Address Investigated 0xA1a5b1: https://app.nansen.ai/profiler?address=0xA1a5b1EB70D287113E41aC4636fC8e75fA161C4d Chain: Plasma Date: May 31, 2026 Threat Level: ⚠️ HIGH For several days, a cla
Address Investigated 0xA1a5b1: https://app.nansen.ai/profiler?address=0xA1a5b1EB70D287113E41aC4636fC8e75fA161C4d
Chain: Plasma Date: May 31, 2026
Threat Level: ⚠️ HIGH
For several days, a classic airdrop phishing operation targeting users on the Plasma blockchain. The scammer deployed a malicious contract and distributed worthless tokens to multiple wallets, attempting to lure victims to a fraudulent website disguised as a "Base airdrop claim."Key Findings
1. Wallet Profile- Creation Date: May 31, 2026 (brand new wallet)- Current Holdings: $0 (empty wallet)- First Funder: 0xf5c1e1: https://app.nansen.ai/profiler?address=0xf5c1e1eb21646e601a812a980516483a91b20a08, unlabeled address, likely part of the same operation
2. Malicious Contract DeployedThe address deployed a smart contract with an embedded phishing URL:> www[.]7base[.]cfd - claim Your Base airdrop> Contract: 0x187b3c: https://app.nansen.ai/profiler?address=0x187b3c5afaec152d6a27b66a9a706020454771f5This naming convention is designed to:- Appear in block explorers and wallet UIs- Impersonate legitimate Base network airdrops- Drive traffic to the phishing domain
3. Mass Token Distribution (Dusting Attack)The scammer sent a token named WWW. 7BASE .CFD to at least 9+ victim addresses, including:
Victim Address, Token Received, USD Value: 0x0050ab: https://app.nansen.ai/profiler?address=0x0050ab71d3369e305042a52b7460e3de34163d9c WWW[.]7BASE[.]CFD | $0 | 0xb32aaa: https://app.nansen.ai/profiler?address=0xb32aaa0bb1bd314659b2e06064daa8d085198cab WWW[.]7BASE[.]CFD | $0 ||
0x991972: https://app.nansen.ai/profiler?address=0x991972d8a82a8366f09e182d75c478bc7ad4fda1 WWW.7BASE.CFD | $0 |
0x09ce97: https://app.nansen.ai/profiler?address=0x09ce977b7639b0d2eebbe9535aaa15222987bae4 WWW.7BASE.CFD | $0 ||
0x114d8f: https://app.nansen.ai/profiler?address=0x114d8fcac587b39206c3e76cd70bcbd0ec1c6f28 WWW[.]7BASE[.]CFD | $0 |
How This Scam Works
1️⃣ SETUP └─► Scammer creates fresh wallet └─► Deploys contract with phishing URL in name
2️⃣ DISTRIBUTION └─► Sends worthless tokens to random active wallets └─► Token name contains malicious URL
3️⃣ EXPLOITATION └─► Victim sees "free airdrop" in wallet └─► Visits phishing site to "claim" └─► Site requests wallet connection + approval └─► Drainer contract steals all assetsRed Flags Identified
- Brand new wallet created, same day as attack
- Zero-value token distribution, classic dusting pattern
- URL embedded in contract/token name, social engineering tactic
- Impersonating a legitimate project "Base airdrop" theme- Empty wallet post-distribution, disposable infrastructure
- Unlabeled first funder, no traceable originThreat IntelligenceDomain: 7base[.]cfd
- commonly abused for phishing)
- Impersonation Target: Base Network (Coinbase L2)
- Tactic: Fake airdrop claim page
- Likely Payload: Wallet drainer / approval phishing
My recommendations for UsersIf You Received This Token:
1. DO NOT visit the website in the token name
2. DO NOT attempt to sell, swap, or interact with the token
3. DO NOT approve any transactions related to this token
4. IGNORE it completely, the token has zero value
5. HIDE the token in your wallet interface if possible
General Protection Tips:
- Always verify airdrop announcements through official project channels
- Be suspicious of any token that appears unexpectedly in your wallet
- Never connect your wallet to unknown websites
- Use a burner wallet for testing suspicious interactions
- Check contract addresses on block explorers before interactingThis investigation confirms 0xA1a5b1EB70D287113E41aC4636fC8e75fA161C4d as a malicious address conducting an airdrop phishing campaign on Plasma. The operation uses classic scam infrastructure: disposable wallets, worthless token distribution, and embedded phishing URLs designed to steal user funds through fake "airdrop claims."
Users who received the WWW[.]7BASE[.]CFD tokens should take no action, interacting with it poses a significant risk of asset loss.Plz, @BinanceWallet @BitgetWallet @wallet @TrustWallet, if possible, please blacklist this address: 0xA1a5b1EB70D287113E41aC4636fC8e75fA161C4d, especially all those addresses that clutter our wallets.
