TON Adoption · Security · Safety · 2026

Safe TON discovery: a checklist for newcomers

How to vet a wallet, DEX, dApp, or mini-app before using it on TON. A 12-point checklist to avoid scams in 2026.

Author: TON Adoption Team · editorial
6 min read

The most expensive mistakes on TON aren’t made on complex DeFi strategies. They’re made on simple things: you opened the wrong wallet site, signed the wrong request, or sent TON to the wrong address. Most of these losses are preventable with five minutes of due diligence.

Below is a checklist of 12 quick verifications to run before using any tool on TON that is new to you: a wallet, DEX, dApp, mini-app, bridge, or staking service.

Before starting: three types of discovery

To apply the checklist deliberately, first recognise which type of discovery you’re doing:

Type 1: a wallet. Highest risk, because you enter a seed phrase or private key into it. A compromised wallet means everything it holds is gone.

Type 2: DEX / lending / staking. Medium risk. You connect an existing wallet through TON Connect; a dApp cannot move funds on its own, only through transactions you approve, so the damage is bounded by what you sign.

Type 3: dApp / mini-app / Telegram bot. Variable risk. It could be phishing that harvests seed phrases or signed transactions. It could be legitimate but poorly secured. It could be entirely honest.

The same checklist applies to all three — but the weights differ.

The checklist: 12 points

1. Eyeball the domain (30 seconds)

Open the site. Look at the URL bar. Compare letter-by-letter to the canonical:

  • tonkeeper.com — right.
  • tonkeperr.com, tonkeepers.com, t0nkeeper.com, tonkееper.com (with Cyrillic “е”) — phishing.

Scam domains often use:

  • Letter doubling (keeper → keeperr)
  • Look-alike substitution (o → 0, Latin e → Cyrillic е)
  • Extra suffixes (tonkeeper-app.com)

Red flag: the URL came from a link in a Telegram chat and you don’t remember anyone recommending exactly that URL.
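The letter-by-letter comparison above can be automated. The following is an added example written for this article, not a tool from Tonkeeper or any other project named here; the CANONICAL allowlist is an assumption, and you would fill it with hostnames you have verified yourself. It classifies a URL as an exact match, a Cyrillic homoglyph, a digit-for-letter swap, a mixed-script name, a near-miss (doubled letters, extra suffix), or simply unknown.

```python
"""Look-alike domain check for point 1 of the checklist.

Added example for this article; not code from Tonkeeper or any other
project named on the page. CANONICAL is an assumed allowlist: put the
hostnames you have verified yourself in it."""
import unicodedata
from urllib.parse import urlsplit

CANONICAL = {"tonkeeper.com", "ston.fi", "tonstakers.com"}   # assumption

# Cyrillic а е о р с у х і render identically to Latin a e o p c y x i.
HOMOGLYPHS = str.maketrans("\u0430\u0435\u043e\u0440\u0441\u0443\u0445\u0456",
                           "aeopcyxi")
# Digit-for-letter swaps typical of ASCII typosquats (t0nkeeper, tonkeeper1).
CONFUSABLES = str.maketrans("0135", "oles")


def hostname(url: str) -> str:
    """Lower-cased hostname of a URL or bare host, with punycode decoded."""
    if "://" not in url:
        url = "https://" + url
    host = (urlsplit(url).hostname or "").rstrip(".")
    try:
        host = host.encode("ascii").decode("idna")   # xn--... -> unicode
    except UnicodeError:
        pass                                          # already unicode
    return host.lower()


def scripts(text: str) -> set:
    """Unicode scripts of the letters in text, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(c, "UNKNOWN").split()[0] for c in text if c.isalpha()}


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a doubled letter or one extra character costs 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Label left of the TLD (crude: ignores multi-part suffixes like co.uk)."""
    parts = host.split(".")
    return parts[-2] if len(parts) >= 2 else host


def vet_domain(url: str, canonical=CANONICAL) -> str:
    """Classify the hostname in url against the allowlist:
    'ok', 'homoglyph', 'confusable', 'mixed-script', 'lookalike' or 'unknown'."""
    host = hostname(url)
    if host in canonical:
        return "ok"
    folded = unicodedata.normalize("NFKC", host).translate(HOMOGLYPHS)
    if folded in canonical:
        return "homoglyph"        # tonkееper.com with Cyrillic е (U+0435)
    if folded.translate(CONFUSABLES) in canonical:
        return "confusable"       # t0nkeeper.com
    if len(scripts(host)) > 1:
        return "mixed-script"     # Latin and Cyrillic letters in one name
    label = registrable(folded)
    for good in canonical:
        good_label = registrable(good)
        if good_label in label or levenshtein(label, good_label) <= 2:
            return "lookalike"    # tonkeperr.com, tonkeepers.com, tonkeeper-app.com
    return "unknown"


if __name__ == "__main__":
    for sample in ("https://tonkeeper.com/", "tonkeperr.com", "https://t0nkeeper.com",
                   "https://tonk\u0435\u0435per.com", "tonkeeper-app.com", "https://example.com"):
        print(f"{vet_domain(sample):13} {sample}")
```

Anything other than "ok" means: stop, and find the real URL from a source you already trust. "unknown" is not a pass either; it only means the name is not a visible imitation of something on your list.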

2. Check TLS and the certificate (10 seconds)

Click the lock in the URL bar. A legitimate site has:

  • A lock icon with no warnings.
  • A certificate issued by a publicly trusted CA (for example Let’s Encrypt or DigiCert).
  • A validity period that didn’t expire yesterday.

A valid certificate only proves that whoever runs the site controls that domain. Phishing sites get one for free in minutes, so this check catches sloppy clones, not careful ones; point 1 does the real work.

Red flag: “Your connection is not private”, a self-signed certificate, an expired date.

3. Find the Twitter / X account (1 minute)

A legitimate protocol has a Twitter with:

  • 5,000+ followers (for serious protocols — 50,000+).
  • Post history going back 6+ months.
  • Regular activity, not silent since the launch tweet.

Red flag: Twitter created 2 weeks ago, 200 followers, last post 2 months ago.

4. Find the official Telegram (1 minute)

In crypto, Telegram = the main community channel. A legitimate protocol has:

  • A Telegram channel with 1,000+ subscribers.
  • A public chat for questions.
  • A bot for notifications / support.

Red flag: only a private chat with no description; the team doesn’t reply; channel created the day you first heard of it.

5. Check audits (2 minutes)

Mandatory for DeFi. Go to the site, find a “Security” or “Audits” page:

  • Who audited? Known names: Hacken, Halborn, Trail of Bits, Quantstamp, CertiK, OpenZeppelin.
  • When, and what exactly? A real report names the commit or contract addresses it covers. If the last audit was 2 years ago and the code changed since, or the audited version isn’t the one deployed, that’s bad.
  • Where’s the full report PDF?

Red flag: “We are audited” with no report link; audit by some no-name “AuditBros LLC”.

6. Check TVL and active users (1 minute)

Open DeFiLlama or TonAPI. A legitimate working protocol has:

  • TVL > $100K (small) or > $1M (serious).
  • Stable growth or moderate fluctuation, not ±90% candles.
  • 100+ unique users per day.

Red flag: TVL = $200 (three transactions for show), 1-2 unique users.

7. Check open-source (1 minute)

A legitimate protocol usually has a GitHub. Check:

  • Activity in the last 90 days: are there commits?
  • Issues: does someone respond?
  • Are the contracts public, and is the deployed contract’s source verified on a TON explorer, so the on-chain code matches the repository?

Red flag: GitHub exists, but only 2 commits both from 2024; contracts “closed for security”.

8. Check incidents (2 minutes)

Google: <protocol name> hack OR exploit OR drain. Read what comes up:

  • If incidents happened — how did the protocol respond? Transparently or by hiding?
  • User compensations?
  • Post-incident code review?

A past incident doesn’t disqualify — the response disqualifies.

Red flag: incident happened, info is sparse, team went silent for a month.

9. Check Twitter community sentiment (1 minute)

Twitter search: <protocol name>. Look at user posts from the last month:

  • Complaints “money didn’t arrive”, “contract hung”, “withdrew unannounced”?
  • Active engagement (real users, not bots)?
  • Tone — reviews or hype-posting?

Red flag: all tweets about the protocol come from 10 identical accounts with buy-the-dip energy.

10. Check if it’s in curated catalogues (1 minute)

The TON Foundation maintains a project directory; on our site there’s a TON wallet catalogue, DEX catalogue, CEX catalogue. If the protocol isn’t in any curated list, that doesn’t disqualify it — but it raises the bar on the other checks.

Red flag: protocol absent from ALL curated lists while being actively promoted.

11. The connection: signing request (30 seconds on first connect)

When you connect via TON Connect, the wallet shows a request. Read it:

  • What are you approving? On connect, the wallet shows the dApp’s name and domain from its manifest; the domain must match the site in your URL bar. On a transaction, the wallet shows each outgoing message: destination, amount, and whether it carries a payload.
  • Does the request match the action? One swap is one transaction; the destination, the amount and the number of messages should match what the screen described. A jetton transfer or swap is a contract call, so the TON amount shown is mostly gas and the real amount sits in the payload.
  • Is there a warning about an unverified dApp?

More on signData and phishing via TON Connect — in our piece.

Red flag: the wallet shows only “Sign” with no description; a request that doesn’t match the current action (extra messages, a larger amount, or a different destination than the screen described).
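The same comparison, written out as code: an added example for this article, not code from TON Connect or any wallet. The field names (validUntil in unix seconds; messages[] with address, amount in nanoton as a string, optional payload and stateInit) follow the TON Connect sendTransaction request; the two sample requests, the placeholder addresses and the 10-minute validity cap are constructed for illustration.

```python
"""Pre-approval inspection of a TON Connect sendTransaction request.

Added example for this article, not code from TON Connect or any wallet.
Field names follow the TON Connect sendTransaction request; the sample
requests, addresses and the validity cap below are constructed assumptions."""
import time

NANOTON = 10**9          # 1 TON = 1e9 nanoton
MAX_VALIDITY_SEC = 600   # assumed cap: a request valid for hours can be held and sent later


def inspect_request(req, expected_to=None, expected_ton=None,
                    plain_transfer=False, now=None):
    """Compare what the dApp's screen promised with what the wallet is asked to sign.

    expected_to:    the single destination the screen showed, if any
    expected_ton:   the TON amount the screen showed, if any
    plain_transfer: True if the screen described a simple TON transfer, in which
                    case any payload or stateInit contradicts it
    Returns a list of findings; an empty list means nothing contradicts the screen."""
    now = time.time() if now is None else now
    findings = []
    msgs = req.get("messages") or []
    if not msgs:
        return ["request carries no messages"]

    valid_until = req.get("validUntil")
    if valid_until is None or valid_until - now > MAX_VALIDITY_SEC:
        findings.append("validUntil missing or far in the future: request can be held and sent later")
    if len(msgs) > 1:
        findings.append(f"{len(msgs)} outgoing messages where the screen described one action")

    total_ton = 0.0
    for i, m in enumerate(msgs):
        amount_ton = int(m["amount"]) / NANOTON
        total_ton += amount_ton
        if expected_to is not None and m["address"] != expected_to:
            findings.append(f"message {i}: destination {m['address']} is not the one shown ({expected_to})")
        if plain_transfer and m.get("payload"):
            # A payload is a contract call. For jettons it carries the real amount,
            # which the 'amount' field (gas only) does not show; decoding it needs a
            # BOC parser, which this example does not include.
            findings.append(f"message {i}: has a payload, but the screen described a plain transfer")
        if plain_transfer and m.get("stateInit"):
            findings.append(f"message {i}: carries stateInit (deploys a contract)")
    if expected_ton is not None and total_ton > expected_ton:
        findings.append(f"total {total_ton:g} TON exceeds the {expected_ton:g} TON shown")
    return findings


if __name__ == "__main__":
    NOW = 1_700_000_000
    DEST = "UQ_constructed_destination_shown_on_screen"      # placeholder, not a real account
    # An honest "send 1 TON to DEST" request.
    honest = {"validUntil": NOW + 300,
              "messages": [{"address": DEST, "amount": str(1 * NANOTON)}]}
    # The same screen, but the request quietly adds a second, larger transfer.
    sneaky = {"validUntil": NOW + 86_400,
              "messages": [{"address": DEST, "amount": str(1 * NANOTON)},
                           {"address": "UQ_constructed_attacker_address",
                            "amount": str(50 * NANOTON),
                            "payload": "PLACEHOLDER_BOC"}]}   # any non-empty payload counts
    for name, req in (("honest", honest), ("sneaky", sneaky)):
        print(name, inspect_request(req, DEST, 1, plain_transfer=True, now=NOW) or ["clean"])
```

A wallet already renders most of these fields; the point of the example is which ones to read before tapping Confirm, and that "one action on screen, one message in the request" is the expectation to hold the dApp to.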

12. First transaction: test it (1-5 minutes)

Before the main operation, do a small test transfer (e.g., 1 TON, or $5 in stablecoins). Verify:

  • Did the transaction complete?
  • Did funds arrive where promised?
  • If there’s a reverse operation — does it work too?

This is basic, but the most common check newcomers skip. 5 minutes of testing saves hours of panic and thousands of dollars.

Red flag: test transaction “hung” for more than 10 minutes, support is silent, explorer shows an error.

What to do if the protocol fails the check

  • Don’t use it. Not for $100, not for $5.
  • Find an alternative. Every category has vetted options.
  • Tell the community. If it’s an obvious scam copy — let the real protocol’s Twitter and Telegram know. It helps the next victims.

Where to find “vetted alternatives”

Curated catalogues we maintain:

  • Wallets: /en/wallets/ — 8 vetted wallets with reviews.
  • DEX: /en/dex/ — 5 major DEXes on TON.
  • CEX for buying TON: /en/cex/ — 5 exchanges with regional access notes.

Each entry has: pros/cons, our score, audit links, and notable known risks.

The most dangerous newcomer mistakes

Top three losses I see:

  1. Address poisoning. Someone sends you a tiny transaction from an address whose first and last characters match those of a friend or exchange you transact with. Next time you copy an address from your history, you pick the malicious one. More — in our address poisoning piece.

  2. Domain-twin phishing. tonkeperr.com instead of tonkeeper.com. You type in your seed phrase to “recover the wallet” — it’s gone.

  3. Telegram social engineering. Fake support in Telegram writes “There’s a problem with your wallet, let me check. Enter your seed phrase into this bot for diagnostics”. No legitimate support ever asks for your seed phrase. More — in our social engineering in TG chats piece.
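For the address-poisoning case, and for the "verify addresses in full" rule that follows, here is an added example written for this article, not code from any TON wallet. It uses the standard user-friendly address layout (36 bytes: tag, workchain, 32-byte account hash, CRC16/XMODEM, base64url-encoded) so that the EQ…, UQ… and raw 0:… spellings of one account compare equal, and it scans a history for counterparties that imitate a saved contact. The contacts and history are constructed; the forge_lookalike helper only builds test data (a real attacker cannot choose a contract's hash and brute-forces vanity addresses instead).

```python
"""Address-poisoning check against a wallet's transaction history.

Added example for this article, not code from any TON wallet. The address
layout (tag, workchain, 32-byte hash, CRC16/XMODEM, base64url) is the
standard user-friendly format; contacts and history below are constructed."""
import base64
import binascii

GENERATOR = bytes([0x01, 0x10, 0x21])   # CRC16/XMODEM polynomial x^16 + x^12 + x^5 + 1


def crc16_xmodem(data: bytes) -> int:
    crc = 0
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


def encode_address(workchain: int, account_hash: bytes, bounceable: bool = True) -> str:
    """(workchain, hash) -> user-friendly form; mainnet workchain 0 gives EQ... / UQ..."""
    tag = 0x11 if bounceable else 0x51
    body = bytes([tag, workchain & 0xFF]) + account_hash
    return base64.urlsafe_b64encode(body + crc16_xmodem(body).to_bytes(2, "big")).decode()


def parse_address(text: str) -> tuple:
    """Any accepted spelling -> canonical (workchain, hash_hex).
    Raises ValueError on wrong length or bad CRC, so a mistyped address never passes."""
    if ":" in text:                                    # raw form "0:<64 hex chars>"
        wc, hex_hash = text.split(":", 1)
        if len(hex_hash) != 64:
            raise ValueError(f"bad raw address: {text!r}")
        return int(wc), hex_hash.lower()
    b64 = text.replace("-", "+").replace("_", "/")
    b64 += "=" * (-len(b64) % 4)
    try:
        raw = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError) as err:
        raise ValueError(f"not base64: {text!r}") from err
    if len(raw) != 36:
        raise ValueError(f"bad length: {text!r}")
    body, crc = raw[:34], int.from_bytes(raw[34:], "big")
    if crc != crc16_xmodem(body):
        raise ValueError(f"checksum mismatch: {text!r}")
    workchain = body[1] - 256 if body[1] > 127 else body[1]   # signed int8
    return workchain, body[2:].hex()


def same_account(a: str, b: str) -> bool:
    """Compare accounts, not strings: EQ..., UQ... and 0:... of one account are equal."""
    return parse_address(a) == parse_address(b)


def looks_like(candidate: str, trusted: str, head: int = 4, tail: int = 6) -> bool:
    """A poisoning look-alike: a different account whose visible ends match."""
    return (not same_account(candidate, trusted)
            and candidate[:head] == trusted[:head]
            and candidate[-tail:] == trusted[-tail:])


def poisoning_suspects(history, contacts: dict) -> list:
    """history: [(counterparty_address, amount_ton)], contacts: {name: address}.
    Returns (counterparty, mimicked_contact, amount) for every history entry that
    is not a saved contact but visually imitates one."""
    suspects = []
    for addr, amount in history:
        if any(same_account(addr, good) for good in contacts.values()):
            continue
        for name, good in contacts.items():
            if looks_like(addr, good):
                suspects.append((addr, name, amount))
    return suspects


def pick_from_history(addr: str, contacts: dict) -> str:
    """The only safe way to reuse an address from history: exact account match."""
    for good in contacts.values():
        if same_account(addr, good):
            return good
    raise ValueError("address from history is not a saved contact; do not reuse it")


def forge_lookalike(account_hash: bytes, offset: int = 10) -> str:
    """Constructed test data only. XOR-ing the CRC generator into the middle of the
    hash leaves the CRC unchanged (CRC is linear), so the forged address shares its
    first 4 and last 6 characters with the real one. Real attackers cannot choose a
    contract's hash; they brute-force vanity addresses to the same visual effect."""
    poisoned = bytearray(account_hash)
    for i, g in enumerate(GENERATOR):
        poisoned[offset + i] ^= g
    return encode_address(0, bytes(poisoned))


if __name__ == "__main__":
    alice_hash = bytes(range(1, 33))                           # constructed contact
    contacts = {"alice": encode_address(0, alice_hash)}
    history = [
        (encode_address(0, alice_hash, bounceable=False), 12.0),   # alice, UQ spelling
        (forge_lookalike(alice_hash), 0.001),                      # dust from a look-alike
        (encode_address(0, bytes([0x99]) * 32), 5.0),              # unrelated counterparty
    ]
    for addr, name, amount in poisoning_suspects(history, contacts):
        print(f"SUSPECT {addr} mimics '{name}' ({amount} TON)")
```

Two things the example shows that the checklist alone does not: the checksum in an address catches typos, not impostors (a poisoning address is a perfectly valid account), and "the last six characters match" is exactly the property the attacker optimises for, so the only safe comparison is the whole account.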

If you remember only three rules:

  • Never show your seed phrase to anyone. Even support. Even “for diagnostics”.
  • Verify destination addresses in full, not just the first and last characters: address-poisoning attacks generate addresses that match both ends.
  • Before any new operation — test transfer.

Net takeaway

12 points sounds like a lot, but in reality vetting a known protocol takes 2-3 minutes — you already know most answers. A new one — 15-20 minutes. That’s less than an hour of work, much less than negotiating a refund after a scam (which probably won’t succeed).

Full TON security primer for newcomers — here. Real-world phishing and social engineering cases — the TG chat scam piece.

Frequently asked

TON discovery is the process of finding and connecting to new tools in the TON ecosystem: wallets, DEXes, dApps, mini-apps. At each step there's a risk of running into a fake, phishing site, or scam. The checklist is a 12-step quick verification, after which you either know the protocol is safe to use or that you should walk away.
5-15 minutes depending on experience. If the protocol is large and well-known (Tonstakers, STON.fi, Tonkeeper), most points you already know and clear in a minute. New protocol — takes longer. Either way it's less than the time you'd spend recovering from a scam (which probably won't work).
You can shorten, not skip. The TON Foundation curates major protocols, but: (1) the Foundation site itself could be impersonated by a phishing twin — verify the domain; (2) even legitimate protocols can have an active incident — check Twitter/Telegram for fresh security news; (3) your specific path to the protocol could be tainted (telegram bot, link from a chat).
Don't use it. Better to spend another 5 minutes finding a vetted alternative (our catalogues, community recommendations) than risk a deposit. The list of TON wallets, DEXes, and CEXes that passed our editorial review is in the site catalogues (/en/wallets/).
Yes, and it's especially important. Telegram mini-apps often open from a Telegram channel or bot, bypassing the browser's warning about suspicious URLs. Verify: (1) the bot's official account: does it have a Telegram verified checkmark; (2) the bot's subscriber numbers: organic, not inflated; (3) the mini-app's behaviour at sign-in: does it ask for strange permissions.
Top three risks: (1) address poisoning — someone sends you a near-identical look-alike address so you copy the wrong one next time; (2) phishing copy of a known protocol on a look-alike domain (e.g., tonkeperr.com instead of tonkeeper.com); (3) Telegram social engineering — fake support accounts asking for your seed phrase.
