TON Wallet Drainer Scams: Complete Avoidance Guide (2026)
— By Tony Rabbit in Tutorials

Wallet drainers are the largest category of TON-related losses in 2026. This guide walks through how the scams actually work, the warning signs to spot, and the daily hygiene that keeps your TON wallet safe.
Wallet drainers are the most successful scam category against everyday crypto users. They do not require breaking encryption, exploiting smart contracts, or hacking infrastructure. They require a phishing page, a convincing wallet-connect prompt, and a user who clicks "Approve" without reading. On TON, the same patterns that work elsewhere have adapted to Telegram-native distribution: fake Mini Apps, fake giveaways inside chats, and look-alike domains that imitate legitimate TON dApps.
Quick answer: A drainer scam tricks the user into signing a wallet transaction or approval that lets the attacker move funds. On TON, the most common patterns are phishing dApps that mimic STON.fi, DeDust, Tonkeeper, or Fragment; fake "claim" pages tied to popular tokens (NOT, HMSTR, DOGS); fake support DMs in Telegram channels; and fake Mini Apps that look almost identical to real ones. The defenses are boring but effective: verify links, read every wallet-connect prompt, never share seed phrases, and audit dApp approvals regularly.
- Drainers exploit user behavior, not protocol bugs. The protocol works as designed; the user signs the wrong thing.
- Phishing imitators are everywhere. Look-alike domains and Mini Apps target every popular dApp.
- Read every TON Connect prompt. Permissions and source domain are the signals.
- Use a separate burner wallet for risky dApps and tap-to-earn games.
- Audit approvals monthly. Stale permissions are a passive attack surface.
How drainer scams actually work
The end-state is the same regardless of brand: the attacker either tricks you into signing a transaction that sends them your funds directly, or tricks you into granting an approval that lets them move funds later.
Step 1: lure
The lure is usually a link: a giveaway, an airdrop claim, a "support team" DM, or a promotional message in a Telegram group. Legitimate-looking sites mimic real TON dApps with near-identical visual design.
Step 2: wallet connect
The user clicks the link, lands on the fake site, and is prompted to connect a TON wallet. The connect prompt is the first decision point. Read the domain. Read the permissions. Reject if anything looks off.
Step 3: malicious signing
If the user connects, the next step is a malicious signing prompt. It might be framed as "claim your tokens" or "verify your wallet." The actual transaction is a Jetton transfer to the attacker, an approval the attacker can later use to drain, or a contract call that empties the wallet.
Step 4: drain
Once the malicious signature is given, funds leave the wallet. By the time the user notices, the assets are usually already swapped or moved through bridges. Recovery is rare.
Patterns specific to TON
Fake dApp imitators
Look-alike sites for STON.fi, DeDust, Tonkeeper, EVAA, and Fragment are widespread. The visual design is often nearly identical. Differences hide in the domain itself: extra characters, swapped letters, or different TLDs.
Fake claim pages tied to popular tokens
NOT, HMSTR, DOGS, and other popular Jettons attract claim-themed phishing. Sites promise to "claim your missed allocation" or "verify eligibility for a new airdrop." The legitimate claim windows for major tokens have closed; any current claim site is suspect.
Fake support DMs
Scammers monitor Telegram groups for users who report problems. They DM as "support" with a link to a fake dApp. Real support never DMs first and never asks for seeds, private keys, or wallet connections through DMs.
Fake Mini Apps
A clone of a popular Mini App can replicate the visual interface and steal seeds or signatures from users who launch it. Always verify the Mini App source link from the project's official channel.
Reading the wallet-connect prompt
The connect prompt is the most important security checkpoint.
Verify the domain
The wallet displays the requesting domain. Compare it character by character with the legitimate site. Letters that look identical (zero vs O, capital I vs lowercase l, or Cyrillic letters mimicking Latin) are common substitutions.
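As an added example (not code from the original article or from any TON project), the check below compares the domain a wallet shows in its connect prompt against a bookmarked allowlist and flags the substitutions described above: Cyrillic look-alikes, 0/O and 1/l swaps, near-miss spellings, and a familiar name on a different TLD. The allowlist and every hostname used with it are constructed for the example.

```javascript
// Constructed allowlist for this example: the dApps the article names. Build your own
// from each project's official channel; this list is not published by any project.
const TRUSTED = ["ston.fi", "dedust.io", "tonkeeper.com", "fragment.com"];

// Cyrillic letters that render like Latin ones, plus the digit/letter swaps the article mentions.
const CONFUSABLES = {
  "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
  "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
  "0": "o", "1": "l", "|": "l",
};

// Reduce a hostname to its visual "skeleton" so look-alike strings compare equal.
function skeleton(host) {
  return Array.from(host.normalize("NFKC"))
    .map((ch) => CONFUSABLES[ch] ?? ch)
    .join("");
}

// Levenshtein edit distance; hostnames are short, so the O(n*m) table is fine.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++)
    for (let j = 1; j <= b.length; j++)
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1,
        d[i - 1][j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1));
  return d[a.length][b.length];
}

// Classify the domain a wallet shows: "trusted" (allowlisted), "reject" (look-alike, with reason) or "unknown".
function checkConnectDomain(shown, trusted = TRUSTED) {
  const host = shown.trim().toLowerCase().replace(/^[a-z][a-z0-9+.-]*:\/\//, "")
    .split(/[\/?#]/)[0].split(":")[0];
  const exact = trusted.find((t) => host === t || host.endsWith("." + t));
  if (exact) return { verdict: "trusted", reason: "allowlisted domain", matched: exact };
  if (host.split(".").some((l) => l.startsWith("xn--")))
    return { verdict: "reject", reason: "punycode (IDN) hostname", matched: null };
  const nonAscii = /[^\x00-\x7f]/.test(host);
  const sk = skeleton(host);
  for (const t of trusted) {
    if (sk === t) return { verdict: "reject", matched: t,
      reason: nonAscii ? "homoglyph of trusted domain" : "confusable characters" };
    if (sk.split(".")[0] === t.split(".")[0])
      return { verdict: "reject", reason: "same name, different TLD", matched: t };
    if (editDistance(sk, t) <= 2)
      return { verdict: "reject", reason: "near-miss of trusted domain", matched: t };
  }
  return { verdict: "unknown", reason: "not allowlisted; verify from the official channel", matched: null };
}
```

An "unknown" verdict is not a pass: it means the site is not one you bookmarked, so the link still needs verifying from the project's official channel before you connect.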
Read the requested permissions
A swap on a DEX should ask for permissions related to the swap. A claim site should ask for permissions related to claiming. Anything broader (unlimited token allowances, contract calls beyond the apparent action) is a red flag.
Reject and re-check
If anything feels off, reject and verify the link from a trusted source. The cost of rejecting and re-checking is seconds. The cost of approving the wrong prompt is a drained wallet.
Auditing dApp approvals
Even after rejecting bad sites, old approvals can sit in your wallet for years.
Why approvals matter
An approval lets a contract move tokens from your wallet without any further signature from you. That is useful for legitimate dApps but dangerous when an old approval grants access to a contract you no longer trust or never inspected carefully.
How to audit
Use TONScan or a TON-aware approval-management tool. List active approvals, identify any you do not recognize, and revoke them. Make this a monthly habit.
Reduce blast radius
Approve specific amounts rather than unlimited allowances whenever possible. Most modern wallets and dApps support narrow approvals; some legacy flows still ask for unlimited by default.
Daily wallet hygiene
The boring rules are the ones that work.
- Verify links from official sources. Bookmark the real ones; never click links in DMs.
- Read every wallet-connect prompt. Domain and permissions are non-negotiable checks.
- Never share seed phrases. No support team, airdrop, or "wallet upgrade" needs them.
- Use a burner wallet for risky dApps. Keep your main balance separate.
- Use a hardware wallet for meaningful balances. Ledger pairing protects against most malware.
- Audit approvals monthly. Revoke anything you do not recognize.
If your wallet has already been drained
Quick steps that can sometimes limit damage.
- Move remaining assets to a new wallet with a freshly generated seed phrase.
- Revoke any active approvals on the drained wallet immediately.
- Document the transaction hashes for any future investigation or platform report.
- Report to the official dApp's support if a fake imitation drained you while pretending to be them.
- Treat the drained seed phrase as compromised forever. Never reuse it.
Frequently asked questions
What is a wallet drainer?
A scam tactic that tricks users into signing a transaction or approval that gives an attacker access to wallet funds.
Are TON drainers different from Ethereum drainers?
The patterns are the same. The TON-specific differences are the entry points (Telegram-native distribution, Mini App imitators) and the asset types (Jettons, NFTs).
Can I recover funds after a drain?
Recovery is rare. Some on-chain investigation services exist, but most drained funds end up swapped or bridged before victims notice.
How often do I need to audit approvals?
Monthly is a good cadence for active users. Less active wallets can audit quarterly. After interacting with any new dApp, audit before walking away.
Is TON Connect itself safe?
TON Connect is a connection protocol, not a security guarantee. The safety depends on the dApp on the other end and your willingness to read every prompt.
Final takeaway: Drainer scams will not disappear because they exploit user behavior, not protocol weakness. The defenses are unglamorous: verify links, read prompts, separate wallets by risk, use hardware for meaningful balances, and audit approvals on a schedule. None of those rules are exciting. All of them work.
Disclaimer: This guide is for educational purposes only and does not constitute investment, financial, legal, or trading advice. On-chain transfers are usually irreversible and recovery from drainer scams is rare.