  • 08/13/2024

TON ecosystem phishing scams: summary and case analysis

With the development of blockchain technology, the TON (The Open Network) ecosystem has gradually attracted widespread attention. However, as its user base grows, various phishing scams are also emerging. This article summarizes common phishing scams and pairs them with real cases to help users identify and prevent these threats.

1. Virtual number NFT phishing

The TON ecosystem provides virtual number NFT services, and these NFTs have also become phishing targets. Hackers will create fake NFTs and send them to users. When users try to transfer these NFTs, they will find that the transfer fees are abnormally high.

Real case

Hackers airdrop fake NFTs to induce users to transfer them. When users try to transfer, the transfer fees are very high. The high transfer fees set by the hacker's contract cause asset losses. Fake NFTs sometimes fail to actually transfer, so users pay transfer fees multiple times while the NFT remains in their wallet.

Precautions

  • Be wary of any airdropped NFTs, especially those from unknown or unverified sources.
  • Do not attempt to transfer any NFT that looks suspicious or unusual, and always keep your assets secure.

2. NFT phishing attack

Hackers send NFTs of unknown origin to user wallets. These NFTs often have enticing names or descriptions to lure users into clicking to see their details.

Real case

  • Hackers will send NFTs with misleading names or descriptions to user wallets, attracting users to click to view their details.
  • When users click to view these NFTs, they are redirected to a malicious website. These websites will ask users to connect their TON wallet and even prompt for a mnemonic phrase to “unlock” or “claim” more rewards.
  • If the user enters a mnemonic phrase or connects their wallet, the hacker can obtain the assets in the user’s wallet.

Precautions

  • Be wary of any NFT you receive, especially those of unknown origin or with deceptive names.
  • Use secure wallets that support NFT risk identification, such as TonKeeper, MyTonWallet, etc.
  • Do not randomly connect your wallet to websites from unknown sources, and do not enter mnemonic phrases or private keys.

3. Zero transfer phishing

In the TON network, hackers take advantage of the zero-transfer feature to send phishing messages to user wallets. These messages contain links to malicious websites. Users may click on these links when viewing transaction records, resulting in the loss of funds.

Real case

  • Hackers send 0-TON transfers carrying phishing link information to many addresses in batches.
  • They add enticing malicious links to the transfer transactions.
  • Users may click on these links while viewing transaction records and visit malicious websites.
  • If the user performs a so-called claim interaction, the assets will be stolen by hackers.

Precautions

  • Avoid clicking on any links in transaction records from unknown sources.
  • Use a wallet tool with phishing link identification capabilities and perform address risk analysis.

4. Comment field phishing

Hackers exploit the Comment field in TON wallet transaction requests to mislead users into thinking they are receiving some kind of reward, leading to incorrect asset transfers.

Real case

  • In a phishing scam exposed by Scam Sniffer, after the victim clicked on a link that said “Received 5,000 USDT,” not only would he not get the 5,000 USDT, but he would also lose the $TON in his wallet.
  • According to analysis, the phishing scam actually used the Comment mechanism of TON wallet transfers. The text “Received 5,000 USDT” displayed in the link was actually Comment content, and no funds were actually transferred. Wallets like Tonkeeper, for example, display the Comment content when users sign, so many users are misled.
  • Not only that, using this mechanism, scammers may also tailor misleading information for different users, such as NFT-related phishing attacks, to lure users into taking the bait.

Precautions

  • Understand the actual use of the Comment field. It is only used for messages or notes and does not represent the transaction result.
  • Do not trust the content in the Comment field easily, and check the transaction details carefully before confirming the transaction.
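
The checks described in sections 3 and 4 can be expressed as a small triage routine. This is an added example, not code from the original article or from any wallet; the record fields (direction, amount_nano, comment), the keyword patterns and the sample records are assumptions constructed for illustration.

```python
import re

NANO = 10**9  # 1 TON = 10^9 nanotons

# Constructed patterns for this example; a wallet would use a maintained list.
URL_RE = re.compile(r"(https?://|www\.)\S+|\b[\w-]+\.(com|org|net|io|xyz|app|me)\b", re.I)
LURE_RE = re.compile(r"\b(received|claim|reward|airdrop|bonus|unlock)\b", re.I)

def triage(record, dust_nano=NANO // 100):
    """Return a list of warnings for one transfer record.

    record is a hypothetical dict: direction ("in" for a transfer already
    received, "out" for a request the user is asked to sign), amount_nano
    (int, nanotons) and comment (str).
    """
    comment = record.get("comment") or ""
    amount = record["amount_nano"]
    has_url = bool(URL_RE.search(comment))
    has_lure = bool(LURE_RE.search(comment))
    warnings = []
    if record["direction"] == "in":
        # Section 3: a zero or dust transfer that exists only to carry a link.
        if amount <= dust_nano and has_url:
            warnings.append("zero-transfer-link")
    else:
        # Section 4: the comment talks about receiving funds, but signing
        # this request moves TON out of the wallet.
        if has_lure and amount > 0:
            warnings.append("comment-contradicts-outgoing-transfer")
        if has_url:
            warnings.append("link-in-sign-request")
    return warnings

# Constructed sample records (not real transactions).
SAMPLES = [
    {"direction": "in", "amount_nano": 0, "comment": "Claim your bonus at ton-gift.example.xyz"},
    {"direction": "out", "amount_nano": 42 * NANO, "comment": "Received 5,000 USDT"},
    {"direction": "in", "amount_nano": 3 * NANO, "comment": "thanks for lunch"},
]

if __name__ == "__main__":
    for rec in SAMPLES:
        print(rec["direction"], rec["amount_nano"] / NANO, "TON:", triage(rec) or "ok")
```

The second sample mirrors the “Received 5,000 USDT” case: the comment is only a note, so the decision is based on the direction and amount of the transfer itself.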

5. Centralized tool phishing

Many users in the TON ecosystem use Telegram’s Wallet or trading bots. These tools sometimes host users’ private keys, which means that if a Telegram account is stolen, the assets in the wallet are also exposed.

Case

  • Hackers gain control of user wallets by stealing Telegram accounts.
  • Since trading bots usually need to host users’ private keys, once hackers take control of a user’s Telegram account, they can fully control these trading bots and transfer users’ assets.

Precautions

  • Enable two-step verification for Telegram accounts to increase account security.
  • Avoid trading bots that require escrow of private keys and instead use more secure self-hosted wallets like TON Space.

In addition to the above phishing methods, there are also some common phishing scams in the TON ecosystem:

6. Fake Telegram channels and groups

Scammers create Telegram channels or groups that pose as official ones and pretend to be administrators or official support personnel to induce users to provide private keys or click on malicious links.

  • Case: In early 2023, a fake Telegram group appeared in the TON community, which pretended to be an official support group and attracted hundreds of users to join. Scammers pretended to be administrators and contacted new members via private messages, claiming there was a problem with their account and that they needed to re-verify the seed phrase. This approach resulted in dozens of users having their assets stolen.
  • Precautions: Never provide your private key or password through unofficial channels. Make sure that the groups and channels you join are officially certified. You can confirm their authenticity through TON’s official website or official announcement.

7. Fake TON wallets and applications

Scammers use fake apps or wallets to trick users into entering their private keys or seed phrases to steal their assets.

  • Case: A fake TON wallet app went live on the Google Play Store and went viral. The app requires users to enter their seed phrase or private key to import their existing wallet. Once the user enters their information, the scammer is able to take control of their wallet and transfer all assets.
  • Precautions: Only download wallets or apps through official websites or trusted app stores. Before installing any software, carefully check the developer’s information and user reviews.

8. Fake airdrops and giveaways

Scammers promote fake airdrop campaigns, asking users to provide wallet addresses or make small transfers in order to receive “large” rewards, with the aim of stealing funds.

  • Case: In 2023, a false airdrop activity was circulated in the TON ecosystem. Scammers claimed that as long as users send 0.1 TON to the specified address, they can get 10 TON in return. Many users have been tricked into sending funds to scammers, only to receive nothing in return.
  • Precautions: Be highly suspicious of airdrop campaigns that ask you to pay a fee or provide sensitive information. Verify the authenticity of the event through official channels.

9. Phishing websites and fake exchanges

Scammers create phishing websites that closely resemble official websites to trick users into entering login credentials or private keys, or performing malicious transactions.

  • Case: A fake exchange website called “TONexchange” was created that looks almost exactly like the official exchange. After users entered their account information, the website immediately sent their login credentials and private keys to the scammers, resulting in the theft of multiple users’ assets.
  • Precautions: Check the URL to make sure you are visiting the official website. Use bookmarks or official links to visit commonly used exchange and wallet websites.

10. Fake technical support

Scammers pretend to be official technical support and contact users via email, social media or chat tools, asking them to provide sensitive information or download malware.

  • Precautions: Official technical support will usually not proactively contact you and ask for sensitive information. If you are contacted by any individual claiming to be official, you should be vigilant and verify through official channels.

11. Scam comments under the official account

Taking advantage of users’ trust in official accounts, some scammers post phishing links in the comment area of the official Twitter account. Their names are similar to the official ones, making them very difficult to distinguish.

  • Precautions: It is recommended to use the scamDefender plug-in, which marks the official account and makes it very easy to distinguish official accounts from scam accounts.

Summary and suggestions

With the rapid development of the TON ecosystem, hackers’ attack methods are also constantly upgrading, from fake websites to NFT phishing to Comment field phishing. These methods all take advantage of users’ negligence and lack of security awareness. In order to protect their assets, users need to be more vigilant and take the following security measures when participating in the TON ecosystem:

  1. Choose a safe wallet: Use TON wallet tools that support risk identification, such as TonKeeper or MyTonWallet, and avoid using wallets that host private keys.
  2. Raise anti-phishing awareness: Always be wary of NFTs, links or transaction requests from unknown sources, and understand the true meaning of the Comment field.
  3. Enable additional security: Enable two-step verification for Telegram accounts to avoid losing wallet assets due to account theft.
  4. Manual backup of mnemonic phrases: For users who use self-hosted wallets such as TON Space, it is recommended to back up the mnemonic phrase manually, keep it in a safe place, and avoid using the online backup function.

Through these measures, users can be more secure when participating in TON ecosystem projects and protect their crypto assets from phishing attacks. Continuously improving prevention awareness and understanding new security threats are important safeguards for survival and development in the Web3 world.