Skip to main content
T TON Adoption
RU
Regulation GUIDE · 2026

KYC for TON wallets and exchanges: 2026 guide

Where KYC is required in TON in 2026: Telegram Wallet, Mercuryo/MoonPay, Bybit, OKX. And where it isn't: Tonkeeper, MyTonWallet, DEXes.

Author
TON Adoption Team · research desk
Published
8 min read

TL;DR. In the TON ecosystem of 2026, KYC is not a single universal process — it is a spectrum. From “zero verification” (Tonkeeper, MyTonWallet, STON.fi) to “full passport + proof of address + selfie with a note” (Bybit Lv2, OKX Advanced). The boundary is simple: where there is fiat (dollar, euro, ruble) or a custodial service, there is KYC; where only on-chain TON and jettons live, there is none. This guide breaks down which documents to prepare, typical processing times and what to do when rejected.

Disclaimer. Informational material. Not financial, tax or legal advice. Each service changes thresholds, limits and requirements without public notice — check the official page before any transaction.

What KYC is and why crypto has it

KYC (Know Your Customer) is the set of procedures every regulated financial institution must apply to identify a client. The goal is compliance with AML/CFT (anti-money laundering, counter-financing of terrorism) and sanctions rules. Crypto adopts KYC on the same grounds as banking:

  • FATF Travel RuleFATF recommendation, implemented in the EU (TFR), the US (FinCEN), Singapore, the UAE, Japan and elsewhere. Regulated VASPs (Virtual Asset Service Providers) must identify both sender and recipient for transfers above the ~$1000 equivalent.
  • EU AMLD-6 — the sixth anti-money-laundering directive: extended liability and a list of obliged entities that now covers all VASPs.
  • MiCA — the Markets in Crypto-Assets Regulation, in force across the EU through 2024-2025. Requires KYC for CASPs (Crypto-Asset Service Providers).
  • OFAC SDN list (US) and analogues — sanctions registers. A regulated service must refuse a client appearing on a sanctions list.

KYC therefore appears in the TON ecosystem exactly where a service falls under one of these requirements.

Where KYC is mandatory in the TON ecosystem

A summary table of services a typical TON user touches:

ServiceTypeKYC required?No-KYC threshold
Telegram Wallet (@wallet)custodialyes, on P2P and large off-ramps~$200/day P2P, ~$1-3k/month
xRocket (xJetton + Pay)custodial / hybridon card/SEPA off-rampssmall internal P2P
Cryptobot (@CryptoBot)custodialon P2P fiattip ops up to ~$50
Mercuryofiat onrampyes (mid/large amounts)up to ~$50 per transaction
MoonPayfiat onrampyesup to ~$150/month without full KYC
Banxafiat onrampyesup to ~$50 per transaction
Transakfiat onrampyesup to ~$100/month
BybitCEXyes (for trading and withdrawal)deposit and hold only
OKXCEXyesdeposit and hold only
MEXCCEXformally yes, softer in practicepartial spot without full KYC
HTXCEXyesdeposit
BitgetCEXyesdeposit
Tonkeeperself-custodynounlimited (no intermediary)
MyTonWalletself-custodynounlimited
Tonhubself-custodynounlimited
STON.fi / DeDuston-chain DEXnounlimited
Getgems / DisintarNFT marketplaceno (for on-chain trading)unlimited

Telegram Wallet — custodial by nature

Wallet by The TON Foundation Inc. (the @wallet operator, not the TON Foundation itself) is licensed in St. Vincent and the Grenadines. Baseline features — receive, send, hold TON/USDT/BTC/NOT — work without verification; the service holds the keys. KYC kicks in for two scenarios:

  1. P2P marketplace. Going above the daily fiat trade threshold (usually around $200 per day depending on region) triggers verification.
  2. Large outbound withdrawal. Typically once cumulative monthly turnover crosses a few thousand dollars.

After basic KYC the limits go up. Extended KYC (for $10k+ tiers) includes proof of address.

Mercuryo / MoonPay / Banxa / Transak — fiat onramps

All four work along a similar ladder:

  • Mini-KYC (no full passport) — email + phone. Cap: roughly $50–150 per month depending on provider and country.
  • Standard KYC — passport + selfie, sometimes video verification. Cap: $5k–20k per month.
  • Enhanced Due Diligence — for amounts above $10k–20k: proof of address + source of funds.

See the best fiat-onramps guide for fees and region availability.

CEX (Bybit, OKX, MEXC and others) — the strictest tier

Every mainstream exchange in 2026 requires at least basic KYC for spot trading and withdrawals. Without KYC you can only register and deposit — this is now codified in most jurisdictions.

KYC tiers on Bybit as a typical CEX flow:

  • Lv1 Basic — passport/ID + selfie. Opens spot trading and up to ~$50k daily withdrawal.
  • Lv2 Advanced — proof of address (utility bill, bank statement under 3 months). Raises daily withdrawal to $1M+.
  • Pro/VIP — extra checks for institutional clients; not needed for retail.

OKX has analogue tiers (Lv1, Lv2, Lv3). HTX and Bitget follow the same model. MEXC was historically softer — some spot features worked without full KYC — but tightened during 2025-2026 under regulatory pressure.

Where KYC is NOT required

Self-custody wallets

Tonkeeper, MyTonWallet, Tonhub, Wallet.tg-Hub, Ledger with TON app — all non-custodial. Creation = a private/public key pair generated on your device. The developer does not hold personal data, cannot freeze your balance and does not file reports to any regulator, because they have no concept of a “client”.

See Tonkeeper vs MyTonWallet and storing TON on CEX vs wallet risks for deeper comparisons.

On-chain DEX and NFT marketplaces

STON.fi, DeDust, Getgems, Disintar and other pure dApps work via smart contracts. Connecting through TON Connect is a cryptographic signature from your wallet, not a transfer of personal data. KYC is technically impossible at the smart-contract level.

Mining and validation

Running your own TON validator (~300k TON stake) or delegating to a staking pool (Tonstakers, Hipo, bemo) is an on-chain operation from a self-custody wallet. No KYC. Tax obligations still arise — these are independent.

KYC documents

The standard package regulated services ask for in 2026:

Basic tier

  1. ID document. Passport (national or international), national ID, driver’s licence. Most services recognise these automatically via providers like Sumsub, Onfido, Jumio.
  2. Selfie / liveness check. Often with prompts: “turn your head”, “read a number”, “smile”. Confirms the face is live and matches the document photo.
  3. Email + phone. Already at registration.

Extended tier (proof of address)

  1. Proof of address. Any of:

    • utility bill (electricity, gas, water) from the last 3 months;
    • bank statement (PDF, not screenshot);
    • official letter from a government agency (tax authority, immigration);
    • rental contract with a registered address.

    The document must clearly show: full name, current address, issue date.

Enhanced Due Diligence (large amounts)

  1. Source of funds. Tax return, sale-of-asset contract, employer salary statement, business-sale documents.
  2. Customer profile questionnaire. Profession, expected turnover, origin of capital.
  3. Video interview for very large sums (above ~$100k).

Technical requirements for scans

  • Colour image, no clipped corners.
  • No glare, especially on holograms.
  • Document on a uniform background (table, not floor).
  • Selfie in even lighting, no sunglasses or hats (except for religious reasons), face centred.
  • PDF for proof of address — not a web screenshot; an actual PDF downloaded from your bank or utility portal.

Typical timelines

Service typeBasic KYCExtended
Telegram Walletminutes to hourshours to days
Mercuryo / MoonPay (at amount)minutes to hoursdays
Bybit / OKX (automated)5-30 min1-5 days
Bybit / OKX (manual review)1-48 hours5-10 days
MEXC5 min - 24 hours3-7 days

“Hours” applies when the AI provider is confident in document quality. Manual review kicks in on low confidence scores or for suspicious profiles.

Rejection reasons and what to do

The most common rejection reasons in 2026:

1. Document quality

  • Document number unreadable. Fix: reshoot in daylight on a plain surface.
  • Selfie does not match the document. Fix: remove glasses, hat, mask; redo the liveness check.
  • Expired document. Passports under 3-6 months of validity are sometimes rejected. Fix: use a valid ID.

2. Data mismatch

  • Name in the document does not match the form. Often a transliteration problem: “Ivanov A.” vs “Aleksei Ivanov”. Fix: enter the name exactly as it appears in the passport, in the same alphabet.
  • Date of birth mismatch. Usually a typo in registration. Fix: contact support to correct it.

3. Sanctions / region

  • Region not served. Many services refuse users from specific jurisdictions by policy. The list shifts. Not a bug, policy.
  • IP does not match the declared country. Using a VPN from a third country often triggers blocks. Fix: use a clean IP from the country in your KYC. Using a VPN to bypass geo-blocks violates the ToS of most services.

4. Suspicious activity

  • Multiple accounts on one identity. Every KYC provider does biometric matching — a face cannot be “let in” a second time.
  • Suspicious operation history. For example, attempting to withdraw a freshly deposited large sum without trading.

What to do on rejection

  1. Read the rejection email. The wording is usually specific: “document not clear”, “face mismatch”, “proof of address expired”.
  2. If the cause is technical — resubmit with corrections. Most services allow 2-3 retries. After 4-5 fails some block further attempts for 30-90 days.
  3. If the cause is systematic — support is unlikely to help. Consider alternatives:
    • another exchange with lighter compliance for your region;
    • the same exchange’s P2P market — KYC is softer and trades happen between individuals;
    • a local exchanger.

KYC and taxes

Passing KYC by itself does not create a tax obligation, but it creates a trail: the exchange knows who you are and what you hold; on official request the tax authority gets that information. In most countries 2024-2026 saw automatic data exchange between crypto venues and tax services rolled out.

So a KYC exchange is not “risky from a tax angle”, it is “tax-visible by default”. The best strategy: keep records from day one, declare income on time, avoid large unexplained transfers between wallets.

Pre-registration checklist for any CEX or onramp

  1. Prepare documents in advance. Passport + high-resolution selfie + PDF bank statement under a month.
  2. Check that the service covers your region. Open the FAQ or Terms — there is usually an excluded-countries list.
  3. Use honest data. Name exactly as in the passport, real address, real phone.
  4. Do not run a VPN during KYC. The IP country must match your declared country.
  5. Screenshot a successful KYC. Useful for future disputes.
  6. Enable 2FA right after KYC. Prefer a Yubikey or authenticator app over SMS.

Sources and references

All formulations reflect our reading as of 9 June 2026. Each service changes limits and document requirements without public notice — check the official page before any operation.

Frequently asked

KYC applies to custodial services: Telegram Wallet (when daily and monthly P2P thresholds are exceeded and on large withdrawals), xRocket Pay (on card off-ramps), Cryptobot Pay (on P2P fiat operations), and every CEX that lists TON — Bybit, OKX, MEXC, HTX, Bitget. Full self-custody — Tonkeeper, MyTonWallet, Tonhub, Ledger with TON app — plus pure on-chain activity (DEX, NFT marketplaces) does not request KYC by architecture: the service has no personal data on you to verify.
Per our reading in 2026, Wallet by The TON Foundation Inc. (the @wallet operator, not the TON Foundation itself) keeps a baseline P2P threshold around $200 per day and a few hundred dollars per withdrawal. Monthly cumulative turnover without KYC is typically a few thousand dollars. Exact thresholds vary by region. After basic KYC the cap rises to roughly $10,000 per month; for tiers above that the service asks for an extended document package.
It is not their initiative — it is a licensing requirement. Mercuryo holds EMI/MSB licences in the EU, UK and elsewhere; MoonPay is registered as a VASP across EU jurisdictions and as a FinCEN MSB in the US. They must follow the FATF Travel Rule (for transfers above the ~$1000 equivalent between regulated services) and AMLD-6 in the EU. On small amounts (Mercuryo up to about $50, MoonPay up to about $150 per month), email verification can be enough; above that the full KYC kicks in.
Basic KYC on Bybit and OKX (passport + selfie) is usually automated and completes within 5-30 minutes. When the model is not confident in image quality, it moves to manual review, which takes 1 hour to 1-2 days. Extended KYC (Lv2 on Bybit, Advanced on OKX) — proof of address such as a utility bill from the last 3 months or a bank statement — takes longer, 1-5 business days on average.
First read the rejection email — it is usually specific: 'passport number unreadable', 'face mismatch', 'address not verified'. Resubmit with fixes. If the rejection is systematic ('your region is not served', 'you appear on a sanctions list'), support will rarely help — this is policy, not a bug. In that case look at alternatives: P2P on the same exchange, a different CEX, a local exchanger with lighter compliance.
Regulated services (Mercuryo, MoonPay, Bybit, OKX) store KYC data in infrastructure subject to GDPR or equivalent — direct public-facing leaks have been rare. But: on an official government request (OFAC, FinCEN, your local regulator) the data is handed over. This applies to all KYC services equally. For most users it is a theoretical risk; for users in sanctioned regions or FATF-sensitive categories it is real.
Technically yes: a self-custody wallet (Tonkeeper, MyTonWallet) + an on-chain DEX (STON.fi, DeDust) + peer-to-peer trades without intermediaries = zero KYC. But the moment you need a fiat off-ramp (selling TON to your bank account in dollars or euros), the regulated middleman of 2026 will request verification. Fully cash-only schemes via offline exchangers exist but are a regulatory grey zone.

Related

← Back to blog