Wallet apps do not hand out "exclusive passes" by surprise. Yet scammers keep betting that the word exclusive will make people click first and think later, because of course it will.
Over the weekend, Wietse Wind, founder of Xaman (formerly Xumm) and a long-time XRP Ledger (XRPL) developer, issued a blunt warning to XRP holders: Xaman is not sending NFT "passes", and any inbound NFT offer claiming to be a pass, beta invite, or special access is almost certainly a scam designed to drain wallets. [1]

Wind's alert hit X on Feb. 28, 2026, and it was amplified again in reporting published March 1, 2026, as users shared screenshots of suspicious NFT "passes" and offers landing in XRPL wallets. [2]

What was flagged: fake NFT "passes" and bait offers

Wind's warning was direct:

  • "We are NOT sending 'passes' or NFT's"
  • "These are sent by SCAMMERS"
  • "Do not engage, do not accept, CANCEL their offer"

The scam pattern described across community reports is consistent with an increasingly common playbook on multiple chains:

  1. A scammer sends or offers an NFT that looks like an official Xaman asset (often branded as a "pass," "beta invite," or "closed access" token).
  2. The victim is pushed to accept an offer or follow a link to "claim" access.
  3. The acceptance or follow-up step leads to a transaction signature (approval) that gives the attacker a route to siphon assets, or to set up future control of the account.

On XRPL specifically, the trap often starts with something that looks harmless: an NFT offer. On-chain, "offers" are just proposed trades. The danger comes when the next step is engineered to get you to sign something you would not sign if it were described honestly.

How wallet drainers work on XRPL (plain English version)

A "wallet drainer" is not magic. It is paperwork, weaponized. [3]

Most crypto thefts still rely on one of two outcomes:

  • You hand over your keys (seed phrase, secret, recovery words), and the attacker simply takes everything.
  • You sign a transaction that grants permissions or moves funds, because the prompt is disguised as something else.

XRPL scams leaning on NFT bait can push victims toward either outcome. The fake "pass" creates urgency, then the attacker funnels the target into steps like:

  • Signing a transaction you did not intend, such as setting a new key or authorizing a configuration change.
  • Connecting to a fake website that imitates an official product and asks for sensitive data, including seed phrases.
  • Approving actions that create follow-on risk, such as granting an attacker ongoing capabilities if the account's settings are altered.
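
One way to make "read the prompt before signing" concrete is to triage the raw transaction JSON by its XRPL `TransactionType`. The sketch below is an added example, not code from Xaman or from the reporting; the risk tiers, the `reviewTx` name and the placeholder accounts are assumptions, and it covers a few more transaction types than the article names.

```javascript
// Added example: triage an XRPL transaction JSON before signing.
// Risk tiers and wording are this example's assumptions, not Xaman's rules.
const RISK = new Map([
  // Change who controls the account
  ['SetRegularKey', ['critical', 'sets or removes the regular key that can sign for the account']],
  ['SignerListSet', ['critical', 'creates, replaces or removes the multi-signing list']],
  ['AccountDelete', ['critical', 'deletes the account and sends its XRP to Destination']],
  ['AccountSet', ['high', 'changes account settings and flags']],
  // Move or commit value
  ['Payment', ['high', 'sends funds to Destination']],
  ['NFTokenAcceptOffer', ['high', 'accepts an NFT offer whose terms sit in the referenced offer']],
  ['NFTokenCreateOffer', ['medium', 'creates an offer to buy or sell an NFT']],
  ['TrustSet', ['medium', 'creates or changes a trust line to an issuer']],
  // The action the warning actually recommends
  ['NFTokenCancelOffer', ['low', 'cancels the listed NFT offers']],
]);
const ORDER = ['low', 'medium', 'high', 'critical'];
const ASF_DISABLE_MASTER = 4; // AccountSet flag that disables the master key

function reviewTx(tx, knownDestinations = []) {
  const type = String(tx.TransactionType);
  const [base, why] = RISK.get(type) ||
    ['high', 'type not covered by this check, treat as unsafe until understood'];
  let level = base;
  const reasons = [`${type}: ${why}`];
  const raise = (to, msg) => {
    if (ORDER.indexOf(to) > ORDER.indexOf(level)) level = to;
    reasons.push(msg);
  };
  if (type === 'AccountSet' && tx.SetFlag === ASF_DISABLE_MASTER) {
    raise('critical', 'SetFlag 4 (asfDisableMaster) disables the master key');
  }
  if (tx.Destination && !knownDestinations.includes(tx.Destination)) {
    raise('high', `Destination ${tx.Destination} is not on your known list`);
  }
  return { level, reasons, needsReview: level !== 'low' };
}

// Constructed prompts; the r... values are placeholders, not real accounts.
const samples = [
  { TransactionType: 'SetRegularKey', Account: 'rMY_ACCOUNT', RegularKey: 'rUNKNOWN_KEY' },
  { TransactionType: 'AccountSet', Account: 'rMY_ACCOUNT', SetFlag: 4 },
  { TransactionType: 'NFTokenCancelOffer', Account: 'rMY_ACCOUNT', NFTokenOffers: ['OFFER_ID_PLACEHOLDER'] },
];
for (const tx of samples) {
  const r = reviewTx(tx);
  console.log(r.level.toUpperCase().padEnd(9), r.reasons.join('; '));
}
```

A prompt presented as "claim your pass" that decodes to a `SetRegularKey` or `SignerListSet` transaction is the mismatch to look for: neither has anything to do with receiving an NFT.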

Wind also flagged a more specific variant: a website using a fake Xaman-like domain that presents the NFT as an invitation to a closed beta. That is a classic funnel: brand impersonation plus an access narrative plus a prompt to "verify" your wallet. [4]

If you are wondering why scammers love "beta passes," it is because people expect betas to be messy and unofficial. That ambiguity is useful cover.

The scam's delivery mechanism: NFT offers and social engineering

The reporting cites two behaviors seen in the wild:

  • Scammers mint or duplicate NFTs and then craft offers that appear to come from legitimate projects, or that visually resemble known collections.
  • Scammers "pry" at existing NFT offers, then mimic them from another wallet to lure buyers or collectors into interacting with a malicious flow.

That second tactic matters because it exploits normal market behavior. XRPL users who trade NFTs are already accustomed to seeing offers, counter-offers, and transfers. A scam that looks like routine deal flow can slip past someone who is moving quickly.

Practical takeaways (because vibes do not stop theft)

1) If you receive an unsolicited "pass," treat it as hostile

A surprise NFT "invite" is not a gift, it is an attack surface. Even if the NFT itself cannot execute code, it can be used as a lure to get you to take the one action that matters: signing something or sharing secrets.

2) "Do not engage" is real advice, not paranoia

Wind's guidance to cancel the offer is important. On XRPL, you can often remove yourself from the interaction by declining or canceling. The goal is to avoid giving scammers any additional signals that your wallet is active, reachable, and worth targeting.

3) Domain spoofing is doing heavy lifting here

A fake domain that looks close to the real one is the oldest trick on the internet, and it still works. If the flow sends you off-wallet to "verify," "claim," or "join," assume the destination is the product. Verify it independently, not via the link you were handed.

4) Support impersonation remains a top XRPL scam vector

The source reporting also points to a familiar companion scam: fake support accounts. Real support will not ask for your seed phrase. Real support will not need you to "validate" your wallet by entering secrets on a website. Anyone who does is not support, they are the threat. [5]

What users should do right now

Here is a simple checklist that matches the risk profile Wind described:

  • Do not accept unsolicited NFT "passes," invites, or beta access tokens.
  • Cancel or decline suspicious NFT offers inside your wallet interface.
  • Do not follow links embedded in NFT metadata or accompanying messages.
  • Never enter your seed phrase on any site, for any reason. Wallet recovery words are not a login.
  • Verify official domains and announcements by navigating manually (bookmark the real site), not by clicking.
  • Scrutinize transaction prompts before signing. If you do not understand what a transaction does, do not approve it.

If you are part of a team or community that onboards new XRPL users, this is also the moment to repeat the boring line that saves money: no legitimate project needs your seed phrase, and no "pass" is worth rushing a signature.

What to watch next (mildly unimpressed, but realistic)

Several near-term signals will indicate whether this campaign is growing or getting contained:

  1. More impersonation domains: look for additional fake "Xaman" sites and similarly named landing pages pushing pass claims.
  2. Wallet-side warnings: if the scam scales, expect more proactive labeling, blacklists, or in-app alerts from wallet providers and community tools.
  3. Shifts in the lure: if "beta pass" fatigue sets in, scammers will rename the same trick to "airdrop access," "KYC unlock," or "priority mint." Same hook, different wrapping.
  4. On-chain clustering: researchers may begin linking sending wallets and offer patterns, which can help users block known sources, even if it does not stop the broader tactic.

Bottom line: a fake NFT "pass" is not a new product feature, it is a dressed-up request for you to make a costly mistake. Wind's message is not subtle, and it does not need to be: cancel the offer, ignore the bait, and move on with your day.