In the early hours of Tuesday 12th November 2024 I was checking out the listing for an auction I’m running on Fragment — the marketplace which allows Telegram users to buy and sell collectable usernames and phone numbers — when all of a sudden a message popped up from a stranger asking if my username was for sale.
I replied “yes”, stating that there was already a very generous bidder for it who’d kindly offered 180 TON (~$1,000 USD at time of writing). I informed them that if they would like to place a bid then they were more than welcome to do so on Fragment. Moments later they made me this offer directly in our chat:
My existing bidder had originally approached me saying that he was representing a crypto business and that my username was one of several they needed to collect because it was in alignment with their brand. He’d provided me with all the proof I needed and walked me through the process of setting up the listing on Fragment as it was my first time selling on there. It made perfect sense as there was a clear motivation for him buying my username and I know that his organisation has deep pockets, so his kind offer didn’t seem too outlandish. On the other hand, this random Aviatora character had no clear motivation for buying my obscure username at 5x the current bid, so I instantly smelt a rat.
At first glance it seemed that the link they’d provided as proof of their bid was legitimate, but upon right clicking and inspecting the destination it was clear that it directed to a Telegram bot as opposed to Fragment’s site.
It was about 2am at this point but I wanted to keep them on the hook and couldn’t resist doing some digging, so I fired up Kali Linux on my VM and got to work.
The link was pointing here: https://t.me/FragmentOffersRoBot/start?startapp={MY_USERNAME_FOR_SALE}_price_1000 (edited out my username there)…
It looked doubly fishy as they’d capitalised that ‘B’ in ‘RoBot’, which suggests the username they actually wanted was already taken, or had been burned by previous scamming work.
Upon clicking the link in my safe Kali security lab it loaded a Telegram Mini App.
In the screenshot you can see that the interface closely matches a specific username auction page on Fragment. While all the fields look broken and glitchy here, the clever part is the ‘startapp’ parameter on their URL, ‘start?startapp={MY_USERNAME_FOR_SALE}_price_1000’: the Mini App parses that payload and populates all the fields with my username and their fantastical bid of 1,000 TON, so the fake page looks tailored to whoever receives the link.
However, the subtle but important difference with their version was that it included that ‘Accept the offer’ button. This is not a feature of a Fragment auction. Normally the seller has to wait for the seven-day auction period to end before the username is awarded to the highest bidder; there is no way to close the deal early.
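As an added illustration (not code from the original post), here is a small Python check for the shape of lure link described above: it treats anything whose host is not fragment.com as off-site, recognises a t.me bot deep link that opens a Mini App, decodes the ‘startapp’ payload that pre-fills the fake auction page, and compares the offered price with the current highest bid. The placeholder username, the 180 TON current bid and the 3x ratio threshold are assumptions.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample links (the first mirrors the shape of the lure in the post,
# with a placeholder username; the second is a genuine-looking Fragment URL).
SAMPLE_LINKS = [
    "https://t.me/FragmentOffersRoBot/start?startapp=exampleuser_price_1000",
    "https://fragment.com/username/exampleuser",
]

def parse_startapp_payload(payload):
    """Split a '<username>_price_<amount>' startapp payload into its fields."""
    m = re.fullmatch(r"(?P<username>[A-Za-z0-9_]+?)_price_(?P<price>\d+)", payload)
    if not m:
        return None
    return {"username": m.group("username"), "price_ton": int(m.group("price"))}

def assess_offer_link(url, current_bid_ton=None, suspicious_ratio=3.0):
    """Return (is_fragment, findings) for a link a buyer claims shows their Fragment bid.

    is_fragment is True only when the destination host is fragment.com itself;
    findings lists the indicators that make the link look like a lure.
    """
    p = urlparse(url)
    host = p.netloc.lower()
    if host in ("fragment.com", "www.fragment.com"):
        return True, []
    findings = [f"destination host is {host!r}, not fragment.com"]
    if host in ("t.me", "telegram.me"):
        segments = [s for s in p.path.split("/") if s]
        handle = segments[0] if segments else ""
        if handle.lower().endswith("bot"):
            # A t.me/<bot>/<app>?startapp=... link opens a Mini App, i.e. a web page
            # the bot owner controls, not a Fragment auction page.
            findings.append(f"link opens a Telegram Mini App served by bot @{handle}")
        for payload in parse_qs(p.query).get("startapp", []):
            fields = parse_startapp_payload(payload)
            if fields is None:
                continue
            findings.append(
                f"Mini App is pre-filled with username {fields['username']!r} "
                f"and a {fields['price_ton']} TON bid"
            )
            if current_bid_ton and fields["price_ton"] >= suspicious_ratio * current_bid_ton:
                findings.append(
                    f"offered {fields['price_ton']} TON is "
                    f"{fields['price_ton'] / current_bid_ton:.1f}x the current highest bid"
                )
    return False, findings
```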
I can clearly see how this scam would work so well on unsuspecting users, though. Preying on people’s greed is a powerful technique. If you’ve already got a bid on there and someone offers you considerably more than the asking price, and then you suddenly see an option to accept the offer and close the deal immediately, I’m sure many would jump at the opportunity.
Sniffing the network traffic with Burp Suite showed me that the Mini App was being fed from fragmentauctions.lol, the site I dig into further below.
It has since been taken down, and when visiting it directly from a normal browser you now get the standard phishing warning.
Their site was hosted with these Zomro guys, currently based at Fokkerweg 300, 1438 AN Oude Meer, Netherlands.
A pretty dodgy, B-rate looking hosting company, to be honest. Started in Ukraine, so probably a haven for scams?
Slava Ukraini, guys!
The registrant for the domain was clearly a Russian, though.
The other piece of evidence at this stage supporting a Russian origin was that, from my sniffing, I could see the backend of http://fragmentauctions.lol was also talking to another site, http://mamkasubacheva.pics (which throws a 404 when you visit it directly), clearly some sort of Slavic name.
Turning my attention to the TON crypto wallet that was to be on the receiving end of the scam:
https://tonscan.org/address/UQB33wP5PbYA5kW9ClswlBF4np5AMaYW59YVRMSCGVsoMjci#tokens
I could see that it held around $165,000 (!) spread across various tokens.
Looking at the history it seems that they aren’t being very smart about covering their tracks, though. They’re clearly using this wallet for all manner of shitcoin trading and ongoing scamming.
Where it gets interesting is that if you Google the wallet address, the first result relates to a token for a game launch on DYOR.io.
Looks like the first investor in the presale for this token was our scammer:
I’m not entirely familiar with the workings of DYOR, but typically the first buyer of a token is the dev. Certainly that’s the case on most shitcoin platforms; Solana-based Pump.fun is a perfect example, where the dev gets first dibs.
Looking into the socials connected to this game, we can see that on Telegram the principal channel listed is the Russian-language version with 12,700 members, and they have an English version too with 28,000 members.
Looking at the X profile for this game (https://x.com/gh_jetton), we can see that the publisher is called Ton Ton Games. They’re a relatively recent startup focused on incubating and launching Telegram based games. It’s run by a Russian guy called Daniil Shcherbakov (https://www.linkedin.com/in/shcherbakovds) currently living in Cambridge, UK.
In conclusion, if it is the case that the first investor for the presale of one of Ton Ton’s first game launches was our scammer and its dev (he’s clearly a fairly sophisticated developer to have built that fraudulent Fragment clone), then Daniil needs to improve his due diligence and vet his team better… or, perhaps he himself has some explaining to do?
It could of course be a coincidence that the first investor of the Game Hunters token was our scammer — they might have just happened upon the game launch and snapped up the first tranche of tokens right away. It could also be a coincidence that the registrar of tonton.games is the notorious Kalkofnsvegur 2 of Reykjavik, an organisation infamous for protecting the anonymity of phishing sites and ransomware operators across the globe.
PS. It looks like our scammer has popped up with the same scam on another couple of domains (they haven’t even bothered to use a new TON wallet address! 🤣):
https://csrt.site
https://fragmentcom.shop
Hosted with Lithuania-based Hostinger on the first and Zomro again on the second.