Ripple's chief technology officer, David Schwartz, issued a blunt warning this week to the platform's more than 700,000 followers on X: the scams targeting XRP Ledger users are getting worse—and they're using artificial intelligence to do it. Schwartz pointed to a surge in fake airdrop and giveaway schemes that have grown more sophisticated with deepfake videos and wallet-draining scripts.
The new wave of wallet drainers
The dominant attack vector, Schwartz explained, is a fake airdrop site. A user connects a non-custodial wallet, and that action triggers a hidden script. The script executes a single authorized transaction—irreversible, and emptying the wallet's contents in one go. Unlike older phishing attempts, these sites look polished and often mimic legitimate Ripple or XRPL interfaces.
Another common con is the giveaway scam. It promises to double any XRP sent to a scammer-controlled address. The pitch often includes fabricated Ripple announcements designed to look official. Schwartz said the combination of elevated institutional attention and retail trading volume has made XRP holders a particularly high-value target.
Deepfake videos clone Schwartz himself
Attackers have started using AI-generated deepfake videos on TikTok and YouTube. In them, a synthetic version of Schwartz's face and voice urges viewers to send XRP for a supposed promotional event. The videos are convincing enough to fool people who aren't looking closely. Schwartz warned that anyone claiming to be him on Instagram, Telegram, or other platforms is almost certainly a scammer.
During the first quarter of 2026, more than 50 fake accounts impersonating Schwartz and Ripple CEO Brad Garlinghouse were reported on Instagram and Telegram alone. The accounts often repost real content from the executives to build credibility before switching to scam messages.
Phishing emails that passed security checks
Schwartz also highlighted a phishing campaign that managed to inject fake emails into Robinhood's infrastructure. The attackers exploited Gmail's so-called dot-trick—adding periods to the username portion of an email address—and embedded malicious HTML payloads. The emails passed SPF, DKIM, and DMARC authentication checks, making them appear completely legitimate to both the email client and the user.
It's unclear how many Robinhood users fell for the scheme, but the fact that the emails cleared standard security protocols underscores how difficult it has become to spot sophisticated phishing attempts.
What users should do now
Schwartz did not announce any specific new security features for XRPL. Instead, he urged users to be extremely cautious about any site or message that asks them to connect a wallet or send XRP for a promotion. He recommended double-checking URLs, not clicking links from social media accounts claiming to be him, and never signing transactions on untrusted sites.
The broader takeaway from Schwartz's warning is that the tools used by scammers are evolving faster than many users' ability to recognize them. And with XRP's price volatility drawing in both retail and institutional traders, the pool of potential victims keeps growing.
