XRPL developer and Xaman wallet founder Wietse Wind issued an emergency security warning on X on May 23, confirming that more than 20 new fake X accounts impersonating Xaman Wallet appear every day, and more than 10 newly created scam domains each day. The scammers promote non-existent Xaman desktop wallets and fake airdrop events to诱导 users into connecting their wallet or signing transactions to steal funds.
Scam scale and attack methods: known patterns confirmed by Wietse Wind
Wind’s X post confirms the scale and methods of the following scam activities:
Scale: 20+ fake X accounts impersonating Xaman Wallet every day; 10+ new scam domains created every day; the scam team will keep creating new accounts to bypass reporting and bans.
Confirmed scam carriers: promotion of fake desktop wallets (Xaman has never released a desktop version); fake airdrop events (Xaman has no official airdrop plans); fake browser plugins (all Xaman browser plugins are scams—Xaman interacts with the ecosystem via QR codes and does not require plugins); websites that ask users to connect a wallet or sign transactions to claim “free tokens”; fake customer service accounts or contacting users via private messages; scam NFTs carrying misleading messages.
Xaman’s official response: Wind and the team will continue reporting all identified scam accounts, but users are still advised to stay vigilant because new scam accounts keep appearing, and the reporting mechanism cannot clear them instantly.
Three confirmed “non-existent” Xaman products
Desktop wallet: Xaman has never released a Windows, macOS, or Linux desktop application; any download claiming to be a “Xaman desktop version” is malware
Official airdrop: Xaman has no token airdrop program; any activity claiming that holding Xaman or XRP can get an airdrop is a scam
Browser plugins: All official Xaman interactions are done via QR codes; any Xaman-related plugins in browsers such as Chrome and Firefox are not officially published and should be reported immediately to Chrome or Firefox
FAQ
How to verify the authenticity of Xaman wallet official applications to avoid downloading fake versions?
Xaman’s official apps are distributed only through two official app stores: the Apple App Store and Google Play Store, published by XRPL Labs B.V. During verification, confirm that the developer name is “XRPL Labs B.V.” Search directly in the App Store or Play Store—do not obtain downloads through any third-party links or download buttons on scam websites. Xaman’s official website is xaman.app; any other similar domains may be scams. Wind explicitly pointed out in the warning that Xaman interacts with the XRPL ecosystem’s websites via QR codes rather than browser plugins, so there should be no and no need for any Xaman plugins in browser environments.
Why did scams targeting Xaman spike in May, and how is it related to recent XRP market developments?
Crypto scams are usually positively correlated with market hype—when a particular token (such as XRP) sees increased market attention, significant price fluctuations, or major ecosystem progress, scammers intensify targeted attacks on community users to take advantage of users’ lowered guard during heightened sentiment. This month’s ongoing capital inflows into the XRP spot ETF and the expansion developments in the XRPL ecosystem (including Ripple’s investment in Squid, etc.) have increased overall activity in the XRP community. Wind said that the number of new scams appearing daily reflects the scam team’s continued high-intensity exploitation of the Xaman brand, which is a social engineering attack beyond technical methods.
Which specific scam forms does David Schwartz, Ripple’s former CTO, cover in his contemporaneous warning?
Based on this month’s report, the main scam forms Schwartz warned about include: fake airdrop events (promising free XRP by connecting a wallet); fake giveaway events (usually impersonating well-known figures or Ripple officials); identity impersonation (including confirmed promotion of an XRP giveaway using a fake Instagram account of the confirmed fake Ripple CEO Brad Garlinghouse); and fake customer service accounts. Schwartz’s advice is: if users see any such posts, they should assume they are scams, and must independently verify the information source before signing any transaction.
