ton-adoption

Originally published at ton-adoption.xyz

Anatomy of phishing: how to spot a fake TON wallet site

Half of all TON losses in 2025 start with a click on a fake link. SlowMist’s annual report calls phishing the most active attack vector against the ecosystem — attackers mass-clone the Tonkeeper, MyTonWallet, STON.fi, Fragment and Getgems sites. This breakdown is the full anatomy of a typical fake site — what attackers copy, what they cannot copy, and how to tell the real thing from the clone in 30 seconds. Without this skill any wallet is exposed, however technically advanced it is.

Phishing site lifecycle

To know what to look at, it helps to know how a clone site is born and dies.

  1. Day 0 — domain registration. Attacker buys a visually similar domain. Cost — $1–15. WHOIS privacy on from the start.
  2. Day 0–1 — cloning. A wget or httrack script grabs the original site HTML/CSS/JS. Only the backend endpoint that receives form submissions or signatures changes.
  3. Day 1 — certificate. Let’s Encrypt issues a free SSL on DNS validation. Green padlock appears.
  4. Day 1–2 — promotion. Ads in Telegram channels, DMs from Telegram accounts, mentions in fake support bots. Often a fake post in a “verified” channel via a compromised admin.
  5. Day 2–4 — harvest. 80% of funds arrive in the first 24–48 hours.
  6. Day 3–7 — ban. Telegram, anti-phishing services and original-site owners file reports. Site banned, domain disposed of.
  7. Day 8 — restart. New domain on the same template.

Takeaway: a domain lives about a week. If you are on a URL you did not see yesterday and it is not in your bookmarks, treat it as potential phishing.

What separates the clone from the original

Attackers copy the visuals near-perfectly, but there are structural limits. Use them.

What attackers copy precisely

  • HTML, CSS, images — automated.
  • Fonts, icons, colours, the home-page text.
  • Buttons, forms, mobile layout.
  • Sometimes — even videos and animations.

What attackers cannot copy

  • Domain name. The original tonkeeper.com is taken; the attacker has to use tonkeeper.io, tonkeeper-app.com, tonkeeper-wallet.online or a homoglyph — tonkeepеr.com (Cyrillic ‘е’ instead of Latin ‘e’).
  • Domain history. The original is registered 5+ years ago, the fake — this week. Visible via WHOIS or services like whois.com.
  • OV certificate. Many TON projects use DV (Domain Validation) certificates, but the big ones use OV (Organisation Validation). Fakes always use DV from Let’s Encrypt.
  • Internal links. Some links on a cloned site still point to the original domain or to 404 — cloning is imperfect.

7 fake-site markers

A systematic checklist. Any one trigger is enough to close the tab.

1. Domain does not match the official one

Compare the address bar with what the project’s official Telegram channel pins (@tonkeeper, @mytonwallet). Watch the small things:

  • Extra hyphen: ton-keeper.com vs tonkeeper.com.
  • Letter substitution: mytomwallet.com (m for n).
  • Cyrillic homoglyph: ton.org where letters are Cyrillic ‘т’, ‘о’.
  • Extra subdomain: secure.tonkeeper.io.app-verify.com.
  • Different TLD: .app, .online, .io, .xyz instead of expected.
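The address-bar markers in this list can be checked mechanically before you look at anything else on the page. The following Python is an added example written for this checklist, not code from TON Adoption or from any wallet project: its allowlist holds only tonkeeper.com (the one official domain the article names) and in use must be filled from the domain pinned in the project's channel; the registrable-domain split is a two-label approximation rather than a Public Suffix List lookup; and the similarity cut-off is a constructed value. It covers each marker in the list (hyphen, letter swap, Cyrillic homoglyph, brand as subdomain, wrong TLD) rather than just one.

```python
import unicodedata
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Constructed allowlist: only the official domain the article names. In use,
# fill it from the domain pinned in the project's official Telegram channel,
# never from a link somebody sent you.
OFFICIAL_DOMAINS = {"tonkeeper.com"}
SIMILARITY_THRESHOLD = 0.8  # constructed cut-off for "looks like the brand"


def hostname_of(url: str) -> str:
    """Lower-cased host from a full URL or a bare domain."""
    if "://" not in url:
        url = "https://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def registrable(host: str) -> str:
    """Approximate the registrable domain as the last two labels.

    Adequate for the TLDs in the article (.com, .io, .online); real code
    should use the Public Suffix List (co.uk-style suffixes break this)."""
    return ".".join(host.split(".")[-2:])


def letter_scripts(text: str) -> set:
    """Unicode scripts of the letters in text, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0]
            for ch in text if ch.isalpha()}


def inspect_url(url: str, allowlist=OFFICIAL_DOMAINS) -> dict:
    """Return {'host', 'verdict', 'findings'}; any finding means close the tab."""
    host = hostname_of(url)
    if host in allowlist:
        return {"host": host, "verdict": "official", "findings": []}

    findings = []
    reg = registrable(host)
    sld = reg.split(".")[0]              # second-level label, e.g. 'ton-keeper'
    subdomain_labels = host.split(".")[:-2]

    # Homoglyph marker: Cyrillic (or any non-Latin) letters in the host.
    scripts = letter_scripts(host)
    if scripts - {"LATIN"}:
        findings.append("non-Latin letters in domain: " + ", ".join(sorted(scripts)))

    for official in sorted(allowlist):
        brand = official.split(".")[0]
        # Subdomain marker: brand name nested under an unrelated domain.
        if brand in subdomain_labels:
            findings.append(f"'{brand}' is only a subdomain of {reg}")
        # TLD marker: same brand, different TLD (tonkeeper.io, tonkeeper.app).
        if sld == brand:
            findings.append(f"brand '{brand}' on unexpected TLD: {reg}")
            continue
        # Hyphen / letter-swap / added-word markers (ton-keeper, tonkeeper-wallet).
        folded = sld.replace("-", "")
        ratio = SequenceMatcher(None, folded, brand).ratio()
        if brand in folded or ratio >= SIMILARITY_THRESHOLD:
            findings.append(f"'{sld}' resembles '{brand}' (similarity {ratio:.2f})")

    return {"host": host, "verdict": "suspicious" if findings else "unknown",
            "findings": findings}


if __name__ == "__main__":
    for u in ("https://tonkeeper.com/download", "ton-keeper.com",
              "https://tonkeepеr.com",  # Cyrillic 'е'
              "https://secure.tonkeeper.io.app-verify.com",
              "tonkeeper-wallet.online", "https://example.org"):
        r = inspect_url(u)
        print(f"{r['host']:<40} {r['verdict']:<10} {r['findings']}")
```

A verdict of "unknown" is not a pass: it only means the host neither is nor resembles an allowlisted domain, so the bookmark rule still applies. Adding the other projects' pinned domains to the allowlist makes the letter-swap check catch cases such as mytomwallet.com as well.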

2. Site asks you to enter the seed phrase

An official wallet never asks for the seed phrase on a web page. Seed import happens only inside the installed app (mobile or extension). A web form with 12–24 input fields for the seed is guaranteed phishing.

3. Signing prompt has an unfamiliar address

When connecting via TON Connect, read the popup carefully — which address initiates the request (the Source field) and which jettons are listed in the transfer. If the transfer shows your main USDT balance while you are trying to “mint” one NFT — that is a drainer. Details are in the drainer sites article.

4. Too good to be true

The site promises a 5,000 TON airdrop ($25,000+) for connecting a wallet. Real TON airdrops in 2024–2025 (Notcoin, DOGS, Hamster) were distributed via Telegram bots, not via a web form on a third-party site.

5. No official contacts

The original Tonkeeper or MyTonWallet has links to verified Telegram channels, GitHub, privacy policy. On a clone these links either lead nowhere (open the same page) or lead to the original (the attacker forgot to rewrite them).

6. Urgency and pressure

“Today only”, “47 minutes left”, “your wallet will be blocked unless you verify within an hour”. Legitimate services do not work via urgency — that is a social-engineering marker.

7. Fresh SSL and private WHOIS

A step for the technically inclined. Click the padlock, then Connection is secure, then Certificate is valid. The Issued On field shows the issuance date. Issued less than 7 days ago plus issuer Let’s Encrypt — high probability of a fake. Any third-party WHOIS service shows the registration date.
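The two age checks in this marker (certificate Issued On date and WHOIS registration date) can be scripted so they are applied the same way every time. The following is an added example and not the article's or any project's code: the two certificate dictionaries, the registration dates and the "now" timestamp are constructed sample data in the shape Python's ssl.SSLSocket.getpeercert() returns; fetch_peer_cert() is the live variant and is not exercised offline; the 7-day and 30-day thresholds are the ones the article states.

```python
import socket
import ssl
from datetime import datetime, timezone

FRESH_CERT_DAYS = 7     # the article's threshold for a suspiciously fresh certificate
FRESH_DOMAIN_DAYS = 30  # the article's threshold for a suspiciously fresh domain


def fetch_peer_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Live variant: fetch the site's leaf certificate in getpeercert() form.

    Makes a network connection, so the offline sample below does not call it."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def issuer_org(cert: dict) -> str:
    """organizationName from getpeercert()'s nested issuer tuples."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return "unknown"


def cert_age_days(cert: dict, now: datetime) -> float:
    """Days since notBefore, the 'Issued On' field in the browser dialog."""
    issued = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notBefore"]),
                                    tz=timezone.utc)
    return (now - issued).total_seconds() / 86400


def assess(cert: dict, registered_on: datetime, now: datetime) -> dict:
    """Marker 7 (fresh Let's Encrypt cert) plus domain age taken from WHOIS."""
    age = cert_age_days(cert, now)
    org = issuer_org(cert)
    domain_age = (now - registered_on).days
    findings = []
    if age < FRESH_CERT_DAYS and "Let's Encrypt" in org:
        findings.append(f"certificate issued {age:.1f} days ago by {org}")
    if domain_age < FRESH_DOMAIN_DAYS:
        findings.append(f"domain registered {domain_age} days ago")
    return {"cert_age_days": round(age, 1), "issuer": org,
            "domain_age_days": domain_age, "findings": findings}


# Constructed sample data in the shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_NOW = datetime(2025, 4, 5, tzinfo=timezone.utc)

FRESH_CERT = {  # looks like a clone registered and certified this week
    "notBefore": "Apr  2 10:00:00 2025 GMT",
    "notAfter": "Jul  1 10:00:00 2025 GMT",
    "issuer": ((("countryName", "US"),), (("organizationName", "Let's Encrypt"),),
               (("commonName", "R11"),)),
}
FRESH_REGISTERED = datetime(2025, 3, 30, tzinfo=timezone.utc)  # constructed WHOIS date

OLD_CERT = {  # looks like a long-lived original
    "notBefore": "Jan 10 08:00:00 2024 GMT",
    "notAfter": "Jan 10 08:00:00 2026 GMT",
    "issuer": ((("countryName", "US"),), (("organizationName", "DigiCert Inc"),),
               (("commonName", "DigiCert TLS RSA SHA256 2020 CA1"),)),
}
OLD_REGISTERED = datetime(2019, 1, 1, tzinfo=timezone.utc)  # constructed WHOIS date

if __name__ == "__main__":
    for label, cert, reg in (("fresh", FRESH_CERT, FRESH_REGISTERED),
                             ("old", OLD_CERT, OLD_REGISTERED)):
        print(label, assess(cert, reg, SAMPLE_NOW))
```

The registration date is passed in rather than looked up because WHOIS output has no single machine-readable format; read it from whois.com or who.is as the article suggests and feed it to assess(). A fresh Let's Encrypt certificate on its own is only a signal (legitimate sites renew every 90 days), which is why the check is paired with domain age.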


Bookmarks beat any check

The most reliable defence is to bookmark the official sites once and use them only via bookmarks. 2 minutes of work and insurance against 90% of phishing attacks.

A real 2025 case

In April 2025 there was a wave of getgems-mint.app, tonkeeper-airdrop.com, mytonwallet-claim.io sites. All three — drainer campaigns by the same Rublevka Team group, per Recorded Future. Same script:

  • Ads in big TON channels via compromised admins.
  • Landing with a countdown timer and a “free” NFT for 0.1 TON gas.
  • On wallet connection via TON Connect — a packed signing request: alongside the NFT mint a transfer of all jettons and NFTs from the address.

By our estimates and public tonscan data this series collected about $4–6M in a month before the campaign was wound down and the group switched to Solana.
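Marker 3 above and the packed signing request in this case come down to one comparison: what the prompt asks you to sign versus what you meant to do. The following Python is an added example, not code from TON Adoption, Tonkeeper or the TON Connect project. The request dictionaries follow the shape of a TON Connect SendTransaction request (a list of messages, each with an address, an amount in nanoton as a string and an optional base64 payload), but every address and payload in them is a constructed placeholder. It does not decode message bodies; it flags that a body is present on a message to a destination the user did not expect, which is how the extra jetton and NFT transfers in a packed request show up.

```python
NANOTON = 1_000_000_000  # 1 TON = 10^9 nanoton


def review_request(request: dict, intent: dict) -> list:
    """Compare a SendTransaction request with what the user meant to do.

    intent = {"wallet": own address, "recipients": {expected destinations},
              "max_total_ton": float}. Any finding means reject the prompt."""
    findings = []
    messages = request.get("messages", [])

    # Source field: the request should be for your wallet, not another address.
    if request.get("from") and request["from"] != intent["wallet"]:
        findings.append(f"request is for another source address: {request['from']}")

    # A "packed" request: more messages than the stated action needs.
    if len(messages) > len(intent["recipients"]):
        findings.append(f"{len(messages)} messages packed into one signature, "
                        f"expected at most {len(intent['recipients'])}")

    total = 0
    for msg in messages:
        total += int(msg.get("amount", "0"))  # amounts are nanoton as strings
        if msg.get("address") not in intent["recipients"]:
            # A message body (payload) is how jetton and NFT transfers are encoded.
            kind = "carries a message body" if msg.get("payload") else "plain TON transfer"
            findings.append(f"unexpected recipient {msg.get('address')} ({kind})")

    if total > intent["max_total_ton"] * NANOTON:
        findings.append(f"total {total / NANOTON} TON exceeds the expected "
                        f"{intent['max_total_ton']} TON")
    return findings


# Constructed placeholders; none of these are real addresses or payloads.
MINT_INTENT = {"wallet": "0:OWN-WALLET-PLACEHOLDER",
               "recipients": {"EQ-MINT-CONTRACT-PLACEHOLDER"},
               "max_total_ton": 0.1}

CLEAN_REQUEST = {  # what a plain mint for 0.1 TON gas would look like
    "valid_until": 1745000000,
    "from": "0:OWN-WALLET-PLACEHOLDER",
    "messages": [{"address": "EQ-MINT-CONTRACT-PLACEHOLDER", "amount": "100000000"}],
}

PACKED_REQUEST = {  # the mint plus two extra messages with bodies
    "valid_until": 1745000000,
    "from": "0:OWN-WALLET-PLACEHOLDER",
    "messages": [
        {"address": "EQ-MINT-CONTRACT-PLACEHOLDER", "amount": "100000000"},
        {"address": "EQ-OWN-JETTON-WALLET-PLACEHOLDER", "amount": "50000000",
         "payload": "BASE64-BOC-PLACEHOLDER"},
        {"address": "EQ-OWN-NFT-ITEM-PLACEHOLDER", "amount": "50000000",
         "payload": "BASE64-BOC-PLACEHOLDER"},
    ],
}

if __name__ == "__main__":
    print("clean :", review_request(CLEAN_REQUEST, MINT_INTENT))
    print("packed:", review_request(PACKED_REQUEST, MINT_INTENT))
```

The same rule applies when reading the wallet's own prompt by eye: count the messages, check every destination against the one you expected, and add up the amounts. A mint that needs one message to one contract has no reason to carry transfers to your jetton wallet or your NFT items.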

Protect your wallet with a proper setup

Tonkeeper — non-custodial wallet with Ledger protection and warnings on suspicious TON Connect requests.

30-second verification algorithm

Every time you are about to connect a wallet to a site you see for the first time:

  1. Compare the domain with your bookmark. No bookmark — open the project Telegram channel and verify the domain in the pinned message.
  2. Check domain age. whois.com or who.is — under a month, be alert.
  3. Read the TON Connect prompt. Transfer addresses, listed jettons and NFTs must match the stated action.
  4. Never enter the seed on a page. Final rule, no exceptions.

Field log · Team observation, 2025

Out of 200+ links our team checked over a year via whois and urlscan.io, around 30% were fresh domains (under 14 days) with private registration. Out of those 30%, almost all were drainers or classic phishing.

— TON Adoption

Practical security setup

Minimum habits that actually work:

  • Bookmarks only. Visit wallet sites only via them. If a friend sends a link — still open the bookmark and verify the URL matches.
  • Wallet browser extension. Tonkeeper and MyTonWallet extensions inspect signing requests and warn on known-bad addresses.
  • Separate browser profile. A “crypto” profile with no extra extensions or history, separate from work and personal. Reduces cross-contamination risk.
  • Hot wallet with small balance. Connect to dApps only with a hot wallet of $50–200, never the main one. Details in the seed phrase guide.

Knowing the delivery channels is half the defence. Main 2025–2026 channels:

Telegram channel ads

The biggest channel. The attacker buys an ad post in a major TON channel ($200 to $5,000 by audience size) and embeds a drainer link. Sometimes the channel is large and legit — admins may miss the malicious link in auto-moderation, especially if the domain is not yet flagged by anti-phishing services.

Defence — never click ads in Telegram. If interested in a project, find its official channel via search or bookmarks.

DMs from “friends”

One of your contacts' accounts is compromised (via SIM-swap or phishing), and the attacker DMs their entire contact list with “look what I got”. The link goes to a drainer.

Defence — if a friend sends a crypto link without context, call them by voice or text via another channel. Almost always a hijacked account.

“Support” in public chat comments

A victim writes in a public Tonkeeper chat “my transaction is not landing, help”. Minutes later an account such as @tonkeeper_help sends a DM offering a “resolution procedure”. What follows is phishing or a drainer.

Defence — real project support never arrives as an unsolicited DM. All legitimate support channels are public, and any question is answered there in the open.

Hijacked posts in verified channels

A 100k+ subscriber channel is taken over via SIM-swap of an admin. The attacker posts an “exclusive airdrop” with a drainer link. Subscribers click because they trust the channel.

Defence — be critical of any “exclusive” offers even in verified channels. Real airdrops are announced ahead of time across multiple sources, not from a single channel.

Offline QR codes

Smaller in scale but growing. At crypto conferences, meetups and expos there are booths with QR codes saying “get 5 TON for following”. Scanning leads to a drainer site. Especially dangerous because the offline setting switches off the defensive reflexes.

Defence — no QR scanning from unknown sources, especially with free-token promises.

Victim psychology and why it works

Technical facts are half the story. The other half is why people ignore obvious warnings.

  • FOMO. “47 minutes left for the drop” bypasses any critical check.
  • Social proof. Fake comments under a post (“got 200 TON, thanks”), reviews, distributed-rewards counters. All fake, all convincing.
  • Authority. “Confirmed by TON Foundation”, Tonkeeper and MyTonWallet logos, fake verification ticks. The attacker manufactures a visual association with a trusted brand.
  • Check fatigue. By the 10th domain check of the day, attention drops. Attackers run campaigns in peak hours (evenings, weekends).
  • Bystander effect. “If it were bad, somebody would have warned by now” — but the early victims do not have time to warn.

The best antidote — a 10-second pause before any signature or seed entry. Enough for critical thinking to return.
