TON Wallet Safety: All my TON is gone!
Do not think it cannot happen to you: our investigative reporter digs deeper
TON NEWS will be starting an investigation into the safety of TON with the help of an investigative reporter working with us in this developing series.
It is going to be a very important series of articles in the coming weeks and months which focus on TON Safety. Please be sure to share and subscribe.
Note that this series is for everyone: beginners and the more experienced.
How can I lose my TON?
There are many ways in which you can lose TON from your wallets, such as:
Telling anyone your 24 secret passwords
Accessing a wallet on an insecure internet-connected system
Clicking a link which is not what it looks like to the eye
Social engineering, being tired, poor wallet interface safety, etc
Real Life Example
Here is a recent example, the conversation taking place in one of the public Telegram chats:
What is worth noting here is that Daniel Peters is by no means an average, non-tech-literate person: he is an active Ethereum and TON miner.
Also worth noting is that the first of the insensitive, unhelpful comments, possibly even schadenfreude, is from Yan @ TONIC, editor of TON10.cc.
Mr Peters lost over US$1,000 from someone who “hacked his wallet”.
Our investigative reporter contacted Mr Peters and after some deeper diving established exactly how he had been hacked. And this is just one example.
In his case, when he set up his wallet, he chose to use the Web Wallet, which is listed at ton.org/wallets and whose actual address is wallet.ton.org.
He is using the Microsoft Windows operating system and the Microsoft Edge browser, so our first worry was that his browser or computer had been hacked.
However, it turned out that he had been tricked by a deceptive web site: after clicking the link, the address shown in the address bar looked almost exactly like the official one, and the wallet page itself was the real Web Wallet, but with a hidden problem: everything typed into it, including the secret passwords, was being intercepted and saved by the fake site.
First, a simple example that still fools many people, because they look only at the link they are clicking on and not at the site they actually arrive at, shown in the address bar, which may not be where you thought you were going.
Remember, the approved wallet to use, recommended by the TON Foundation itself, is at the wallet.ton.org address. But now click on that link to the left. Did it go to wallet.ton.org? No, it went to a different site.
Now, imagine if it went to a site that looks exactly like the TON Web Wallet, how many people would look at the address bar? And if they did, the difference in this case is so tiny, almost no one would notice it.
The actual hacker's site makes the wallet set-up look legitimate. It hijacks your entry of the 24 secret passwords. Bingo: your official TON web wallet really is created, but someone else also has your 24 passwords.
The real trick is much worse than this simple example and far more deceptive: almost anyone who is not triple-checking everything would fall for it.
It wasn't a case of a different URL hiding behind some text; it goes deeper.
Using a Web wallet address is very far from safe, and the TON Foundation has done nothing about it.
At this stage of the investigation we don't want to compromise the efforts to rein in the perpetrator, so we are not disclosing the actual site and addresses involved to the public. We can give them to interested parties.
This particular scam is a very effective one which would fool a great many. As you can see, even experienced techies can be tricked by clever manipulation; add to that being tired, overworked, or not having your glasses on.
Whilst the scammer has used considerable skill to enrich himself, it is something anyone who has technical skills and is ruthless could do.
It involves setting up a server that looks exactly the same as the online wallet, and a URL (Uniform Resource Locator, web address) that is almost identical.
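As an added example (not code from the article, from TON NEWS or from the TON Foundation), here is a small defensive check a wallet front-end, browser extension or support volunteer could run on the address a link really leads to, comparing it against wallet.ton.org as named above. The confusable table is assumed and deliberately partial, and every sample host in the test is constructed, not one of the addresses from the investigation.

```python
import unicodedata
from urllib.parse import urlsplit

# The official TON web wallet host named in the article; any other host is untrusted.
OFFICIAL_HOST = "wallet.ton.org"

# Partial confusable table (assumption: only common cases are covered) that folds digits
# and Cyrillic letters that look like Latin ones onto the Latin letter they imitate.
_CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "8": "b", "|": "l",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u04bb": "h",
})

def host_of(url: str) -> str:
    """Lower-cased host as the address bar shows it, with punycode (xn--) labels decoded."""
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    try:
        return host.encode("ascii").decode("idna")
    except (UnicodeError, ValueError):
        return host  # already Unicode, or not a valid IDNA label: compare as given

def skeleton(host: str) -> str:
    """Visual skeleton: NFKC-normalise, fold confusables, merge 'rn'->'m' and 'vv'->'w'."""
    folded = unicodedata.normalize("NFKC", host).translate(_CONFUSABLES)
    return folded.replace("rn", "m").replace("vv", "w")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def assess_wallet_url(url: str) -> str:
    """Classify the host a link really leads to: 'official', 'lookalike' or 'unknown'."""
    host = host_of(url)
    if host == OFFICIAL_HOST:
        return "official"
    sk, good = skeleton(host), skeleton(OFFICIAL_HOST)
    # Same picture with different characters, the official name buried inside a longer
    # host, or a host one or two keystrokes away: all are treated as lookalikes.
    if sk == good or good in sk or edit_distance(sk, good) <= 2:
        return "lookalike"
    return "unknown"
```

Anything other than "official" is a reason to stop and type wallet.ton.org by hand rather than continue from the link.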
What can we do?
There's a lot that we can do. We care and we're sympathetic. We realize there is a big problem which must be overcome by TON before mass adoption can take place. Our investigative reporter has predicted many likely scenarios which will cause millions of newcomers to TON to lose their coins sooner or later.
But it is not all bad news. We understand that there is a project already underway creating solutions for many of these problems. Our readers will be among the first to know when approved, so be sure to sign up and stay tuned:
Meanwhile there is much more that we can do and we hope that the TON Foundation and TON Society will support us in this effort.
Our investigator is hoping to gather other victims together and collect evidence which can be laid before the various parties that have an interest or have benefited financially. We hope they will cooperate in taking action and return some of the funds where they are in a position to confiscate them.
It is not easy and will take a concerted effort. This is why cryptocurrency is favored by bad actors, but as several high-profile cases have shown, they too can be rounded up and punished. It just takes us to care, cooperate, and act.
Those that care and would benefit from bringing such bad actors to book, or at least from the recovery of some of the stolen funds, can also invest in that new TON Safety project, which could prevent the majority of such cases from happening again.
Meanwhile thanks go out to those channels and groups that are supporting this effort, as well as those helping to distribute TON NEWS.
Please join some of those channels now: t.me/TonCentral - t.me/internationalTON - t.me/TonRelay - and show our appreciation.
And share this article with your friends and ask them to sign up too:
Thank you very much for the article! I think I actually noticed a web wallet address which looked a little different from the official one once, but I am really afraid that I could ever fall into such kinds of trap. I guess that's a very strong argument in favour of diversifying and having your TON divided among several wallets.
In any case, I'll be looking forward to more posts of this series.
One thing that I did think is that it would probably be a good idea to make the password upon maximising the app optional in Tonkeeper. Since the PIN is kinda short, if we need to input it every time we want to check our wallet, that's a lot of opportunities for anyone to get to see it. Although this is also my fault because I thought about it but never suggested it to the devs.
Yes. You have to be careful and do everything carefully.