The Rise of Scams in the TON Ecosystem
Telegram has long been known for its commitment to privacy and user anonymity, which has made it a popular platform for a wide variety of communities. However, this same openness has also attracted individuals with malicious intentions. With the growth of Pavel Durov’s broader ecosystem, particularly with the introduction of TON (The Open Network) and its technical advancements, new opportunities have arisen for cybercriminals to exploit. The ability to create mini-apps has unfortunately opened the door for more sophisticated scam activities. According to Match Systems, a leader in cryptocurrency security, these developments have accelerated the spread of fraudulent schemes in ways few anticipated. Malicious actors are increasingly taking advantage of TON’s open and decentralized structure, resulting in large-scale theft of assets and a significant challenge to user trust within the ecosystem. What was once seen as a platform for innovation is now contending with a growing wave of cyber threats. This analysis will explore the security risks associated with TON and highlight potential vulnerabilities in its expanding ecosystem.
Growing Fraud Trends in TON: The Numbers Speak
In recent years, the growth of criminal activity in the TON blockchain has raised serious concerns. The number of registered fraud cases and illegal operations has been growing exponentially. In 2023, the total number of incidents increased by 60% compared to 2022, already signaling alarm for the entire crypto community. However, 2024 brought even more shocking data: in just the first six months, over 1,200 cases of fraud were reported, which is 45% higher than the same period last year.
Particularly worrying is the monthly data. For example, in March 2024, the number of crimes in TON increased by 25% compared to February, and in June, a 30% rise was recorded, linked to the growing popularity of mini-apps on the platform. Analysts estimate that by the end of 2024, the amount of funds stolen through fraud schemes in TON could exceed $100 million, setting a new record for the ecosystem.
One of the most common types of fraud remains fake airdrops and phishing websites, which have already resulted in over $10 million being stolen since the beginning of 2024. Additionally, new money-laundering technologies through decentralized exchanges and mixers allow criminals to almost completely hide their tracks, complicating investigations and the recovery of stolen assets.
Statistics also show that the number of fraudulent schemes in the TON blockchain is growing exponentially, with at least 5 victims of fraud for every 100 new users.
This indicates a pressing need for enhanced security measures and oversight in the ecosystem, which is becoming increasingly attractive to criminals.
While Pavel Durov and the TON development team are actively working on improving the security of the ecosystem, the challenge lies in the rapid growth of the platform. With its fast-growing popularity, the development of security mechanisms hasn’t been able to keep up with the expansion of its ecosystem. However, as the TON ecosystem continues to mature, it will most likely transform into a highly secure and technically advanced blockchain.
One critical issue is that many blockchain analytics platforms do not yet support TON, making it extremely difficult to track stolen assets within the ecosystem. This lack of support has left a significant gap in fraud detection, meaning that once assets are stolen within TON, they are nearly impossible to trace, further complicating recovery efforts.
Scam Schemes in TON: A New Era of Deception
In recent years, the TON ecosystem has seen a significant migration of fraudulent schemes from the Ethereum blockchain. As Ethereum continues to strengthen its security measures, with more robust wallet protections and anti-fraud tools, it is becoming increasingly difficult for scammers to operate effectively. In 2024, platforms like MetaMask and Coinbase integrated advanced security tools such as transaction simulations and warnings for suspicious activities, forcing scammers to look for more vulnerable ecosystems.
As a result, TON, with its open-source and decentralized nature, has become a prime target for these migrating scams. TON's relatively young infrastructure and lack of widespread adoption of advanced security protocols make it attractive to fraudsters. Vulnerabilities in mini-apps, wallet systems, and smart contracts create opportunities for malicious actors. Additionally, the close integration with Telegram, which is known for its privacy features, further fuels the migration of scams. As stated by industry experts, TON "invites" scammers by offering a less secure environment compared to Ethereum.
For example, wallet drainers that once targeted Ethereum are now frequently being used in the TON ecosystem. These malicious scripts exploit the weaker security measures, allowing scammers to drain users' wallets. Drainer attacks that were blocked in Ethereum due to stronger protection are finding new life in TON, where they have resulted in significant financial losses.
The possible scam schemes in the TON ecosystem are structured below. Structuring scams this way makes it clearer how fraudsters manipulate both users and the technical aspects of the TON blockchain to steal assets. Each category highlights different levels of deception and exploitation, ranging from social manipulation to highly technical automated attacks.
1. User-Deceptive Tactics (Social Engineering)
Scams in this category primarily rely on misleading or deceiving users into willingly surrendering their assets or sensitive information. These tactics focus on exploiting human psychology, trust, and lack of technical knowledge.
- Fake Airdrops: Users are lured by promises of free tokens, often spread through Telegram groups. Victims are directed to malicious websites where they are tricked into sharing their private keys or seed phrases (connecting the wallet to a malicious website), resulting in stolen funds. In 2024, fake airdrops have led to the theft of over $10 million.
- Social Media Impersonation and Pyramid Schemes: Fraudsters impersonate trusted figures or create pyramid schemes that promise high returns on investments in Toncoin. These scams spread rapidly in Telegram, leading to substantial losses. An example is the pyramid scheme that gained traction in 2024.
- Phishing Attacks via Telegram: Scammers use phishing links or bots in Telegram groups to spread malware or steal assets from users' TON wallets. These phishing scams have surged in 2024, primarily targeting wallets like Tonkeeper.
2. Infrastructure-Targeted Scams (Exploiting Ecosystem Vulnerabilities)
This category focuses on fraud that exploits weaknesses in the TON ecosystem’s infrastructure, such as apps, wallets, and smart contracts.
- Fake Mini-Apps: Fraudulent mini-apps, such as fake versions of popular games like Hamster Kombat, are designed with vulnerabilities or malicious code that enable scammers to access users’ wallets. In 2024, mini-app fraud increased by 30%.
- Phishing Websites: Fake websites mimic legitimate TON projects or exchanges. Users are directed to these sites, which look authentic, and are tricked into entering sensitive information, allowing scammers to steal their funds.
- NFT and Jetton Token Scams: Fraudsters create fake NFT collections or counterfeit Jetton tokens, luring users into fraudulent transactions on decentralized marketplaces. Hundreds of thousands of dollars have been lost through these schemes.
3. Automated Exploitative Schemes (Technical Execution)
These scams combine both technical and user deception, automating the theft process once the victim interacts with a compromised app or platform.
- Wallet Drainers: Wallet drainers are malicious scripts that can empty a user’s wallet after gaining permission, often through misleading transaction requests. These drainers are sold in underground markets on Telegram for as little as $300, and one such attack in 2024 resulted in the theft of 22,000 TON (approximately $152,000).
- Money Laundering via Decentralized Exchanges and Mixers: After stealing funds, scammers use decentralized exchanges and crypto mixers to launder stolen assets, making it difficult to track or recover the stolen money. The use of such laundering techniques in TON has seen a sharp rise in 2024.
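The wallet-side counterpart to the drainer scheme above is the kind of pre-sign warning the article credits Ethereum wallets with. The following is an added example, not code from Match Systems or any wallet project: it screens a request shaped like TON Connect's `sendTransaction` (`messages` with `address`, `amount` in nanotons, optional `payload`). The function name, the 80% threshold, the address lists and the sample data are constructed assumptions.

```javascript
// Added example: pre-sign screening of a TON Connect-style transaction request.
// Thresholds, address lists and sample values are illustrative assumptions.
const NANO = 1000000000n; // 1 TON = 10^9 nanotons

function screenRequest(request, wallet, opts = {}) {
  const maxSharePct = opts.maxSharePct ?? 80n; // warn at or above this share of balance
  const flagged = opts.flagged ?? new Set();    // addresses reported as fraudulent
  const known = opts.known ?? new Set();        // recipients this wallet has paid before
  const warnings = [];
  let total = 0n;
  let block = false;

  for (const [i, msg] of (request.messages ?? []).entries()) {
    let amount;
    try { amount = BigInt(msg.amount); } catch { amount = -1n; }
    if (amount < 0n) {
      warnings.push(`message ${i}: amount is not a valid nanoton value`);
      block = true;
      continue;
    }
    total += amount;
    if (flagged.has(msg.address)) {
      warnings.push(`message ${i}: recipient is on the flagged-address list`);
      block = true;
    } else if (!known.has(msg.address)) {
      warnings.push(`message ${i}: recipient has never been paid by this wallet`);
    }
    // An opaque payload can carry a token or NFT transfer the TON amount does not show.
    if (msg.payload) warnings.push(`message ${i}: payload must be decoded and shown before signing`);
  }

  if (wallet.balanceNano > 0n && total * 100n >= wallet.balanceNano * maxSharePct) {
    warnings.push(`request moves ${(total * 100n) / wallet.balanceNano}% of the wallet balance`);
  }
  const verdict = block ? "block" : warnings.length ? "warn" : "allow";
  return { verdict, totalNano: total, warnings };
}

// Constructed sample: a "claim airdrop" prompt that actually sends 49.5 of 50 TON.
const sampleWallet = { balanceNano: 50n * NANO };
const sampleOpts = {
  known: new Set(["EQ_CONSTRUCTED_KNOWN_EXCHANGE"]),
  flagged: new Set(["EQ_CONSTRUCTED_FLAGGED"]),
};
const sampleRequest = {
  valid_until: 1735689600,
  messages: [{ address: "EQ_CONSTRUCTED_UNKNOWN", amount: "49500000000", payload: "BASE64_BOC_PLACEHOLDER" }],
};

console.log(screenRequest(sampleRequest, sampleWallet, sampleOpts));
```

A real wallet would decode the payload and simulate the transaction rather than only flag its presence; this heuristic covers the cases visible without chain access.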
Popular Tools Used by Hackers to Build Infrastructure for Illegal Activity in the TON Ecosystem
In the TON ecosystem, hackers use a classic variety of services to build and maintain infrastructure for illegal activities. These services span several key areas, including domain registration, SEO manipulation, traffic generation tools, VPNs, and proxy networks. The infographic below presents a detailed breakdown of the types of services typically used.
1. Domain Registrars
Examples of services used:
- Namecheap: Known for allowing anonymous domain registration, it is a go-to for hackers setting up phishing websites. Its lax verification process is a key advantage for scammers.
- Freenom: Offers free domain registration, making it highly attractive for quick and disposable domains. Freenom allows hackers to change domains frequently to avoid detection.
- GoDaddy: While more regulated, GoDaddy is still used by cybercriminals because of its global reach and ease of purchasing domains quickly.
2. SEO Manipulation Services
Examples of services used:
- Black Hat SEO Agencies: Agencies that specialize in unethical practices, including SEMalt and SEOClerks, where services like backlink spamming and cloaking are offered to manipulate search engine rankings and increase the visibility of scam websites.
- Traffic Bots:
  - HitLeap: A service that generates artificial traffic to make a website appear legitimate by increasing the number of visitors. It is frequently used to boost the ranking of fraudulent TON sites in search engines.
  - 9hits: Another common traffic generation tool that simulates website hits, tricking search engines and social platforms into recognizing scam websites as popular.
3. VPN and Proxy Networks
Examples of services used:
- NordVPN: Highly popular among hackers for its strict no-log policy and advanced encryption, making it difficult for law enforcement to trace their activities.
- ProtonVPN: Favored for its double encryption features and high level of privacy, ProtonVPN allows scammers to mask their IP addresses and avoid detection.
- ExpressVPN: Widely used by cybercriminals due to its speed and privacy-focused features, it offers a reliable way to operate across multiple jurisdictions.
- Bulletproof VPNs: VPN providers operating from jurisdictions such as Russia or the Netherlands often market themselves as "bulletproof," refusing to cooperate with law enforcement and allowing illegal activities to thrive on their servers.
4. Hosting Services
Examples of services used:
- Bulletproof Hosting Providers: Companies like FlokiNET (based in Iceland and Romania) and Offshore Servers provide bulletproof hosting, where they allow for the hosting of illegal websites, including phishing and malware sites, without taking them down upon complaints.
- DDoS-Guard: A popular service among hackers for protecting their infrastructure from takedown attempts. DDoS-Guard helps ensure scam websites stay online even when under attack from legitimate cybersecurity teams or competitors.
5. Automation Tools and Bots
Examples of services used:
- Phishing Kits: These kits can be purchased on dark web markets or from Telegram channels and include templates and pre-configured code for setting up phishing websites. A popular service for this is PhishX, which provides a wide array of pre-made phishing templates for targeting TON users.
- Wallet Drainer Scripts: Specific to TON, these scripts are often sold for $300-$1,000 on underground Telegram groups. One notable example is the Tonkeeper Wallet Drainer, which targets users of the Tonkeeper wallet by tricking them into approving malicious transactions.
6. Communication and Collaboration Platforms
- Telegram: The most widely used platform for organizing cybercrime within the TON ecosystem. Scammers create private channels to sell phishing kits, malware, and wallet drainers. Hackers communicate anonymously, exchange information, and sell tools necessary for their operations.
- Dark Web Markets: Websites like Silk Road 3.1 and Empire Market serve as hubs for trading stolen data, malware, phishing kits, and drainer scripts. These dark web forums also allow criminals to buy infrastructure services like bulletproof hosting or access to botnets.
7. Traffic Manipulation and Fraudulent Ads
- AdFly: A URL shortening service that hackers use to drive traffic to malicious websites. AdFly shortens URLs that redirect users to scam websites, making them less suspicious.
- PopAds: A platform known for delivering pop-under ads, often used to display phishing content or fake ads that lure users into clicking and interacting with scam websites.
Tools for Laundering Funds in the TON Ecosystem
Once hackers steal funds from victims, they often need to launder the stolen cryptocurrency to conceal its origin and make it usable without drawing attention. The laundering process typically involves several methods and platforms. In this process, hackers employ all available methods of laundering stolen funds, which are commonly used in any crypto scams. These range from mixers to privacy coins.
Checklist for Avoiding Falling Victim to Scammers
To protect yourself from scams in the TON ecosystem, Match Systems has prepared a simple checklist for you. By following these steps, you can significantly reduce the risk of becoming a victim of fraud in the TON ecosystem. These straightforward steps might save your money. Just follow them, and you'll stay safe.
If you’ve become a victim of fraud in the TON ecosystem, it’s crucial not to delay and seek professional help as soon as possible. Experience shows that the quicker you reach out to specialists, the higher your chances of recovering stolen funds.
Match Systems has developed a simple tool for this purpose — the Telegram bot Report on Crypto Incident. With just a few clicks, you can report your situation. At the very least, the stolen funds will be swiftly marked in the blockchain as stolen, making it significantly harder for scammers to move them around. This process increases your chances of recovering the stolen assets.
Conclusion
Match Systems also contributes to strengthening the security of the growing TON ecosystem. By integrating TON into its blockchain analyzer, the company enables detailed transaction tracking and identification of suspicious patterns, providing valuable support to law enforcement and financial institutions. In addition, Match Systems marks and shares fraudulent addresses with the community, helping users avoid dangerous interactions, while also offering real-time alerts on suspicious activities. Moreover, the advanced AML solutions, which include both automated and manual checks, further enhance the network’s ability to monitor and block illicit transactions.
Together, these efforts contribute to creating a safer and more secure environment for all participants in the TON blockchain ecosystem.
NB! The information provided in this article is for informational and familiarization purposes only, and the data should not be used for illegal purposes and should not be used as an inducement to act.
Andrei Kutin
CEO of Match Systems