You open Tonkeeper in the morning and there it is: a new token called “TON Foundation Airdrop 2026”, balance 1,500 units, description quoting a $0.42 spot price. Your inner calculator whispers: $630, free. It feels like all you need to do is tap “Swap to TON” and collect. In reality the thirty seconds between I saw it and I signed it are the single most common loss vector on TON in 2025-2026. This is not a phishing drainer, not a fake Fragment — it is a dust attack with a honeypot jetton, and it arrives at your wallet without a single click on your side. Here is how it works and what to do.
TL;DR
- Dust attack — broadcasting tiny amounts of TON or unfamiliar jettons to thousands of wallets to profile owners or to bait them into a malicious interaction.
- Fake airdrop — an unsolicited jetton that mimics a real brand drop (TON Foundation, Notcoin, DOGS, Hamster) but has custom transfer logic that drains funds when you try to swap.
- TON is more exposed than EVM chains here because each jetton is its own contract with its own logic, not a uniform ERC-20.
- The cardinal rule: do nothing with a dust jetton. No swap, no transfer, no “let me verify” via the URL in its metadata. Just hide it.
- Tonkeeper and MyTonWallet auto-hide known spam, but coverage is not 100 percent — the first hours of a fresh honeypot are unflagged.
What a dust attack is and what the attacker actually wants
A dust attack is an old Bitcoin practice: send a microscopic amount to thousands of addresses, then use later on-chain activity to cluster them into one identity. On TON the same logic applies but with two extra motives.
Motive 1 — profiling. An analytics company (legitimate or grey-market) sends 0.001 TON or a marker jetton to tens of thousands of addresses, then watches which of those addresses later sweeps the dust together with a main balance. That sweep links the two. The resulting map ends up sold to OSINT firms, ad networks, or as part of compliance analytics for exchanges.
Motive 2 — honeypot bait. This is the criminal track. The attacker does not send neutral dust but a specifically crafted jetton that looks valuable. The goal is to provoke the holder into signing a transfer or a DEX swap. At that moment the contract’s custom logic kicks in and funds leave the wallet.
You cannot tell these two motives apart by looking at the token. You also do not need to — the response is identical: do nothing, sign nothing, hide it.
How honeypot fake airdrops actually work
The scenario that catches the most wallets in 2026:
- Day 0. Attacker deploys a jetton master named “TON Foundation Airdrop”, “Notcoin Season 2”, “DOGS bonus”, “Telegram Premium Drop”. Metadata is faked: TON Foundation logo, copy about “rewarding active users”.
- Day 1. A script sprays 1,000-5,000 units of this jetton to addresses that have shown activity in the last 30 days, harvested from tonviewer / tonscan indexers.
- Day 1-3. The holder opens their wallet, sees a “free” token whose description claims a price of a few cents to a fraction of a TON. They head to a DEX, or to the site linked in the token description, and try to sell.
- Signing moment. The packed transaction sends a jetton transfer plus, hidden alongside, either an outgoing operation that empties the wallet’s TON balance, or an approval-like grant for another jetton, or a forward message that triggers a drainer contract. The implementations vary, the outcome does not.
This is technically cheaper than a drainer site. The attacker does not need to buy Telegram ads, clone Getgems, or drive traffic. The token itself is the ad, the bait and the payment instruction in one package.
Why TON jettons with custom transfer logic are dangerous
TEP-74 defines the jetton interface: which messages it must accept, which it must send, how to track balance. But TEP-74 is an interface, not a ban on extensions. Inside the jetton master and the jetton wallet you can wire any logic that runs during transfer.
What attackers actually do:
- Skim TON on every transfer. The jetton wallet on a transfer also fires an internal message to the attacker’s address carrying a chunk of remaining TON balance. The user thinks they are moving only the jetton, but the gas accounting masks a sizeable native-TON outflow.
- Reject sell, accept buy. The contract accepts transfers only from a privileged address (say, the attacker’s own DEX pool) and rejects them from regular wallets. The victim sees “Insufficient gas” or “Transfer failed”, keeps retrying, burns TON on gas — and can never sell.
- Trigger a drainer. The jetton transfer triggers a forward message that hits a drainer contract. The user’s signature authorises one operation, but that operation chains into several others through forward routing.
- Phishing URL in metadata. The jetton description carries a link to “swap.ton-foundation-airdrop.app”. The victim opens it, connects via TON Connect, and from that point it is a standard drainer flow.
On Ethereum a honeypot is usually engineered on the DEX-pool side (modified transfer fee, blacklist on sells). On TON you can attack at the jetton-contract level directly, and a user trained on ERC-20 semantics gets caught precisely by this difference.
Spotting dust and fake airdrops: sender, master, Re:Doubt
A minute of checks is enough.
1. Sender — who sent it. Open the receive history for this jetton in Tonkeeper or tonviewer. If the sender is one address that has pushed the same jetton to thousands of other wallets in a short window, that is a mass broadcast. Real airdrops from Notcoin, DOGS, HMSTR used a claim flow on the project’s site, they did not land in your wallet on their own.
2. Jetton master address. Every jetton has a master contract. Open it on tonviewer and look at:
- holder count;
- transfer volume;
- whether the project’s official Telegram channel references this contract;
- whether the address matches what the official brand site publishes.
The real TON Foundation never sprays jettons “from itself”. Any “TON Foundation Airdrop” sitting in your wallet is fake by default.
3. Re:Doubt and third-party scoring. The redoubt.online service and Tonkeeper’s built-in scam flags mark known dust tokens. If a jetton is flagged, case closed. If it is not flagged and you do not remember claiming it manually, treat it as a potential honeypot.
4. Project Telegram channels. Notcoin (@notcoin_bullet), DOGS (@dogsofficial) and TON Foundation (@toncoin) pin posts confirming each real distribution. A drop “only in your wallet, no announcement” matches nothing these channels publish.
Why you must not try to sell or forward the dust
The deepest trap is psychological: the holder sees free money and rushes to dump it before “everyone else” does. That haste is the very trigger the honeypot is built around. Concretely, you must not:
- Swap on a DEX. STON.fi or DeDust assembles a swap transaction signed by the holder. Inside it is a jetton_transfer toward the pool, and that is where the honeypot’s custom logic fires.
- Send a direct transfer to another wallet. That call can trigger the skim path and drain native TON.
- Visit the URL in the token’s description “just to see the price”. That URL is the drainer invitation.
- “Burn” the token to a null address. Even this benign-looking move requires signing a transfer, and any custom hook in the contract still runs.
The rule is simple: a dust jetton is not meant to be sold. It is meant to be attempted. You should not go anywhere near it.
!The freebie effect
The more “valuable” the token looks in your wallet, the more aggressively you want to act. That is engineered behaviour — inflate the apparent value, switch off careful thinking. If a jetton “is worth $600” and arrived for free, it is not worth $600, and you are not going to outrun anyone. That is the rule.
What to do: hide in Tonkeeper, do not engage
Step by step.
Tonkeeper. In the tokens list, long-press the dust jetton then tap “Hide”. Tonkeeper does not erase the token from history, just removes it from the main list. Alternative: Settings → Manage tokens → toggle visibility per token.
MyTonWallet. Settings → Privacy & Security → Hide spam tokens. Switch the filter on if it is off — it auto-hides tokens from the built-in blocklist.
Tonhub. Per-token menu has a Hide / Mark as spam option. Stored locally on device.
After hiding, do nothing more with the jetton, ever. Not a year later, not “when you clean up the wallet”. Just ignore. Sitting in history carries no risk; the risk comes from interaction.
Strategies for active users with multiple wallets
If you connect to dApps regularly, mint NFTs, or farm drops, the stream of dust tokens will be constant. A few working habits.
Risk-tiered wallet segmentation. A cold wallet (Ledger) holds the main stash, never connects to dApps, never receives airdrops. A warm wallet handles day-to-day swaps with a $50-200 balance. A burner wallet participates in new drops and connects to unknown dApps with a near-zero balance. Dust tokens and fake airdrops mostly land on the warm and burner wallets — that is where you bury them without emotion. More in our safe drop-farming guide.
Do not consolidate from burner to main. If you received dust on the burner and then swept native TON back to your warm wallet, on-chain analytics link the addresses. Better: cash out via an off-ramp or via an isolated new address.
Revoke TON Connect sessions regularly. Once a week — Tonkeeper → Connected apps → revoke everything except the bookmarks you actually use. This shuts down side-channel drainer scenarios, including those baited by dust tokens with phishing metadata.
Never enter your seed anywhere. A dust token that links to a site asking you to “enter your seed to verify eligibility” is not a honeypot or a drainer — it is direct theft. See our drainer sites breakdown and top-10 Telegram scams for adjacent patterns.
Inspect jetton metadata before anything else. Before you do anything with a new jetton, open tonviewer.com, check the master address, holder count, transfer history. If nothing matches what the name claims, it is fake. The mechanics of jettons are covered in our jetton standard article and the TEP-74 deep dive.
Conclusion
Dust attacks and fake airdrops are the cheapest, most scalable class of attack on TON in 2026. The attacker buys no ads and clones no sites — they spray a honeypot jetton and wait to see who tries to sell. The victim arrives unprompted. That means the main defence is behavioural, not technical: train yourself to see a jetton that “appeared from nowhere” and not react.
Technical controls (Tonkeeper’s spam filter, Re:Doubt, scoring services) help, but they always lag a fresh campaign by several hours. The exposure window is exactly that lag period when a new token is not flagged yet. In that window only the habit works: a new jetton is not money. A new jetton gets hidden and forgotten.
