XRPL NFT Scam Tracker

The XRP-API.com NFT phishing-drain campaign tricks Xaman and other wallet users into signing "Safe XRPL verify message" transactions that drain their funds. This page tracks every confirmed drain on-chain and auto-updates as new scams are detected.

Campaign first observed 2026-01-25 · latest drain 2026-06-17

Ecosystem warning

David "JoelKatz" Schwartz, CTO of Ripple, has publicly warned XRPL users about this campaign. View on X →

Victim testimony

@xZBLUEx, FuzzyBear community member, was drained after accepting a bait NFT offer that swept his FUZZY holdings. View on X →

Key figures (live):

  • Total drained (XRP-equiv): 1.84M (1.31M XRP + 531.4K in tokens)
  • Held by scammers: 9.6K (99% already laundered)
  • Wallets affected: 516 unique victims drained
  • Drain events: 914 (243 distinct tokens)
  • NFTs flagged: 27.4K (360 offers blocked)
  • Scam wallets tracked: 466 (auto-flagged on each new mint)

Deep dive: we traced one operator behind this campaign — a single actor rotating a fresh "Verification Sign" minting wallet every 1–2 days across 528 wallets, with full addresses, transaction hashes, and the 200+ exchange destination tags he cashes out to. Read the investigation →

How the scam works

How victims are lured in

The hook. The attacker first social-engineers the victim with a fake airdrop, reward, staking, or token-claim opportunity, usually framed with urgency ("limited slots", "ends in 1 hour", "verify in the next 10 minutes"). The lure links to a phishing page that prompts you to connect your wallet. Connecting alone does not drain anything: the wallet just shares its address so the attacker can scan your balances. The drain only happens once you sign a transaction the attacker pushes to your wallet.

The same operator group runs multiple acquisition funnels in parallel:

  • X / Twitter spam. Dozens of fake accounts posing as Xaman support, Xaman developers, or admins of trending projects. Profiles are padded with purchased followers and bot engagement (likes, replies, retweets) to look legitimate at a glance. They reply to real users in trending XRPL threads with "verification" instructions linking to the bait.
  • Targeted impersonation. The dominant lure is Xaman ("your wallet needs verification"), including fake events such as "Xaman Community Day" (no such event exists). Variants impersonate community-favorite projects like PHNIX, FuzzyBear, and other meme or DeFi tokens currently in the spotlight. The same drain mechanic adapts to whichever brand the victim trusts.
  • Telegram & Discord DMs. After a user posts a support question or joins a project channel, attackers DM them within minutes claiming to be a "support agent" or "moderator". Attackers will also pose as fellow community members, striking up casual conversation to build rapport before pivoting to social engineering. They funnel the conversation off the official server and into a one-on-one DM where they push the verification link or terminal-paste command.
  • "Exclusive group" bait. Inside a project's own Telegram or Discord, the target is invited to a privileged sub-group — a "whale group", an "OG holders" room, or a private alpha channel. Entry is gated behind a "membership verification": only after they agree to join are they asked to verify with their wallet — the same sign-to-drain trap. The exclusivity lowers the victim's guard because the invitation comes from inside a community they already trust.
  • Google search hijacking. The campaign runs typo-squatted domains and pays for Google Ads slots that appear above the real result when users search for XRPL wallets, marketplaces, or token names. A single character difference in the URL bar (or just clicking the top "Sponsored" result) lands them on a clone site that runs the same scripts.

Common thread: the attacker's only goal is to get the victim onto a page they control, or to get them to sign a transaction or paste a terminal command without reading it. The on-chain drain or the malware payload then follows automatically.

Attack flow at a glance

End-to-end path from first contact to drained wallet:

  1. Lure. Fake airdrop or reward on X, Discord, Telegram, or a Google-Ads phishing site.
  2. Connect wallet. Victim connects Xaman / Crossmark / GemWallet. Address shared, no funds moved yet.
  3. Spam offers. Attacker pushes NFTokenCreateOffer prompts non-stop, disguised as 'verification'.
  4. Outcome. Sign → drained. Revoke → safe.

How the scam works (on-chain drain)

The attacker pre-targets the victim. After scanning their wallet, the attacker mints one NFT per asset the victim holds: XRP, LP tokens, IOUs, everything. Each NFT's URI encodes that specific balance, e.g. https://xrpl-api.com/api/nft/metadata?amount=11432359&asset=CSC%3ArCSCManTZ8ME…. The phishing endpoint dynamically returns matching metadata so each NFT renders in the victim's wallet as a stand-in for that exact balance, often dressed up to impersonate Xaman, XRPL.org, or a known marketplace.

The attacker then creates NFTokenCreateOffers with memos like "Verification: Safe XRPL verify message" plus "Info: idx:0;len:11". The wallet UI shows what looks like a routine verification, but each signature actually authorizes a sale of the targeted balance. Signing N "verifications" hands the attacker N specific assets: XRP first, then every held token.

When the victim signs, they are handing their XRP and tokens directly to the attacker. On-chain, the scammer has simply sold them an NFT. The attacker accepts the offer, the transfer settles as a normal on-chain payment indistinguishable from a legitimate trade, and the victim is left holding a worthless bait NFT. There is no path to reverse it.

How the attack got here. The earliest version of this campaign was crude: the attacker simply spammed NFTokenCreateOffer transactions at every wallet on the ledger, hoping a few victims would tap "accept" on whatever showed up in their inbox. Once wallets started flagging unsolicited offers as spam and hiding them by default, the operator shifted up the stack. The current variant abuses the wallet sign-in / push-notification flow: instead of pushing offers directly, the attacker lures the victim to a web app they control, where the page triggers a "verification" sign request that the wallet renders as a routine notification. The malicious payload is now wrapped in a UX the victim already trusts.

Evolving evasion. As detection has tightened across XRPL platforms and wallets, the campaign has shifted. The most recent variants mint blank NFTs with minimal or no on-chain metadata (no URI, no memo, sometimes no name), so URI and memo classifiers have nothing to match. We catch these by issuer-level reputation: any wallet that has ever produced a confirmed scam is auto-flagged on every subsequent mint and offer, URI or not. The list refreshes live and is published as scamIssuersList in the /api/nft/scam response so wallets can mirror it client-side.

Off-chain variant: terminal stealer payload

The same operators run a parallel attack that never touches the ledger. The bait NFT or a linked page prompts the user to "complete verification" by copying a string and pasting it into their desktop terminal (PowerShell on Windows, Terminal on macOS). The pasted line fetches a payload from a short-lived host (e.g. mmzzxcca.xyz/update3.zip) which deploys HijackLoader plus SnappyClient, a commodity-stealer combo that exfiltrates browser cookies, saved passwords, and cryptocurrency wallet files, and installs persistence via a Run key plus DLL injection into SysWOW64\input.dll. See the public sandbox detonation at tria.ge/260505-k76d4afx2j (severity 10/10).

There is no XRPL signature involved: the loss happens entirely on the victim's machine, and the attacker can sweep funds from any wallet whose seed or session cookie was stored locally. Never paste anything from an NFT, Discord, Twitter, or website prompt into a terminal. No legitimate XRPL service ever asks you to do this.

Screenshot of the phishing page: a fake "verification" workflow that instructs the user to open their OS terminal and paste a copied string.
Recording of the lure in the wild: the victim is walked through opening their OS terminal and pasting an "update" command that silently installs the stealer.

Live on-chain data

Monthly drain timeline

Month   | XRP drained | Events
2026-06 | 24.7K       | 45
2026-05 | 1.06M       | 483
2026-04 | 229.9K      | 134
2026-03 | 101.8K      | 47
2026-02 | 423.1K      | 148
2026-01 | 9.5K        | 44

Top scammer wallets (XRP received)

Address      | XRP received | Drains
r3qAzD…x6ia | 576.6K       | 10
rKWQGG…MaTp | 347.4K       | 101
rG8Vfi…1UTq | 191.2K       | 104
rMKAzY…smaV | 156.7K       | 39
rNRvAX…ev4k | 75.1K        | 25
rn98Kz…WRWu | 61.2K        | 72
rfAJ3d…KHD2 | 46.8K        | 23
r4JECs…bWAV | 38.3K        | 51
rGtC5i…Z22M | 36.2K        | 13
r3788V…Vug7 | 35.9K        | 19

Top victim wallets (XRP paid)

Scammer wallet holdings (live)

Current on-chain holdings of every scam wallet, XRP plus IOU/LP tokens at market value. Compare against the 1.84M XRP-equiv drained from victims: 99% has already been moved off-chain (cashed out, bridged, or pushed through a tumbler).

Wallet       | Total (XRP-eq) | XRP / Tokens | Composition
rKWQGG…MaTp | 1.3K           | 41 / 1.2K    | 6.17M REITF, 497.1K RIBBLE, 109.5K DARKNET, 120.07M LP XRP/PONGO
rn98Kz…WRWu | 988            | 14 / 973     | 16 XIO, 26.6K $XRPLedgerETF, 106.96B GANJA, 2.7K XRPH
rfotNC…uPKU | 675            | 5 / 670      | 746 666, 67.44M $BWTZ, 2.7K GRIM, 2.7K RPR
r4JECs…bWAV | 574            | 15 / 559     | 2.19M ROOFxrp, 14.97T PEPE, 573 EVR, 1.13M CSC
rfAJ3d…KHD2 | 434            | 9 / 425      | 9.15M FUZZY, 6.6K XRPH, 1.59M PHNIX, 7 RLUSD
r4W4fi…8vu4 | 380            | 6 / 374      | 11.52M FUZZY, 178 VGB, 2.7K ELS, 52 XPM
rMMdkU…cxPL | 348            | 332 / 16     | 5.0K BEAR
rfSMGP…M98F | 339            | 331 / 8      | 671.5K PHNIX, 0 RLUSD
rsXHyu…6ruc | 274            | 3 / 271      | 23.64M PHNIX, 14.8K XFT
r3kkKv…d5sP | 261            | 6 / 255      | 33.3K REAL, 0 MAG, 1.74M FUZZY, 5.3K XRT
rMKAzY…smaV | 183            | 9 / 174      | 3.82M FUZZY, 459.38B XRSHIB, 1.8K XRT, 8 666
r4GwDN…itsV | 150            | 135 / 15     | 0 MAG, 133 RPR, 0 DROP
r3qAzD…x6ia | 149            | 6 / 143      | 16.8K XPM, 0 MAG, 90.5K FUZZY, 63 SOLO
rnsMwz…NcTD | 133            | 7 / 126      | 11.11M ATM, 1.04M FUZZY, 0 MAG, 999 JUP
rG8Vfi…1UTq | 128            | 53 / 75      | 2.4K FLR, 1.1K CTF, 690 XAH, 7.9K PLR
rp81Bk…6ZEV | 99             | 84 / 14      | 368.1K CSC, 0 PHNIX
raMZGe…RCiz | 95             | 80 / 16      | 1.0K VGB, 968 XPM, 64.2K XDX, 46.5K FUZZY
rhQ63w…QEe7 | 94             | 6 / 88       | 4.0K CTF, 2.8K SOLO, 21.9K ELS, 0 Opulence
rhuTqh…i6cM | 84             | 77 / 6       | 167 Factora, 46 SOLO
rMWj9F…RHAJ | 79             | 79 / 0       | -

Snapshot from the last cron run. Top 20 wallets shown.

Potential dump pressure: tokens held by scammers

Aggregate token positions across all 138 scam wallets. If any of these tokens see a large market sell, the scammers are likely behind it. Sorted by current XRP-equivalent.

Token          | Issuer       | Amount held | Value (XRP) | Wallets
REITF          | rLSCBS…LygX | 6.17M       | 1.1K        | 1
FUZZY          | rhCAT4…pR62 | 28.30M      | 913         | 67
XIO            | rfuzio…RoxU | 17          | 495         | 2
666            | rhvf9f…frxN | 795         | 378         | 4
PHNIX          | rDFXbW…ivmN | 32.27M      | 369         | 63
$BWTZ          | rrpQUE…GMHS | 67.44M      | 292         | 1
ROOFxrp        | roofxr…r5Jv | 2.19M       | 239         | 1
MAG            | rXmagw…vVMJ | 1           | 181         | 11
$XRPLedgerETF  | raChAW…F74Z | 26.6K       | 173         | 1
REAL           | rKVyXn…Nz88 | 55.5K       | 162         | 11

Top 10 by current XRP-equivalent. 40 distinct tokens total.

Tokens drained (top 40 by frequency)

Value in XRP uses current market price for regular tokens, or AMM pool reserves for LP tokens. - means no price feed (illiquid or delisted).

Token                   | Issuer       | Amount drained | Value (XRP) | Drains
FUZZY                   | rhCAT4…pR62 | 684.73M        | 22.2K       | 33
RLUSD                   | rMxCKb…m5De | 1.4K           | 1.2K        | 24
PHNIX                   | rDFXbW…ivmN | 2.09B          | 23.8K       | 22
SOLO                    | rsoLo2…rLZz | 66.4K          | 945         | 18
CSC                     | rCSCMa…gkwr | 400.65M        | 15.7K       | 13
03C3BE9D… LP XRP/MAG    | rNZ2ZV…bXce | 276.8K         | 10.6K       | 12
REAL                    | rKVyXn…Nz88 | 229.6K         | 670         | 12
BXE                     | rM1J2M…y87r | 154.1K         | 417         | 12
VGB                     | rhcyBr…knaU | 33.5K          | 243         | 9
XPM                     | rXPMxB…wkoa | 21.5K          | 108         | 9

Recent drains (live feed)

Each row links to the on-chain transaction and the bait NFT. Hover any abbreviated value to see the full ID.

Drains ≥ 10,000 XRP highlighted in red. Scammer wallets in red, victims in blue.

Protect yourself

How to protect yourself (users)

  • Never sign an NFTokenCreateOffer, or any transaction, you didn't deliberately start.
  • Treat memos like "Verification", "Safe XRPL verify", or "idx:N;len:N" as red flags. No legitimate XRPL service uses those.
  • If an NFT in your wallet shows a huge balance you never bought, do not click it (don't interact with things you do not understand). Check the URI: anything pointing to xrpl-api.com or xrp-api.com is the drain campaign.
  • Burn or hide suspect NFTs from your wallet instead of interacting with them.
  • Never paste a "verification" code into your terminal. If an NFT description, linked page, Discord/Twitter DM, or "support agent" tells you to open PowerShell/Terminal and paste a command, it is HijackLoader/SnappyClient or an equivalent commodity stealer. It will exfiltrate your browser cookies, saved passwords, wallet files, and stage persistence on your machine. No real XRPL service ever requires this.
  • If you've been drained on-chain, the transfer cannot be reversed. If your machine was compromised (terminal-paste variant), assume cookies + saved credentials + locally stored wallet seeds are all leaked: rotate exchange/email/social passwords from a clean device, revoke any active wallet sessions, and move XRPL funds to a fresh seed generated offline on hardware you trust.

Already got the spam offers? Revoke Xaman third-party app access

If you connected your Xaman wallet to one of the phishing sites and are now being spammed with NFT offers, cancelling each offer does not stop the attack. The attacker holds an active third-party app permission on your wallet and will keep pushing offers until you revoke it.

  1. Open Xaman → Settings → Third-party apps.
  2. Look for an app you don't recognise. Most commonly the malicious entry is labelled "XPMarket", but the attacker can rename it to anything (Xaman, FuzzyBear, RLUSD, an XRPL marketplace, etc.). The displayed name is not verified.
  3. Tap the suspicious app.
  4. Scroll to the bottom and tap Revoke access.

After revoking, the attacker can no longer create offers on your behalf. If you signed anything during the session, or if you can't remember exactly what you authorized, move remaining XRP, tokens, and any LP positions to a fresh seed generated offline.

For developers

For wallet & dapp developers: automatic scam detection

Two free public endpoints cover the full integration surface. No API key required; data updates every minute.

1. Per-NFT scam check: GET /api/nft/<NFTokenID>

Already part of the standard NFT API. Returns the full NFT document; check the scam: true and scamType fields before rendering or accepting an offer.

curl https://api.xrpl.to/api/nft/00090000560ABF36DE406A9E7EE3B37CBBE047629EC1C40E956828E50634B54A
# → { "_id": "0009...", "scam": true, "scamType": "phishing_uri_domain", "issuer": "r3qAz...", ... }

2. Tracker snapshot + scam-issuer list: GET /api/nft/scam

Single endpoint with everything: aggregate stats, monthly timeline, top scammers/victims, recent drains, and a flat scamIssuersList (466 addresses today) for client-side filtering. Cache it locally and filter incoming NFTs by issuer against the list; this pre-empts any per-NFT round-trip for known-bad wallets. Refresh every few minutes.

curl https://api.xrpl.to/api/nft/scam
# → { "totals": { ... }, "monthlyTimeline": [ ... ], "topScammers": [ ... ],
#     "tokensDrained": [ ... ], "recentDrains": [ ... ],
#     "scamIssuersList": ["r3qAz...", "rGhwR5...", ...], ... }

Suggested integration: on app load, fetch /api/nft/scam once and cache the scamIssuersList. For each NFT, before rendering, check nft.issuer ∈ scamIssuersList first (O(1) client-side). If the issuer is clean but you want to verify the specific NFT, follow up with GET /api/nft/<NFTokenID> and check scam in the response. Detection is already live; flags appear within seconds of a new on-chain mint or offer.
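The following is an added example, not xrpl.to's or any wallet vendor's code. It implements the integration suggested above and folds in the two on-chain signals from "How the scam works (on-chain drain)": the cached scamIssuersList is checked first, then the NFT URI domain and offer memos are decoded from the ledger's hex fields, and the per-NFT endpoint is consulted only for NFTs that look clean locally. The fetchNftDoc callback, the snapshot, and every address and NFTokenID are constructed placeholders.

```javascript
// Added example (not xrpl.to's or any wallet's own code): client-side pre-filter for a wallet
// or dapp, combining the three signals this page describes: issuer reputation (scamIssuersList
// from GET /api/nft/scam), the phishing URI domain, and the "verification" offer memo.
// All addresses, IDs and the snapshot below are constructed placeholders.
const PHISHING_DOMAINS = new Set(["xrpl-api.com", "xrp-api.com"]);
const MEMO_PATTERNS = [/safe xrpl verify/i, /^verification\b/i, /\bidx:\d+;len:\d+\b/i];

// NFT URIs and memo fields are stored hex-encoded on the ledger.
const hexToUtf8 = (hex) => (hex ? Buffer.from(hex, "hex").toString("utf8") : "");
const utf8ToHex = (s) => Buffer.from(s, "utf8").toString("hex").toUpperCase();

function uriDomain(uri) {
  try { return new URL(uri).hostname.toLowerCase().replace(/^www\./, ""); }
  catch { return null; }
}

class ScamFilter {
  constructor() { this.issuers = new Set(); }
  // Feed the parsed body of GET /api/nft/scam; cache it and refresh every few minutes.
  loadSnapshot(snapshot) { this.issuers = new Set(snapshot.scamIssuersList || []); }

  // nft: ledger NFToken fields (Issuer, URI hex); offer: optional NFTokenCreateOffer whose
  // Memos[].Memo.MemoData is hex. Returns every reason so the UI can say why it blocked.
  classify(nft, offer) {
    const reasons = [];
    if (this.issuers.has(nft.Issuer)) reasons.push("known_scam_issuer");
    const domain = uriDomain(hexToUtf8(nft.URI));
    if (domain && PHISHING_DOMAINS.has(domain)) reasons.push("phishing_uri_domain");
    const memos = (offer?.Memos ?? []).map((m) => hexToUtf8(m.Memo?.MemoData));
    if (memos.some((t) => MEMO_PATTERNS.some((re) => re.test(t)))) reasons.push("verification_memo");
    return { scam: reasons.length > 0, reasons };
  }

  // Local O(1) checks first; only an NFT that looks clean costs a per-NFT round-trip.
  async classifyWithFallback(nft, offer, fetchNftDoc) {
    const local = this.classify(nft, offer);
    if (local.scam) return local;
    const doc = await fetchNftDoc(nft.NFTokenID); // GET /api/nft/<NFTokenID>
    return doc && doc.scam ? { scam: true, reasons: [doc.scamType] } : local;
  }
}

// Constructed sample: the issuer is not yet listed, but the URI and memos give it away.
const filter = new ScamFilter();
filter.loadSnapshot({ scamIssuersList: ["rSCAMISSUER1PLACEHOLDER", "rSCAMISSUER2PLACEHOLDER"] });
const baitNft = { NFTokenID: "0009PLACEHOLDER", Issuer: "rFRESHISSUERPLACEHOLDER",
  URI: utf8ToHex("https://xrpl-api.com/api/nft/metadata?amount=11432359&asset=CSC%3ArPLACEHOLDER") };
const baitOffer = { Memos: [{ Memo: { MemoData: utf8ToHex("Verification: Safe XRPL verify message") } },
                            { Memo: { MemoData: utf8ToHex("Info: idx:0;len:11") } }] };
```

Running `filter.classify(baitNft, baitOffer)` flags the bait with reasons ["phishing_uri_domain", "verification_memo"] even though the freshly rotated issuer is not on the list yet; a blank NFT from a listed issuer is still caught by the issuer check alone.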

The full XRPL.to API surface (tokens, AMM pools, NFTs, traders, OHLC, holders, search, and more) is documented at xrpl.to/docs. Free, no API key required for read endpoints, no rate-limit headaches for normal use. A modern alternative to the Ripple Data API with deeper filtering and richer query parameters.