Hackers crack BlackWallet DNS server, steal US$ 400,000

News by Mark Mayne

Attackers have made off with up to US$ 400,000 (£290,000) in cryptocurrency after an ingenious attack on Stellar Lumen (XLM) wallet, BlackWallet.


In the latest cryptocurrency security incident, hackers managed to compromise the server hosting popular web-based wallet BlackWallet and change the DNS records to point to a replica BlackWallet site.

When XLM holders logged into the new site, a script ran that transferred their balances to the hacker's wallet - if they held more than 20 XLM.  

A poster on Reddit claiming to be the admin said: “BlackWallet was compromised today, after someone accessed my hosting provider account. I am sincerely sorry about this and hope that we will get the funds back. I am in talks with my hosting provider to get as much information about the hacker and will see what can be done with it. If you ever entered your key on blackwallet, you may want to move your funds to a new wallet using the stellar account viewer. Please note however that BlackWallet was only an account viewer and that no keys were stored on the server!”


Thomas Fischer, threat researcher & global security advocate at Digital Guardian, told SC Media UK: “The BlackWallet incident is actually an interesting and quite clever application of DNS hijacking, which can in itself be a relatively simple technique. Using social engineering techniques to access the login for the hosting provider account gave the attacker a very straightforward way to re-direct traffic to the malicious site.

“The malware that was injected into the site to move the customers' cryptocoins is the more interesting part, in that it targeted specific wallet sizes. The lesson to learn here is that web asset security is a multi-faceted thing and businesses often neglect to monitor all the important components. It's essential to have visibility into changes across the whole web infrastructure – including services like the DNS – in addition to just the web and application servers.”

Cryptocurrency Stellar Lumen (XLM) has seen considerably increased interest of late, moving from a value of $0.027 per XLM on 04 November 2017 to a 04 Jan high of $0.89 (£0.64) - an increase of 229 percent. Stellar Lumen is ranked as the world's ninth largest cryptocurrency, according to coinmarketcap.

Javvad Malik, security advocate at AlienVault, told SC Media UK: “As cryptocurrencies gain popularity and value, they become a more attractive target to cyber-criminals looking to make a quick profit either by hijacking wallets directly, or by using malware to mine cryptocurrencies. Cryptocurrencies are largely unregulated, and there is little assurance around the development and security of wallets. It is imperative that cryptocurrency wallet providers build in security into their software development life cycle, and get third party experts to validate that it is free from common flaws and vulnerabilities.”

Despite the market excitement around cryptocurrencies, the attack holds solid lessons for any business, as Stephen Moore, chief security strategist at Exabeam, pointed out: “The cryptocurrency theft has grabbed the headlines, but there are some gems of advice from this attack for anyone tasked with defending systems. It would seem the attack involved credential theft of the hosting portal admin account. It's simple advice, but anything that is protected by username and password alone can and will be stolen and used against you. The immediate action should be to activate multi-factor or adaptive authentication anywhere that it is available. Businesses must have the ability to understand changes in configurations, especially core networking and DNS, and be able to identify the misuse of compromised accounts. Lastly, BlackWallet is certainly not unique here – I would expect many businesses are susceptible to this kind of incident, especially if targeted by an incentivised and persistent adversary.”
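
The visibility into DNS changes that the commentators call for can be checked mechanically. The Python below is an added example, not part of the original article or any BlackWallet code: it compares a snapshot of a zone's records with an owner-approved baseline and flags drift. The domain names, addresses, networks and severity labels are constructed assumptions.

```python
import ipaddress

# Constructed baseline of owner-approved records (example names, documentation IPs).
APPROVED = {
    ("wallet.example.com.", "A"): {"192.0.2.10"},
    ("wallet.example.com.", "NS"): {"ns1.host.example.", "ns2.host.example."},
}
APPROVED_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # constructed hosting range

def parse_snapshot(text):
    """Parse 'name TTL IN type value' zone-style lines into {(name, type): {values}}."""
    records = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        name, _ttl, _cls, rtype, value = line.split(None, 4)
        records.setdefault((name.lower(), rtype.upper()), set()).add(value.lower())
    return records

def find_drift(observed, approved=APPROVED, nets=APPROVED_NETS):
    """Return (severity, name, type, detail) findings for unapproved changes."""
    findings = []
    for name, rtype in sorted(set(observed) | set(approved)):
        seen = observed.get((name, rtype), set())
        want = approved.get((name, rtype), set())
        for value in sorted(seen - want):
            severity = "high"                  # changed, but still inside approved hosting
            if rtype == "NS":
                severity = "critical"          # delegation moved: whole zone is affected
            elif rtype in ("A", "AAAA"):
                addr = ipaddress.ip_address(value)
                if not any(addr in net for net in nets):
                    severity = "critical"      # traffic now leaves the owner's hosting
            findings.append((severity, name, rtype, f"unapproved value {value}"))
        for value in sorted(want - seen):
            findings.append(("medium", name, rtype, f"approved value {value} missing"))
    return findings

# Constructed snapshot, as if exported from the DNS provider after a record change.
SNAPSHOT = """
wallet.example.com. 300 IN A 203.0.113.66   ; was 192.0.2.10
wallet.example.com. 3600 IN NS ns1.host.example.
wallet.example.com. 3600 IN NS ns2.host.example.
"""

if __name__ == "__main__":
    for finding in find_drift(parse_snapshot(SNAPSHOT)):
        print(*finding, sep=" | ")
```

Run on a schedule against records fetched from resolvers outside the hosting provider, a check like this reports a repointed A record even when the web and application servers themselves are untouched.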
