The Open Network (TON), a blockchain platform based on Telegram, has seen significant growth in 2024. The number of on-chain-activated wallets surged from around one million in January to over nine million in June. However, this rapid increase has attracted scammers, with blockchain security firm SlowMist warning of a rise in phishing attacks on the TON ecosystem in June 2024.
User Responsibility for Safety
As the TON Foundation aims to onboard 500 million users by 2028, ensuring user safety without hampering growth is a challenge. Stepan Chekhovskoi, lead smart contract auditor at cybersecurity firm Hacken, emphasized that Telegram is not responsible for the safety of TON mini-apps. While the number of mini-apps on Telegram has grown, not all adhere to security best practices. The responsibility for safety lies with the founders and project teams of these apps, not Telegram.
A spokesperson from the TON Foundation confirmed that users and projects are solely responsible for their safety, stating,
“As TON blockchain is open-source and permissionless, individual users and projects must be careful to ensure their own safety and security when undertaking network activity.”
Encouraging Security Measures
The TON Foundation has been impressed with the security measures adopted by some mini-apps on TON. For instance, Tonkeeper, a popular TON wallet, allows users to mark whether a received non-fungible token (NFT) is legitimate. The foundation also highlights the importance of an active and engaged community as a safeguard against bad actors.
An example of Telegram’s verification mark for popular tap-to-earn game Hamster Kombat. Source: Hamster Kombat
Users are advised to be cautious when transacting on-chain, as any transaction is irreversible. They should avoid clicking on suspicious links and double-check all details before signing any transaction.
Custodial and Non-Custodial Mini-Apps
According to Chekhovskoi, Telegram mini-apps, from a security perspective, are similar to apps built on other platforms. They can manage user private keys in custodial and non-custodial ways. Custodial apps must identify users using passwords and two-factor authentication (2FA). For self-custodial apps, strong encryption for private key storage is essential.
Users should also be aware of the risks associated with automated log-ins on devices, which can give anyone with device access default access to their mini-apps.
Avoiding Non-Technical Threats
The decentralized nature and ease of use of the TON ecosystem naturally attract scammers. To avoid non-technical scams, individuals should be cautious when interacting with non-official apps and those from lesser-known developers. Steve Milton, co-founder and CEO of crypto wallet Fintopio, suggests checking for verification marks on mini-apps. Telegram offers verification for public figures and organizations, helping users identify official sources.
