Wallet Drainers and Investment Scams Impersonating SpaceX and the FIFA World Cup
Executive Summary
Over the past month, Blockaid tracked a sharp rise in malicious dApps and crypto scams built around two of the biggest stories in the world right now, Elon Musk's companies and the 2026 FIFA World Cup. The two events are entirely unrelated, yet the campaigns riding them followed the same playbook. Each one funneled victims to a lookalike site, prompted a wallet connection or a deposit, and completed the theft the moment the victim acted.
The Musk campaigns clustered around the SpaceX IPO, the largest public offering in history and one that reserved a large share for retail investors, the same audience these scams target. Blockaid observed attackers pivot away from Tesla, the brand earlier waves leaned on, toward SpaceX, Grok, and xAI, fresher names with less scam fatigue attached, and shift from fake investment platforms toward presale-token dApps that drain wallets directly.
The World Cup campaigns spiked twice, once during the ticket rush in mid-May and again as the tournament kicked off in mid-June, and skewed even harder toward outright wallet drainers, powered primarily by AngelFerno, Quark, Rublevka, Eleven, and Step, with some operations offering kits built specifically for the tournament.
This post breaks down how both campaigns worked, the two attack types behind them, and why the pattern will repeat with major events around the world. For the wallets, exchanges, and platforms whose users are the targets, it also covers how Blockaid's End User Protection detects these scams in real time, before a user ever connects or signs.
Why Trending News Is the Perfect Bait
Most crypto scams reuse the same infrastructure, a lookalike domain, a "connect your wallet" button, and a malicious approval or drainer script that drains funds the moment a victim signs. What changes is the bait, and the most reliable bait is whatever already dominates people's feeds. A product launch, a celebrity headline, or a global sporting event delivers the three ingredients a scam needs. Urgency pushes victims to act before the opportunity disappears, borrowed trust attaches the scam to a name people already recognize, and distraction supplies the excitement that lowers a user's guard.
April was the worst month for crypto theft on record, with over $629 million drained across more than 20 incidents, and drainer operators moved with the news, registering fake revoke and migration sites within hours of each major hack to intercept panicked users. Blockaid documented that behavior across five separate exploits.
Learn more about how wallet drainers use fake revoke sites and Twitter phishing to exploit victims →
The Two Attack Types Behind Event-Driven Scams
The same lure feeds two distinct attack types, and the difference matters for how platforms defend against them.
- Malicious dApps (wallet drainers) - The user connects a wallet to what looks like a token claim, vote, or mint. A hidden token approval or drainer script transfers assets out the instant they sign. The victim never knowingly hands over funds, since one malicious signature does the work.
- Investment scams - A fake trading or presale platform persuades the user to deposit funds to a wallet address. A fabricated dashboard shows the balance climbing, but withdrawals never process, because the funds were gone the moment they were “invested”.
Both attack types share the same front-end and follow the same sequence.
- An asset that serves as bait - A deepfake video, airdrop post, or hijacked account drives traffic.
- A lookalike phishing site - A freshly registered domain mimics an official launch or fan page.
- A prompt to connect a wallet or deposit funds - The user is asked to claim, vote, or buy in through a wallet connection, or to send funds to a deposit address.
- Drain the moment the user signs - On a drainer, a hidden signature sweeps assets out once the user signs. In an investment scam, the user transfers funds they will never recover.
- Rotation to the next domain - The burned domain is abandoned and the kit spins up a replacement.
Because so much of this pipeline is automated and disposable, the campaigns move faster than any manual defense can track.
Campaign #1: Elon Musk, xAI, Grok, and SpaceX
As Musk-related news held the crypto crowd's attention, Blockaid detected a clear spike in scams impersonating his companies, along with a notable shift in which brands the attackers leaned on. Earlier waves relied heavily on Tesla, while the most recent surge pivoted to SpaceX, Grok, and xAI, fresher names with less scam fatigue attached. Activity intensified around the SpaceX IPO in June, which put those brands at the center of every feed and gave scam offers a real event to hide behind.
The Setup
Attackers moved away from fake investment platforms and toward presale-token dApps that drain wallets directly, built on two kinds of infrastructure.
- Wallet-draining presale sites posing as official SpaceX, Grok, or xAI token launches.
- Machine-generated domains built to dodge simple keyword filters, using short randomized strings like gro66m, gro90b, spcx28p, and spcx29k alongside full-name lookalikes such as grokvalis[.]com, grokvaxium[.]com, official-spacex[.]com, and elon2x[.]com. The same kit re-registers a single name across .com, .net, and .org to survive takedowns.

The Drain
The sites themselves are only the endpoint of the campaign. Victims reach them through an unusually multi-channel distribution network.
- YouTube - Deepfake Elon Musk videos promise to double any crypto sent to a QR-coded wallet, with comments disabled to hide warnings from previous victims.
- AI voice synthesis - Victims report phone calls using a convincing synthetic Musk voice, followed by a push to move the conversation to Telegram or WhatsApp before an investment wallet address is shared.
- Hijacked social accounts - Compromised X, Instagram, and Discord accounts auto-post scam links to their existing followers.

The Outcome
The damage from this campaign is already visible in public victim reports. One user described losing several hundred dollars to a fake SpaceX-themed token that pumped over 250% before the rug pull, noting that the timing felt perfect amid the SpaceX hype. Others reported five-figure losses to Elon Musk imposters.

Takeaways
- Brand rotation outruns name-based defenses - Attackers moved from Tesla to SpaceX, Grok, and xAI as scam fatigue set in, so any defense keyed to specific brand names lags each pivot.
- Disposable domains defeat keyword filters - Strings like gro66m carry no brand name, and hundreds of short-lived sites rotate faster than manual lists can update.
- AI has made impersonation cheap and scalable - Deepfake videos and synthetic voice calls put a convincing Elon Musk in front of victims on the platforms they use every day, delivering borrowed trust at scale.
- Both attack types ran side by side - The same campaign pushed deposit-address investment scams, like the fake Medium post soliciting Bitcoin and Ethereum transfers, alongside wallet-draining presale dApps, so defenses tuned to one model miss the other.
- Blockaid secures the moment funds want to move - On integrated wallets, including MetaMask, Blockaid warns users before they connect to a flagged site or sign a draining transaction, and provides exchanges the same real-time screening to block transfers to known scam addresses.
Campaign #2: The 2026 FIFA World Cup
The world's biggest sporting event is an obvious target, and the activity matched Blockaid's expectations. Scam deployment spiked twice, first during the ticket-and-hype season in mid-May and again as the tournament kicked off in mid-June. The campaign skewed even harder toward outright wallet drainers than the Musk wave, powered primarily by AngelFerno, Quark, Rublevka, Eleven, and Step, several of which Blockaid has profiled in past threat intelligence reports.
The Setup
Operators built tournament-themed infrastructure using the same commercial kits they deploy everywhere else.
- Fake tournament dApps disguised as betting platforms, fan-voting pages, and match-streaming sites, at domains such as roobet-worldcup.vercel.app, worldcupvp.app, watchfifa2026.xyz, vote-worldcuponpump.com, and fifaworldc.com.
- World Cup affiliate packages - Established drainer operations advertised special tournament offers to affiliates in their internal channels, with off-the-shelf kits carrying anti-analysis features like code obfuscation and blocked developer consoles.

The Outcome
Scam deployment spiked twice, first during the ticket-and-hype season in mid-May and again as the tournament kicked off in mid-June. With the tournament still under way, the conditions that produced both spikes remain in place.
What Blockaid Flagged
- Tournament dApps detected across Solana and EVM - Including sites targeting users of Phantom, Backpack, Solflare, OKX, and Coinbase, and a Polymarket-themed dApp aimed at EVM wallets during the tournament.
- Automatic real-time detection - Blockaid's dApp scanning flagged the malicious $WCUP token dApp automatically and in real time.
Takeaways
- Major events now get dedicated criminal tooling - Drainer operations sold World Cup-specific packages to affiliates, productizing the tournament the same way they productize support for new chains.
- Criminal activity tracks the event calendar - Both spikes mapped to predictable moments, ticket sales and kickoff, which means defenders can anticipate the next wave rather than react to it.
- Anti-analysis features defeat manual inspection - Code obfuscation and blocked developer consoles mean even technical users cannot easily verify a site, so detection has to happen automatically at the point of connection.
Learn more about how crypto drainers are using X (Twitter) to target Web3 users →
Why Legacy Security Tools Miss This
When users fall for these scams, they are responding to genuine excitement around real events, on platforms they use every day, through content designed to look like everything else in their feed. The legacy tooling most platforms still rely on, static blocklists, keyword filters, and manually curated deny-lists, was built for a slower threat.
Static blocklists are reactive by nature. A domain has to be known and reported before it gets flagged, and these domains are machine-generated, carry no obvious brand name, and are abandoned before they would ever make a manual list. Keyword filters fail for the same reason, since a string like gro66m or spcx28p matches nothing. And because the same bait is exploited by many independent operators running different kits, there is no single actor to track and block. The technique itself has spread across the drainer ecosystem, which means legacy defenses that wait for a threat to be reported will always arrive after the theft. The only reliable defense evaluates every connection and transaction in real time, regardless of who is behind it, and that is the model the next section covers.
How Blockaid's End User Protection Stops Wallet Drainers and Investment Scams in Real Time
Blockaid's End User Protection stops both attack types at the moment they matter, when a user attempts to connect a wallet, interact with a token, or sign a transaction, before any funds are stolen. Any user on a Blockaid-integrated wallet, including MetaMask, Coinbase, Rainbow, Ledger, and Zerion, is warned in real time before connecting to the malicious infrastructure these campaigns deploy:
- dApp Scanning - Blockaid's web crawler continuously analyzes DNS records, certificate transparency logs, and live web data to detect newly registered or compromised domains within minutes of appearing, then scans each site for drainer code signatures and infrastructure tied to known operations. Detection is based on what a site does rather than what its domain is called, so randomized throwaway domains offer the attacker no cover. Blockaid's dApp Scanning flagged the $WCUP dApp in the World Cup campaign this way, automatically and in real time.
- Token Scanning - Blockaid detects the malicious and impersonation tokens that cluster around trending events, flagging fake Grok, SpaceX, and World Cup tokens and warning users before they interact.
- Address Scanning - Every address involved in a transaction is checked against Blockaid's threat intelligence database, which tracks addresses tied to drainer campaigns and scam operations across chains. This layer catches investment scams as well, warning users before they send a deposit to an attacker-controlled address, even when the site collecting it is brand new.
The Musk and World Cup waves traced back to a handful of the hundreds of active drainer operations Blockaid tracks, and the next wave will be built around whatever story breaks next.
Learn more about Blockaid's End User Protection →
Conclusion
Every major event around the world now produces a scam wave to match it, and the operations behind these campaigns are already positioned for the next product launch, token listing, or tournament, with kits that can spin up themed infrastructure in hours. Brands and tactics shift too fast for defenses tied to specific names or static lists, which age out in days, while behavioral detection holds up because it evaluates what a site, token, or address actually does rather than what it claims to be.
Blockaid's End User Protection applies that evaluation where it matters most, at the moment a user connects or signs, screening the dApps, tokens, and addresses these campaigns deploy in real time and warning users before they connect to a malicious site, buy a fake token, or send funds to a scam address. For the wallets, exchanges, and platforms serving those users, that protection is in place before the next headline breaks.
About Blockaid
Blockaid is the onchain security platform trusted by the largest companies operating in Web3. Built by veterans of elite intelligence and cybersecurity units, Blockaid provides end-to-end protection for financial institutions, protocols, and end users, combining direct wallet and dApp integrations with real-time monitoring, detection, and response across smart contracts, infrastructure, and externally owned accounts. Since 2025, Blockaid scanned over 6.3 billion transactions and blocked 585 million attacks. Blockaid is the security infrastructure behind Coinbase, MetaMask, Uniswap, Safe, and dozens of the most widely used platforms in the industry.
Learn more at Blockaid.io, and follow us on Twitter and LinkedIn.
Blockaid is securing the biggest companies operating onchain
Get in touch to learn how Blockaid helps teams secure their infrastructure, operations, and users.



