Stellar Staking Email-Phishing Scam and the Ledger.com Data Breach - Stellarscam.report

🚨ALERT🚨: If you have a Ledger hardware wallet, or have ever entered your email address on the Ledger.com website, you may be exposed. Go to https://haveibeenpwned.com/ to see if your email is being…

Dec 21, 2020 · 5 min read

Memo-phishing connection to Email-phishing

In our first blog, which explained the origin story behind stellarscam.report as well as the memo-phishing detection bot with the monthly reports from mid-May to mid-October, I had posted that there could be a possible connection between the memo-phishing happening on the Stellar Network and the email-phishing that started to appear in the thousands in June. The basis was a small coincidence in timing: the scammers took a 2 week break before resuming their scammer bot a few days after the first batch of the email-phishing appeared. More information has since come to light that adds to this conclusion.

[Figure: Red arrow indicates June 25th, the start of the email-phishing. Please note the week breaks from June 4th to June 11th and from June 19th to June 29th.]

In June there were multiple ‘week long breaks’ in between the ‘usual’ routine of what the memo-phishing scammer did before. It was at this time that the Stellarscam.report team suspected that the scammer was fully aware of our actions and was planning to do something different. Our suspicion was correct, as the number of accounts the scammer used to spam the network tripled from their usual 4 accounts to 12 accounts in June. For the sake of convenience, accounts = the scammer bots. The more accounts/bots, the more transactions that can be sent within an hour.

The timing was also different: the bots usually sent out a few transactions every minute throughout the week, whereas they were now collectively sending out dozens of transactions per minute over a couple of days. Four days after the first email-phishing batch on June 25th, the scammer bot resumed (June 29), but this time the bot went back to its original ‘couple transactions every minute’ routine. You can review the monthly reports from mid-May to mid-October to see the difference in patterns, found at the bottom of this blog: Stellarscam.report Monthly Reports mid-May to mid-October.

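The pattern comparison described above (number of sender accounts, transactions per minute, and pauses between active days) can be computed from a list of already-flagged memo transactions. The following is an added example, not stellarscam.report's own code; the record layout, the `make_day` and `profile` names, the thresholds and the sample data are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

def make_day(day, accounts, tx_per_minute, minutes=3):
    """Constructed traffic for one day: (UTC timestamp, sender account) tuples."""
    return [(f"{day}T12:{m:02d}:{i:02d}Z", f"G_BOT_{(m * tx_per_minute + i) % accounts:02d}")
            for m in range(minutes) for i in range(tx_per_minute)]

# Constructed sample, not data from the monthly reports; account names are placeholders.
SAMPLE = (make_day("2020-06-02", 4, 2) + make_day("2020-06-03", 4, 2)
          + make_day("2020-06-12", 12, 24) + make_day("2020-06-18", 12, 24)
          + make_day("2020-06-29", 4, 2))

def profile(records, gap_days=7, factor=3):
    """Summarise flagged memo transactions per active day.

    Returns (daily, gaps, escalations):
      daily        {day: (distinct senders, peak transactions in one minute)}
      gaps         [(last active day, next active day, days apart)] for pauses >= gap_days
      escalations  days whose sender count is >= factor x the median of earlier days
    """
    senders = defaultdict(set)
    per_minute = defaultdict(lambda: defaultdict(int))
    for ts, account in records:
        t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        senders[t.date()].add(account)
        per_minute[t.date()][t.replace(second=0)] += 1
    days = sorted(senders)
    daily = {d.isoformat(): (len(senders[d]), max(per_minute[d].values())) for d in days}
    gaps = [(a.isoformat(), b.isoformat(), (b - a).days)
            for a, b in zip(days, days[1:]) if (b - a).days >= gap_days]
    escalations = []
    for i, d in enumerate(days[1:], start=1):
        # Baseline is the median sender count over all earlier active days.
        baseline = median(len(senders[p]) for p in days[:i])
        if len(senders[d]) >= factor * baseline:
            escalations.append(d.isoformat())
    return daily, gaps, escalations

if __name__ == "__main__":
    daily, gaps, escalations = profile(SAMPLE)
    for day, (n_senders, peak) in daily.items():
        print(day, "senders:", n_senders, "peak tx/min:", peak)
    print("pauses:", gaps)
    print("sender-count escalations:", escalations)
```
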
The email-phishing seems to be potentially premeditated. On June 25th, the emails were already spoofed, the domains were registered, and the hosting services where the spoofed websites were stored were all in place. All that they needed was the targets and, due to the Ledger database breach, they had potentially thousands of suspected XLM users to target. Over 40 unique reports by individuals reporting scams to stellarscam.report were all connected to having either a Ledger hardware wallet or using the official Ledger.com website with their email address.

It should be known that memo-phishing transactions were happening on a daily basis throughout 2019 and in the beginning of 2020. Since our detection bot has gone live, and especially since June 25th, it is apparent that the scammer has stopped focusing their efforts on memo-phishing and is rather focusing on something else. In fact, August seems to have been the last ‘real’ attempt at memo-phishing, and anything after that is simply the scammer ‘trying’ to overload our detection system but always failing.

This was even more obvious when we made our first public announcement of the bot on Reddit on October 27th, and the scammer bot resumed, this time with ‘50’ accounts/bots, on October 30th. However, all they really spammed was Keybase & Blockchain.com airdrop accounts. This didn’t make sense, because Keybase has a UI feature that doesn’t show small transactions and Blockchain.com doesn’t show the memos being received, so at the end of the day this scammer really wasn’t doing anything but spamming the network and trying to get over our wall, which they couldn’t. Even though we caught every single transaction, the scammer came back a few days after with 100 bots. A few days after that they stopped, until resuming on November 19th (UTC).

While the scammers were working on memo-phishing, they were registering domains, hosting servers, and making spoofed websites etc. for the sake of spamming malicious memos on the Stellar Network. Memo-phishing has basically stopped today, or isn’t happening anymore like it used to, since our bot went live. However, email-phishing has been on the rise since June 25th while memo-phishing has gone down.

This suspicion was further confirmed on November 22nd, when stolen funds from email-phishing, which had been dormant and reported to our team, were detected moving to an exchange during the same period in which the scammer turned on their scammer bot. The scammer bot was sending out malicious memos linking to a fake website in the usual ‘couple transactions per minute’ routine.

[Figure: Memo-phishing in November 20–25]

From November 20th to 25th, there was one (1) account with stolen funds that moved on November 22nd. Another account that was stolen and reported was moved less than 8 hours after the scammer bot stopped. These funds were reported to the exchanges, and they responded saying they seized them.

The Final Verdict

Stellarscam.report’s team has concluded (with the information above) that the email-phishing campaign called ‘Stellar Staking Marathon’ or ‘Stellar Staking inflation mechanism’ or ‘Stellar Staking distribution’ is directly connected to the Ledger database breach. The connection is that the same scammers who spammed the Stellar Network with malicious memos in transactions are now using the emails from the Ledger database breach to manufacture spoofed emails in order to further commit fraudulent acts on community members. Whether they were part of the actual Ledger database breach is not fully apparent, as the data leak was supposedly ‘sold on the internet’ and there is no final conclusion on how early the data breach actually was. The investigation in that specific regard is still on-going with law enforcement.

November 29 SDF Email Incident

On November 29 it became known that community members were getting scammed through email-phishing, but some of them didn’t have a Ledger wallet.
The SDF Statement concludes: “What we have learned is that the attacker gained access to the API keys used to access a third-party email service that we had authorized to send certain notification emails from a Stellar domain on SDF’s behalf. These notifications related to upgrades from the legacy Stellar network to the current network, launched in 2015.”

What should be apparent by now is that both the SDF and the Ledger company were being targeted by what seems to be an identical attack vector: gathering email addresses via API keys. A snippet from the Ledger.com July 14th blog: “To be as transparent as possible, we want to explain what happened. An unauthorized third party had access to a portion of our e-commerce and marketing database through an API Key. The API key has been deactivated and is no longer accessible.”

The investigation in this specific regard is still on-going with law enforcement.