Security GUIDE · 2026

TON stolen: first 30 minutes step-by-step (2026)

Action plan for the first 30 minutes after TON or jettons are stolen — how to save remaining funds, trace the attacker's address

Author: TON Adoption Team · security desk
Published · 7 min read

A theft of TON or jettons is a shock, and the first reaction is almost always wrong: panic, reinstall the wallet, delete the “hacked” app. That’s the worst thing you can do. This guide is a step-by-step plan for the first 30 minutes after discovering a theft. The goals — preserve what’s left, lock down evidence, and maximise the chance of partial recovery through an exchange. Every step has been validated on real 2024-2025 cases — no “magical recovery”, only what actually works.

What happened — three typical scenarios

Before acting, you need to know which kind of theft you’re dealing with. The next steps depend on it.

Scenario A — seed phrase leaked

Signs: assets are leaving your address but you didn’t sign anything just now. Maybe you typed the seed into a phishing site, into a “verification” bot, or it leaked through a screenshot in the cloud. The attacker imported the seed and is operating directly from their own device.

This is the worst case. The wallet is fully compromised, and any funds you send to it will leave instantly.

Scenario B — drainer signature

Signs: you connected the wallet to a dApp / mint / swap, signed something, and now the balance is empty. The address itself isn’t “hacked” — the attacker doesn’t have the seed, only a single-transaction signature.

A less severe scenario. The address itself is “clean”, but if there’s an open TON Connect session, the attacker may try again. The full anatomy is in the “Drainer sites in TON” breakdown.

Scenario C — Telegram account hijacked

Signs: you can’t log into Telegram, or you notice activity coming from your name. If you had a custodial Wallet inside Telegram, the funds there are gone. Tonkeeper and MyTonWallet are immune (the seed is local), but the in-Telegram Wallet is not.

This scenario also requires Telegram account recovery in parallel. See the Telegram security guide.

Step 1 (0–5 minutes): save what’s left

First — figure out which wallet is compromised, and rescue whatever the attacker hasn’t taken yet.

  1. Open the wallet on the current device, but don’t re-enter the seed and don’t tap anything beyond viewing balances.
  2. If there are still assets at the address (jettons, NFTs, TON) — they need to leave immediately.
  3. Create a new wallet on a clean device (different phone, different computer) with a fresh seed phrase. Don’t use the same device the theft happened on — there might be a trojan or an active attacker session there.
  4. Write the new seed on paper right away; don’t save it in the cloud.
  5. Move the remaining assets from the compromised address to the new one.

Step 2 (5–10 minutes): revoke TON Connect sessions

Only for Scenario B (drainer signature). If the attacker has the seed, this step is meaningless.

  1. Open Tonkeeper → Settings → Connected apps.
  2. Tap “Disconnect” on every app one by one. Don’t try to figure out which is the drainer — kill them all.
  3. Same in MyTonWallet — “Connected apps” section.
  4. After revocation the drainer site can no longer initiate a new signing request.

This closes follow-up attacks for the next hours and days. Especially important before sleeping — drainers love to launch a second wave at night, banking on absent-minded confirmation of a push notification.

Step 3 (10–15 minutes): lock down evidence

Here’s what to collect right now, while memory is fresh and access is intact.

Technical data

  • Attacker address. Open tonscan, find your wallet, look up the outgoing theft transaction. Copy the recipient (To).
  • Transaction hashes — the alphanumeric IDs in tonscan. Copy each hash that’s part of the attack.
  • Exact UTC time and date of the transactions.
  • List of stolen assets with rough USD value (use CoinGecko at the time of theft).
  • Screenshot of the tonscan page with transaction history — in case the address somehow “disappears” later.

Contextual evidence

  • Phishing or drainer site. Screenshot of the page, full URL, link to a urlscan.io or Wayback Machine snapshot.
  • Conversations with the “support agent”, “seller”, or “friend”. Screenshots, the Telegram username (including @username), message timestamps.
  • Ad / channel post that led to the scam. Screenshot, link to the post, publication date.
  • List of TON Connect sessions before you revoked them.

Why it matters

Without structured evidence, any report to law enforcement or to an exchange is paperwork. With it — there’s a chance the exchange spots a deposit from your address into its hot wallet and freezes the balance pending review.

Step 4 (15–25 minutes): trace the funds

A 5–10 minute task whose payoff is sometimes decisive for recovery.

  1. Open the attacker address on tonscan.
  2. Look at outgoing transactions — where the thief sends the funds.
  3. Often the next hop is an intermediary, then a centralised exchange. Major CEXes (Bybit, OKX, MEXC, Binance) have known public hot-wallet addresses; tonscan and tonviewer often label them.
  4. If funds reached a CEX — that’s your main shot at recovery. The exchange can freeze the remaining balance on a properly filed law-enforcement request or, sometimes, on a well-documented direct request.
  5. If funds went into a DEX (STON.fi, DeDust) or a mixer — odds are near zero. Note the last “trail” and stop tracking.
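The hop-by-hop tracing of Step 4, together with the evidence record of Step 3, as an added example (not code from the guide): a breadth-first walk over outgoing transfers from the attacker address that stops at a labelled CEX hot wallet (a recovery candidate) or a labelled DEX pool (a dead end), and emits the hashes and UTC timestamps you would put into the exchange request. All addresses, hashes, labels and transfers are constructed placeholders standing in for what you read off tonscan, not real on-chain values.

```python
from collections import deque
from datetime import datetime, timezone

# Constructed stand-ins for the CEX / DEX tags tonscan and tonviewer show.
LABELS = {
    "EQ_CEX_HOT_WALLET_PLACEHOLDER": ("cex", "ExampleExchange"),
    "EQ_DEX_POOL_PLACEHOLDER": ("dex", "ExampleDEX"),
}

# Constructed transfers: (tx_hash, src, dst, amount_ton, unix_utc).
TRANSFERS = [
    ("hash_01", "EQ_VICTIM", "EQ_ATTACKER", 950.0, 1736935200),     # the theft
    ("hash_02", "EQ_ATTACKER", "EQ_MULE_1", 940.0, 1736935500),     # hop 1
    ("hash_03", "EQ_MULE_1", "EQ_CEX_HOT_WALLET_PLACEHOLDER", 900.0, 1736938000),
    ("hash_04", "EQ_MULE_1", "EQ_DEX_POOL_PLACEHOLDER", 40.0, 1736938100),
    ("hash_05", "EQ_OTHER", "EQ_MULE_1", 5.0, 1736938200),          # unrelated inflow
]


def trace(start, transfers, labels, max_hops=5):
    """Follow outgoing transfers from `start` (the attacker address).

    Returns the ordered trail (hash, from, to, amount, UTC time), the CEX
    deposits worth escalating, and the DEX/mixer endpoints where tracking stops.
    """
    out = {}
    for h, src, dst, amt, ts in transfers:
        out.setdefault(src, []).append((h, dst, amt, ts))
    trail, cex_hits, dead_ends = [], [], []
    seen, queue = {start}, deque([(start, 0)])
    while queue:
        addr, depth = queue.popleft()
        if depth >= max_hops:
            continue
        # Walk this address's outgoing transfers in time order.
        for h, dst, amt, ts in sorted(out.get(addr, []), key=lambda t: t[3]):
            utc = datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%SZ")
            trail.append({"hash": h, "from": addr, "to": dst, "ton": amt, "utc": utc})
            kind, name = labels.get(dst, (None, None))
            if kind == "cex":      # funds hit an exchange: freeze request is possible
                cex_hits.append({"exchange": name, "deposit_hash": h, "ton": amt, "utc": utc})
            elif kind == "dex":    # swapped away: note the last trail hash and stop
                dead_ends.append({"venue": name, "last_hash": h, "ton": amt})
            elif dst not in seen:  # unlabelled intermediary: keep following
                seen.add(dst)
                queue.append((dst, depth + 1))
    return {"trail": trail, "cex_deposits": cex_hits, "dead_ends": dead_ends}
```

Run `trace("EQ_ATTACKER", TRANSFERS, LABELS)` to get the trail; the `cex_deposits` entries carry the deposit hash and timestamp the Step 5 request asks for.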

Step 5 (25–40 minutes): file the official requests

Two parallel tracks.

A — police report

  1. Local cybercrime portal — IC3 (US), Action Fraud (UK), national equivalents. Submit electronically; you receive a case number automatically.
  2. In person at a station if needed. Bring printouts of all evidence.
  3. Get a case number — you’ll need it for the next step.

The realistic chance of investigation success is low — investigators rarely have crypto expertise. But without a report you have no legal basis to escalate to an exchange.

B — exchange request

If funds reached a CEX, every exchange has a security team and a form for legal / law-enforcement requests.

  • Bybit — compliance@bybit.com, on-site form.
  • OKX — Help → Compliance → Law enforcement.
  • MEXC — compliance@mexc.com.
  • Binance — Law Enforcement Request System.

In your request include:

  • Your wallet address and the attacker’s address.
  • Theft transaction hashes and the deposit hash into the exchange’s address.
  • Police case number.
  • Exact amounts and timestamps.

Exchanges don’t always respond, but in clear drainer scenarios with a fast (1–3 hours) escalation, a freeze is realistic.

Step 6 (after the first hour): what NOT to do

This deserves its own step, because mistakes here create a second theft on top of the first.

  • Don’t pay “hackers who’ll help you recover”. Always a follow-up scam.
  • Don’t enter the seed into any “recovery service”. Any such service is phishing.
  • Don’t grant remote access to your computer to “support helpers”. That’s another theft via TeamViewer / AnyDesk.
  • Don’t post your seed in public chats “for verification”. Nobody “verifies” a seed online.
  • Don’t return to the compromised address after recovery. Ever.

Step 7 (next day): security audit

Once the urgent steps are done, do a cool-headed analysis.

  • Change passwords on email, Telegram, exchange accounts. Enable 2FA via an authenticator app (not SMS).
  • Scan the device for trojans. Full Bitdefender / ESET scan, audit the installed browser extensions.
  • Uninstall and reinstall wallet browser extensions. Old ones may have been compromised by a malicious extension.
  • Generate a new seed on a clean device. Never use the old one — it’s leaked forever.
  • Read up on the cause: top-10 Telegram scams, phishing anatomy, and secure seed-phrase storage.

Realistic expectations

Honestly:

  • “Drainer scenario, CEX request within an hour” — recovery chance 10–20%, usually not all funds.
  • “Seed leaked, funds already on a DEX” — recovery chance near zero.
  • Average request review time — 2–6 months. Be ready for a long process.
  • A police report is mandatory; without it nothing can be done with an exchange. Even if the investigation never closes, it’s your only legal lever.

After recovery — what to change

Theft usually happens because of a specific weakness in the setup. Don’t repeat the same mistake.

  1. Segment wallets. A cold Ledger for savings, a separate hot for DeFi, a minimal one for risky dApps.
  2. Enable Two-Step Verification on Telegram. See the Telegram protection guide.
  3. Never enter the seed anywhere except first-time wallet setup. Final rule.
  4. Sign all future transactions through a Ledger — drainer can’t substitute details unnoticed.

Frequently asked

  • No. A TON transaction finalises in 5 seconds and is irreversible. There is no "cancel" in the blockchain, and no wallet, exchange or TON Foundation can return funds directly.
  • It's possible, but the chance is low and depends on where the funds went. If they hit a CEX (Bybit, OKX, MEXC, Binance) — there's a chance the exchange freezes the balance on a properly filed request. If they went into a DEX or mixer — almost zero chance.
  • Speed and proper evidence preservation. Every transaction hash, screenshots of the phishing site or chat, exact timestamps — this is what the exchange security team and law enforcement need. Each hour of delay reduces the chance of a freeze.
  • Absolutely not. 99% of such services are secondary scams targeting desperate victims. Real blockchain-investigation firms (Chainalysis, TRM Labs) work with law enforcement and major exchanges, not directly with private individuals.
  • File with local law enforcement (cybercrime division, IC3 in the US, Action Fraud in the UK, equivalent in your jurisdiction) and obtain a case number. Without a filed report there is no legal basis for an exchange to act on your request.
  • TON Foundation does not control user wallets and has no authority to freeze assets. Writing to it only makes sense for mass attacks on infrastructure. For personal incidents, support comes from the specific wallet's team.
