“Flare’s XRPFi Distribution Has Started” – Fake Airdrop Scam Targeting $XRP Holders
This one is more dangerous than most. Not because the mechanics are new – they aren’t – but because the execution is polished enough to fool experienced holders.
I documented it live on May 11, 2026. Screenshots are real. The site was still active at time of writing.
What the Scam Looks Like
A post appears on X, replying to a popular XRP account. It reads:
๐ช Flare’s XRPFi distribution has started!
Eligible XRP holders can now claim their drop.
Check your eligibility: ๐
Attached is a professional-looking banner displaying the real logos of Flare, XRP, Uphold, and Xaman – four legitimate, trusted brands in the XRP ecosystem. The banner reads “FXRP Airdrop Distribution – Round 1 Live.” At the bottom of the image, in small text: x-eligibility-portal.pages.dev
That URL is the first red flag. We’ll get to it.
Click the link and you land on a site that looks like this:
- XRP logo in the header
- Flare branding throughout
- A countdown timer: “XRPFi Event for Holders | 04h 19m 08s”
- Headline: “Flare XRP Airdrop Is Now Live”
- Body copy: “eligible holders can now check their allocation and claim FXRP directly to their wallet. Participation is simple, secure, and requires no additional steps beyond wallet verification.”
- A large blue button: Check Eligibility โ
Everything about this page is designed to look like a real project announcement. And every single link on the page – Check Eligibility, Learn More, Contact Us, every footer link – leads to a wallet connection prompt.
Why $XRP Holders Are the Target
This scam works because it exploits real history.
Flare Network actually did distribute FLR tokens to XRP holders – it was one of the most anticipated airdrops in the XRP community, announced years before it happened. Many XRP holders are still aware of Flare and associate it with legitimate distributions they received or were eligible for.
That familiarity is the weapon. When you see “Flare” and “XRP” together in the context of an airdrop, your pattern recognition says this is a real thing that has happened before. The scammers know this and designed every element of the site around that association.
This is a step up from generic fake airdrops. This one is targeted, researched, and credible-looking to exactly the audience it’s trying to drain.
The Red Flags – Dissected
1. pages.dev is a free Cloudflare hosting subdomain
The URL is x-eligibility-portal.pages.dev. Pages.dev is Cloudflare’s free static site hosting โ the equivalent of netlify.app or vercel.app. Anyone can create a site there in minutes for free with no identity verification.
The real Flare Network’s infrastructure lives at flare.network. The real XRP Ledger resources are at xrpl.org. No legitimate airdrop distribution for an asset of this profile runs on a free subdomain.
This is the single fastest check you can do: look at the domain before you do anything else. Free subdomain = stop immediately.
2. The countdown timer
“04h 19m 08s” – a ticking clock displayed prominently at the top of the page. There is no legitimate airdrop that expires in four hours with no prior announcement through official channels. The timer exists for one reason: to make you act before you think.
Real distributions are announced well in advance through official project channels, covered by crypto media, and discussed openly in communities. They do not appear out of nowhere with a four-hour window.
3. Stolen logos from four real projects
The banner uses the real, official logos of Flare, XRP, Uphold, and Xaman. This is not an accident – it’s deliberate trust engineering. Each logo is a borrowed authority signal. None of these projects have any association with this site.
Before trusting any airdrop that uses brand logos, verify through each project’s official channels that they are actually running the promotion. One tweet or announcement from the real account confirms or kills it instantly.
4. “Requires no additional steps beyond wallet verification”
This phrase is worth stopping on. It is designed to make the wallet connection step sound routine and safe. “Wallet verification” is not a real thing in legitimate airdrop distribution. What they are actually describing is: connect your wallet and sign a transaction.
When you sign a transaction on a malicious site, you are authorizing a smart contract to transfer your tokens. The language is chosen specifically to make that action sound administrative rather than dangerous.
5. Every link on the page leads to a wallet connector
This is the clearest possible evidence of intent. A real project site has content – documentation, team pages, blog posts, announcements. When every single navigational element on a site – including the footer links, the “About” section, and the “Contact Us” button – routes to a wallet connection prompt, the site has no other purpose. It is a drainer with a webpage built around it.
How It Spreads
Unlike the DM-based scam documented in our earlier article, this one spreads through public posts on X.
The post appears as a reply to a popular XRP community account. This is deliberate – replies to large accounts are visible to that account’s followers, and users browsing a thread on a hot topic are already in a receptive mindset about the subject.
The scammers are not just sending DMs to individuals anymore. They are embedding themselves into legitimate conversations at scale. A new or casual user scrolling through XRP news sees what looks like an official announcement from inside a thread they were already reading.
The tracking number at the end of the URL – in this case ?597935 – is an individual referral ID. It tells the operator which post or campaign drove the click. This is an organized operation, not a one-off attempt.
What To Do
If you saw the post but didn’t click: Block and report the account that posted it. No further action needed.
If you visited the site but didn’t connect your wallet: You’re fine. Browsing a site without connecting causes no harm. Close it, block the source account, move on.
If you connected your wallet and signed a transaction: Act immediately:
- Go to revoke.cash and revoke all token approvals granted to unknown addresses
- Transfer any remaining assets to a fresh, clean wallet address immediately
- Treat the compromised wallet as burned โ do not continue using it as your primary wallet
- Report the site to Cloudflare’s abuse team at abuse.cloudflare.com
- Notify the real Flare Network and XRP community accounts so they can warn their followers
The Broader Pattern
This is the second documented wallet drainer we have encountered in a short period, and the evolution between the two is notable:
| DM Scam (April 2026) | Fake Airdrop Post (May 2026) | |
|---|---|---|
| Delivery | Private DM | Public X reply |
| Hosting | netlify.app | pages.dev |
| Target | Generic new crypto accounts | Specifically $XRP holders |
| Design quality | Basic | Professional |
| Trust mechanism | Fake moderator persona | Stolen logos from 4 real projects |
| Urgency tactic | Follow-up DM pressure | Countdown timer |
The mechanics are identical. The packaging is getting better.
The only reliable defense is one that does not depend on recognizing the scam in time: keep your main holdings in a hardware wallet. A Ledger or Trezor keeps your private keys completely offline. Even if you connect a compromised software wallet to a malicious site, your cold storage is untouched.
The second line of defense is the habit of verification: before interacting with any airdrop claim, check the official project’s own X account and website directly. If it is not announced there, it does not exist.
Seen a variant of this scam targeting a different token community? Drop it in the comments – documenting these keeps the playbook visible.
Want alerts on real verified airdrops only? Join our Airdrop Alerts list โ no spam, unsubscribe anytime.
Stay Safe Guide ยท DM Scam Dissected ยท Evaluate Projects ยท Real Airdrops
