One in the field is not a coin: Durov's new platform has attracted a record number of scammers

The new Cocoon platform, which Pavel Durov launched at the end of November, was promptly used by fraudsters. It allows you to mine the TON cryptocurrency, which is actively used in the Telegram ecosystem. In less than a month, Cocoon has become the target of the attention of intruders of various categories — from fake investors and phishing mailings to fake recommendations on behalf of celebrities used for illegal manipulation. Izvestia found out that there are additional legal risks for active Cocoon users from the Russian Federation. For more information, see our article.

How Cocoon attracted cybercriminals

In December 2025, fake "mining bots" began to spread on Telegram, promising to earn money by connecting a video card to the Cocoon network. In practice, they steal access to users' crypto wallets or require making an "activation deposit." At the same time, fake websites are also spreading, visually imitating the official resource of the project: visitors are offered to connect a TON wallet to participate in the "early pool", which actually leads to its compromise and subsequent withdrawal of funds. Dmitry Poida, an investigative analyst at the Shard provider, told Izvestia about this.

Photo: IZVESTIA/Yulia Mayorova

— Another area of deception is the so—called ICO clubs (platforms for initial coin offerings) and pseudo-investment societies, which collect money from newcomers under the guise of collective participation in the Cocoon presale. At the same time, it is important to understand that Cocoon does not have a separate coin-token, and all calculations are carried out exclusively in the TON crypt. Scammers are promoting the non-existent "Cocoon Token", "Cocoon DAO" and "Durov AI coins", using the name of the Telegram founder to create imaginary trust, the expert said.

According to Konstantin Larin, head of the Bastion cyber intelligence department, fictitious investment proposals, fake token resale transactions, pump-and-dump schemes, as well as other manipulations with cryptocurrencies, often carried out allegedly on behalf of celebrities, are associated with Cocoon. In addition, there are classic phishing attacks that exploit trust in Pavel Durov's brand and Telegram, and mass mailings disguised as official resources and containing false calls like "connect equipment to the Cocoon network" or "get a grant for developers."

Photo: IZVESTIA/Yulia Mayorova

— For investors and ordinary users, there may be risks of financial losses due to investments in fraudulent projects or participation in schemes masquerading as Cocoon. For miners, in turn, there are threats related to inefficient use of computing resources, infection with malicious software or the involvement of devices in a botnet," he explained.

Card with a bit: a surge in black mining has been recorded in Russia

Which regions are the leaders in the number of illegal digital asset miners

Fake websites, which are visual clones of the official resource, are working in parallel. They offer users to "connect a TON wallet to get early access," which in practice leads to its instant compromise and subsequent withdrawal of funds, recalled cybersecurity expert Igor Bederov.

Photo: IZVESTIA/Sergey Konkov

— Specific statistics on the new schemes are just being formed, but a noticeable increase in the number of incidents is already being recorded. This dynamic is likely to continue: under the guise of the Cocoon brand, attackers offer resale deals for "shares" or "guaranteed access" to non—existent platform services, as well as other token manipulations, the expert added.

Additional risks for Russian miners

With decentralized networks like Cocoon, there are always vulnerabilities and risks for abuse. They can be very different — from node substitution and unauthorized use of computing power to the use of infrastructure for questionable or illegal tasks. At the same time, the end user often does not have a transparent understanding of what processes are performed on his equipment, said Anton Nemkin, a member of the State Duma Committee on Information Policy, Information Technology and Communications, federal coordinator of the Digital Russia party project.

Photo: IZVESTIA/Anna Selina

According to the product manager of Sphere.Distributions and licenses" by Maxim Golovkin, such services are associated with the spread of threats such as protestware ("find and neutralize"), which, according to his forecast, will increase in 2026. Such vulnerabilities contain political or protest elements introduced by developers into open source projects. They are difficult to identify because they are not classified as malicious in other countries, and databases, including NVD and OSV, are updated with a delay. Similar threats also affect users of the Telegram ecosystem through lightweight applications that work inside the messenger and do not require a separate installation on the device.

In office style: a miner is being distributed in Russia under the guise of Microsoft products

What threats are users facing and how to protect themselves

Stanislav Yezhov, Director of AI at Astra Group, recalled that mining has been legalized in Russia since November 1, 2024. The Cocoon platform is technically closer to providing computing services for tokens than to classic mining, but the tax qualification of such operations has not yet been fixed. In conditions of uncertainty, the Federal Tax Service of Russia may reclassify income, followed by additional fines in the amount of 20-40%, he believes.

Photo: TASS/Alexander Ryumin

— The main risks are related to trust in technology and its operators. Dependence on foreign cloud services could repeat the situation in 2022, when many critical services were temporarily shut down. Therefore, it is extremely risky to build key functionality on foreign solutions like Cocoon," said Dmitry Sluzhenikin, assistant head of the Gazinformservice Analytical center, secretary of the Consortium for Security Research of Artificial Intelligence Technologies.

Currently, violations in mining are most often prosecuted under the article on unauthorized connection to energy resources — a fine of up to 400 thousand rubles. In addition, the draft law of the Ministry of Finance considers the introduction of direct sanctions for violations in the field of mining. For citizens, fines can amount to 200 thousand rubles with confiscation of equipment, said Vasily Ermolin, partner at Ermolina & Partners law firm.

— Cocoon differs in that it does not come "into the void", but relies on Telegram, which immediately provides AI query traffic and a ready-made economy around the TON token. This automatically makes the project more viable than many previous attempts to create a decentralized "GPU market," said FabricaONE, Director of AI Technology Development.AI Nikolay Trzhaskal.

Photo: IZVESTIA/Dmitry Korotaev

Cocoon's mining economy is significantly different from Bitcoin mining. A video card of at least NVIDIA H100 is required for operation, the price of which in Russian retail is 2-3 million rubles, even without taking into account the server infrastructure, said Lidings partner Dmitry Kirillov. This is 10-15 times the cost of bitcoin mining equipment (ASIC). Taxes on income from such mining will have to be paid by both "home" and "industrial" miners.

In general, users may face both direct financial losses due to fluctuations in the exchange rate of the coin, and subsequent questions from the tax authorities regarding the declaration of income and the legal status of the received digital assets, Anton Nemkin said.

It is important to remember that using the earned TON to pay for goods and services within the Russian Federation is prohibited by the CFA law. That is, you can "mine" them, but in order to spend them, you will first have to sell them on the stock exchange for rubles, said Egor Kirillov, a leading business analyst at Nanosemantics Group.