Can stolen TON be recovered?

Mostly no. Blockchain transactions are irreversible. The only real chance is when funds land on a centralised exchange (Bybit, OKX, MEXC) and you file a fast report with their security team referencing tonscan.

Do scammers really steal seed phrases via Telegram bots?

Yes. Per SlowMist, 2025 saw a 2000%+ rise in fake verifier bots posing as wallet support and harvesting seeds via forms or clipboard malware.

How does a TON scam differ from one on Ethereum or Solana?

Mainly the venue. TON scams almost always start in Telegram via a mini-app or DM link, not via X or Discord ads. Cheaper for the attacker and converts better.

Is it safe to connect a TON wallet to mini-apps?

To trusted dApps (STON.fi, DeDust, Tonstakers, Getgems) — yes, via TON Connect on the official domain. Any mini-app from a stranger's link or a 'support' bot — potentially a drainer.

Does Telegram's built-in anti-phishing help?

Partially. Telegram blocks already-known scam domains and warns on chat links, but new drainer sites live 24–72 hours before takedown — enough time to do the damage.

What to do right now if I already connected to a suspicious site?

1. Sign nothing else. 2. From the main wallet move all assets to a clean address from a second wallet with a different seed. 3. Revoke permissions in Tonkeeper — Connected Apps.

Top 10 TON scams on Telegram and how to defend yourself

In 2025 Chainalysis estimated total crypto-scam losses at $17B — a record, with average loss per victim rising to $2,764 from $782 the year before. Telegram became one of the main fraud-coordination venues — the platform accounted for over $200M in direct losses and a 43% year-on-year rise in scam activity. TON users are a priority audience because the 2024-2025 mini-app wave brought tens of millions of inexperienced people into crypto. This guide is the full list of schemes we see in chats and DMs right now, with mechanics and defences.

Why TON and why Telegram

Attacker logic is simple. The cheaper to reach the victim, the more profitable. In Telegram that means:

Zero friction. A link goes into a DM or a chat, the wallet is already inside the messenger.
Anonymity. Accounts on virtual numbers cost $1-3, get banned in batches — the attacker loses pennies.
Social context. You can buy a mention in a big channel or fake an admin post.
Fast monetisation. A TON transaction finalises in 5 seconds — stolen funds land on a swap before the victim notices.

Unlike Ethereum scams where the main funnel is X and Google Ads, TON scams operate inside one app. That lowers the entry bar for attackers and complicates defence: the user never leaves Telegram, and the usual browser security habits do not fire.

Top 10 active schemes

1. Fake “tap-to-earn” mini-apps

Classic from the 2024-2025 wave: a bot promises a click-for-tokens drop like Notcoin or Hamster Kombat. After “farming” the user is offered to “withdraw” the reward — which requires connecting a wallet. TON Connect shows a signing prompt, but the drainer contract is structured so that one signature gives spending rights on key jettons (USDT, NOT, DOGS). Seconds later the wallet is empty.

Defence. Verify the official mini-app domain on tonscan via the project jetton. If the bot is not Telegram-verified (no blue tick) and is not mentioned on the project site — it is always fake.

2. “Verifier” security bots

The most common scheme of 2025, per SlowMist a 2000% rise. The victim gets a DM or chat link to a bot named like OfficialSafeguardBot or TonSecurityVerify. The bot offers to “confirm wallet ownership” by entering the seed phrase or pressing a button that copies a trojan loader to the clipboard.

Defence. No legitimate TON service will ever ask for the seed phrase. If asked — by definition a scam.

3. Fake airdrop sites

A clone of an official airdrop site distributes “legendary” tokens. To claim — connect a wallet and sign. The signature is actually a transfer of all jettons to the attacker’s address.

Defence. Verify the airdrop URL against the official announcement in the project’s verified channel. Details — in the phishing anatomy breakdown.

4. Drainer sites under NFT mints

Trend continues from Solana and Ethereum: a fake “mint” page for a rare Telegram username or Getgems collection. Mint price symbolic, but on connecting the wallet the malicious contract gets delegation on NFTs and jettons. Detailed technical breakdown — in the TON drainers article.

5. P2P trade with fake escrow

Victim looks for where to buy TON or USDT in local currency in a Telegram channel. The “seller” offers an “official guarantor” — actually their accomplice. The victim wires fiat, gets a fake tracking link, the “guarantor” confirms and disappears with the seller.

Defence. Use only official P2P platforms inside Wallet in Telegram, Bybit P2P, OKX P2P. Private “guarantors” do not exist — always fraud.

6. Fake wallet support

A @tonkeeper_support_official account writes in a chat or DM offering to help — usually after the victim complained in a public chat about a transaction error. Asks for a seed or directs to a “repair” site that “syncs” the wallet.

7. Pump-and-dump groups for new jettons

Closed “signal” channels announce the launch of a new jetton on STON.fi or DeDust. Subscribers buy in sync — price spikes. Organisers sell at the top, remaining participants lose 80-95% in minutes.

Defence. No “insider” groups exist. Any “jetton signal” is either pump-and-dump or a drainer-site lure.

8. Romance scams (pig butchering) with TON twist

A long approach via Telegram, sometimes weeks of conversation. The “partner” gradually pulls the victim into a “family investment” in TON DeFi on a special platform. First $50 withdrawal works — for trust. Then $5-50K deposits, none of which return. Per Chainalysis the most expensive scam category by per-victim loss.

Defence. Any “investment” recommended by a messenger contact is a stop signal. There are no exclusive yields.

9. Clipboard address swap

Malware (often delivered via that same fake-verify bot) sits on the device and on copying any TON address swaps it with the attacker’s address. The victim copies a top-up address from an exchange and does not notice the paste differs.

Defence. Verify the first 4 and last 4 characters of the address before every transaction. Use the built-in address book in Tonkeeper and MyTonWallet instead of manual paste.

10. Fake exchanger under official brand

A site like tonkeeper-swap.io or mytonwallet-exchange.app promises the best TON-USDT rate. Accepts the deposit, refuses to release on output citing “verification” and asks for additional fees.

Defence. Inside the wallet the swap routes through the STON.fi/DeDust API — third-party “exchangers” branded by the wallet do not exist.

Base hygiene against all 10 schemes

All ten distil into 4 universal rules.

Segment wallets. One account for savings (Ledger, no TON Connect sessions), the other a “hot” wallet with a small balance for DeFi and mini-apps. Phishing only catches the hot one.
Never enter the seed anywhere except in the official wallet during first restoration. No bots, no sites, no “verifications”.
Verify domain and signature. Before tapping “Confirm” in TON Connect read the request — to which address the signature goes, which jettons are touched.
Enable Two-Step Verification on Telegram itself. Without the cloud password SIM-swap takes the account in minutes, with all TON Connect sessions inside.

What to do if already caught

Act in the first 5 minutes:

If you signed something on a drainer site — open Tonkeeper, Connected Apps section, revoke all sessions.
Move remaining funds to a clean address (new wallet with new seed) immediately.
Save all transactions from tonscan (attacker address, transfer hashes) — useful for reports.
Notify the wallet team and warning channels like @ton_scam_alert to save others.

2024-2025 cases: what real numbers look like

A few public cases to make the figures concrete.

January 2025, fake Notcoin claim. A clone site posing as a “second drop phase” lasted 38 hours before takedown. Per tonscan and SlowMist — about $1.8M in TON and USDT, more than 1,200 victims. Average per-victim hit $1,500.
March 2025, Inferno-style drainer on TON. A group adapted its Ethereum script to TON. Site impersonating Getgems, distributed via compromised admins of 3 large channels. Analysts estimate $4.2M over a month before the campaign was shut down.
August 2025, fake Wallet support bot. Bots like @WalletByTelegramSupport (with various tails) phished seed phrases through a “recovery procedure”. Public cases minimum $600K total losses before takedown.
November 2025, Fragment auction phishing. A clone of Fragment on fragment-bid.app and fragment-auction.io. Victims signed a “bid” that actually transferred all their jettons. Around $900K over 2 weeks.

Common to every case: the attacker hits emotion — desire to grab a rare lot, fear of losing balance, time pressure. Strip emotion from your crypto behaviour and falling becomes much harder.

Minimum defence setup for an average user

If you only read this guide once — remember these 7 actions.

Tonkeeper or MyTonWallet for the main balance, not Wallet in Telegram.
Two-Step Verification on the Telegram account. Without a cloud password — door open.
Bookmarks to the official Tonkeeper, MyTonWallet, STON.fi, DeDust, Getgems, Fragment sites. Use those only.
Never enter the seed anywhere except the wallet’s first setup.
Segmentation — separate small-balance hot wallet for DeFi and mini-apps, separate cold with Ledger for savings.
Read every TON Connect prompt before “Confirm”. Which address, which operations, which jettons.
Regular cleanup — once a week revoke old TON Connect sessions and check active Telegram sessions.

That covers 95% of realistic attack scenarios.

Where to track current threats

SlowMist Twitter and blog — daily drainer and phishing updates.
Chainalysis Crypto Crime Report — annual aggregated reports.
Tonkeeper Help — Common scams — official warnings for specific scam addresses.
tonscan.org — verify the counterparty before sending (scam labels appear there before the wallet UI).