Crypto airdrop-claim drainer lure — email announces token-airdrop eligibility (Backpack, Pyth, Jito, Wormhole, LayerZero ZRO, Monad MON, Arbitrum, Optimism, etc.) with a short claim window + connect-wallet CTA at an off-brand URL. Post-connection the drainer harvests approval signatures. Pre-connection recruitment variant; distinct from seed-phrase + EIP-712 permit signals. FBI IC3 PSA 2025-06-03 + FBI Mar 2026 FBI Token TRC-20 alert; $17B 2025 crypto fraud losses

Email announces that the recipient is eligible for a token airdrop (Backpack BACK, Pyth, Jito, Wormhole, LayerZero ZRO, Monad MON, Arbitrum ARB, Optimism OP, zkSync, Starknet STRK, etc.) with a short claim window and a "connect your wallet" CTA pointing at an off-brand URL. The "claim" page is a crypto drainer — once the victim connects their wallet and signs any approval or permit message, the attacker drains it. The FBI issued IC3 PSAs on June 3 2025 (Hedera NFT airdrop) and March 19 2026 (fake FBI Token TRC-20 on Tron), and MEXC/Coinmonks, Cointelegraph, and Check Point Research all tracked the pattern through 2025-2026; estimated 2025 crypto fraud losses totaled ~$17B. This signal targets the PRE-connection recruitment email, not the signature message itself — distinct from seed-phrase-verify (R3) and EIP-712 permit drainer (R4) signals. The giveaway is the combination of claim-framing ("claim your airdrop"), a wallet-connect CTA, and either a recognizable project brand or a short claim window — legitimate airdrops are announced via verified project newsletters with no wallet-connect link embedded in the email.