Hidden Risks of TON Ecosystem Explosion
As TON becomes one of the hottest ecosystems this summer, risks also arise.
The price of Toncoin has increased more than fivefold over the past year, successfully entering the top ten cryptocurrencies by market capitalization, and TON has become one of the most successful stories in the cryptocurrency space.
With 900 million users, Telegram has excited supporters about TON's potential. Airdrop games like Notcoin and Hamster Kombat have also driven the number of active addresses on TON to surpass that of Ethereum. These astonishing numbers are what every project dreams of, but they also present a new opportunity for scammers stuck on Ethereum.
Raz Niv, co-founder of Israeli security company Blockaid, told the magazine: "We are seeing more and more scammers showing interest in the TON ecosystem because the value through TON is just too great."
Cryptocurrency newcomers flocking to the platform to play games are ideal targets for scammers. Worse still, scam activity on TON is relatively new, and the network's wallets do not yet have the security tools that Ethereum has.
One TON scammer used a bait of 5000 USDT to fish for victims. This scam exploited TON's unique feature that allows custom messages to be included in transfers during the wallet signing phase.
When the transfer prompt displays "Receive 5000 USDT" alongside a "Confirm" button, victims who confirm unknowingly lose their assets.
According to a report from Scam Sniffer, this simple yet effective scam allowed a specific scammer to earn at least 22,000 TON (approximately $152,000).
Recently, the same suspicious address launched a phishing scam related to the Notcoin airdrop.
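A wallet-side check for the bait described above, as an added example that is not from the article, Scam Sniffer or any wallet's code: it treats the comment on an outgoing transfer as untrusted text and flags wording that promises incoming funds. It assumes the wallet has already extracted the message body bytes; the keyword lists, function names and sample transfer are constructed for illustration.

```python
import re
import unicodedata

# Assumption: the wallet has already pulled the message body bytes out of the
# transfer. A TON text comment is a body with 32-bit opcode 0, then UTF-8 text.
TEXT_COMMENT_OP = b"\x00\x00\x00\x00"
# Hypothetical heuristics for this example, not a vetted rule set.
INBOUND_WORDS = re.compile(r"\b(receive|received|claim|airdrop|reward|bonus|refund)\b")
ASSET_AMOUNT = re.compile(r"\d[\d,.]*\s*(usdt|usdc|ton)\b")

def extract_comment(body: bytes):
    """Return the text comment carried by a message body, or None."""
    if len(body) < 4 or body[:4] != TEXT_COMMENT_OP:
        return None  # empty body or a contract call, not a text comment
    return body[4:].decode("utf-8", errors="replace")

def review_outgoing_transfer(amount_nano: int, body: bytes):
    """List the reasons the comment on an outgoing transfer looks like bait."""
    comment = extract_comment(body)
    if comment is None or amount_nano <= 0:
        return []
    # Fold full-width letters and mixed case before matching.
    text = unicodedata.normalize("NFKC", comment).casefold()
    findings = []
    if INBOUND_WORDS.search(text):
        findings.append("comment promises incoming funds, but this transfer sends funds")
    match = ASSET_AMOUNT.search(text)
    if match:
        findings.append(f"comment quotes an amount ({match.group(0)}) the wallet cannot verify")
    return findings

def render_prompt(amount_nano: int, destination: str, body: bytes) -> str:
    """Confirmation text that states the real effect before the requester's note."""
    lines = [f"YOU SEND: {amount_nano / 1e9:.2f} TON to {destination}"]
    comment = extract_comment(body)
    if comment is not None:
        lines.append(f'Note from the requester (unverified): "{comment}"')
    lines += [f"WARNING: {finding}" for finding in review_outgoing_transfer(amount_nano, body)]
    return "\n".join(lines)

# Constructed sample: the bait text from the article on a 150 TON outgoing transfer.
BAIT_BODY = TEXT_COMMENT_OP + "Receive 5000 USDT".encode("utf-8")
if __name__ == "__main__":
    print(render_prompt(150_000_000_000, "<constructed destination>", BAIT_BODY))
```

The prompt puts the amount leaving the wallet on the first line and labels the comment as unverified requester text, so the bait string cannot pass for the transaction's effect.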
"As TON becomes more popular, phishing scams are on the rise," Scam Sniffer warned in a tweet in May, adding that TON-related phishing sites had surged in the past month.
The magazine even found that TON scammers were selling scripts on Telegram for as little as $300.
What are Wallet Drainers and how do they affect TON?
Wallet drainers are tools sold by developers to help malicious actors steal cryptocurrency, often luring investors through phishing links that lead to the theft of their assets.
For example, a user posting on X about being stuck on a transaction on Coinbase will typically see dozens of replies from fake Coinbase support personnel offering help, ultimately guiding the user to a fake website that tricks them into handing over control of their wallet to the scammer. Similarly, posts about revoking old token authorizations (a good idea to avoid being exploited) may also draw replies from scammers.
According to Scam Sniffer's report, in May, victims lost $42 million in phishing scams, with nearly 80% of the victims coming from Ethereum. This is an increase from $38.6 million in April but down from $75 million in March.
Many scammers are looking for new opportunities as business on chains like Ethereum becomes increasingly difficult, with security tools able to sniff out malicious links and requests with high precision.
Blockaid is one of the biggest threats to the scam industry. It integrates with wallets like MetaMask and Coinbase, simulating transactions and filtering suspicious ones.
When a threat is detected, Blockaid displays a stop sign in the wallet, warning users of potential losses (some investors choose to continue despite multiple warnings).
"Blockaid bypass" has become a feature promoted by surviving scammers, although not all of them are effective.
Over the past year, Blockaid's wallet integration has played a key role in shutting down scam operations, with Violet Drainer being the latest example to directly cite Blockaid as the reason for closure.
Violet Drainer announced its shutdown in April 2024, citing a decline in scam success rates due to Blockaid's security tools.
A former operator of the Violet Drainer Telegram channel told the magazine: "Many scammers are shutting down due to low hit rates; overall, scamming is becoming increasingly difficult." They claimed the Telegram channel was sold for $7,000 and is now operated by "new management."
"He (the new manager) is also scamming, but using a private scammer that claims to have full Blockaid bypass capabilities," they said.
Private scammers operate in closed communities. In some cases, use of the scam service requires approval from group members.
The Violet Drainer operator added that scammers are turning to "a new token," which "can now be scammed."
"In my opinion, it's better than scams on SOL and ETH," the operator said.
When asked which cryptocurrency scammers are turning to, the operator declined to comment, as it would "cause trouble for the community."
However, drainer operators in several Telegram communities pointed out that TON and the Bitcoin network are major candidates for becoming new scam hotspots.
Niv from Blockaid told the magazine that scammers are very fond of TON.
Scams from EVM to TVM
The increasing difficulty of scamming on Ethereum and Ethereum Virtual Machine-compatible blockchains makes the rising popularity of TON attractive. The user base of this blockchain has exploded, driven by viral mini-apps typically tied to promises of future airdrops.
According to Token Terminal, as of June 14, the network's monthly active users reached a record 5.7 million, up from just 228,000 at the beginning of the year.
But moving to TON is not a simple migration, because TON is not an EVM-based blockchain. Wallet drainer developers have already begun offering multi-chain products for EVM chains (like Ethereum, Binance's BNB chain, or Avalanche).
For non-EVM chains like TON, developers must deploy new scam products.
This does not mean that TON has new security vulnerabilities, but rather that advanced security tools and scam detectors have not yet been integrated into the network's wallets.
The privacy-protecting nature of Telegram (encrypted messages, but not end-to-end encrypted) attracts users who feel mainstream messaging apps do not pay enough attention to data protection and privacy. According to founder Pavel Durov, this messaging app has 900 million users.
However, its privacy design also makes the app a hotbed for illegal activities, with some calling it the new "dark web."
Blockaid states that it is developing security measures for various blockchains, including TON, but is reluctant to share details that malicious actors could use to get ahead of it.
"Due to this cat-and-mouse game, everything we publicly display is immediately used by scammers to try to evade us," Niv said.
The Rise of TON
The rise of TON coincides with the popularity of Telegram games, which have recently driven the number of daily active addresses on the network to exceed that of Ethereum (excluding its layer two users).
Notcoin is a viral Telegram game that rewards users for clicking on the screen, reportedly gaining 35 million users. Hamster Kombat, a successor built on the same product model, claims to have over 150 million cumulative users.
Where there are large numbers of users and rich cryptocurrency profits, there will be scammers and thieves.
The TON network, integrated with privacy-focused Telegram, creates an environment that is more convenient for scammers.
In recent years, Telegram has emerged as an alternative to the dark web, with cybercriminals migrating en masse from traditional dark web platforms to this messaging app.
A social engineering Telegram channel monitored by the magazine, with over 5,500 members, shows cryptocurrency criminals buying and selling services from each other, such as SIM swapping and trading KYC-verified cryptocurrency accounts.
Typically, disputes arise after scammers are scammed by another channel member. Scamming is one of the frequently offered services in these Telegram channels.
The magazine found an independent Telegram channel selling a TON scam script.
The product is marketed as a wallet scam script that currently works only with Tonkeeper wallets, as it is still an early version.
At the time of writing, the script supports only two tokens, Toncoin and Jetton (TON's fungible token). The complete source code is priced at $1,000, while the lightweight version is priced at $300.
Many new users of the TON blockchain who hope to receive airdrops through various Telegram mini-apps are not cryptocurrency natives, and they will encounter wallets and seed phrases for the first time through this viral experience.
Unfortunately for them (but fortunately for scammers), Blockaid does not yet support TON wallets. However, it does scan and detect malicious code in all DApps, including those on TON.
Until the corresponding security tools emerge on this relatively new network, newcomers unfamiliar with the threats posed by drainers may have to learn through painful lessons.
"We started with Ethereum—where we blocked them. They moved to Solana—where we blocked them. Now they are moving to TON. After that, they will move to the next chain," Niv said.
Will Drainers Target Bitcoin?
According to Cos, founder of security company SlowMist, Ethereum assets, particularly ERC-20 tokens, are the most stolen assets in the world, but even so, stealing them has its limitations.
This is because only one ERC-20 asset can be consumed in a single transaction, such as USDT or USDC. The only exception is when approval is granted to platform contracts (like OpenSea Seaport or Uniswap Permit2), allowing multiple tokens to be consumed simultaneously.
In a tweet released in June 2023, Cos detailed a Bitcoin-related theft incident. "The first Bitcoin theft incident observed by the security community." (Cos)
In the Bitcoin system, transactions use the UTXO model, where each transaction can contain multiple inputs (unspent outputs from previous transactions) and multiple outputs (new UTXOs).
Cos explained: "Since all Bitcoin-based assets (including native Bitcoin) exist in UTXO form, if a user is stolen from, all Bitcoin assets could potentially be stolen in a single transaction."
This means that if an attacker controls a user's wallet, they can create a transaction that consolidates all UTXOs belonging to the user, potentially stealing all Bitcoin-based assets, including BRC-20s, Ordinals, Runes, and even Bitcoin, in a single transaction.
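The single-transaction sweep Cos describes, seen from the wallet's side, as an added example that is not from the article or from SlowMist: before signing, compare the proposed transaction's inputs and outputs against the wallet's own UTXO set. The `Utxo` asset tags, the function name and the sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Utxo:
    outpoint: str  # "txid:vout"
    sats: int
    asset: str     # "btc", "ordinal", "brc-20" or "rune"; tag from a hypothetical wallet index

def assess_spend(wallet_utxos, own_addresses, tx_inputs, tx_outputs):
    """Summarise what one proposed transaction takes out of the wallet.

    tx_inputs is a list of outpoints, tx_outputs a list of (address, sats).
    Inputs that are not ours (a counterparty's, say) are ignored.
    """
    owned = {u.outpoint: u for u in wallet_utxos}
    spent = [owned[op] for op in dict.fromkeys(tx_inputs) if op in owned]
    spent_sats = sum(u.sats for u in spent)
    returned = sum(sats for addr, sats in tx_outputs if addr in own_addresses)
    kinds = sorted({u.asset for u in spent})
    report = {
        "utxos_spent": len(spent),
        "utxos_total": len(owned),
        "asset_kinds_spent": kinds,
        "sats_leaving": max(spent_sats - returned, 0),  # includes the fee
        "sweep": bool(owned) and len(spent) == len(owned) and returned == 0,
        "warnings": [],
    }
    if report["sweep"]:
        report["warnings"].append("spends every UTXO in the wallet and returns nothing to it")
    extra = [k for k in kinds if k != "btc"]
    if extra and returned == 0:
        report["warnings"].append("inputs carry " + ", ".join(extra) + " with no output back to the wallet")
    return report

# Constructed wallet and transactions; outpoints and addresses are placeholders.
WALLET = [Utxo("aa:0", 120_000, "btc"), Utxo("bb:0", 546, "ordinal"),
          Utxo("cc:1", 546, "brc-20"), Utxo("dd:0", 546, "rune")]
OWN = {"own-address-1"}
DRAIN_TX = (["aa:0", "bb:0", "cc:1", "dd:0"], [("unknown-address", 119_638)])
PAYMENT_TX = (["aa:0"], [("shop-address", 30_000), ("own-address-1", 88_000)])

if __name__ == "__main__":
    for name, (ins, outs) in (("drain", DRAIN_TX), ("payment", PAYMENT_TX)):
        print(name, assess_spend(WALLET, OWN, ins, outs))
```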
Blockchain forensics company Chainalysis reported in May that it discovered the first Bitcoin drainer, disguised as the website of Magic Eden, a non-fungible token marketplace supporting Bitcoin Ordinals trading.
Chainalysis stated that as of April 2024, this drainer had stolen approximately $500,000 through over 1,000 transactions.
However, Cos noted that an earlier incident indicated that Bitcoin drainers have existed for more than a year.
In June 2023, a social media user reported a scam disguised as a BRC-20 project, promoted alongside a suspicious phishing link.
The rise of TON has opened a new field for thieves, extending their operating lifespan as Ethereum theft operations become more difficult.
Some of the most successful thieves have chosen to retire, such as Pink Drainer, who opted out after plundering $85 million. Inferno Drainer closed down at the end of 2023 after stealing $70 million but became active again in May.
The explosive growth of new cryptocurrency users on TON and the privacy features of Telegram provide new opportunities and new victim pools for malicious actors. The lack of reliable security tools (like Blockaid) on the TON network currently exacerbates these users' vulnerabilities.
As Niv describes, it is an ongoing "cat-and-mouse game," where security companies and cybercriminals outsmart each other.
Once security measures are established on the TON network, new threats will emerge, just as the rare incidents recently observed on Bitcoin show that the UTXO model gives wrongdoers an efficient way to steal.
Operators of Violet Drainer refer to this phase of private, multi-blockchain theft and threats as the "new era of theft."
But Blockaid claims that they are one step ahead of the thieves and are still able to identify and track theft activities, whether these activities are conducted openly or privately.