Dusting and De-anonymization Attacks via Telegram
Attackers use Telegram to execute the social-engineering phase of dusting attacks, contacting victims whose wallet identities have been linked to their Telegram presence through on-chain analysis.
Part of: Dusting and Deanonymisation Attacks
Last reviewed: 9 June 2026
Dusting attacks create intelligence about wallet ownership by tracing fund flows, but the intelligence only becomes actionable when the attacker can connect a wallet address to a real person. Telegram is a critical link in this chain: many crypto users have publicly connected their wallet addresses to their Telegram accounts through airdrop registrations, token launches, bounty programs, or community role verifications.
Once an attacker correlates a dusted wallet with a Telegram identity, the social-engineering phase of the attack can begin on the very platform where the victim feels most comfortable. This combines the on-chain intelligence gathered through dusting with the communication channel the victim uses daily, making the follow-on phishing attempt highly targeted and credible.
How this scam works on Telegram
After linking a wallet address to a Telegram username through on-chain analysis and public registration data, an attacker contacts the victim on Telegram and appears to know specific details about their holdings. The message may reference a wallet address, a recent transaction, or a token balance that the victim knows is accurate, creating an immediate sense of credibility.
The attacker then deploys a follow-on scam: a support request requiring a seed phrase for a claimed wallet migration, a compliance verification requiring a test transaction to an attacker-controlled address, or an extortion threat demanding cryptocurrency in exchange for not exposing the victim's financial holdings publicly. The combination of accurate personal detail and urgent language makes these attacks substantially more effective than generic phishing.
Common red flags
- A Telegram message references your specific wallet address or transaction history without you having shared it in that conversation
- The contact claims to be from a project's security team and cites your wallet balance as context for urgency
- The message arrives shortly after you completed an on-chain transaction or registered for an airdrop using your wallet address
- The contact requests a seed phrase, private key, or test transaction to a new address for any verification or migration purpose
- The message combines accurate on-chain information with pressure to act quickly before a fabricated deadline
- The contact offers to help you protect your wallet from a security threat they claim to have identified through on-chain monitoring
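An added example, not part of the original page, that checks a received message against the red flags above and treats a seed phrase, private key, or test-transaction request as decisive on its own. The regex patterns, flag names, 24-hour window, Ethereum-style address format, and sample data are assumptions chosen for illustration.

```python
import re
from datetime import datetime, timedelta

# Heuristic patterns: assumptions for this example, not an exhaustive list.
ETH_ADDRESS = re.compile(r"\b0x[0-9a-fA-F]{40}\b")
PATTERNS = {
    "secret_or_test_tx_request": re.compile(
        r"seed phrase|recovery phrase|private key|test transaction", re.I),
    "urgency": re.compile(
        r"urgent|immediately|within \d+ (?:minutes?|hours?)|deadline", re.I),
    "claims_security_or_support": re.compile(
        r"security team|support team|compliance", re.I),
    "offers_protection_or_migration": re.compile(
        r"protect your wallet|secure your (?:wallet|funds)|migrat", re.I),
}

def red_flags(text, own_addresses, received_at, last_onchain=None,
              window=timedelta(hours=24)):
    """Return the names of the red flags a received message matches."""
    flags = {name for name, rx in PATTERNS.items() if rx.search(text)}
    own = {a.lower() for a in own_addresses}
    if any(a.lower() in own for a in ETH_ADDRESS.findall(text)):
        flags.add("references_own_wallet")
    # Message arriving shortly after the recipient's own on-chain activity.
    if last_onchain and timedelta(0) <= received_at - last_onchain <= window:
        flags.add("soon_after_onchain_activity")
    return flags

def verdict(flags):
    """A secret or test-transaction request is decisive on its own."""
    if "secret_or_test_tx_request" in flags:
        return "phishing"
    return "suspicious" if len(flags) >= 2 else "low"

# Constructed sample data (not real addresses or messages).
MY_WALLET = "0x" + "ab" * 20
TX_TIME = datetime(2026, 6, 1, 9, 0)
SAMPLES = [
    f"This is the project security team. Wallet {MY_WALLET} must be "
    "migrated: reply with your seed phrase within 2 hours.",
    f"We saw unusual activity on {MY_WALLET}, contact us immediately.",
    "Are you joining the community call tomorrow?",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        f = red_flags(msg, [MY_WALLET], TX_TIME + timedelta(hours=3), TX_TIME)
        print(verdict(f), sorted(f))
```

A single weak signal, such as an ordinary message that happens to arrive after a transaction, stays at "low"; two or more signals together raise it to "suspicious".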
How to protect yourself
- Do not publicly link your wallet address to your Telegram username in airdrop registrations or community verifications where it can be indexed
- Use separate wallet addresses for public interactions versus significant holdings
- Never share seed phrases or private keys in response to any Telegram message, regardless of the claimed context
- Treat any Telegram message referencing your on-chain activity as a potential targeted phishing attempt
- Report suspicious Telegram messages immediately to the project's verified support team through the official channel
- Enable Telegram's privacy settings to limit who can find your account through your phone number or username
How to report it
- Report the Telegram account to Telegram at abuse.telegram.org
- Notify the legitimate project team if the attacker is impersonating their support function
- Report extortion to local law enforcement and to the IC3 at ic3.gov
- Flag the attack wallet address on relevant block explorer phishing databases
Frequently asked questions
How do attackers connect my wallet to my Telegram account?
Airdrop registrations, bounty programs, and community role verifications that require submitting a wallet address linked to a Telegram username create publicly indexed records. These are scraped and combined with on-chain data to build target profiles.
Is it safe to use the same wallet for all on-chain interactions?
Using a single wallet for all interactions maximizes the amount of information an attacker can gather through clustering analysis. Separating high-value holdings into addresses that are never used for public registrations significantly reduces targeted attack risk.
What makes Telegram-targeted dusting attacks more dangerous than generic phishing?
Generic phishing is untargeted and easier to dismiss. When a message demonstrates knowledge of your specific wallet balance or recent transaction, victims are much more likely to believe it is from a legitimate source and act on the request.