Wietse Wind, the lead developer of the Xaman wallet and a prominent figure in theXRP Ledger (XRPL) ecosystem, hasissued a technical advisory regarding a coordinated scam campaign active this February 2026. Following a weekend of deploying emergency filters and in-app warnings, Wind outlined six specific attack methods currently targeting the community.
Six attack vectors and social engineering with XRP
According to Wind, the current threat landscape reveals an increasingly sophisticated shift toward deceptive social engineering. The first and most prevalent method involves fraudulent sign requests that trick users into authorizing seemingly routine transactions that actually trigger the immediate transfer ofXRP to addresses controlled by attackers.
Next is the use of malicious NFTs distributed via unsolicited airdrops. These assets often include "swap offers" designed to lure holders into exchanging their legitimate balances for worthless tokens.
Third, impersonation accounts on social platforms such as X and Telegram pose as official support staff to manufacture a sense of urgency and bypass user caution. Furthermore, phishing emails referencing wallet activity are used in the fourth vector.
There is a massive XRPL targeted scam effort going on.I've been working all weekend (day+night) to do what we can to add more warnings & filters, but at the end of the day nothing works as well as our own vigilance.We're seeing:- Scam sign requests (they try to trick you… https://t.co/FGNCtvNPDo
— Wietse Wind - 🪝🛠 Xaman® + XRPL + Xahau (@WietseWind) February 16, 2026
Wind specifies that since the Xaman infrastructure, the one he is heavily engaged in, does not collect user email addresses, these campaigns rely on leaked databases from unrelated crypto breaches to create the illusion of official communication.
The fifth threat is the circulation of fake desktop wallets. Wind has clarified that no official desktop client exists for Xaman, so any such software is a definitive security risk.
card
Finally, the sixth threat vector involves fraudulent token giveaways that request secret keys or recovery phrases under the guise of promotional participation.
Wind stresses that theXRPL protocol remains secure and uncompromised. The attacks operate entirely at the social engineering layer, targeting user decision-making rather than network consensus. The operational takeaway is procedural discipline: verify within the official in-app support channel and treat unsolicited interaction as hostile by default.