Open any active wallet on Base, or on most other networks, and sooner or later you will find tokens you never bought. They have names like "✅ USDС TOKEN DISTRIBUTION", a website address baked into the token symbol, and often a deadline urging you to claim something before next week.
You did not get hacked. You got dusted.
What is happening
Sending tokens on a blockchain does not require the recipient's consent. Anyone can create a token, name it anything they like, and send it to thousands of addresses at almost no cost. Scammers do exactly that, and the token name itself is the advertisement. That is why the names contain URLs, Telegram handles and words like claim, airdrop and redeem.
The tokens themselves are worthless and mostly inert. The danger is the website in the name. Visit it and connect a wallet, and you will be asked to sign something. The signature is the trap: depending on the variant, it grants the scammer approval to spend your real tokens, or transfers them outright. Some of these contracts are also built so that any attempt to interact with the scam token itself, even trying to send it away, triggers a malicious action.
A common variant impersonates real assets. The fake "USDC" in our example uses a Cyrillic letter С that looks identical to the Latin one. The name reads like the real thing; the contract has nothing to do with Circle.
The rules
Never visit a URL that arrived inside a token name. Never connect your wallet to a site you reached that way, and never sign anything it asks for. Do not bother trying to send the token away either; interacting with the contract is exactly what its creator wants, and ignoring it is completely safe.
A token you did not buy, with a website and a deadline in its name, is a scam with a probability close to certainty. Real projects do not distribute funds this way.
What Simple Base Swap does about it
We filter the obvious cases out of your token list automatically. Tokens whose name or symbol contains a URL, a Telegram handle or claim-style bait simply do not appear in your balance, so the wallet stays clean and there is nothing tempting to click. The tokens technically still exist at your address, which you can verify on a block explorer like Basescan, but they have no value and no claim on your real funds.
The filter catches patterns, and scammers iterate, so the personal rule still matters: if you did not buy it and it is advertising something, it is not yours and it is not a gift.
One more layer of safety
This whole scam family works because a wallet's real assets can be put at risk by one bad signature. Two habits shrink that risk to almost nothing. First, read what you are signing; a request to "approve" a token for an unlimited amount from a site you just met is a red flag in bold. Second, keep serious holdings in a wallet that does not browse. A wallet that only holds and swaps, and never connects to random websites, has a very small attack surface.
Strange tokens in the balance are the crypto equivalent of spam in a mailbox: unavoidable as long as sending is permissionless, harmless as long as you do not answer.