Security · Field guide · 2026

Social Engineering in Telegram Crypto Chats 2026

Field guide to the five social-engineering tactics targeting TON holders on Telegram in 2026: fake support DMs, pig butchering, admin impersonation, job-offer scams, gift phishing — and how to react.

Author: research lead · security desk
Published · 10 min read

Technical phishing in TON is well documented: drainer contracts, cloned domains, “tap-to-earn” mini-apps with hidden token transfer signatures. The less-discussed but more profitable part of the industry is social engineering. It does not target the interface — it targets the person: their fear, their trust, their loneliness, their hope for a career break. On Telegram these tactics are unusually effective, because the messenger blurs the line between personal and financial context. This guide is a field-level breakdown of the five tactics we observe in TON crypto chats today.

TL;DR

  • Fake wallet support always writes first — legitimate support never initiates a DM, that is the entire tell.
  • Romance scams (pig butchering) are the highest-loss category by average per-victim damage, with a 3-12 week build-up.
  • Admin impersonation relies on Cyrillic look-alike characters in usernames plus cloned avatar and display name.
  • Job-offer scams from “crypto recruiters” funnel toward “test our app” — which is always a drainer or trojanized package.
  • “Exclusive NFT gift” stickers with a phishing link in the description are the 2025-2026 evolution of gift fraud.

Why Telegram is the highest-leverage channel for crypto scams

The attacker’s logic is simple: campaign efficiency equals reach × conversion divided by cost-per-attempt. Telegram optimises all three at once.

Reach. Public crypto chats with 10-100 thousand members are open targets for username scraping. An attacker pulls the member list via API in a single pass, filters by activity in scam-relevant chats (DEX, NFT, mini-apps), and ends up with a target list of several thousand high-quality usernames per campaign.

Conversion. A message from a human passes the trust filter far more easily than a banner ad. On Telegram there is no visual distinction between a message from a friend and one from a scammer — same interface, same typography, same reply button. By the time the victim opens the dialog they are halfway engaged.

Cost. A Telegram account on a virtual number costs one to three dollars and bans get absorbed in bulk. A single operator runs dozens of parallel conversations through a CRM overlay. Compared to roughly fifty dollars for a single Google Ads click on a crypto keyword, Telegram is essentially free real estate.

Add the fact that the victim’s wallet is already embedded in the messenger (Wallet, TON Connect sessions), and the loop closes: from first contact to signing a malicious transaction takes three taps and five minutes.

Tactic 1: fake wallet support (DM, “verification”)

The victim complains in a project’s public chat about a stuck transaction, an unresponsive balance, or a TON Connect handshake failing. Within 30-90 seconds a DM arrives with display name “Tonkeeper Support” or “Wallet Help Desk”, a username like @tonkeeper_support_help, and the project’s official logo as avatar.

The account offers to help “right now” and asks for one of two things:

  1. Enter the seed phrase into a “secure recovery form” linked from the message — the link points to a cloned site.
  2. Open a “repair mini-app” — it requests a TON Connect signature to a drainer contract and empties the wallet on confirmation.

Either way the attacker completes the operation in under two minutes.

How to spot it. Legitimate support never initiates a DM. Tonkeeper, MyTonWallet, Tonhub, Wallet on Telegram — all of them respond only through their published support channels, and only after you’ve opened a ticket yourself. Any “support” DM you didn’t request first is a scam by default.

How to react. Block + Report without replying. Don’t write “you’re not real”. Don’t quiz them to “prove it”. Any interaction confirms the username is active, and the account moves into a paid list for the next campaign.

What NOT to do. Don’t repost the conversation publicly without redacting it — your own username and wallet mentions go into scam lists. Don’t click “proof” links from the scammer even out of curiosity; some links fingerprint the device before the page even loads.

Tactic 2: dating funnels and pig butchering

The script comes from sha zhu pan, literally “pig butchering” in Chinese. The victim is “fattened” with trust and emotional attachment before being “slaughtered” in a single large outflow.

The standard runtime is 3-12 weeks.

Week 1. Introduction on Telegram — through a random crypto chat, a knowledge group, or a “wrong number” DM. The attacker’s account is heavily warmed: real-looking profile photos, message history, sometimes a Premium badge.

Weeks 2-4. Gradual deepening. The scammer shares “personal stories”, sends lifestyle photos, sometimes layers in voice messages. Crypto comes up casually — “my uncle works at an exchange in Hong Kong”, “I accidentally made some money on DeFi this month”.

Weeks 5-8. The “exclusive” platform. The victim is shown an app or site where the partner’s “family” earns 5-15 percent weekly on a TON or USDT staking product. The platform is entirely fake with rendered numbers in the browser. The first deposit of $50-200 withdraws fine — that is part of the script.

Weeks 9-12. Escalation. The victim is encouraged to borrow money, mortgage the apartment, take a personal loan. The final deposit lands in tens of thousands and never comes back. The partner disappears within 24-48 hours.

According to Chainalysis 2025, this is the highest-loss crypto-scam category by average per-victim damage — tens of thousands of dollars versus one to three thousand for standard phishing.

How to spot it. Any person who met you online and steered the conversation toward crypto investing within 2-8 weeks is a stop signal. Any platform claiming “exclusive yield” that is not listed on DeFiLlama or referenced by the TON Foundation is fake. Any first successful withdrawal is a scripted hook, not proof of legitimacy.

What NOT to do. Don’t transfer any sum “to test” — let the partner pay first. Don’t reveal your actual financial position. Don’t share wallet addresses in any context, even “so I can send your money back”.

Tactic 3: admin impersonation (Cyrillic look-alike usernames)

In a large crypto chat, a moderator posts a rule or moderates a discussion. At that moment the attacker, lurking as a regular member, activates a pre-prepared account.

The clone uses one of three tricks.

Cyrillic look-alike. Latin a is swapped for Cyrillic а. The username @admin_tonkeeper is visually indistinguishable from @аdmin_tonkeeper where the first а is Cyrillic. Telegram allows this because uniqueness checks operate within a single script.

Hidden character. Inside the username sits an invisible Unicode codepoint (zero-width joiner). Visually absent but technically a different username.

Display name clone. Beneath an unreadable username sits a display name like “Admin | Tonkeeper” with the same avatar as the real moderator.

After activation the fake DMs participants from the chat to “continue the discussion” and offers a “fix” — usually flowing into tactic 1 (fake support) or tactic 4 (job offer).

How to spot it. Telegram shows the username in the profile header with the @ prefix. Copy it and compare character by character with the username from the project’s public channel. If even one symbol differs, it is a fake. Additionally: real admins of major projects almost never DM members first.
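The character-by-character comparison described above, written out as an added example (not code from the original guide or from Telegram): it flags invisible codepoints, non-Latin letters and positional differences against a reference handle copied from the project’s public channel, and reports whether the two strings render identically. The confusable table is an illustrative subset of Cyrillic/Latin pairs and is an assumption, not an exhaustive list.

```python
import unicodedata

# Cyrillic letters that render like Latin ones (illustrative subset, an assumption).
CONFUSABLE = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j",
})
# Format characters (Cf) and combining marks (Mn) are invisible in a rendered handle.
HIDDEN = ("Cf", "Mn")

def script_of(ch):
    """Coarse script label taken from the Unicode character name."""
    name = unicodedata.name(ch, "")
    for tag in ("LATIN", "CYRILLIC", "GREEK"):
        if name.startswith(tag):
            return tag
    return "OTHER"

def audit_handle(candidate, reference):
    """Compare a handle seen in a DM with the project's published one.
    Returns a list of findings; empty means identical codepoint for codepoint."""
    cand, ref = candidate.lstrip("@"), reference.lstrip("@")
    findings = []
    for i, ch in enumerate(cand):
        if unicodedata.category(ch) in HIDDEN:
            findings.append(f"invisible U+{ord(ch):04X} ({unicodedata.name(ch, '?')}) at index {i}")
    foreign = {script_of(ch) for ch in cand if ch.isalpha()} - {"LATIN"}
    if foreign:
        findings.append("non-Latin letters: " + ", ".join(sorted(foreign)))
    if len(cand) != len(ref):
        findings.append(f"length {len(cand)} differs from reference {len(ref)}")
    else:
        for i, (a, b) in enumerate(zip(cand, ref)):
            if a != b:
                findings.append(f"index {i}: U+{ord(a):04X} vs reference U+{ord(b):04X}")
    return findings

def skeleton(handle):
    """The handle as it renders: hidden codepoints dropped, confusables folded to Latin."""
    visible = (ch for ch in handle.lstrip("@") if unicodedata.category(ch) not in HIDDEN)
    return "".join(visible).translate(CONFUSABLE).lower()

def is_lookalike(candidate, reference):
    """True when the handle renders like the reference but is a different string."""
    return candidate.lstrip("@") != reference.lstrip("@") and skeleton(candidate) == skeleton(reference)

if __name__ == "__main__":
    for seen in ("@admin_tonkeeper", "@\u0430dmin_tonkeeper", "@admin_\u200dtonkeeper"):
        print(seen, is_lookalike(seen, "@admin_tonkeeper"), audit_handle(seen, "@admin_tonkeeper"))
```

An empty findings list with `is_lookalike` returning False is the only result that should be accepted; any finding means the handle is not the one the project published.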

What NOT to do. Don’t click links or connect wallets on the basis that “an admin said so in a DM”. When in doubt, ask publicly in the project’s chat — a real admin replies publicly.

Tactic 4: job-offer scam (recruiter → test app → drainer)

A “recruiter” from a crypto company writes to you. Sometimes the account looks LinkedIn-style legitimate, sometimes it presents as Head of Talent at a Telegram-native project. The offer is consistently generous: remote, $4-8k a month, low requirements, “because we’re scaling fast”.

The funnel runs 3-7 days.

Day 1. Contact plus a job description. Request for a quick call or text-based interview.

Days 2-3. “Interview”. Technical questions simplified to “do you understand blockchain at a high level?”. The victim relaxes.

Days 4-5. “Take-home task”. Either clone a GitHub repository and run a script (trojanized package.json), or test “our new crypto app for users” — a mini-app or website. The test requires connecting a wallet “to verify UX”.

Days 6-7. Wallet connection equals drainer signature. Afterwards the “recruiter” goes silent or says “unfortunately we’re moving forward with another candidate”.

A second variation targets developers directly. Running the take-home code locally executes npm dependencies that exfiltrate seed files from MetaMask, browser-stored sessions, and immediately drain wallets.

How to spot it. Real crypto recruiting flows through LinkedIn, AngelList, and specialised job boards (Crypto Jobs List, Web3 Career). Telegram-only hiring with generous pay and a single-step “test task” involving running code or connecting a wallet is a known Lazarus Group pattern documented by Google Threat Intelligence.

What NOT to do. Don’t connect a production wallet to “test” apps. Don’t run take-home tasks without isolation — VM, Docker, separate OS user account. Don’t share a seed phrase or private key in any “verification” form.

Tactic 5: gift / sticker phishing

The vector emerged in 2024 alongside the Telegram Gifts (upgraded gifts) launch. By 2025-2026 it has evolved.

A DM arrives with a gift — an animated sticker or a Telegram Gift — with a description like “Exclusive NFT drop — claim before May 31” and a link in the caption. Sometimes the gift looks rare (gold cup, limited pack), which raises curiosity.

The link points to a clone of Getgems or Fragment with a “claim” interface. Connecting a wallet signs a drainer transaction, usually through a jetton transfer or NFT operation with a deceptive forward_payload.

Alternative scenario: the gift sticker leads not to a crypto site but to a phishing Telegram page asking you to “log in to activate” — that route hijacks the Telegram account itself.

How to spot it. Real NFT airdrops are announced in the project’s public channel before distribution, not as a surprise DM. Any “claim now” link inside a gift description from an unknown sender is phishing by default.

What NOT to do. Don’t click the link in the gift description. Don’t connect a wallet to it. Don’t enter a seed phrase anywhere except the first-time setup of your wallet.

Telegram crypto-hygiene checklist

Minimum to close 90 percent of social-engineering scenarios:

  1. Two-Step Verification on the Telegram account is mandatory. Without a cloud password, any social engineering scales into an account takeover.
  2. Privacy → Phone Number — Nobody. Forwarded Messages — My Contacts. Calls — My Contacts. Tighten the surface area.
  3. Who can message you — My Contacts only, unless you are a public figure. You can stay in crypto chats with DMs closed.
  4. Don’t post wallet addresses in public chats in any context — that is a solvency marker for scam lists.
  5. Don’t post screenshots of balances, open TON Connect sessions, or visible usernames of your contacts.
  6. Block + Report any “support” or “admin” who DMs you first. No dialog.
  7. Verify usernames character by character before believing you’re talking to an admin. Cross-check against the project’s public channel.
  8. Segment your wallets. A hot wallet with a small balance for mini-apps and DeFi, a cold wallet with Ledger for savings. Social engineering reaches at most the hot wallet.
  9. Don’t run “test tasks” from Telegram recruiters without VM or Docker isolation.
  10. Never enter a seed phrase anywhere except first-time wallet setup. No bots, no forms, no “verifications”, no “recoveries”.

Conclusion

Technical defences — Ledger, segregated wallets, 2FA, domain checks — close a large fraction of vectors. Social engineering remains uncovered for one reason: it attacks not the device but the mental state. Fatigue, loneliness, the wish to earn, the fear of missing out, curiosity about the “exclusive” — that is the attack surface. The best heuristic: in crypto, nobody DMs you first with good news. Every time it happens, treat it as a scam attempt by default until proven otherwise.

If you have already engaged, follow the first-aid guide for stolen TON. If you want to harden the Telegram account against takeover itself, see the Telegram takeover protection guide.

Frequently asked

How is social engineering different from phishing?
Phishing exploits the interface — a cloned site or drainer contract. Social engineering exploits trust in a person. On Telegram this works better because the messenger is mentally tagged as a private space, not a financial one. The same link sent manually from a warmed account converts an order of magnitude better than a banner.

Should I reply to a fake “support” DM to tell them I know it is a scam?
No. Any reply confirms the account is active and solvent, and your username gets resold into the next campaign’s target list. Block + Report and close the chat without engaging.

Can I post a screenshot of the scam conversation to warn others?
Yes, but blur your own Telegram username and any wallet addresses on the screenshot first. Otherwise you become the next campaign’s primary target — scam-aware chats are monitored by the same actors.

How do I help someone who is caught in a pig-butchering scam?
Direct confrontation almost never works — the victim defends their partner. More effective: show them FBI/Interpol material on sha zhu pan in their native language, ask them to try withdrawing a large sum from the platform (it is always impossible), and involve a family therapist alongside cyber-crime authorities.

Does Two-Step Verification protect against these scams?
Against account takeover, yes — it is the baseline. Against social engineering directly, no — the attacker is not breaking your account, they are persuading you to hand over your seed or sign a transaction yourself. 2FA closes one vector, not all of them.
