Hackers Hijack DNS Server of BlackWallet to Steal $400,000

Unknown hackers (or hacker) have hijacked the DNS server for BlackWallet.co, a web-based wallet application for the Stellar Lumen cryptocurrency (XLM), and has stolen over $400,000 from users' accounts.

The attack happened late Saturday afternoon (UTC timezone), January 13, when the attackers hijacked the DNS entry of the BlackWallet.co domain and redirected it to their own server.

"The DNS hijack of Blackwallet injected code," said Kevin Beaumont, a security researcher who analyzed the code before the BlackWallet team regained access over their domain and took down the site. "If you had over 20 Lumens it pushes them to a different wallet," Beaumont added.

Attackers stole almost 670,000 Lumens

The attackers' wallet is located at the "GBH4TZYZ4IRCPO44CBOLFUHULU2WGALXTAVESQA6432MBJMABBB4GIYI" address.

According to Bleeping Computer's calculations, as of writing, the attacker collected 669,920 Lumens, which is about $400,192 at the current XLM/USD exchange rate.

The BlackWallet team and other XLM owners have tried to warn users via alerts on Reddit, Twitter, GitHub, the Stellar Community and GalacticTalk forums, but to no avail, as users continued to log into the rogue BlackWallet.co domain, enter their credentials, and then see funds mysteriously vanish from their wallets.

Hackers started laundering stolen funds to hide his tracks

A few hours ago, the attackers started moving funds from the XLM account to Bittrex, a cryptocurrency exchange, where they're most likely to convert the stolen funds into another digital currency to hide their tracks.

BlackWallet admins are now desperately trying to catch Bittrex's attention to block the hackers' account. According to the BlackWallet admin, the incident took place after someone accessed his hosting provider account.

"I am in talks with my hosting provider to get as much information about the hacker and will see what can be done with it," he said in a statement released earlier today.

"If you ever entered your key on blackwallet, you may want to move your funds to a new wallet using the stellar account viewer," he added. "Please note however that blackwallet was only an account viewer and that no keys were stored on the server!"

Stellar Lumen ranks today as the eight most popular cryptocurrency, according to CoinMarketCap.

BlackWallet was also hacked in July 2017 [1, 2], but we couldn't find any details about the incident. EtherDelta suffered a similar DNS hijacking incident before Christmas 2017, but to this day we still don't know how many funds the attacker stole. Classic Ether Wallet and the Etherparty ICO website also suffered DNS hijackings.