Original title: TON ecosystem scams on the rise: How to stay safe

Original author: HELEN PARTZ

Original source: cointelegraph

Compiled by: Mars Finance, Eason

Because the TON blockchain is open source and permissionless, individual users and projects must be careful to ensure their own security.

The Telegram-integrated blockchain platform The Open Network (TON) has experienced record-breaking growth in 2024. The number of activated wallets on the chain surged from around 1 million in January to more than 9 million in June.

However, the influx of new TON users did not go unnoticed by scammers. In June 2024, blockchain security firm SlowMist warned of the increasing number of phishing attacks facing the TON ecosystem.

The TON Foundation’s ambitious goal of attracting 500 million users by 2028 raises the question of how to properly protect users from a variety of possible attacks without hindering rapid adoption.

Cointelegraph reached out to multiple executives and companies, including the TON Foundation, to better understand the nature of risk in the TON ecosystem and identify steps to protect the security of user assets.

Hacken executive says Telegram is not responsible for the security of mini-apps

When identifying risks in the TON ecosystem, people should be aware that Telegram is not responsible for the security of TON-linked mini-apps.

The number of mini-apps on Telegram, such as Notcoin or Hamster Kombat, has increased significantly in the past few months. However, Stepan Chekhovskoi, lead smart contract auditor at cybersecurity firm Hacken, told Cointelegraph that not all of these applications follow best security practices to ensure the safety of user funds.

“It’s worth mentioning that this is not Telegram’s fault,” Chekhovskoi stressed, adding that the safety of mini-app users depends on the founders and project teams. He added:

“However, Telegram must take care of the security of the platform itself and ensure that its features enable users to seamlessly protect their accounts; it has little to do with the security of applets developed by third parties.”

A spokesperson for the TON Foundation confirmed that users and projects bear full responsibility for security, saying:

“Because the TON blockchain is open source and permissionless, individual users and projects must take care to ensure their own security when conducting activities on the network.”

TON Foundation “Impressed” by Security Measures of Some Apps

The TON Foundation strongly encourages mini-apps on Telegram to take security measures.

“We are impressed by the actions many projects have taken to protect their users,” a representative from the TON Foundation told Cointelegraph.

For example, one of the most popular TON-based wallets, Tonkeeper, allows users to mark whether the non-fungible tokens (NFTs) they receive are legitimate.

The spokesperson also stressed the importance of an active and engaged community as one of the best safeguards against bad actors. The representative added:

“Users should always be cautious when conducting on-chain transactions. Remember that any on-chain transaction is irreversible. We strongly advise users not to click on suspicious links and to carefully check every detail before signing any on-chain transaction.”

Self-hosted and hosted mini-apps on Telegram

Hacken's Chekhovskoi said that from a security perspective, Telegram Mini Apps are "no different" from apps built on other platforms. People should therefore apply the same network and cryptographic security measures to these apps.

According to Chekhovskoi, Telegram mini-apps manage user private keys in one of two ways, which he compared to custodial and non-custodial cryptocurrency wallets.

“Most Telegram Mini apps are hosted, so like any other custodial wallet provider, they must properly identify their users using additional passwords, 2FA [two-factor authentication] mechanisms, etc.,” the expert said.

For self-hosted applications, which keep the private key on the user's device, users must check that the key storage is strongly encrypted. “If the application does not require an eight-character password (including numbers and special symbols), or at least a fingerprint, it means that the private key is not securely encrypted,” Chekhovskoi pointed out.
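The following is an added illustration, not code from Tonkeeper, Hacken or any TON project, of what the "securely encrypted" bar above means in practice for a self-hosted wallet: the key file is only as strong as the password the app forces the user to choose, so the app must both enforce a policy (the eight-character, digit-plus-symbol minimum Chekhovskoi describes) and stretch the password with a memory-hard KDF before using it. The scheme uses only the Python standard library; the scrypt parameters, the 16-byte salt and nonce, and the 32-byte sample key are assumptions chosen for the example. To stay dependency-free, the cipher is an encrypt-then-MAC construction built from HMAC-SHA256 (HMAC in counter mode as the keystream, a second HMAC as the authenticator); a production wallet would use AES-GCM or ChaCha20-Poly1305 for that part, and the KDF step is what matters for the point being made.

```python
"""Password-based encryption of a wallet private key at rest (illustration).

Not code from any TON wallet or from Hacken. Parameters (scrypt cost,
16-byte salt/nonce, 32-byte sample key) are assumptions for this example.
"""
import hashlib
import hmac
import os
import string

SALT_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32
# scrypt cost: n=2**14, r=8, p=1 uses 16 MiB per guess, a common
# interactive-login setting. An attacker who steals the key file pays
# this cost for every password candidate.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def password_meets_policy(password: str) -> bool:
    """The minimum bar quoted in the article: at least 8 characters,
    including a digit and a special symbol. Weaker passwords make an
    offline guessing attack on the stolen key file cheap."""
    return (
        len(password) >= 8
        and any(c.isdigit() for c in password)
        and any(c in string.punctuation for c in password)
    )


def _derive_keys(password: str, salt: bytes) -> tuple[bytes, bytes]:
    """Stretch the password into a 32-byte encryption key and a 32-byte
    MAC key with scrypt (memory-hard, standard library)."""
    dk = hashlib.scrypt(
        password.encode("utf-8"), salt=salt,
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P,
        maxmem=64 * 1024 * 1024, dklen=64,
    )
    return dk[:32], dk[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode used as a PRF keystream.
    Stand-in for a real stream cipher so the example has no dependencies."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_private_key(private_key: bytes, password: str) -> bytes:
    """Return salt || nonce || ciphertext || tag. Refuses weak passwords,
    which is the check the article says a self-hosted app must perform."""
    if not password_meets_policy(password):
        raise ValueError("password does not meet the wallet policy")
    salt = os.urandom(SALT_LEN)
    nonce = os.urandom(NONCE_LEN)
    enc_key, mac_key = _derive_keys(password, salt)
    stream = _keystream(enc_key, nonce, len(private_key))
    ciphertext = bytes(a ^ b for a, b in zip(private_key, stream))
    # Encrypt-then-MAC over everything the decryptor will trust.
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def decrypt_private_key(blob: bytes, password: str) -> bytes:
    """Verify the tag in constant time before decrypting; a wrong password
    or a tampered file is rejected here rather than yielding garbage."""
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        raise ValueError("key file too short")
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext = blob[SALT_LEN + NONCE_LEN:-TAG_LEN]
    tag = blob[-TAG_LEN:]
    enc_key, mac_key = _derive_keys(password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong password or tampered key file")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(a ^ b for a, b in zip(ciphertext, stream))


if __name__ == "__main__":
    sample_key = bytes(range(32))          # constructed sample, not a real key
    blob = encrypt_private_key(sample_key, "correct-h0rse!")
    assert decrypt_private_key(blob, "correct-h0rse!") == sample_key
    try:
        decrypt_private_key(blob, "correct-h0rse?")
    except ValueError as exc:
        print("wrong password rejected:", exc)
    try:
        encrypt_private_key(sample_key, "12345678")
    except ValueError as exc:
        print("weak password rejected:", exc)
```

The policy check is deliberately the first thing `encrypt_private_key` does: an app that silently accepts "12345678" and encrypts with it has, in Chekhovskoi's words, not securely encrypted the key at all, because the scrypt cost buys nothing against a keyspace of a few million guesses.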


Users should also be aware of the risk posed by automatic login on their devices. If automatic login is enabled, then by default anyone with access to the device can open the user's mini-apps.

Non-technical threats in the TON ecosystem

The decentralized nature and ease of use of the TON ecosystem will naturally attract scammers, and Hacken said there is “no silver bullet to protect users.”

To avoid non-technical scams on TON, individuals should exercise caution when interacting with unofficial applications and applications launched by lesser-known developers.

Steve Milton, co-founder and CEO of crypto wallet Fintopio, said one way to avoid potential phishing attacks is to check whether the mini-app has a verification badge.

Telegram provides verification for public figures and organizations so that users can easily identify official sources. The Telegram team usually verifies bots as well as official channels or public groups.

“Projects like Fintopio that have gone through a rigorous process have demonstrated a commitment to transparency and reliability,” Milton said.

Hacken’s Chekhovskoi also warned against get-rich-quick scams on Telegram, stressing that free cheese can only be found in mousetraps. He said:

“Always be skeptical of free money. If you take a dubious opportunity, it’s better not to risk losing your main crypto wallet and create a new account just for it.”

For more tips on staying safe on TON and Telegram, users can also follow this guidance from the TON Foundation.