TON Adoption
NODE/03 · Term

Phishing

A class of attacks where a malicious site, bot, or message impersonates a legitimate service and tricks the user into surrendering keys, a seed phrase, or signing a malicious transaction. In TON it most often arrives as fake airdrop pages and Telegram impostor bots.

Aliases: phishing attack, scam site

Phishing is the single most common threat to a crypto wallet holder. Unlike a smart-contract exploit, phishing does not break the protocol — it convinces the user to break it themselves by signing the wrong transaction or pasting a seed phrase into the wrong field.

Common vectors on TON

  • Fake airdrop pages. “Claim 500 TON from Notcoin” on a lookalike domain. The user connects a wallet via TON Connect and signs a “claim” that actually transfers out their jettons and NFTs.
  • Telegram impostors. A bot with a name like @tonkeeper_support_bot opens a DM and asks the user to “verify the wallet” by sending the recovery phrase. Real support teams never do this.
  • Cloned DEX and lending UIs. A typo domain (stonfi.org instead of ston.fi), a paid Google Ads placement on the real service's own keyword — the user lands on a familiar-looking interface and approves a transaction that drains the wallet.
  • Fake NFT marketplaces. Landing pages copy Getgems or Disintar; the “mint” button actually pulls valuable NFTs out of the connected wallet.
  • Drainer comments. Replies under official announcements on X or Telegram link to a “compensation” or “free claim” page.

How to spot it

A few practical tells that catch most attempts:

  • Wrong URL. Read the domain character by character before you connect. t0nkeeper.com, ston-fi.org, notcoin-airdrop.app — close the tab.
  • A signature request with no clear purpose. If the wallet shows “Send unknown jetton to EQXxx…” and you cannot explain what is happening, refuse.
  • Manufactured urgency. “Today only”, “17 minutes left”, “limited claim” — designed to switch off scepticism.
  • Direct request for the seed phrase or private key. Anyone who asks is malicious. No exceptions. Wallet support, exchanges, and developers never do this.

Defence

  • Check the domain in TON Connect. When you connect and when you sign, the wallet shows the dApp name and domain. Compare it to what you actually expect.
  • Hardware wallet for serious balances. A Ledger running the TON app displays transaction details on its own screen, so a compromised computer cannot silently swap the recipient address.
  • Burner wallet for new dApps. Use a wallet with a tiny balance to test unknown sites. Keep the main funds on an address that never connects to anything experimental.
  • Bookmark the real services. Do not navigate to STON.fi through a search engine — bookmark it once and only use that link.
  • Zero trust in cold DMs. Any unsolicited message about support, partnership, or a giveaway is a scam by default. Verify through the official channel.
  • Cross-check addresses on an explorer. Run the contract you are about to interact with through Tonviewer or Tonscan — look at age, activity, labels.
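The "wrong URL" tell and the "check the domain in TON Connect" step above amount to one mechanical comparison: the domain the wallet displays at connect or sign time against the short list of services you have bookmarked. The Python below is an added example, not code from TON Adoption or from any wallet; it assumes a constructed allowlist (`TRUSTED_DOMAINS`) and a small constructed table of digit-for-letter substitutions, and it treats anything outside the allowlist as refused by default, with a separate "lookalike" verdict for the typosquats and IDN tricks named in this entry.

```python
"""Check a dApp domain (the string TON Connect shows at connect/sign time)
against a user-maintained allowlist of bookmarked services, flagging
typosquats and homoglyph lookalikes.  Example code added to this glossary
entry; not part of the TON Adoption site or of any wallet."""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Constructed allowlist: the domains this hypothetical user bookmarked after
# verifying them once.  Anything not listed here is refused by default.
TRUSTED_DOMAINS = {"ston.fi", "tonkeeper.com", "getgems.io", "tonviewer.com"}

# Constructed table of digit/punctuation substitutions used to imitate letters
# (t0nkeeper -> tonkeeper); hyphens are dropped so ston-fi compares as stonfi.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                            "7": "t", "8": "b", "9": "g", "|": "l", "-": None})


@dataclass
class Verdict:
    domain: str                 # hostname actually extracted from the input
    status: str                 # "trusted", "lookalike" or "unknown"
    nearest: Optional[str] = None   # bookmarked domain it matches or resembles
    reason: str = ""


def extract_hostname(url_or_domain: str) -> str:
    """Return the lowercase hostname whether or not the input has a scheme."""
    text = url_or_domain.strip()
    if "//" not in text:
        text = "//" + text      # make urlsplit treat the input as a netloc
    host = urlsplit(text).hostname or ""
    return host.lower().rstrip(".")


def skeletons(domain: str) -> set:
    """Comparison forms of a domain: the whole name and the name minus its
    TLD, with dots and hyphens removed and homoglyph digits mapped to letters."""
    labels = domain.split(".")
    forms = {"".join(labels)}
    if len(labels) > 1:
        forms.add("".join(labels[:-1]))
    return {f.translate(HOMOGLYPHS) for f in forms}


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; domains are short, so the O(len(a)*len(b)) DP is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_domain(url_or_domain: str) -> Verdict:
    """Classify a domain: exact allowlist hit, imitation of an allowlist entry,
    or simply unknown (which the user should treat the same as hostile)."""
    host = extract_hostname(url_or_domain)
    if host in TRUSTED_DOMAINS:
        return Verdict(host, "trusted", host, "exact match with bookmarked domain")
    # Every trusted entry is plain ASCII, so a punycode (xn--) or non-ASCII host
    # can only be imitating one of them with look-alike Unicode letters.
    if not host.isascii() or any(lbl.startswith("xn--") for lbl in host.split(".")):
        return Verdict(host, "lookalike", None, "internationalised or mixed-script hostname")
    cand = skeletons(host)
    for trusted in sorted(TRUSTED_DOMAINS):
        t_forms = skeletons(trusted)
        if cand & t_forms:      # same letters once dots/hyphens/digits are normalised
            return Verdict(host, "lookalike", trusted, "same letters as a bookmarked domain")
        # A single-character typo in the name part (TLD stripped), e.g. tonkeper.com
        if levenshtein(min(cand, key=len), min(t_forms, key=len)) <= 1:
            return Verdict(host, "lookalike", trusted, "one edit away from a bookmarked domain")
    return Verdict(host, "unknown", None, "not bookmarked; do not connect")


if __name__ == "__main__":
    for sample in ("https://ston.fi/swap", "stonfi.org", "ston-fi.org",
                   "t0nkeeper.com", "notcoin-airdrop.app", "xn--stn-7ka.fi"):
        v = check_domain(sample)
        print(f"{sample:24} -> {v.status:9} {v.nearest or '':14} {v.reason}")
```

The important design choice is that "unknown" is not a pass: the entry's advice is to bookmark the real services and use nothing else, so a domain that is merely absent from the list gets the same answer as a detected lookalike (close the tab), and the "lookalike" verdict only adds the detail of which bookmarked service is being imitated.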

Phishing is not solved by technology alone. TON Connect shows the domain, but if a user clicks “confirm” without reading, no protocol can save them. The real defence is a slow, sceptical attitude toward every signature request.

Related terms