TON blockchain has been the crypto success story of 2024. Toncoin’s price has increased more than five times over the past year and surged into the top 10 cryptocurrencies by market capitalization.
Its clicker games with airdrops like Notcoin and Hamster Kombat have helped drive daily active addresses above Ether’s.
The 900 million users of the Telegram messaging platform excites proponents who see TON as a potential mass adoption play.
The eye-watering numbers are a project’s dream, but it’s also an oasis for drainers stuck in Ethereum, where lakes of victims are starting to dry up.
Israel-based security firm Blockaid reports that cryptocurrency drainers have started migrating to The Open Network (TON), a blockchain initially developed by messaging app Telegram.
“We’re seeing a lot of drainers become more and more interested in the TON ecosystem [because] there is so much value streamed through TON,” Raz Niv, co-founder of Blockaid, an Israel-based security company, tells Magazine.
Crypto newcomers who have flocked to the platform for games are ideal, unsophisticated targets for drainers.
To make matters worse, draining activity on TON is relatively new, and the network’s wallets don’t yet contain the security tools that older chains like Ethereum do.
One TON drainer was seen phishing victims with the allure of 5,000 USDT. This scheme uses TON’s unique comment feature, which allows transfers to contain a custom message for the recipient at the signing stage in their wallets.
When the transfer pops up saying “Receive 5,000 USDT,” along with a “Confirm” button, victims get hooked without knowing that they’re actually signing off on a token drain.
This simple yet effective trick earned one particular drainer at least 22,000 TON (about $152,000), according to Scam Sniffer.
More recently, the same suspicious address was seen spinning up a campaign related to a Notcoin airdrop phishing scam.
“As TON gains popularity, phishing scams are on the rise. ScamSniffer has detected a surge in TON-related phishing sites past month,” the security firm warned in a May tweet.
Magazine has found TON drainers scripts available for as little as $300 — on Telegram, naturally.
What are wallet drainers, and how do they affect TON?
Drainers are scam tools developers sell to help illicit actors steal cryptocurrencies. Scammers often hook investors via phishing links that set them up to get their assets stolen.
For example, a user who posts about a stuck transaction on Coinbase on X will often see a dozen replies from fake Coinbase support staff offering to help, leading to a fake website that tricks users into handing control of their wallet over to a drainer. Similarly, a post about revoking old token approvals (which is a good idea to avoid being exploited) may lead to a drainer.
In May, victims lost $42 million to phishing scams, with almost 80% of those victims coming from Ethereum, according to Scam Sniffer. That’s an increase from April’s $38.6 million but down from $75 million in March.
Many of these drainers are looking for new opportunities because business has become difficult on chains like Ethereum, where security tools are increasingly able to sniff out malicious links and requests with high accuracy.
Blockaid is a security tool that poses one of the largest threats to the draining industry. Attached to wallets like MetaMask and Coinbase, the service simulates transactions behind the scenes and screens for suspicious transactions.
When a threat is identified, Blockaid posts stop signs on wallets to warn users of potential losses (some investors still decide to proceed despite multiple warnings).
A “Blockaid bypass” has become a feature advertised by the surviving drainers though not all of them work.
Over the past year, Blockaid’s wallet integration has played a key role in drainers closing up shop, with Violet Drainer being one of the latest examples to directly cite Blockaid as a reason for the shutdown.
Violet Drainer announced its closure in April 2024, citing a dropping scamming success rate due to Blockaid’s security tools as the primary reason.
“Many drainers have been shutting down because of few hits, [and] all together draining has been getting harder,” the operator of the former Violet Drainer Telegram channel tells Magazine, claiming the Telegram channel has been sold for $7,000 and is now under “new management.”
“He (the new manager) is also draining but with a private drainer which claims to have a full Blockaid bypass,” they say.
Private drainers operate in closed communities. In some instances, they require a stamp of approval from a group member to be onboarded to the draining services.
The Violet Drainer operator adds that drainers are switching over to a “new coin” that is “now drainable.”
“In my opinion, it’s better than both SOL and ETH draining,” the operator says.
When asked which cryptocurrency the drainers were moving to, the operator declined to comment as it would “bring heat to the community.”
But drainer operators in a number of Telegram communities single out TON and Bitcoin networks as prime candidates to become the new hot zones for draining.
Blockaid’s Niv tells Magazine that drainers are favoring TON.
From EVM to TVM draining
The increased difficulty of draining on Ethereum and Ethereum Virtual Machine-compatible blockchains makes the increasing popularity of TON attractive. The blockchain’s user base is exploding on the back of viral mini apps usually tied with promises of future airdrops.
According to Token Terminal, the network had a record 5.7 million monthly users as of June 14, up from just 228,000 at the beginning of the year.
But it’s not as simple as porting over to TON, especially because TON is not inherently an EVM-based blockchain. Drainer developers have started offering multichain products for EVM chains like Ethereum, Binance’s BNB Chain or Avalanche.
For non-EVM chains like TON, developers must deploy new draining products.
That’s not to say that TON comes with new security vulnerabilities, but rather that advanced security tools and scam detectors aren’t integrated into the network’s wallets yet.
Telegram’s privacy-focused nature (encrypted messaging, though not end-to-end encryption) is attractive to users who feel mainstream messaging applications aren’t focused enough ondata protection and privacy. The messaging app has 900 million users, according to founder Pavel Durov.
However, its privacy-focused design has also made the application a platform ripe for illicit activities, and some have dubbed it the new “dark web.”
Blockaid says it is working on security measures across various blockchains, including TON, but isn’t keen on sharing information and data that could be used by illicit actors to front-run the company.
“Because of this cat-and-mouse game, everything that we show publicly is immediately being used by the drainers to try and circumvent us,” Niv says.
The rising TON
TON’s rise comes amid an eruption of popularity in Telegram-based games, which recently pushed the network’s daily address count over Ethereum, excluding users on its second layer.
Notcoin, a viral Telegram game that rewarded users for tapping their screens, reportedly gained 35 million users. Its spiritual successor, Hamster Kombat, claims to have a player base of more than 150 million cumulative users.
Where there are large numbers of users and plenty of profits in crypto, you’ll find scammers and thieves.
The TON network’s integration with Telegram, an app that champions privacy, makes for an even more convenient environment for scammers.
Telegram has been rising as an alternative to the dark web in recent years with cybercriminals migrating en masse to the messaging app from the traditional dark web.
A social engineering Telegram channel monitored by Magazine with over 5,500 members shows crypto criminals buying and selling each other’s services, such as SIM swapping and trading accounts, at cryptocurrency exchanges that have passed Know Your Customer verifications.
Frequently, scammers are seen arguing after getting scammed by another member of the channel.
Draining is among the services frequently offered in such Telegram channels.
A grand for their TON
Magazine has found a separate Telegram channel that is selling a TON drainer script.
The product is advertised as a wallet drainer script that only works with the Tonkeeper wallet as it’s still in its earliest available version.
At the time of writing, the drainer only works for two types of tokens, Toncoin and Jetton (TON’s fungible tokens). The full source code is selling for $1,000 and a lighter version is offered at $300.
The millions of users who are joining the TON blockchain in hopes of receiving airdrops through various Telegram mini apps are not crypto natives and will be introduced to wallets and seed phrases for the first time through this viral experience.
Unfortunately for them (but fortunately for drainers), Blockaid does not yet support the TON network.
Crypto newbies who aren’t yet fully aware of the threats posed by drainers may have to find out the hard way until security tools land on the relatively new network.
“We started from Ethereum — blocked them there. They moved to Solana — blocked them there. Now, they’re moving to TON. After this, they will be at the next chain,” Niv says.
Will drainers come for your Bitcoin next?
Ethereum-based assets, particularly ERC-20 tokens, are the most drained assets in the world, but even they have their limitations, according to Cos, founder of security firm SlowMist.
That’s because only one ERC-20 asset — such as USDT or USDC — can be drained at a time in a single transaction. The exception is that multiple tokens can be drained when approval is given to platform contracts (like OpenSea Seaport or Uniswap Permit2).
In Bitcoin, transactions use the UTXO model, where each transaction can include multiple inputs (unspent outputs from previous transactions) and multiple outputs (new UTXOs).
“Since all Bitcoin-based assets (including native Bitcoin) exist as UTXOs, if a user is drained, all of their Bitcoin-based assets may potentially be drained simultaneously in a single transaction,” Cos explains.
This means that if an attacker gains control over a user’s wallet, they can create a transaction that consolidates all UTXOs belonging to the user, potentially draining all Bitcoin-based assets in a single transaction, whether they be BRC-20s, Ordinals, Runes and even Bitcoin.
Blockchain forensics firm Chainalysis reported in May that it spotted the first Bitcoin drainer disguised as the website of Magic Eden, a non-fungible token marketplace that supports Bitcoin Ordinals trades.
This drainer stole about $500,000 across more than 1,000 transactions as of April 2024, Chainalysis said.
But Cos says that an even earlier incident suggests that Bitcoin drainers are already a year old.
In June 2023, a social media user reported a scam disguised as a BRC-20 project promoted alongside a suspicious phishing link.
The rise of TON presents a new frontier for drainers, expanding their lifespan as the Ethereum draining business becomes tougher.
Some of the most successful drainers have decided to retire, with Pink Drainer hanging up their boots after looting $85 million. Inferno Drainer closed in late 2023 after stealing $70 million, but in May started becoming active again.
TON’s exploding user base of crypto newbies and Telegram’s privacy features are providing new opportunities and a fresh sea of victims for illicit actors. The absence of reliable security tools like Blockaid on the TON network (for now) exacerbates the vulnerability of these users.
This is part of the ongoing “cat-and-mouse game,” as Niv calls it, in which security firms and cybercriminals battle to outmaneuver each other.
Once a security measure has been set up for the TON network, a new threat is bound to appear, as recently observed with rare incidents on Bitcoin, where a UTXO model presents an efficient draining scenario for bad actors.
The operator of Violet Drainers calls this phase of private drainers and threats in multiple blockchains the “new era of draining.”
But Blockaid claims that they are a step ahead of the drainers and that they are still able to identify and track draining activities whether they operate publicly or privately.
week.
The post As Ethereum phishing gets harder, drainers move to TON and Bitcoin appeared first on Cointelegraph Magazine.