DEV Community

ton-adoption

Originally published at ton-adoption.xyz

TON stolen: first 30 minutes step-by-step (2026)

A theft of TON or jettons is a shock, and the first reaction is almost always wrong: panic, reinstall the wallet, delete the “hacked” app. That’s the worst thing you can do. This guide is a step-by-step plan for the first 30 minutes after discovering a theft. The goals — preserve what’s left, lock down evidence, and maximise the chance of partial recovery through an exchange. Every step has been validated on real 2024-2025 cases — no “magical recovery”, only what actually works.

What happened — three typical scenarios

Before acting, you need to know which kind of theft you’re dealing with. The next steps depend on it.

Scenario A — seed phrase leaked

Signs: assets are leaving your address but you didn’t sign anything just now. Maybe you typed the seed into a phishing site, into a “verification” bot, or it leaked through a screenshot in the cloud. The attacker imported the seed and is operating directly from their own device.

This is the worst case. The wallet is fully compromised, and any funds you send to it will leave instantly.

Scenario B — drainer signature

Signs: you connected the wallet to a dApp / mint / swap, signed something, and now the balance is empty. The address itself isn’t “hacked” — the attacker doesn’t have the seed, only a single-transaction signature.

A less severe scenario. The address itself is “clean”, but if there’s an open TON Connect session, the attacker may try again. The full anatomy is in the “drainer sites in TON” breakdown.

Scenario C — Telegram account hijacked

Signs: you can’t log into Telegram, or you notice activity coming from your name. If you had a custodial Wallet inside Telegram, the funds there are gone. Tonkeeper and MyTonWallet are not affected by a Telegram takeover (the seed is stored locally on the device), but the in-Telegram Wallet is.

This scenario also requires Telegram account recovery in parallel. See the Telegram security guide.

Step 1 (0–5 minutes): save what’s left

First — figure out which wallet is compromised, and rescue whatever the attacker hasn’t taken yet.

  1. Open the wallet on the current device, but don’t re-enter the seed and don’t tap anything beyond viewing balances.
  2. If there are still assets at the address (jettons, NFTs, TON) — they need to leave immediately.
  3. Create a new wallet on a clean device (different phone, different computer) with a fresh seed phrase. Don’t use the same device the theft happened on — there might be a trojan or an active attacker session there.
  4. Write the new seed on paper right away, do not save in the cloud.
  5. Move the remaining assets from the compromised address to the new one.

Speed is critical

In the “seed leaked” scenario, attackers often run an automated sweeper script: any incoming transaction to the victim’s address is instantly forwarded to the attacker’s. If you ever send another payment to the compromised address, it’s gone in seconds. Treat that address as permanently dead.

Step 2 (5–10 minutes): revoke TON Connect sessions

Only for Scenario B (drainer signature). If the attacker has the seed, this step is meaningless.

  1. Open Tonkeeper → Settings → Connected apps.
  2. Tap “Disconnect” on every app one by one. Don’t try to figure out which is the drainer — kill them all.
  3. Same in MyTonWallet — “Connected apps” section.
  4. After revocation the drainer site can no longer initiate a new signing request.

This closes follow-up attacks for the next hours and days. Especially important before sleeping — drainers love to launch a second wave at night, banking on absent-minded confirmation of a push notification.

Step 3 (10–15 minutes): lock down evidence

Here’s what to collect right now, while memory is fresh and access is intact.

Technical data

  • Attacker address. Open tonscan, find your wallet, look up the outgoing theft transaction. Copy the recipient (To).
  • Transaction hashes — the alphanumeric IDs in tonscan. Copy each hash that’s part of the attack.
  • Exact UTC time and date of the transactions.
  • List of stolen assets with rough USD value (use CoinGecko at the time of theft).
  • Screenshot of the tonscan page with transaction history — in case the address somehow “disappears” later.

Contextual evidence

  • Phishing or drainer site. Screenshot of the page, full URL, link to a urlscan.io or Wayback Machine snapshot.
  • Conversations with the “support agent”, “seller”, or “friend”. Screenshots, the Telegram username (including @username), message timestamps.
  • Ad / channel post that led to the scam. Screenshot, link to the post, publication date.
  • List of TON Connect sessions before you revoked them.

Why it matters

Without structured evidence, any report to law enforcement or to an exchange is paperwork. With it — there’s a chance the exchange spots a deposit from your address into its hot wallet and freezes the balance pending review.

Step 4 (15–25 minutes): trace the funds

A 5–10 minute task whose payoff is sometimes decisive for recovery.

  1. Open the attacker address on tonscan.
  2. Look at outgoing transactions — where the thief sends the funds.
  3. Often the next hop is an intermediary, then a centralised exchange. Major CEXes (Bybit, OKX, MEXC, Binance) have known public hot-wallet addresses; tonscan and tonviewer often label them.
  4. If funds reached a CEX — that’s your main shot at recovery. The exchange can freeze the remaining balance on a properly filed law-enforcement request or, sometimes, on a well-documented direct request.
  5. If funds went into a DEX (STON.fi, DeDust) or a mixer — odds are near zero. Note the last “trail” and stop tracking.
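The evidence list in Step 3 and the hop-tracing in Step 4 are the two pieces worth scripting, because a structured record is what the exchange request in Step 5 needs. The block below is an added example written for this guide, not code from the original post or from TON Adoption. It assumes transaction records shaped loosely like toncenter’s v2 `getTransactions` JSON (`transaction_id.hash`, `utime`, `out_msgs[].destination` and `value` in nanotons) and an address label map standing in for the exchange / DEX labels tonscan and tonviewer show; every address, hash and amount in it is constructed placeholder data. It goes slightly beyond the text by walking every outgoing branch breadth-first rather than a single chain of hops.

```python
"""Evidence capture and fund tracing after a TON theft (added example).

Record shape loosely mirrors toncenter v2 getTransactions output; all data below
is CONSTRUCTED placeholder data, not real chain data. Replace SAMPLE_CHAIN with
real API output and KNOWN_LABELS with a real label list to use it on a case.
"""
import json
from datetime import datetime, timezone

# Placeholder addresses (constructed, not real TON addresses).
VICTIM = "EQ_VICTIM_PLACEHOLDER"
ATTACKER = "EQ_ATTACKER_PLACEHOLDER"
HOP1 = "EQ_INTERMEDIARY_PLACEHOLDER"
CEX_HOT = "EQ_CEX_HOT_PLACEHOLDER"
DEX_POOL = "EQ_DEX_POOL_PLACEHOLDER"

# Constructed per-address transaction lists (what getTransactions would return).
SAMPLE_CHAIN = {
    VICTIM: [
        {"transaction_id": {"hash": "hash_old_payment"}, "utime": 1735000000,
         "out_msgs": [{"destination": "EQ_FRIEND_PLACEHOLDER", "value": "10000000000"}]},
        {"transaction_id": {"hash": "hash_theft_1"}, "utime": 1736164800,
         "out_msgs": [{"destination": ATTACKER, "value": "1500000000000"}]},
        {"transaction_id": {"hash": "hash_theft_2"}, "utime": 1736164830,
         "out_msgs": [{"destination": ATTACKER, "value": "250000000000"}]},
    ],
    ATTACKER: [
        {"transaction_id": {"hash": "hash_attacker_hop"}, "utime": 1736165000,
         "out_msgs": [{"destination": HOP1, "value": "1700000000000"}]},
        {"transaction_id": {"hash": "hash_attacker_dex"}, "utime": 1736165100,
         "out_msgs": [{"destination": DEX_POOL, "value": "50000000000"}]},
    ],
    HOP1: [
        {"transaction_id": {"hash": "hash_cex_deposit"}, "utime": 1736166000,
         "out_msgs": [{"destination": CEX_HOT, "value": "1699000000000"}]},
    ],
}

# Stand-in for explorer labels (constructed); a real run uses tonscan/tonviewer labels.
KNOWN_LABELS = {
    CEX_HOT: "centralised exchange hot wallet (placeholder)",
    DEX_POOL: "DEX liquidity pool (placeholder)",
}


def nano_to_ton(value):
    """Convert a nanoton string/int to TON."""
    return int(value) / 1_000_000_000


def extract_outgoing(address, txs, since_utime=0):
    """Evidence entries (hash, UTC time, recipient, amount) for every outgoing
    transfer from `address` at or after `since_utime`; older history is skipped."""
    entries = []
    for tx in txs:
        if tx["utime"] < since_utime:
            continue
        for msg in tx.get("out_msgs", []):
            entries.append({
                "hash": tx["transaction_id"]["hash"],
                "utc": datetime.fromtimestamp(tx["utime"], tz=timezone.utc).isoformat(),
                "from": address,
                "to": msg["destination"],
                "ton": nano_to_ton(msg["value"]),
            })
    return entries


def trace_hops(start, chain, labels, max_hops=5):
    """Breadth-first walk along outgoing transfers from `start`, at most `max_hops`
    deep. Returns each path ending at a labelled address plus the hash of the
    transfer that landed there (the 'deposit hash' an exchange request asks for).
    Unlabelled dead ends (the trail going cold) are dropped."""
    found = []
    frontier = [[start]]
    seen = {start}
    for _ in range(max_hops):
        next_frontier = []
        for path in frontier:
            for e in extract_outgoing(path[-1], chain.get(path[-1], [])):
                dest = e["to"]
                if dest in labels:
                    found.append({"path": path + [dest], "label": labels[dest],
                                  "deposit_hash": e["hash"], "ton": e["ton"]})
                elif dest not in seen:
                    seen.add(dest)
                    next_frontier.append(path + [dest])
        frontier = next_frontier
        if not frontier:
            break
    return found


def build_evidence(victim, chain, labels, theft_since):
    """Assemble the structured record Steps 3 and 4 describe."""
    theft = extract_outgoing(victim, chain[victim], theft_since)
    attackers = sorted({e["to"] for e in theft})
    return {
        "victim": victim,
        "theft_transfers": theft,
        "total_ton_out": sum(e["ton"] for e in theft),
        "attacker_addresses": attackers,
        "traces": {a: trace_hops(a, chain, labels) for a in attackers},
    }


def evidence_json(report):
    """Serialise the record for the police / exchange request, stable key order."""
    return json.dumps(report, indent=2, sort_keys=True)


if __name__ == "__main__":
    print(evidence_json(build_evidence(VICTIM, SAMPLE_CHAIN, KNOWN_LABELS, 1736164000)))
```

With the constructed data the report lists the two theft transfers (1750 TON total, both at 12:00 UTC on 6 January 2025), and the trace from the attacker address ends twice: a small amount into the labelled DEX pool (trail cold, as Step 4 item 5 says) and the bulk via one intermediary into the labelled exchange hot wallet, with `hash_cex_deposit` as the deposit hash to cite in the request.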

Step 5 (25–40 minutes): file the official requests

Two parallel tracks.

A — police report

  1. Local cybercrime portal — IC3 (US), Action Fraud (UK), national equivalents. Submit electronically; you receive a case number automatically.
  2. In person at a station if needed. Bring printouts of all evidence.
  3. Get a case number — you’ll need it for the next step.

The realistic chance of investigation success is low — investigators rarely have crypto expertise. But without a report you have no legal basis to escalate to an exchange.

B — exchange request

If funds reached a CEX, every exchange has a security team and a form for legal / law-enforcement requests.

  • Bybit — compliance@bybit.com, on-site form.
  • OKX — Help → Compliance → Law enforcement.
  • MEXC — compliance@mexc.com.
  • Binance — Law Enforcement Request System.

In your request include:

  • Your wallet address and the attacker’s address.
  • Theft transaction hashes and the deposit hash into the exchange’s address.
  • Police case number.
  • Exact amounts and timestamps.

Exchanges don’t always respond, but in clear drainer scenarios with a fast (1–3 hours) escalation, a freeze is realistic.

Step 6 (after the first hour): what NOT to do

This deserves its own step, because mistakes here create a second theft on top of the first.

  • Don’t pay “hackers who’ll help you recover”. Always a follow-up scam.
  • Don’t enter the seed into any “recovery service”. Any such service is phishing.
  • Don’t grant remote access to your computer to “support helpers”. That’s another theft via TeamViewer / AnyDesk.
  • Don’t post your seed in public chats “for verification”. Nobody “verifies” a seed online.
  • Don’t return to the compromised address after recovery. Ever.

Recovery services are the second theft

According to Chainabuse, around 60% of crypto-theft victims become victims of a follow-up scam within a month. Attackers actively monitor public-channel complaints and DM the desperate. Any “we’ll recover the crypto for 30%” offer is a scam.

Step 7 (next day): security audit

Once the urgent steps are done, do a cool-headed analysis.

  • Change passwords on email, Telegram, exchange accounts. Enable 2FA via an authenticator app (not SMS).
  • Scan the device for trojans. Full Bitdefender / ESET scan, audit the installed browser extensions.
  • Uninstall and reinstall wallet browser extensions. Old ones may have been compromised by a malicious extension.
  • Generate a new seed on a clean device. Never use the old one — it’s leaked forever.
  • Read up on the cause: the top-10 Telegram scams, phishing anatomy, and secure seed-phrase storage.

Realistic expectations

Honestly:

  • “Drainer scenario, CEX request within an hour” — recovery chance 10–20%, usually not all funds.
  • “Seed leaked, funds already on a DEX” — recovery chance near zero.
  • Average request review time — 2–6 months. Be ready for a long process.
  • A police report is mandatory; without it nothing can be done with an exchange. Even if the investigation never closes, it’s your only legal lever.

Field log · Team experience

In 2024–2025 we helped 7 acquaintances with TON thefts. In 2 of 7 cases we got a partial recovery through Bybit and OKX — both with a request within 60 minutes of the theft and a police case open. In the remaining 5, funds had passed through a DEX or mixer before we could react. Speed and clean evidence are what decide it.

— TON Adoption

After recovery — what to change

Theft usually happens because of a specific weakness in the setup. Don’t repeat the same mistake.

  1. Segment wallets. A cold Ledger for savings, a separate hot wallet for DeFi, a minimal one for risky dApps.
  2. Enable Two-Step Verification on Telegram. See the Telegram protection guide.
  3. Never enter the seed anywhere except first-time wallet setup. Final rule.
  4. Sign all future transactions through a Ledger: a drainer can’t swap the transaction details unnoticed when they are shown on the device screen.

Move funds to a hardened setup

Tonkeeper with Ledger is the standard safe setup. The hardware wallet shows transaction details, reducing drainer-attack risk.
