Unknown attackers recently hijacked the DNS of BlackWallet.co, a web-based wallet application for Stellar Lumens (XLM). According to Bleeping Computer, the attackers stole the equivalent of over $400,000 from unsuspecting users.
BlackWallet’s DNS was hijacked on January 13 and began resolving to the attackers’ server. Users were therefore sent to a look-alike copy of BlackWallet that handed the attackers control of their funds as soon as they entered their secret keys. In a statement on Reddit, BlackWallet’s creator confirmed the hack and identified the attackers’ wallet.
Security researcher Kevin Beaumont managed to analyze the code before the BlackWallet team regained access to the domain and took down the fake website. According to him, “the DNS hijack of Blackwallet injected code.” The code, in turn, stole funds from users who had over 20 Lumens in their wallets.
The DNS hijack of Blackwallet injected code, if you had over 20 Lumens it pushes them to a different wallet. pic.twitter.com/Eiwb8UR1Nn
— Kevin Beaumont (@GossiTheDog) January 14, 2018
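The attack worked because the domain quietly started resolving to an address the operators did not control. One check a practitioner would want after an incident like this, added here as an example and not code from BlackWallet or from Beaumont's analysis, is to pin the expected A records for a domain and alert the moment resolution drifts outside that set. The domain name, addresses and polling snapshots below are constructed; `system_resolver` is the only part that touches the network and is not used by the sample run.

```python
"""Detect DNS hijacking by comparing resolution results against pinned records.

Added example, not BlackWallet's code. Domain names and IPs are constructed
(RFC 5737 documentation ranges).
"""
from __future__ import annotations

import socket
from dataclasses import dataclass
from typing import Callable, Iterable, Optional

Resolver = Callable[[str], set]


@dataclass(frozen=True)
class DnsPin:
    """A domain and the only addresses it is ever allowed to resolve to."""
    domain: str
    expected: frozenset


@dataclass(frozen=True)
class Verdict:
    domain: str
    observed: frozenset
    unexpected: frozenset   # answers outside the pinned set
    missing: frozenset      # pinned addresses absent from this answer

    @property
    def hijacked(self) -> bool:
        # A missing record can be load balancing or a rotated host; an address
        # that was never pinned means user traffic is leaving our infrastructure.
        return bool(self.unexpected)


def system_resolver(domain: str) -> set:
    """Resolve through the OS resolver. Used in production; the sample run
    below injects a fake so the example stays offline."""
    return {info[4][0] for info in socket.getaddrinfo(domain, 443, proto=socket.IPPROTO_TCP)}


def check_pin(pin: DnsPin, resolve: Resolver) -> Verdict:
    """Resolve pin.domain once and classify every answer against the pin."""
    observed = frozenset(resolve(pin.domain))
    return Verdict(domain=pin.domain, observed=observed,
                   unexpected=observed - pin.expected,
                   missing=pin.expected - observed)


def first_drift(pin: DnsPin, snapshots: Iterable[set]) -> Optional[int]:
    """Index of the first polling snapshot containing an unpinned address,
    or None if every snapshot stayed inside the pin."""
    for i, snap in enumerate(snapshots):
        if frozenset(snap) - pin.expected:
            return i
    return None


def fake_resolver(answers: set) -> Resolver:
    """Build a resolver that returns a fixed, constructed answer set."""
    return lambda domain: set(answers)


# Constructed sample: two benign polls, then one that answers with an address
# the operator never published.
SAMPLE_PIN = DnsPin("wallet.example", frozenset({"203.0.113.10", "203.0.113.11"}))
SAMPLE_SNAPSHOTS = [
    {"203.0.113.10", "203.0.113.11"},
    {"203.0.113.11"},          # one pinned record missing: not a hijack
    {"198.51.100.77"},         # answers now point somewhere else entirely
]

if __name__ == "__main__":
    for snap in SAMPLE_SNAPSHOTS:
        v = check_pin(SAMPLE_PIN, fake_resolver(snap))
        print(v.domain, "HIJACK" if v.hijacked else "ok",
              "unexpected:", sorted(v.unexpected), "missing:", sorted(v.missing))
    print("first drift at snapshot index", first_drift(SAMPLE_PIN, SAMPLE_SNAPSHOTS))
```

Run from several vantage points (different resolvers, different networks) rather than one, since a hijack at the registrar or authoritative nameserver is visible everywhere while a poisoned local cache is not; an alert on `hijacked` should trigger the kind of public warning the BlackWallet team had to issue by hand.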
In its statement on Reddit, BlackWallet’s creator added that those who have entered their key on the website may want to move their funds to another wallet to keep them safe, using the stellar account viewer. He noted, however, that “blackwallet was only an account viewer” and that no keys were stored on its servers.
The team behind the website and other XLM holders attempted to warn users of the risks of accessing BlackWallet. Warnings were posted on Twitter, Reddit, GitHub, and even on the GalacticTalk forums. Users nevertheless continued to enter their keys on the rogue website and saw their funds stolen.
According to reports, the attacker stole 669,920 Lumens. At press time these are worth over $416,000. One Lumen is currently trading at $0.621 and is up 1.2% over the last 24 hours, according to Cryptocompare.
Hackers are laundering stolen Lumens
Researchers further noted that the attackers emptied their wallet and sent the funds to the cryptocurrency exchange Bittrex. Through the exchange they can sell their Lumens for privacy-centric cryptocurrencies to hide their tracks.
However, if their account on Bittrex is verified, or if they misstep while using the platform, their identity or IP address may be revealed. The Stellar community is now attempting to contact Bittrex before it is too late.
Hello @BittrexExchange , please block the account with MEMO XLM 27f9a3e4d954449da04, he hacked https://t.co/ooPMtN2HV4 and is now sending all the funds to your exchange! This is URGENT! A lot of money is involved (>$300,000) https://t.co/nH1MnpPeyw https://t.co/3NlQ01m1yV
— orbit84 (@orbit0x54) January 14, 2018
BlackWallet’s admins are also in contact with their hosting provider to obtain whatever information might help. Notably, BlackWallet was also hacked last year, according to a thread on GalacticTalk.