Another day, another hack. This time, the unfortunate victims are those who have been using the Stellar Lumens (XLM) web-based wallet application, Blackwallet.co.
This was a DNS server hack which means that the attackers were able to commandeer the blackwallet DNS servers. This meant that they were able to successfully drive the users to a malicious server which hoovered up their details.
The hack occurred on Saturday afternoon January the 13th. According to a security researcher, the hackers were able to inject code that took all the funds from Stellar addresses that had over 20 XLM in them.
Familiar MO
The DNS server hack is not a new attack vector. In fact, this happened just last month in the large EtherDelta DNS hack. In that case the hackers was able to infiltrate the domain servers and steal a considerable amount of ETH.
You can see exactly how much Stellar the hacker was able to steal by observing his address on the Stellar Blockchain. According to the research by Bleeping Computer he was able to make away with about 670,000 XLM. Given the current exchange rate, that makes the loot worth $418,013.
The moment that the hack occurred, the BlackWallet team and other users tried to spread the word as quickly as possible. They reached out on Github, Reddit and Twitter among others. Unfortunately, users continued to access blackwallet and hence were redirected to the rouge server.
The “Wash” Commenced
Once the hackers were able to get a hold of the funds, they wasted no time in trying to cover their tracks. They started moving the coins to an account on the Bittrex cryptocurrency exchange.
They would most likely have bought another Altcoin such as Monero (XMR) or Zcash (ZEC) in order to “clean” the funds and move them away from the exchange without being traced.
The developer behind BlackWallet tried to desperately get the attention of staff at the Bittrex exchange. The hope was that they would be able to block funds coming from the wallet before they were sent out. Below is the tweet.
Hello @BittrexExchange , please block the account with MEMO XLM 27f9a3e4d954449da04, he hacked https://t.co/ooPMtN2HV4 and is now sending all the funds to your exchange! This is URGENT! A lot of money is involved (>$300,000) https://t.co/nH1MnpPeyw https://t.co/3NlQ01m1yV
— orbit (@orbit0x54) January 14, 2018
It is unlikely that they were able to effectively stop the funds coming through given the speed with which the hacker was able to move. Today the developer behind blackwallet said that he was in discussions with his hosting provider to see if they could get any digital fingerprints on the hacker.
He also stressed that blackwallet was an account viewer site and that they did not store private key information on their server. Hence, you would only have been susceptible if you entered your key on blackwallet during the time the hack was taking place.
Cursory Lessons
This is no doubt another unfortunate tale in the risks that cryptocurrency wallets and exchanges face when they have a central point of failure. In this case, it is the centralised DNS server.
There are many that are looking to decentralised name server solutions such as the Ethereum Name Service as the decentralised answer to the existing network architecture.
While it can be quite hard to know whether a site's DNS server has been hacked, it no doubt a wise decision to make use of a hardware wallet that stores your private keys offline.
