This article is for informational purposes only. Always verify information independently before making any decisions.
Scammers are targeting XRP users with fake Xaman airdrop scams spreading across social media platforms in May 2026, according to Finance.biggo.com and Pcrisk.com.
XRPUSD chart: Volatility rises amid security concerns
Finance.biggo.com tracked severe XRPUSD volatility in May 2026. On May 6, 2026—when the first sizable-scale wave of fraud came to light—XRP fell from $0.60 to $0.51, and trading volumes exceeded $1.2 billion as panic gripped the market.
Latest news: Fake Xaman airdrop scams multiply across platforms
Pcrisk.com’s threat analysts observed a wave of new Xaman-themed airdrop scams ramping up from late April 2026 into May, targeting users across dozens of platforms. At least 35 new fake domains mimicking the Xaman wallet brand were registered in a two-week window, per finance.biggo.com.
| Detail | Information |
|---|---|
| May 6, 2026 | First major surge in scam reports logged by support teams. |
| May 9, 2026 | Double the April monthly average of scam help requests in a 24-hour window. |
| May 15, 2026 | Pcrisk.com reports malware payloads embedded in airdrop app downloads. |
| May 19, 2026 | Finance.biggo.com flags deepfake influencer videos promoting scam links as a growing tactic. |
The Xaman development team has repeatedly cautioned users through their verified Twitter account that they never conduct public airdrops and will never request private keys.
About PCrisk: Ongoing effort against crypto malware and fraud
The Xaman Monthly $XRP Release Scam entry on pcrisk.com describes the group’s broader work as a defender against disruptive crypto malware and scam campaigns. Security researchers note that over 60% of all cryptocurrency-focused phishing attacks in Q2 2026 featured airdrop fraud. That means Xaman wallet users and XRP holders remain the primary targets, according to their latest analysis. Most phishing pages draw traffic by hijacking trending Telegram topics and coordinating push notifications in Discord communities during release events.
PCrisk.com also highlights that spike periods correspond to “promo pushes,” with scam sites receiving surges of daily visitors via coordinated bot activity and paid channel boosts. Attackers target Telegram and Discord because crypto audiences there are highly active during significant announcements, and community self-policing can lag behind a new threat’s arrival.
Guides: Recovering from Xaman airdrop malware
Pcrisk.com’s updated guides released in May 2026 offer step-by-step instructions for users compromised by the new Xaman airdrop malware strain.
Malware activity: How scammers exploit XRP users and wallet vulnerabilities
Pcrisk.com’s May 2026 incident logs show that new malware variants targeting XRP users have become substantially more aggressive compared to previous months. According to finance.biggo.com, wallet-draining attacks now siphon XRP within moments after the victim submits their recovery phrase on a fake site. Those attacks often complete in under three minutes between phishing and loss of funds. Several thousand XRP were stolen from user accounts in less than ten days in May, with hot wallets—apps left always-connected to the network—disproportionately affected.
Pcrisk.com emphasises that current attacks increasingly rely on automated scripts that extract wallet access data and then move the stolen XRP across multiple intermediary wallets to frustrate the tracking of funds.
Removal Guides: Best practices for XRP wallet security
Pcrisk.com’s removal guides for May 2026 stress that XRP holders must avoid clicking on any advertised airdrop links or downloading wallet utilities promoted through unofficial channels. Their threat intelligence shows that phishing and malware infections spike when users interact with Telegram announcements or Discord “claim” bot DMs that request wallet connection. Most victims surrender their recovery phrase on an imitation web page or through a rogue app, often after being pressured to act briskly via countdowns or alleged “bonus expiry” warnings.
Scammers harness mobile phishing and QR code attacks
Both finance.biggo.com and pcrisk.com have documented a sharp uptick in QR code phishing against XRP holders in May 2026. Dozens of scam websites exploit “quick claim” QR codes styled to resemble official wallet features, according to their combined reporting. When scanned, these QR codes route mobile users to credential request forms, malware-laden downloads, or remote attack scripts. Community reporting channels flagged multiple incidents in the second week of May, with scam QR codes circulating via Telegram and Discord chat group promotions branded as “XRP Giveaways.”
Attackers take advantage of users willing to scan unknown codes.
Pcrisk.com added that several campaigns began to employ animated GIF QR codes—designed to evade static image pattern detection by security software and social network spam filters.
Timeline: Growth of fake Xaman airdrop scams in 2026
- March 28, 2026:Pcrisk.com threat alerts register first reports of minor airdrop scams targeting XRP user communities.
- April 15, 2026:Finance.biggo.com’s security desk documents mass registration of the first fake Xaman wallet domains.
- May 6, 2026:Support teams log hundreds of scam-related tickets in a single afternoon, a monthly record according to pcrisk.com data.
- May 16, 2026:Pcrisk.com releases updated malware removal guides in response to new trojan variants and website impersonators.
- May 20, 2026:Finance.biggo.com confirms the use of deepfake influencer marketing in scam campaign videos supplementing traditional phishing emails and posts.
How to spot and report fake Xaman airdrops
Pcrisk.com’s Xaman Monthly $XRP Release Scam page points to several recurring warning signs for fake Xaman airdrop campaigns: unsolicited messages promising free tokens, suspicious requests for recovery phrases or private keys, and external links that redirect users to domains unrelated to the official Xaman platform. Analysts note that none of the legitimate wallet brands distribute airdrops by unsolicited DMs or via Discord or Telegram group chats.
- Point:Official airdrops are never announced through direct messages or social media links. Look for announcements via official website or verified Twitter accounts only.
- Point:Never submit your wallet recovery phrase or private keys to any site or app not listed in the official project documentation.
- Point:Check website domains carefully for misspellings or unusual SSL certificate warnings before interacting with wallet interfaces.
- Point:Only download wallet software from verified app stores or the Xaman official website, never from links in chat apps or social messages.
- Point:If you encounter a scam attempt, take a screenshot of the website or message, note the relevant URL or Telegram handle, and report it directly to Xaman support and pcrisk.com for documentation and awareness tracking.
User education: Why XRP holders remain at risk
According to the Xaman Monthly $XRP Release Scam entry, a meaningful share of May 2026 victims were first-time airdrop participants newly exposed to the crypto space. These users were often drawn in by campaigns that trended on Twitter or Telegram, many using spoofed or deepfake celebrity endorsements to boost credibility. data show that over 50% of reported airdrop scam cases involved users aged 18–29 who primarily get their crypto news from chat-based apps and short-form social video platforms.
Ecosystem response: Developer and exchange action against Xaman scams
Crypto exchanges hosting sizable XRP balances have started to implement mandatory withdrawal delays and additional manual review periods on all accounts flagged as potentially related to scam incidents, per finance.biggo.com in May 2026. Several have updated their support portals to feature warning banners and step-by-step recovery guides for users impacted by phishing. Wallet developers are also accelerating deployment of scam detection toolkits, such as real-time blacklists and in-app pop-up warnings that trigger when suspicious domains or links are detected during a withdrawal or wallet connect attempt.
According to pcrisk.com, some Xaman ecosystem partners track and publicly post addresses involved in scam activity, providing a resource to exchanges and the wider community.
What comes next: The future of XRP security and airdrop safety
Industry watchers anticipate new wallet security upgrades for Q3 2026, including on-chain blacklist sharing and advanced scam site detection, according to pcrisk.com’s coverage of the Xaman development roadmap. Wallet teams are working on baking anti-phishing modules directly into applications, and exchanges are studying stricter withdrawal vetting tied to device fingerprints and user behaviour scoring.
For expanded investigative coverage and in-depth reporting on the tactics behind fake Xaman airdrop scams and evolving XRP user protections, review more detail at XRP Users Targeted by Fake Xaman Airdrop Scams: Safety Tips Inside. If you’ve encountered a new scam or wish to share tips with the investigative team, you can report your story for future analysis on XRP user security trends.
Disclaimer: The content on this page is for informational purposes only and does not constitute financial advice. Always do your own research before making investment decisions.
Sarah Williams is a blockchain technology editor and investigative journalist with 6 years of dedicated crypto reporting. Formerly an editor at CoinDesk, Sarah has broken stories on exchange insolvencies, DeFi exploits, and regulatory enforcement actions. She holds a B.S. in Computer Science from MIT and contributes to the MIT Digital Currency Initiative. Sarah is a frequent speaker at Consensus, Token2049, and ETHGlobal events.
Conflicts of interest
I hold no positions in any cryptocurrency mentioned in my coverage. All investment-related content is reviewed by senior editors before publication. I am not compensated by any project I cover.
