
Audit log

Every state-changing event for Fake Chainbase Airdrop Phishing Campaign: moderation decisions on community submissions, plus corrections and updates from the news pipeline. URL-based decisions carry three independent witnesses — the original source, an Internet Archive snapshot taken at submission time, and a Solana memo signed by our publicly-disclosed publisher key.

  1. #1 publish by system:backfill
    2026-06-02 20:12:15Z
    Score: ?? (no score change)
    anchor: anchored
    chain: mainnet-beta, slot 423,879,510
    sig: 2PGJdyg1NvQY…sppKWXgv (explorer)
    hash: 6cvvtAMyM4V4…b8x28Zqe (sha256 → base58)
    verifying row… (full verify)
    canonical bytes (17381 B):
    {"actor":"system:backfill","investigation_id":"9bc5931f-c687-4c09-9cfd-e1f56457f663","kind":"publish","page_slug":"fake-chainbase-airdrop-phishing-campaign","published_at":"2026-06-02T20:12:15.213Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Fake Chainbase Airdrop Phishing Campaign","sections":[{"content":"The campaign impersonates Chainbase (chainbase.com), a legitimate Web3 data infrastructure company founded in 2021 and headquartered in Singapore. Chainbase raised $15 million in Series A funding from investors including Tencent Investment Group and Matrix Partners China, and launched a genuine $C token airdrop (Season 1) on July 14, 2025, distributed exclusively via airdrop.chainbase.com. Chainbase's official blog explicitly warned that all claims would take place only at the official domain and that no wallet connection requests from third-party sites would be legitimate. Threat actors appear to have exploited the high public interest in the real Chainbase airdrop — which was also the subject of a Binance HODLer Airdrop event beginning July 18, 2025 — to deploy parallel phishing infrastructure targeting users searching for how to claim $C tokens. 
The phishing campaign has no affiliation with Chainbase or any of its authorized partners.","heading":"Campaign Overview and Impersonated Entity","severity":"critical","sources":[{"credibility":2,"name":"Fake Chainbase Airdrop Sites Drain Crypto Wallets in Sophisticated Phishing Campaign","type":"news_article","url":"https://cyberinsider.com/fake-chainbase-airdrop-sites-drain-crypto-wallets-in-sophisticated-phishing-campaign/"},{"credibility":1,"name":"Chainbase Airdrop Season 1 is now LIVE — Official Blog","type":"official","url":"https://blog.chainbase.com/chainbase-airdrop-season-1-is-now-live"},{"credibility":2,"name":"Binance Introduces Chainbase (C) — Its 28th HODLer Airdrops Project","type":"news_article","url":"https://crypto.ro/en/news/binance-introduces-chainbase-c-its-28th-hodler-airdrops-project/"}]},{"content":"PCrisk researchers documented dozens of phishing domains impersonating Chainbase, with chainbz[.]vip identified as the primary anchor domain. Additional confirmed domains include chainbase-airdrop[.]org and chainbasedrops[.]xyz. The actors use cheap, high-rotation top-level domains (.vip, .xyz, .shop) specifically chosen to evade blocklist takedowns and allow rapid domain switching when a domain is flagged. The serving IP 104.21.80.1 was documented for chainbz[.]vip by PCrisk. The domain chainbz[.]vip was flagged as phishing by Trustwave's URL scanner. 
The phishing sites replicate Chainbase's branding, color scheme, logo, and user interface to create a convincing facsimile of the legitimate platform, including the 'Chainbase Airdrop Season 1' branding used by the real Chainbase event.","heading":"Phishing Infrastructure and Domain Rotation","severity":"critical","sources":[{"credibility":2,"name":"Chainbase Airdrop Scam — Removal and recovery steps (PCrisk)","type":"research","url":"https://www.pcrisk.com/removal-guides/33499-chainbase-airdrop-scam"},{"credibility":2,"name":"Chainbase Airdrop Scam: How Fake Sites Are Draining Crypto (MalwareTips)","type":"research","url":"https://malwaretips.com/blogs/chainbase-airdrop-scam/"},{"credibility":2,"name":"Fake Chainbase Airdrop Sites Drain Crypto Wallets (CyberInsider)","type":"news_article","url":"https://cyberinsider.com/fake-chainbase-airdrop-sites-drain-crypto-wallets-in-sophisticated-phishing-campaign/"}]},{"content":"The primary attack mode presents victims with a 'Connect Wallet' button that mimics authentic Web3 wallet connection dialogs. Upon interaction, the prompt requests permissions that grant attackers the ability to sign transactions, spend tokens, and execute pre-configured smart contracts that siphon funds. The approval grants an unlimited or high-value spend allowance to an attacker-controlled address. Once approved, automated drainer logic executes within seconds, transferring ETH, NFTs, and stablecoins to attacker-controlled addresses. Funds are then split across multiple addresses to impede tracing and recovery. Drainer-as-a-Service (DaaS) toolkits — an established underground economy — likely underpin the automation. Per industry data, the average time from wallet approval to fund loss is under 32 seconds. Assets targeted include ETH, ERC-20 tokens (including stablecoins), and NFTs. 
Due to the irreversible nature of blockchain transactions, no recovery is possible once the approval is granted.","heading":"Attack Vector 1: Malicious Wallet Approval (Drainer Contract)","severity":"critical","sources":[{"credibility":2,"name":"Fake Chainbase Airdrop Sites Drain Crypto Wallets (CyberInsider)","type":"news_article","url":"https://cyberinsider.com/fake-chainbase-airdrop-sites-drain-crypto-wallets-in-sophisticated-phishing-campaign/"},{"credibility":2,"name":"Chainbase Airdrop Scam (MalwareTips)","type":"research","url":"https://malwaretips.com/blogs/chainbase-airdrop-scam/"},{"credibility":2,"name":"Crypto Drainers: Wallet Approval Abuse to Malware-Assisted Attack (Gurucul)","type":"research","url":"https://gurucul.com/blog/crypto-drainers-from-wallet-approval-abuse-to-malware-assisted-web3-attacks/"}]},{"content":"A secondary attack mode presents users with a message that their wallet requires an 'update' in order to receive the airdrop. The flow directs victims to a form requesting their wallet seed phrase (recovery phrase) or private key, framed as a verification or migration step. Once a seed phrase or private key is submitted, the attacker gains full, irrevocable control of the wallet and immediately transfers all assets to external accounts. This attack variant requires no smart contract interaction and bypasses wallet approval protections entirely. PCrisk documented the specific flow: (1) user directed to fake airdrop page; (2) user connects wallet to check eligibility; (3) fake wallet update notice is shown; (4) user is prompted to enter wallet passphrase; (5) credentials are captured and transmitted to the attacker's infrastructure. 
The scam sites then redirect or display a generic success page to delay the victim's realization of theft.","heading":"Attack Vector 2: Seed Phrase and Private Key Harvesting","severity":"critical","sources":[{"credibility":2,"name":"Chainbase Airdrop Scam — Removal and recovery steps (PCrisk)","type":"research","url":"https://www.pcrisk.com/removal-guides/33499-chainbase-airdrop-scam"},{"credibility":2,"name":"Fake Chainbase Airdrop Sites Drain Crypto Wallets (CyberInsider)","type":"news_article","url":"https://cyberinsider.com/fake-chainbase-airdrop-sites-drain-crypto-wallets-in-sophisticated-phishing-campaign/"}]},{"content":"The campaign distributes lures through multiple channels: malicious sponsored Google ads, social media impersonation accounts on X (Twitter), Telegram, and Discord, direct messages to DeFi and NFT community members, pop-up ads on compromised websites, and YouTube and forum comment links. Social engineering copy uses urgency and exclusivity framing — including phrases such as 'You are early — and it matters!' and the authentic-sounding 'Chainbase Airdrop Season 1' event name — to exploit fear of missing out (FOMO). Professional-grade copy and accurately replicated branding lower users' guard. 
The campaign appears to specifically target users who participated in or searched for information about the legitimate Chainbase $C token airdrop.","heading":"Lure Distribution and Social Engineering","severity":"high","sources":[{"credibility":2,"name":"Fake Chainbase Airdrop Sites Drain Crypto Wallets (CyberInsider)","type":"news_article","url":"https://cyberinsider.com/fake-chainbase-airdrop-sites-drain-crypto-wallets-in-sophisticated-phishing-campaign/"},{"credibility":2,"name":"Chainbase Airdrop Scam (MalwareTips)","type":"research","url":"https://malwaretips.com/blogs/chainbase-airdrop-scam/"},{"credibility":2,"name":"Chainbase Airdrop Scam — Removal and recovery steps (PCrisk)","type":"research","url":"https://www.pcrisk.com/removal-guides/33499-chainbase-airdrop-scam"}]},{"content":"This campaign is consistent with a documented surge in crypto impersonation scams in 2025. According to Chainalysis, impersonation scams grew more than 1,400% in 2025 compared to 2024, with the average scam payment increasing from $782 to $2,764 year-over-year. Total crypto scam losses in 2025 reached approximately $17 billion. The Chainbase campaign follows a pattern common to airdrop impersonation attacks: tying malicious infrastructure to a legitimate, high-profile token distribution event to maximize victim pool size and credibility. 
Chainalysis noted that AI-enabled scam tooling — including professional copywriting and deepfake-assisted social engineering — has substantially elevated the quality of phishing lures, making detection harder for average users.","heading":"Broader Context: Crypto Impersonation Scam Landscape","severity":"high","sources":[{"credibility":2,"name":"AI, Impersonations Drove Crypto Scam Losses to Record $17 Billion in 2025 (Decrypt / Chainalysis)","type":"news_article","url":"https://decrypt.co/354624/ai-impersonation-drove-crypto-scam-losses-record-17-billion-2025-chainalysis"},{"credibility":2,"name":"Impersonation Scams Surge 1,400% as Crypto Fraud Evolves (BeInCrypto / Chainalysis)","type":"news_article","url":"https://beincrypto.com/chainalysis-crypto-scams-impersonation-ai-trend/"},{"credibility":1,"name":"2026 Crypto Crime Report: Scams (Chainalysis)","type":"research","url":"https://www.chainalysis.com/blog/crypto-scams-2026/"}]},{"content":"The domain chainbz[.]vip was flagged as phishing by Trustwave's URL scanner. Researchers note that despite such flagging, sites frequently remain operational due to evasive hosting tactics, use of cheap TLDs with low registration scrutiny, and rapid domain rotation. As of the reports published in late July 2025, the campaign was described as active with domain rotation ongoing. No law enforcement takedown or attribution to a specific threat actor group has been publicly reported as of available sources. Given the campaign's domain-rotation strategy and the continued relevance of the Chainbase $C token (which remains listed on major exchanges including Binance), the phishing infrastructure may remain operational or continue to generate new variants. 
Users should treat any airdrop claim site other than airdrop.chainbase.com as suspicious.","heading":"Detection, Takedown Status, and Ongoing Risk","severity":"high","sources":[{"credibility":2,"name":"Chainbase Airdrop Scam — Removal and recovery steps (PCrisk)","type":"research","url":"https://www.pcrisk.com/removal-guides/33499-chainbase-airdrop-scam"},{"credibility":2,"name":"Fake Chainbase Airdrop Sites Drain Crypto Wallets (CyberInsider)","type":"news_article","url":"https://cyberinsider.com/fake-chainbase-airdrop-sites-drain-crypto-wallets-in-sophisticated-phishing-campaign/"}]},{"content":"Any user who connected a wallet to a phishing domain should immediately: (1) revoke all token approvals using a tool such as Revoke.cash or Etherscan's token approval checker; (2) if a seed phrase or private key was entered, treat the wallet as fully compromised and transfer all remaining assets to a newly generated wallet immediately; (3) do not use the compromised wallet for any further transactions. Recovery of stolen funds is not possible once transactions have been executed on-chain. Users should report phishing domains to Google Safe Browsing, Cloudflare, and their wallet provider. 
Legitimate Chainbase airdrop activity occurs exclusively at airdrop.chainbase.com and is announced via @ChainbaseHQ on X.","heading":"Victim Guidance and Remediation","severity":"medium","sources":[{"credibility":1,"name":"Chainbase Airdrop Season 1 is now LIVE — Official Blog","type":"official","url":"https://blog.chainbase.com/chainbase-airdrop-season-1-is-now-live"},{"credibility":2,"name":"Chainbase Airdrop Scam — Removal and recovery steps (PCrisk)","type":"research","url":"https://www.pcrisk.com/removal-guides/33499-chainbase-airdrop-scam"}]}],"sources_used":[{"credibility":2,"name":"Fake Chainbase Airdrop Sites Drain Crypto Wallets in Sophisticated Phishing Campaign (CyberInsider)","type":"news_article","url":"https://cyberinsider.com/fake-chainbase-airdrop-sites-drain-crypto-wallets-in-sophisticated-phishing-campaign/"},{"credibility":2,"name":"Chainbase Airdrop Scam — Removal and recovery steps (PCrisk)","type":"research","url":"https://www.pcrisk.com/removal-guides/33499-chainbase-airdrop-scam"},{"credibility":2,"name":"Chainbase Airdrop Scam: How Fake Sites Are Draining Crypto (MalwareTips)","type":"research","url":"https://malwaretips.com/blogs/chainbase-airdrop-scam/"},{"credibility":1,"name":"Chainbase Airdrop Season 1 is now LIVE — Official Blog","type":"official","url":"https://blog.chainbase.com/chainbase-airdrop-season-1-is-now-live"},{"credibility":1,"name":"Binance HODLer Airdrop — Chainbase (C)","type":"official","url":"https://www.binance.com/en/square/post/07-18-2025-hodler-chainbase-c-27102245193842"},{"credibility":2,"name":"Binance Introduces Chainbase (C) — Its 28th HODLer Airdrops Project","type":"news_article","url":"https://crypto.ro/en/news/binance-introduces-chainbase-c-its-28th-hodler-airdrops-project/"},{"credibility":2,"name":"AI, Impersonations Drove Crypto Scam Losses to Record $17 Billion in 2025 
(Decrypt)","type":"news_article","url":"https://decrypt.co/354624/ai-impersonation-drove-crypto-scam-losses-record-17-billion-2025-chainalysis"},{"credibility":2,"name":"Impersonation Scams Surge 1,400% as Crypto Fraud Evolves (BeInCrypto / Chainalysis)","type":"news_article","url":"https://beincrypto.com/chainalysis-crypto-scams-impersonation-ai-trend/"},{"credibility":1,"name":"2026 Crypto Crime Report: Scams (Chainalysis)","type":"research","url":"https://www.chainalysis.com/blog/crypto-scams-2026/"},{"credibility":2,"name":"Crypto Drainers: Wallet Approval Abuse to Malware-Assisted Attack (Gurucul)","type":"research","url":"https://gurucul.com/blog/crypto-drainers-from-wallet-approval-abuse-to-malware-assisted-web3-attacks/"},{"credibility":1,"name":"Chainbase official website","type":"official","url":"https://chainbase.com/"},{"credibility":1,"name":"Chainbase GitHub organization (chainbase-labs)","type":"official","url":"https://github.com/chainbase-labs"}],"summary":"An ongoing phishing campaign, active since at least July 2025, impersonates Chainbase — a legitimate Singapore-based Web3 data infrastructure company — to lure cryptocurrency holders into either granting unlimited wallet spend approvals or surrendering seed phrases via fake 'wallet update' forms. The campaign exploits the timing of Chainbase's real $C token airdrop (launched July 14, 2025 on airdrop.chainbase.com) and operates through dozens of rotating domains anchored by chainbz[.]vip, using stolen branding, malicious ads, and social media spam. 
Chainbase has not authorized any third-party claim sites; all legitimate claims occurred exclusively at airdrop.chainbase.com.","timeline":[{"date":"2025-07-06","event":"Binance HODLer Airdrop snapshot window opens for Chainbase $C token (July 6–9, 2025); attacker infrastructure likely deployed around this period to capitalize on high user interest.","source":"Binance Square post (Chainbase HODLer Airdrop announcement)","source_url":"https://www.binance.com/en/square/post/07-18-2025-hodler-chainbase-c-27102245193842"},{"date":"2025-07-14","event":"Official Chainbase Airdrop Season 1 launches at airdrop.chainbase.com; Chainbase blog explicitly warns users that all claims occur only on the official domain and to beware impersonators.","source":"Chainbase Official Blog","source_url":"https://blog.chainbase.com/chainbase-airdrop-season-1-is-now-live"},{"date":"2025-07-18","event":"Binance lists Chainbase $C token with spot trading pairs (C/USDT, C/BNB, C/USDC); $C surges over 230% in 24 hours, significantly raising public profile of Chainbase and likely expanding the phishing campaign's target pool.","source":"Binance HODLer Airdrop post; CryptoNinjas reporting","source_url":"https://www.cryptoninjas.net/news/63-surge-counting-binances-latest-airdrop-ignites-explosive-demand-for-new-ai-token/"},{"date":"2025-07-29","event":"PCrisk publishes removal guide for the Chainbase Airdrop Scam, documenting chainbz[.]vip as the primary phishing domain, serving IP 104.21.80.1, and the two-stage attack methodology (wallet approval and seed phrase harvesting).","source":"PCrisk","source_url":"https://www.pcrisk.com/removal-guides/33499-chainbase-airdrop-scam"},{"date":"2025-07-30","event":"MalwareTips publishes analysis of the campaign, adding additional confirmed phishing domains: chainbase-airdrop[.]org and chainbasedrops[.]xyz, and noting that domains change 
frequently.","source":"MalwareTips","source_url":"https://malwaretips.com/blogs/chainbase-airdrop-scam/"},{"date":"2025-07-31","event":"CyberInsider publishes report on the phishing campaign, summarizing attack mechanics, distribution vectors, and the use of fake sponsored ads and social media impersonation accounts.","source":"CyberInsider","source_url":"https://cyberinsider.com/fake-chainbase-airdrop-sites-drain-crypto-wallets-in-sophisticated-phishing-campaign/"}]},"v":1}
    Verify offline (run on your own machine)
    python -m src.verify_decision 8c7e85a3-f11c-4397-bdd8-c53411d99ace
How verification works. The “Row integrity” check above is computed in your browser — your machine recomputes the SHA-256 of the canonical bytes and compares against the stored hash. No avoid.net server can fake that check. The “full verify” link goes one level deeper: your browser fetches the on-chain transaction from a Solana RPC node and confirms the same hash is in the memo. If you don’t want to trust either avoid.net or the public RPC, run the CLI verifier on your own machine — python -m src.verify_decision <event_id>.
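The row-integrity check described above, as an added example (not avoid.net's `src.verify_decision` code): it recomputes SHA-256 over the exact canonical bytes, renders it as base58, and compares it with the stored hash. The Bitcoin-style base58 alphabet, the helper names and the sample row are assumptions constructed for illustration.

```python
import hashlib
import json

# Assumption: Bitcoin-style base58 alphabet (the one Solana uses for signatures).
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58encode(data: bytes) -> str:
    """Base58-encode bytes; each leading zero byte becomes a leading '1'."""
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = B58_ALPHABET[rem] + out
    pad = len(data) - len(data.lstrip(b"\x00"))
    return "1" * pad + out


def row_hash(canonical: bytes) -> str:
    """SHA-256 over the exact canonical bytes, rendered as base58."""
    return b58encode(hashlib.sha256(canonical).digest())


def verify_row(canonical: bytes, stored_hash: str) -> bool:
    """Row-integrity check: recompute the hash and compare with the stored one."""
    return row_hash(canonical) == stored_hash


def matches_display(full_hash: str, shown: str) -> bool:
    """Sanity-check a full hash against the truncated 'prefix…suffix' UI form.
    A match here is only a hint; the full-length comparison is the real check."""
    if "…" not in shown:
        return full_hash == shown
    prefix, _, suffix = shown.partition("…")
    return full_hash.startswith(prefix) and full_hash.endswith(suffix)


def reserialized(canonical: bytes) -> bytes:
    """Parse and re-dump with default spacing: same data, different bytes."""
    return json.dumps(json.loads(canonical)).encode("utf-8")


# Constructed sample row (not the page's record): compact JSON, sorted keys.
SAMPLE = json.dumps(
    {"actor": "system:backfill", "kind": "publish", "sequence_num": 1, "v": 1},
    sort_keys=True, separators=(",", ":"),
).encode("utf-8")
STORED = row_hash(SAMPLE)  # stands in for the hash the site stores

if __name__ == "__main__":
    print("exact bytes verify:   ", verify_row(SAMPLE, STORED))
    print("re-serialized verify: ", verify_row(reserialized(SAMPLE), STORED))
    print("truncated form match: ", matches_display(STORED, STORED[:12] + "…" + STORED[-8:]))
```

Hash the bytes exactly as served: a copy that has been parsed and re-dumped, or re-wrapped by a browser or scraper, carries the same data but fails the check.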