is a free browser extension for Chrome, Firefox, and Edge, with Safari support pending. It flags fake XRPL DeFi sites, lookalike Xaman and XUMM pages, and connect-wallet drainer traps before the page can ask for a signature or a seed phrase. The local layer covers 550+ brands. AI deep scan (Premium, $14.99/year) catches new airdrop-drainer domains the same day they appear, even when no blocklist has them yet.
Frequently asked questions
Is the XRP airdrop real?
No. There is no XRP airdrop. Xaman founder Wietse Wind stated this directly in his May 2026 warning, and Ripple CTO David Schwartz repeated it while warning about AI deepfake videos promoting fake giveaways. Every page, video, or DM offering a "claim your XRP airdrop" link is a scam designed to drain your wallet when you connect it or to steal your secret phrase. Ripple and the XRPL do not run surprise airdrops you claim by connecting a wallet to a third-party site.
Is there an official Xaman desktop wallet?
No. Wietse Wind, the founder of Xaman (formerly XUMM), said there is no official Xaman desktop wallet. Xaman is a mobile app. Any "Xaman desktop" download you find through an ad, a search result, or a DM is a fake built to steal your secret recovery phrase or drain your account. The only legitimate place to get Xaman is xaman.app, which links to the official mobile app stores.
How does a fake XRPL DeFi site drain my XRP?
It shows a "Connect Wallet" button listing real wallets (XUMM/Xaman, GemWallet, Crossmark, sometimes MetaMask). After you connect, clicking "Claim" or "Stake" asks your wallet to sign a transaction. On the XRP Ledger that is often a Payment straight to the attacker, a TrustSet that abuses a token line, or a SetRegularKey that hands an attacker-controlled key full signing power over your account. Some variants skip this and just ask you to paste your secret recovery phrase, which lets the attacker import your account directly. The page's "+12% APY" marketing is unrelated to what you are actually signing.
What happens if I connected my wallet to one of these sites?
If you only connected and signed nothing, you are likely fine, because a read-only connection does not move funds on the XRP Ledger. Disconnect and watch your account on a real explorer like xrpscan.com. If you signed a request, check your recent transactions immediately for a surprise Payment, an unexpected TrustSet, or a SetRegularKey. A hostile regular key lets the attacker keep signing as you, so disable it and move funds to a fresh account if you still hold the master key. If you typed your secret or seed phrase, the account is fully compromised: create a new one and move everything out now.
Will any real service ever ask for my XRP secret or seed phrase?
Never. No legitimate wallet, exchange, airdrop, or support agent will ever ask for your secret, family seed, or recovery phrase, not to verify you, not to sync a desktop app, not to claim a reward. Anyone who holds your XRP secret can sign any transaction as you, and there is no reversal. A request for your seed phrase is, by itself, definitive proof of a scam. Walk away and report it.
How do I know I am on the real Xaman or XRPL site?
Reach the XRP Ledger only at xrpl.org, Ripple at ripple.com, Xaman at xaman.app, and GemWallet at gemwallet.app. Bookmark these and reach them from the bookmark, never from an ad, a search-result link, a video caption, or a DM. If a site uses a name like "ripple-swap" or "xrp-rewards," lists multiple wallet providers behind a connect button, promises guaranteed yield, or runs a countdown timer, it is a drainer. You can paste any suspicious URL into the SafeBrowz checker on this page to get a 3-layer verdict before you connect anything.
Last updated 2026-06-13