The BlackWallet browser-based wallet application has been compromised, and 400,000 USD in user funds (in the Stellar Lumen cryptocurrency) was stolen from it. It’s still unknown who is behind the attack. To carry it out, the attackers hijacked the DNS servers of the application. More specifically, a DNS server connected to the BlackWallet domain was compromised.
The creator of the BlackWallet app confirmed in a statement that an unknown individual had succeeded in accessing their hosting provider account, which led to the DNS changes and the theft of user funds.
More about the Attack on BlackWallet
The attackers were targeting the Stellar Lumen (XLM) cryptocurrency. They succeeded in stealing approximately 670,000 Lumens, which amounts to 400,000 USD.
The attack took place on Saturday (January 13) in the afternoon (UTC timezone). This is when the attackers successfully hijacked the DNS entry of BlackWallet.co and redirected it to a server under their control. Kevin Beaumont, the researcher who analyzed the code, said that “the DNS hijack of Blackwallet injected code” and that “if you had over 20 Lumens it pushes them to a different wallet”.
Alerts spread quickly over the weekend after the attack, in an attempt to warn users and keep them from logging into the domain. However, the alerts had little effect, as users continued logging in. Here’s what the warning said:
If you used BlackWallet in the past then use your Secret Key and log in to Stellar Account Viewer to use them. If you don’t log in to the BlackWallet website your XLM is safe. Lumens are not stored in the wallets, Lumens are ALWAYS stored in the network, you just use wallets to have access to the network. If you use BlackWallet with your Secret Key then the script will steal your Secret Key and then your Lumens.
Once the theft was complete, the stolen funds started to vanish into the Bittrex cryptocurrency exchange, reports reveal. BlackWallet made several attempts to contact the exchange to have the corresponding wallet blocked. However, these attempts have seen no results.
The BlackWallet creator apologized for the unfortunate event and said that he is in talks with the hosting provider to get as much information as possible about the hacker. He also highlighted that BlackWallet was only an account viewer, meaning that no keys were stored on the server. Nonetheless, it’s highly advisable for users who have recently entered their keys on the application to move their funds as quickly as possible.
Keep in mind that if the main website of the application doesn’t function, the Stellar Account Viewer can be used instead.