Audit log

Every state-changing event for Fake Jupiter CJUP Airdrop Phishing Campaign: moderation decisions on community submissions, plus corrections and updates from the news pipeline. URL-based decisions carry three independent witnesses — the original source, an Internet Archive snapshot taken at submission time, and a Solana memo signed by our publicly-disclosed publisher key.

1. #1publishby system:backfill

   2026-05-28 03:54:12Z
   Score: ? → ? (no score change)
   anchoranchored

   chain

   ●mainnet-betaslot 422,642,309

   sig

   9ApW8NEqJmdT…wnwBEKyncopyexplorer ↗

   hash

   4tfiiCceeknH…xUhNbKuwcopysha256 → base58

   verifying row…full verify ↗

   canonical bytes (19225 B) ▸

   {"actor":"system:backfill","investigation_id":"4f4b1319-f6e4-43e1-8423-17c8d320d0b6","kind":"publish","page_slug":"fake-jupiter-cjup-airdrop-phishing-campaign","published_at":"2026-05-28T03:54:12.008Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Fake Jupiter CJUP Airdrop Phishing Campaign","sections":[{"content":"An active phishing campaign first publicly flagged by Solana Floor on approximately May 22, 2026 involves unknown threat actors distributing fake tokens bearing the ticker $CJUP directly into Solana wallet addresses without any user action. Recipients are then directed, via on-chain token metadata or accompanying messages, to malicious websites operating as wallet drainers. Upon connecting a wallet to one of these sites, malicious smart contract interactions are initiated that can transfer all or the most valuable assets from the wallet to attacker-controlled addresses within minutes. Jupiter Exchange has not announced any airdrop distribution for mid-2026. The ticker $CJUP has no association with the legitimate Jupiter project, whose official token is $JUP with contract address JUPyiwrYJFskUPiHa7hkeR8VUtAeFoSYbKedZNsDvCN on Solana. Jupiter's sole legitimate claim interface is jup.ag.","heading":"Campaign Overview","severity":"critical","sources":[{"credibility":2,"name":"Fake Jupiter airdrop alert: Wallet draining Jupuary impersonator airdrop spreads — Cryptopolitan","type":"news_article","url":"https://www.cryptopolitan.com/fake-jupiter-aidrop-jupuary-wallet-drainer/"},{"credibility":2,"name":"Fake $CJUP airdrop drains Solana wallets within minutes — Coin Turk","type":"news_article","url":"https://en.coin-turk.com/fake-cjup-airdrop-drains-solana-wallets-within-minutes/"},{"credibility":2,"name":"Warning: Fraudsters impersonating Jupiter are airdropping fake CJUP tokens — WEEX Crypto News","type":"news_article","url":"https://www.weex.com/news/detail/warning-fraudsters-impersonating-jupiter-are-airdropping-fake-cjup-tokens-luring-users-to-connect-to-phishing-websites-wxkvx1w8xs037nl8a29p027q"},{"credibility":2,"name":"Fraudsters Drain Solana Wallets Instantly With Phony $CJUP Airdrop — BigGo Finance","type":"news_article","url":"https://finance.biggo.com/news/V_75UJ4BYH_ypPqOfPBG"}]},{"content":"The campaign follows a two-stage delivery model well-documented in prior Solana phishing operations. In the first stage, counterfeit SPL tokens labeled $CJUP are airdropped at no cost directly into target Solana wallet addresses. Token metadata is crafted to mimic Jupiter Exchange branding and to reference a claim URL. In the second stage, when a user navigates to the claim site and connects their wallet, a malicious smart contract interaction is triggered. Security researchers analyzing analogous Solana wallet drainer operations (including the CLINKSINK Drainer-as-a-Service campaign documented by Google/Mandiant in January 2024) describe the mechanism as follows: the draining script enumerates wallet token balances, then constructs and requests signature of a transfer instruction that moves assets to an attacker-controlled address. Once signed, transactions are irreversible on Solana. The CLINKSINK DaaS model, which has been used in multiple Jupiter-branded phishing variants, operates with a revenue-sharing model between a central operator (typically retaining 20% of drained assets) and affiliate attackers (retaining 80%), coordinated via Telegram. Known phishing domains from the broader Jupiter impersonation campaign ecosystem include jupdefirewards[.]xyz, jupiterchecker[.]top, jupiterofficial-ag[.]com, jupiter-allocation[.]com, claim.jupiter-dex[.]info, jupbox[.]net, jupitersearns[.]com, visit-jup[.]app, jup-airdrop.onspace[.]app, and jupag[.]pro. The $CJUP campaign may use additional or different domains not yet publicly catalogued. Delivery of phishing links is also spread via compromised social media accounts on X (Twitter) and Discord, rogue advertising networks, and spam posts.","heading":"Attack Mechanism and Technical Details","severity":"critical","sources":[{"credibility":2,"name":"Avoid getting scammed by fake Jupiter Airdrop websites — PCRisk","type":"research","url":"https://www.pcrisk.com/removal-guides/28803-jupiter-airdrop-scam"},{"credibility":2,"name":"Jupiter Allocation Scam removal guide — PCRisk","type":"research","url":"https://www.pcrisk.com/removal-guides/35327-jupiter-allocation-scam"},{"credibility":2,"name":"Anatomy of a Solana Wallet Drainer: Owner Reassignment, Durable Nonces, and Blinks Phishing — DEV Community","type":"research","url":"https://dev.to/ohmygod/anatomy-of-a-solana-wallet-drainer-owner-reassignment-durable-nonces-and-blinks-phishing-50a8"},{"credibility":1,"name":"Hundreds of Thousands of Dollars Worth of Solana Cryptocurrency Assets Stolen in Recent CLINKSINK Drainer Campaigns — Google Cloud / Mandiant","type":"research","url":"https://cloud.google.com/blog/topics/threat-intelligence/solana-cryptocurrency-stolen-clinksink-drainer-campaigns"}]},{"content":"The campaign's social engineering effectiveness derives from exploiting familiarity with Jupiter Exchange's established annual Jupuary airdrop tradition. Jupiter distributed 1 billion JUP tokens in January 2024, followed by approximately 700 million JUP tokens valued at approximately $616 million in January 2025. In February 2026, Jupiter DAO opened a governance vote on whether to continue or cancel the Jupuary tradition, ultimately approving a Net-Zero Emissions proposal with approximately 75% support. This vote postponed and significantly reduced any future Jupuary distribution, with 700 million JUP tokens returned to the Community Cold Multisig wallet and team token emissions paused indefinitely. The ambiguity and public debate around whether a 2026 Jupuary event would occur created a window of confusion that the $CJUP campaign alleged to exploit. Users who were aware of the Jupuary tradition but not fully informed of the DAO vote outcome would be more susceptible to believing an unsolicited airdrop represented a legitimate distribution.","heading":"Exploitation of Jupiter's Jupuary Airdrop Tradition","severity":"high","sources":[{"credibility":2,"name":"Jupiter Drops 3% as DAO Cancels Jupuary Airdrop — CoinMarketCap","type":"news_article","url":"https://coinmarketcap.com/top-stories/699b6195302cb822e7265462/"},{"credibility":2,"name":"Jupiter DAO opens vote on potentially canceling Jupuary airdrops — Cryptopolitan","type":"news_article","url":"https://www.cryptopolitan.com/jupiter-dao-vote-canceling-jupuary-airdrops/"},{"credibility":2,"name":"Jupiter Airdrop: The JUP Token Guide (2026) — Phantom","type":"official","url":"https://phantom.com/learn/crypto-101/jupiter-jup-airdrop"}]},{"content":"The following indicators have been identified across documented Jupiter-impersonation phishing operations as of May 2026. The fraudulent token ticker is $CJUP; the legitimate Jupiter token ticker is $JUP. Known phishing domains in the broader Jupiter scam ecosystem include jupdefirewards[.]xyz, jupiterchecker[.]top, jupiterofficial-ag[.]com, jupiter-allocation[.]com, claim.jupiter-dex[.]info, jupbox[.]net, jupitersearns[.]com, visit-jup[.]app, jup-airdrop.onspace[.]app, and jupag[.]pro. A serving IP of 104.21.16.67 has been associated with visit-jup[.]app. Malicious domains in this campaign cluster are flagged by Emsisoft and Trustwave as phishing and are detectable on VirusTotal. For the CLINKSINK DaaS infrastructure underlying many Solana drainer operations, the command-and-control domain ontopothers[.]com, operator Solana address B8Y1dERnVNoUUXeXA4NaCHiB9htcukMSkfHrFsTMHA7h, and MD5 hash 8650e83da50bd726f77311b729905c0d have been published by Google Cloud's Mandiant division. Users should verify any claimed airdrop exclusively through jup.ag/portfolio/airdrop-checker and should never connect a wallet to any URL not hosted at the official jup.ag domain. Receiving an unsolicited token in a Solana wallet does not require any action and poses no risk unless the user interacts with it or visits any associated URL.","heading":"Indicators of Compromise and Detection Guidance","severity":"critical","sources":[{"credibility":2,"name":"Avoid getting scammed by fake Jupiter Airdrop websites — PCRisk","type":"research","url":"https://www.pcrisk.com/removal-guides/28803-jupiter-airdrop-scam"},{"credibility":1,"name":"Hundreds of Thousands of Dollars Worth of Solana Cryptocurrency Assets Stolen in Recent CLINKSINK Drainer Campaigns — Google Cloud / Mandiant","type":"research","url":"https://cloud.google.com/blog/topics/threat-intelligence/solana-cryptocurrency-stolen-clinksink-drainer-campaigns"},{"credibility":1,"name":"Jupiter official airdrop checker — jup.ag","type":"official","url":"https://jup.ag/portfolio/airdrop-checker"}]},{"content":"The $CJUP campaign is part of a documented pattern of Solana-native phishing operations that impersonate high-profile DeFi projects to conduct wallet drainer attacks. The CLINKSINK Drainer-as-a-Service (DaaS) campaign documented by Google Cloud's Mandiant division in January 2024 involved at least 35 affiliate IDs and was estimated to have stolen over $900,000 in Solana assets in a short period by impersonating Phantom, DappRadar, and the BONK token. The technical infrastructure — JavaScript wallet drainer loaded from a phishing domain, wallet balance enumeration, malicious transaction construction using legitimate Solana Web3.js libraries — is consistent across multiple Jupiter-branded variants. The DaaS model lowers the barrier for non-technical attackers to participate by providing ready-made drainer toolkits in exchange for a revenue share. Prior Jupiter impersonation operations have included fake Jupiter Allocation sites (jupag[.]pro), fake Jupiter Rewards sites, and fake Jupiter Airdrop Checker sites, all using similar social engineering and technical mechanisms to the $CJUP campaign.","heading":"Broader Solana Airdrop Phishing Ecosystem","severity":"high","sources":[{"credibility":1,"name":"Hundreds of Thousands of Dollars Worth of Solana Cryptocurrency Assets Stolen in Recent CLINKSINK Drainer Campaigns — Google Cloud / Mandiant","type":"research","url":"https://cloud.google.com/blog/topics/threat-intelligence/solana-cryptocurrency-stolen-clinksink-drainer-campaigns"},{"credibility":2,"name":"Jupiter Allocation Scam removal guide — PCRisk","type":"research","url":"https://www.pcrisk.com/removal-guides/35327-jupiter-allocation-scam"},{"credibility":2,"name":"Jupiter (JUP) Rewards Scam removal guide — PCRisk","type":"research","url":"https://www.pcrisk.com/removal-guides/33024-jupiter-jup-rewards-scam"}]},{"content":"As of the time of this investigation, no specific aggregate victim loss figures or individual case reports with confirmed amounts have been published for the $CJUP campaign specifically. Coverage from Cryptopolitan, Coin Turk, WEEX, and BigGo Finance confirms the campaign is active and that assets are drained within minutes of wallet connection, but none of these sources cite on-chain data, blockchain analytics reports, or victim testimonies with specific USD or SOL loss figures. The campaign is active and losses are presumed to be ongoing. The speed of asset drainage (described as within minutes) is consistent with fully automated drainer scripts documented in prior Solana phishing operations.","heading":"Absence of Documented Victim Loss Figures","severity":"medium","sources":[{"credibility":2,"name":"Fake $CJUP airdrop drains Solana wallets within minutes — Coin Turk","type":"news_article","url":"https://en.coin-turk.com/fake-cjup-airdrop-drains-solana-wallets-within-minutes/"},{"credibility":2,"name":"Fraudsters Drain Solana Wallets Instantly With Phony $CJUP Airdrop — BigGo Finance","type":"news_article","url":"https://finance.biggo.com/news/V_75UJ4BYH_ypPqOfPBG"}]},{"content":"Jupiter Exchange's only legitimate token is $JUP at Solana contract address JUPyiwrYJFskUPiHa7hkeR8VUtAeFoSYbKedZNsDvCN. The only legitimate airdrop checker is hosted at jup.ag/portfolio/airdrop-checker. Jupiter will never request seed phrases or private keys. Any unsolicited token appearing in a Solana wallet bearing the $CJUP ticker or directing users to any domain other than jup.ag should be disregarded. Users should not visit, connect a wallet to, or approve any transaction on any site claiming to distribute CJUP tokens. Solana blockchain transactions are irreversible; there is no recovery mechanism for assets drained via wallet drainer malware. Any social media post, direct message, email, or pop-up advertisement offering CJUP tokens or directing users to a Jupiter airdrop claim site should be treated as a phishing attempt. Users who have already connected their wallets to a suspected drainer site should immediately revoke token approvals using a tool such as Revoke.cash and transfer remaining assets to a new wallet address.","heading":"User Protection Guidance","severity":"high","sources":[{"credibility":1,"name":"Jupiter official site — jup.ag","type":"official","url":"https://jup.ag/"},{"credibility":1,"name":"Jupiter official airdrop checker — jup.ag","type":"official","url":"https://jup.ag/portfolio/airdrop-checker"},{"credibility":2,"name":"Avoid getting scammed by fake Jupiter Airdrop websites — PCRisk","type":"research","url":"https://www.pcrisk.com/removal-guides/28803-jupiter-airdrop-scam"}]}],"sources_used":[{"credibility":2,"name":"Fake Jupiter airdrop alert: Wallet draining Jupuary impersonator airdrop spreads — Cryptopolitan","type":"news_article","url":"https://www.cryptopolitan.com/fake-jupiter-aidrop-jupuary-wallet-drainer/"},{"credibility":2,"name":"Fake $CJUP airdrop drains Solana wallets within minutes — Coin Turk","type":"news_article","url":"https://en.coin-turk.com/fake-cjup-airdrop-drains-solana-wallets-within-minutes/"},{"credibility":2,"name":"Warning: Fraudsters impersonating Jupiter are airdropping fake CJUP tokens, luring users to connect to phishing websites — WEEX Crypto News","type":"news_article","url":"https://www.weex.com/news/detail/warning-fraudsters-impersonating-jupiter-are-airdropping-fake-cjup-tokens-luring-users-to-connect-to-phishing-websites-wxkvx1w8xs037nl8a29p027q"},{"credibility":2,"name":"Fraudsters Drain Solana Wallets Instantly With Phony $CJUP Airdrop — BigGo Finance","type":"news_article","url":"https://finance.biggo.com/news/V_75UJ4BYH_ypPqOfPBG"},{"credibility":2,"name":"Alert: Scam group impersonates Jupiter by distributing fake CJUP tokens — Bitget News","type":"news_article","url":"https://www.bitget.com/news/detail/12560605424105"},{"credibility":2,"name":"Avoid getting scammed by fake Jupiter Airdrop websites — PCRisk","type":"research","url":"https://www.pcrisk.com/removal-guides/28803-jupiter-airdrop-scam"},{"credibility":2,"name":"Jupiter Allocation Scam removal guide — PCRisk","type":"research","url":"https://www.pcrisk.com/removal-guides/35327-jupiter-allocation-scam"},{"credibility":2,"name":"Jupiter (JUP) Rewards Scam removal guide — PCRisk","type":"research","url":"https://www.pcrisk.com/removal-guides/33024-jupiter-jup-rewards-scam"},{"credibility":1,"name":"Hundreds of Thousands of Dollars Worth of Solana Cryptocurrency Assets Stolen in Recent CLINKSINK Drainer Campaigns — Google Cloud / Mandiant","type":"research","url":"https://cloud.google.com/blog/topics/threat-intelligence/solana-cryptocurrency-stolen-clinksink-drainer-campaigns"},{"credibility":2,"name":"Anatomy of a Solana Wallet Drainer — DEV Community","type":"research","url":"https://dev.to/ohmygod/anatomy-of-a-solana-wallet-drainer-owner-reassignment-durable-nonces-and-blinks-phishing-50a8"},{"credibility":2,"name":"Jupiter Drops 3% as DAO Cancels Jupuary Airdrop — CoinMarketCap","type":"news_article","url":"https://coinmarketcap.com/top-stories/699b6195302cb822e7265462/"},{"credibility":2,"name":"Jupiter DAO opens vote on potentially canceling Jupuary airdrops — Cryptopolitan","type":"news_article","url":"https://www.cryptopolitan.com/jupiter-dao-vote-canceling-jupuary-airdrops/"},{"credibility":2,"name":"Jupiter Airdrop: The JUP Token Guide (2026) — Phantom","type":"official","url":"https://phantom.com/learn/crypto-101/jupiter-jup-airdrop"},{"credibility":1,"name":"Jupiter official site — jup.ag","type":"official","url":"https://jup.ag/"},{"credibility":1,"name":"Jupiter official airdrop checker — jup.ag","type":"official","url":"https://jup.ag/portfolio/airdrop-checker"}],"summary":"An active phishing campaign operating as of May 2026 distributes counterfeit $CJUP tokens to Solana wallet addresses and directs recipients to wallet-drainer sites that automatically empty connected wallets within minutes. The campaign impersonates Jupiter Exchange and exploits widespread familiarity with its annual Jupuary airdrop tradition. No legitimate $CJUP token exists; Jupiter's real token is $JUP (contract address JUPyiwrYJFskUPiHa7hkeR8VUtAeFoSYbKedZNsDvCN), and no airdrop distribution was announced by Jupiter for mid-2026.","timeline":[{"date":"2024-01-01","event":"Jupiter distributes 1 billion JUP tokens in the first Jupuary airdrop, establishing the annual tradition that scammers later exploit.","source":"Phantom — Jupiter Airdrop: The JUP Token Guide (2026)","source_url":"https://phantom.com/learn/crypto-101/jupiter-jup-airdrop"},{"date":"2024-01-03","event":"Mandiant's X (Twitter) account is hijacked by CLINKSINK Drainer-as-a-Service operators to distribute Solana wallet drainer phishing links, illustrating the sophistication of the broader ecosystem.","source":"Google Cloud / Mandiant — CLINKSINK Drainer Campaigns","source_url":"https://cloud.google.com/blog/topics/threat-intelligence/solana-cryptocurrency-stolen-clinksink-drainer-campaigns"},{"date":"2025-01-01","event":"Jupiter distributes approximately 700 million JUP tokens (valued at ~$616 million) in Jupuary 2025, further cementing community expectation of annual airdrops.","source":"Coin Turk — Fake $CJUP airdrop drains Solana wallets within minutes","source_url":"https://en.coin-turk.com/fake-cjup-airdrop-drains-solana-wallets-within-minutes/"},{"date":"2026-02-22","event":"Jupiter DAO concludes governance vote approving Net-Zero Emissions proposal with ~75% support, indefinitely postponing the Jupuary 2026 airdrop and returning 700 million JUP to the Community Cold Multisig. This creates public confusion about whether a 2026 airdrop will occur.","source":"CoinMarketCap — Jupiter Drops 3% as DAO Cancels Jupuary Airdrop","source_url":"https://coinmarketcap.com/top-stories/699b6195302cb822e7265462/"},{"date":"2026-05-22","event":"Solana Floor issues a public warning: 'scammers are impersonating Jupiter Exchange, sending fake $CJUP to wallets, and directing users to malicious sites. Caution is strongly advised.' Multiple crypto news outlets including Cryptopolitan, Coin Turk, WEEX, and BigGo Finance amplify the warning.","source":"WEEX Crypto News — Warning: Fraudsters impersonating Jupiter are airdropping fake CJUP tokens","source_url":"https://www.weex.com/news/detail/warning-fraudsters-impersonating-jupiter-are-airdropping-fake-cjup-tokens-luring-users-to-connect-to-phishing-websites-wxkvx1w8xs037nl8a29p027q"}]},"v":1}

   Verify offline (run on your own machine)

   python -m src.verify_decision d87044a7-0b28-44b4-962a-0b39f80a0f05copy