Wallet Founder Warns of Coordinated Scam Targeting XRPL Users
February 16 2026 – CryptoNews Desk
The founder of Xaman Wallet, Wietse Wind, has sounded an alarm over a wave of coordinated scams aimed at users of the XRP Ledger (XRPL). In a post on X (formerly Twitter) on February 16, Wind disclosed that his team had spent the previous weekend implementing additional filters and alerts after detecting a surge in social‑engineering attacks designed to trick users into authorising malicious transactions.
What the attackers are doing
According to Wind, the campaign employs a variety of tactics, including:
- Fake sign‑request prompts – malicious pop‑ups that mimic legitimate Xaman Wallet requests, urging users to approve token swaps or other transactions they never initiated.
- Phishing emails and direct messages – messages masquerading as official support or community staff, often containing links to counterfeit websites. Although Xaman does not retain user email addresses, the scammers appear to be leveraging data leaked from unrelated breaches.
- Scam NFTs and “free‑token” offers – promotional assets that claim to deliver token rewards in exchange for a user’s secret keys.
- Counterfeit desktop wallets – promotional downloads for a “desktop” version of Xaman, despite the product being mobile‑only.
- Impersonation accounts – social‑media profiles that copy official Xaman branding to lend credibility to the fraud.
Wind emphasised that the attacks focus on user manipulation rather than vulnerabilities in the XRPL protocol or the Xaman codebase. The primary danger lies in users inadvertently signing transactions or disclosing private keys.
Broader industry context
The XRPL‑specific scam surge mirrors a wider trend in the cryptocurrency ecosystem. A recent PeckShield report covering 2025 identified more than $4 billion lost to scams and hacks, with $1.37 billion (≈64 % increase from 2024) attributed solely to fraudulent schemes. The report also noted a shift toward targeted phishing campaigns that focus on individuals with substantial holdings, rather than mass‑scale technical exploits.
Centralised exchanges and platforms now account for roughly 75 % of stolen funds, up from 46 % the previous year, underscoring the growing effectiveness of social‑engineering attacks across the sector. Earlier this month, blockchain analyst ZachXBT documented a hardware‑wallet scam that resulted in the loss of ≈$282 million in Bitcoin and Litecoin, with the proceeds subsequently routed through THORChain and converted to Monero, highlighting the sophistication of fund‑laundering pipelines.
Analysis
The current wave of XRPL scams illustrates a paradigm shift: attackers are exploiting the human element rather than searching for protocol bugs. While wallet developers like Xaman can enhance detection mechanisms and push out alerts, the ultimate line of defence remains user vigilance.
- Increased attack surface – By moving beyond on‑chain exploits to off‑chain tactics (email, social media, fake apps), scammers broaden their reach and make it harder for automated security tools to catch every threat.
- Data leakage amplification – Even wallets that do not store email addresses are vulnerable when attackers harvest personal data from unrelated breaches and repurpose it for targeted phishing.
- Education over technology – The most effective mitigation appears to be user education—ensuring that holders understand that legitimate wallets never ask for secret keys, never request unsolicited token swaps, and that official communications are limited to verified channels.
Wind’s warning serves as a reminder that security is a shared responsibility. While Xaman Wallet’s recent filter upgrades and public alerts are valuable, they cannot compensate for users who willingly approve malicious transactions.
Key Takeaways
- Coordinated scams targeting XRPL users involve fake sign‑requests, phishing emails, counterfeit desktop wallets, and “free‑token” NFT offers.
- User action – Funds remain safe as long as users refrain from approving unknown transactions and never share private keys.
- Industry trend – Scams now account for a larger share of crypto losses, with a 64 % year‑over‑year rise in fraudulent activity.
- Centralised platforms are increasingly the primary conduit for stolen assets, highlighting the need for stronger security practices across exchanges and custodians.
- Best practices – Verify URLs, avoid clicking unsolicited links, use only official wallet applications, and treat any request for secret keys as a red flag.
Wind concluded that the situation is a “cat‑and‑mouse game,” but emphasized that scammers cannot succeed if users do not interact with malicious prompts. As the crypto community grapples with increasingly sophisticated social‑engineering schemes, heightened awareness and disciplined wallet usage remain the most reliable safeguards.
Source: https://cryptopotato.com/wallet-founder-warns-of-coordinated-scam-targeting-xrpl-users/
