TWA is a powerful distribution channel for legitimate projects and an equally powerful channel for scams. The lower the barrier for a user to click a link and connect a wallet, the lower the barrier for an attacker to slot a fake app into that funnel. As of May 2026 four large types of scam TWAs circulate in Telegram: clones of popular apps, drainer apps masquerading as wallets, TON Connect signature phishing, and fake airdrops.
This article breaks down each type, the detection signals, real cases from 2024-2026, the role of Telegram’s premoderation, and a final checklist that brings loss risk close to zero.
Type 1: clones of popular apps
The most common class of scam. The attacker logic is simple: the user searches Telegram for “Notcoin”, “Hamster Kombat”, “Catizen” — and lands on a fake bot with a similar username and an interface mimicking the original.
Clone signals:
- Username differs by 1-2 characters: notcoin_bot vs. notcoin_official_bot, notcoin1_bot, not_coin_bot. Telegram usernames are case-sensitive in display but not in search — scammers exploit that.
- Profile name and avatar copied one-to-one. Inside the Telegram client they are hard to tell apart.
- The first bot message asks to connect a wallet or import a seed phrase. The real Notcoin never asks for a seed.
- The bot’s channel is empty or has 2-3 fresh reposts from the real channel.
The main rule for clones: never open a TWA via a link from a random message. Open only from the project’s official channel, and before clicking compare the username with what is published on the site or in verified sources.
Known cases of 2024-2025: Notcoin clones collected seed phrases under the pretext of “confirm an early account for airdrop”; Hamster Kombat clones — under the pretext of “bonus captcha for income doubling.” Telegram banned such bots in waves, but new ones appeared faster.
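The character-by-character comparison can be automated. The sketch below is an added example, not code from Telegram or any project named here; it treats notcoin_bot from the list above as the published username, and the `OFFICIAL` list, function names and the distance threshold of 2 are assumptions.

```javascript
// Added example. OFFICIAL is a constructed allowlist (lowercase); fill it
// from the usernames the project publishes on its own site.
const OFFICIAL = ["notcoin_bot"];

// Strip what clones vary most cheaply: case, underscores and digits.
const skeleton = (name) => name.toLowerCase().replace(/[_\d]/g, "");

// Levenshtein distance, two-row version.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Returns "official" only on an exact match; anything that merely
// resembles an official name is reported together with what it imitates.
function classifyUsername(candidate, official = OFFICIAL) {
  const name = candidate.replace(/^@/, "").toLowerCase();
  if (official.includes(name)) return { verdict: "official", imitates: null };
  const skel = skeleton(name);
  for (const real of official) {
    const realSkel = skeleton(real);
    const stem = realSkel.replace(/bot$/, ""); // brand part, e.g. "notcoin"
    if (skel.includes(stem) || editDistance(skel, realSkel) <= 2) {
      return { verdict: "lookalike", imitates: real };
    }
  }
  return { verdict: "unknown", imitates: null };
}

// Usernames from the list above plus two constructed ones.
for (const u of ["notcoin_bot", "notcoin_official_bot", "notcoin1_bot",
                 "not_coin_bot", "n0tcoin_bot", "weather_bot"]) {
  console.log(u.padEnd(22), classifyUsername(u).verdict);
}
```

An "unknown" verdict only means the name does not resemble anything in the allowlist; it says nothing about whether the bot is safe.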
Type 2: drainer apps masquerading as wallets
A drainer is a TWA that looks like a wallet or DeFi tool and on the first signature transfers user assets to the attacker’s address. Externally it all looks legitimate: branding, balance screen, “Swap” and “Stake” buttons.
Drainer mechanics:
- The user opens the TWA via a link from a spam message or an ad in a TON channel.
- The app requests a TON Connect connection.
- Asks for “authorization” — the screen shows a standard signature dialog.
- The transaction payload contains not an auth message but an actual transfer of TON or jettons to the scammer’s address.
- The user signs — assets leave.
Wallet-side defense is partial: Tonkeeper, MyTonWallet, and Wallet in Telegram show “you are transferring X TON to address Y”, but not every user reads it. Some wallets have improved the UI: transfer amount and recipient address in large type, warning for first-seen addresses.
Drainer app signals:
- Asks for a TON Connect connection in an app that does not need one. A calendar, chat, weather app, mini-game has no reason to ask for a wallet.
- Imitates Tonkeeper or MyTonWallet — official wallets ship as TWAs only inside specific integrations, not as standalone “new wallets.”
- Crafts a transaction with an unclear purpose immediately after connection. If the app did not explain why this signature is needed, do not sign.
- The recipient contract address is fresh, with no history. Tonscan/Tonviewer shows a few transactions over recent hours, all incoming transfers from other victims.
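The mismatch at the heart of the drainer mechanics, an "authorization" whose payload is a transfer, can be checked mechanically by comparing the request with what the app claimed it was for. This is an added example, not code from any wallet or from the TON Connect project; the request shape follows the TON Connect SDK (`validUntil`, `messages[].address`, `amount` in nanotons as a string), while the `intent` structure, the function names and all addresses are constructed assumptions.

```javascript
// Added example: compare a TON Connect sendTransaction request with the
// purpose the app stated. Addresses are constructed placeholders.
const NANO = 1000000000n; // nanotons per TON

const toTon = (nano) =>
  `${nano / NANO}.${(nano % NANO).toString().padStart(9, "0")}`;

// intent (hypothetical structure): action is "authorization" or "transfer",
// recipients are the addresses the user expects, maxNano is the agreed cap.
function reviewRequest(request, intent) {
  const findings = [];
  let total = 0n;
  for (const [i, msg] of request.messages.entries()) {
    const amount = BigInt(msg.amount);
    total += amount;
    if (intent.action === "authorization" && amount > 0n) {
      findings.push(`message ${i}: "authorization" moves ${toTon(amount)} TON`);
    }
    // Plain string comparison: assumes both sides use the same address encoding.
    if (!intent.recipients.includes(msg.address)) {
      findings.push(`message ${i}: unexpected recipient ${msg.address}`);
    }
    // The payload is not decoded here; it can carry a token transfer
    // instruction, so the TON amount alone may understate what moves.
    if (msg.payload) findings.push(`message ${i}: opaque payload attached`);
  }
  if (total > BigInt(intent.maxNano)) {
    findings.push(`total ${toTon(total)} TON exceeds the expected cap`);
  }
  return { totalTon: toTon(total), findings, matchesIntent: findings.length === 0 };
}

// Constructed request: presented to the user as a login, carries a transfer.
const drainerRequest = {
  validUntil: 1760000000,
  messages: [{ address: "EQ_CONSTRUCTED_UNKNOWN_RECIPIENT", amount: "48500000000" }],
};
const loginIntent = { action: "authorization", recipients: [], maxNano: "0" };

// Constructed request that matches what the user meant to do.
const swapRequest = {
  validUntil: 1760000000,
  messages: [{ address: "EQ_CONSTRUCTED_BOOKMARKED_ROUTER", amount: "1000000000" }],
};
const swapIntent = { action: "transfer", recipients: ["EQ_CONSTRUCTED_BOOKMARKED_ROUTER"], maxNano: "1000000000" };

console.log(reviewRequest(drainerRequest, loginIntent));
console.log(reviewRequest(swapRequest, swapIntent));
```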
Type 3: TON Connect signature phishing
A development of the drainer scheme — phishing under the cover of legitimate protocols. The user expects to interact with STON.fi, DeDust, EVAA, Tonstakers — and receives a signature request. But the request is sent not from the real site, but from its clone.
Scenario:
- The user sees a “STON.fi link” in a chat or channel like stonfi-org.io or ston-fi.app (instead of ston.fi).
- Opens a clone site with identical design.
- Connects the wallet via TON Connect — still safe at this step.
- Runs a “swap” — the app crafts a transaction.
- The transaction encodes a transfer to the scammer’s address, not the actual swap.
Defense: always compare the domain with what the project publishes in its official Twitter/Telegram. Keep a bookmark and use it instead of links from chat messages.
TON Connect sessions last a long time. Connect the wallet to a cloned site once, fail to close the session, and a day later a signature request arrives that feels like “a normal project action.” Periodically clear active TON Connect sessions in wallet settings.
Type 4: fake airdrops with seed import
The worst variant — an app that directly asks for a seed phrase. Attacker logic: “you must import your wallet into our app to receive your airdrop / confirm your early account / update your NFT status.” This is always a scam, with no exceptions.
No legitimate TON project ever asks for a seed phrase. Tonkeeper does not ask, MyTonWallet does not ask, Wallet in Telegram does not ask, no DeFi app asks. If an app asks for a seed, it is fraud in 100% of cases, not 99%.
Typical wrappers:
- “Confirm your wallet for the Notcoin Season 2 airdrop.”
- “Import the old wallet to migrate to the new standard.”
- “Restore access to the frozen balance.”
- “Connect your wallet to the new node to upgrade status.”
There is only one correct reaction: close the app, do not enter the seed, report the scam bot to Telegram (@notoscam_bot or via support).
The role of Telegram premoderation
Since 2024 Telegram has taken a more active stance against TWA scams:
- Premoderation at publication. A new bot declared as a TWA via BotFather is automatically scanned: name similarity to known brands, presence of suspicious payload patterns.
- Verified ticks. Major TWAs with large audiences get a Telegram Verified blue checkmark. It is not a security guarantee, but the absence of a tick on “Notcoin” or “Hamster” is a clear clone signal.
- Bans on reports. Scam bots are banned in waves on user and project-team reports. Response time runs from hours to several days.
- Transparency of BotFather creator. The inspector shows who created the bot and when. A fresh bot created a week ago claiming to be “official Notcoin” is a clone.
What premoderation does not do:
- It does not scan TWA runtime contents for drainer functions (this is a hard technical task).
- It does not block scam sites outside Telegram that TWAs link to.
- It does not keep pace with all clones — scammers register new bots faster than moderation bans them.
Premoderation is the first line of defense, not the last. Telegram filters out 80-90% of obvious clones and drainer apps before they get traffic. The remaining 10-20% reach users, and only personal vigilance works there.
TWA security checklist
Before opening any TWA, especially one that connects a wallet:
- Compare the bot username character-by-character with what is on the official site or verified Twitter.
- Look for the Telegram Verified tick on major projects.
- Open the bot’s channel — the real project has a multi-year channel with post history, the clone is empty or has 2-3 fresh reposts.
- Check creator info — when the bot was created, via BotFather. The real Notcoin is years old, a clone is days old.
- Match the TWA link with the one in the project’s official documentation or Tonscan search by project name.
- Never enter a seed phrase anywhere other than official wallet recovery flows (Tonkeeper, MyTonWallet, Wallet in Telegram).
- Read the transaction carefully before signing — amount, recipient, action. If anything is unclear, cancel.
- Close the TON Connect session after finishing with the app. Do not leave it active “for later.”
- Keep large sums in a separate wallet not connected to TWAs. For experiments with new apps — a separate wallet with minimal balance.
- Subscribe to security channels that publish fresh TON scam cases (e.g. official warning channels from wallet teams).
What to do if you became a victim
If the transaction is already signed and assets are gone:
- Accept that the transaction cannot be reversed. TON is a public blockchain, there is no “undo.”
- Urgently move remaining assets to a clean wallet. New seed phrase, ideally a hardware wallet (Ledger).
- Revoke all active TON Connect sessions in the old wallet.
- Use Tonscan/Tonviewer to check where funds went. Save the transaction hash — useful later for investigation.
- Notify wallet support and the team whose brand the scammer used. Sometimes it is possible to add the address to a blocklist and warn other users.
- Never pay for “recovery services.” Anyone writing in DMs offering to recover stolen funds for a percentage is a second scammer feeding on the victim’s desperation.
Wallets and users: division of responsibility
Good TON wallets (Tonkeeper, MyTonWallet, Wallet in Telegram) carry part of the load for the user:
- Show transfer amount and address in large type before signing.
- Highlight fresh addresses with no history as suspicious.
- Warn on signature attempts for non-standard payloads.
- Maintain lists of known drainer addresses and refuse to sign to them.
But the final decision is always the user’s. Technically a wallet cannot distinguish “legitimate STON.fi swap for $1000” from “drainer transaction for $1000” by structure — both look like ordinary operations. The decision “this signature is what I intended” is made by a human.
Conclusion
TWA scams in Telegram are not a “new and exotic” class of fraud — they are familiar schemes (clones, phishing, drainer), adapted to the mini-app format. Defense is also familiar: vigilance, link verification, refusing to enter a seed anywhere outside official wallets, reading a transaction before signing.
Telegram premoderation cuts off the bulk but not all. Wallets help but do not insure. The final line of defense is the user and their discipline. The checklist in this article works only if the user actually walks through it every time they open an unknown TWA. One skipped step — one lost wallet.