Gram Rebrand Scams: The Fake Claim and Migration Phishing Wave

On 8 June 2026 the TON Vote referendum on renaming Toncoin to Gram closed. According to CryptoTimes, the rebrand passed with 81.22% support, and Phemex reports the ticker switched to GRAM on 15 June. Almost the same instant, the thing every phisher waits for swung open: a window of confusion.

This is not another “top 10 crypto scams in general” post. It is a teardown of one specific moment — what scammers do during a rebrand, and why the reasoning “new ticker, so I must do something” is more dangerous than any malware.

The core message: you need to do nothing

Memorise one sentence and half the schemes stop working. The Toncoin-to-Gram rebrand is a presentation-layer rename and nothing more. The official TON channel, as quoted by ChangeNOW, put it as bluntly as possible: “No swap, bridge, claim, or migration. No action required.”

What specifically does not change:

• the balance in your wallet;
• your wallet address;
• smart contracts, Jettons, NFTs;
• your staking and DeFi positions.

Per MEXC, exchanges, wallets and explorers only update labels and trading pairs — there is nothing for the user to do. And if there is nothing to do, then anyone who tells you to “do” something is, by definition, lying.

Why a rebrand is a perfect phishing window

Rebrand coverage and Guardarian’s own scam warning make the same point: a rename opens “a perfect phishing window” — some users will hear the new ticker and assume they need to take action, when in fact they do not. That is psychology, not technology. People are conditioned to expect that, in crypto, updates sometimes do require a contract migration, an airdrop claim or a token swap. The brain fills in the blank: “they changed the name, so surely I have to press something.”

It is precisely that gap — between “nothing is required” and “feels like I should” — that the scammer walks through. They do not need to break TON’s cryptography; they only need to convince you to hand over access yourself.

A catalogue of rebrand scams

The tactics below, as reported by Guardarian, spiked around the rename. Each is tied directly to the moment the name changed.

1. Fake “claim your GRAM” pages

A lookalike site with the Gram logo invites you to “claim” the new tokens. Then one of these scenarios plays out:

• Connect wallet — you connect, the page slips in a signature request that actually grants it the ability to drain your funds.
• Approve a transaction — instead of “receiving GRAM,” you sign a transfer of your own assets to the scammer’s address.
• An “activation fee” — you are asked to send a small amount “to unlock” the new tokens. The money leaves, the GRAM never arrives (there is no separate claim to begin with).
• Seed phrase — the crudest version: a “verify your wallet to migrate” form where you type all 24 words.

Red flag: the very concept of “claiming GRAM” does not exist. There is nothing to claim — the token is already yours, just under a new name.

2. Fake “TON → GRAM migration”

This one parasitises the word “migration,” familiar from other chains. You are told: “old TON will soon lose support, move it to the new GRAM contract before the deadline.” Artificial urgency — a classic social-engineering lever.

In reality there is no “new GRAM contract.” Addresses and contracts did not change. Any offer to “move your TON before it’s too late” is your funds being drained by your own hand.

3. Clone bots on Telegram

Bots appear with names like @gram_migration_bot or @official_gram_claim, visually indistinguishable from the real thing. The bot asks you to connect a wallet via a link (often a fake TON Connect) or to enter a seed phrase “to verify the transition.” We covered how session compromise actually works in our piece on TON Connect phishing.

4. Lookalike domains (typosquatting)

According to Guardarian, lookalike domains multiplied around the rebrand: an extra letter, a hyphen, a changed top-level domain. The idea is to catch someone typing “something about gram” by hand. We showed exactly how such clone sites are assembled in our anatomy of phishing.

5. Fake support in your DMs

You post a rebrand question in a chat — and a minute later a “support agent” slides into your DMs offering “help with the move to GRAM.” Real support never messages first in DMs and, as Guardarian stresses, never asks for your seed phrase.

Checklist: spot a rebrand scam in 10 seconds

Any one of these is a reason to close the tab:

1. They ask you to claim, migrate, swap or activate GRAM — no action is required, period.
2. They request a seed phrase or private key — under any pretext.
3. They ask for an “activation fee” or upfront payment.
4. They pressure you with a deadline: “before it’s too late,” “old TON will be burned.”
5. A DM from “support” that messaged you first.
6. A suspicious domain: extra letter, hyphen, odd TLD.
7. Right after “connect wallet” they ask you to sign an approve / transfer.

What to actually do

• Don’t claim and don’t migrate. That is the correct action.
• Verify the source. Rebrand news comes only from the project’s official channel and major exchanges (Bybit confirmed it would support the ticker change) — not from a pop-up ad or a DM.
• Don’t connect your wallet to unfamiliar “GRAM” pages. If you already did, revoke your TON Connect permissions.
• Never give anyone your seed phrase. Full stop.

If you want a calm walkthrough of what actually changes (only the label), read our guide on what Toncoin holders should do during the rebrand and the technical piece on why Toncoin-to-Gram needs no swap. And to keep the whole threat landscape in mind — the top 10 TON scams on Telegram.

Bottom line

The Gram rebrand is a rare case where the best defence is inaction. The token is already yours; it just has a new name. Any page, bot or “agent” inviting you to “claim,” “move” or “activate” GRAM is exploiting the same bug — not in the blockchain, but in the human expectation that a rename means “I must do something.” You don’t. And that is the whole secret.