On Sunday, November 29, we became aware of a phishing attempt that reached some members of the Stellar community. The phishing emails purported to be sent by Stellar Development Foundation (SDF), claimed that a request to generate a new secret key had been received for the recipient's Stellar wallet, and asked the recipient to click buttons in the email to cancel or authorize this request. Recipients who clicked on the buttons were taken to a domain controlled by the attacker that prompted the recipient to enter information, such as their secret key, which could be captured by the attackers.
SDF did not send these emails, cannot reset accounts, cannot generate or reset a new secret key, and as we regularly make clear in our communications, we will never ask for secret keys.
Upon learning of this attack, our team responded quickly to disrupt the phishing activity so that anyone who clicked on a link in the email would see an error message and would not be taken to the attacker-controlled domain. We also alerted the Stellar community.
We also began an investigation into the source of this attack. The attackers did not gain access to any of the Stellar network infrastructure. By design, neither SDF nor any third-party can ever access, reset, reverse, modify, view or store users’ account information on the Stellar network. There is also no indication that the attackers gained access to any of SDF’s infrastructure or systems. Instead, what we have learned is that the attacker gained access to the API keys used to access a third-party email service that we had authorized to send certain notification emails from a Stellar domain on SDF’s behalf. These notifications related to upgrades from the legacy Stellar network to the current network, launched in 2015. Initially, the phishing emails were sent from this Stellar domain to email addresses that were on a list maintained and used by the third-party email service. After we terminated the attacker’s ability to send the phishing emails from the Stellar domain, the attacker sent the same phishing emails from domains associated with other (non-Stellar) customers of the third-party email service. We understand that the third-party email service worked with those customers to disrupt this second wave of phishing emails. For the phishing emails the attackers sent from our own domain, to date, only about 2500 were opened by the recipients.
As to how the attacker gained access to the API keys used to access the third-party service, our investigation is ongoing and the third-party email service is assisting in our efforts. We have also referred this incident to law enforcement.
We are very thankful for the members of the Stellar and cybersecurity communities who shared valuable information about this attack and for those who took steps on their own to help limit its reach and warn the community.
Unfortunately, cyber fraud is rampant and has only increased during the COVID-19 pandemic. We encourage everyone to review our security guide to learn more about protecting yourself from scams and phishing attempts like this one. The broader Stellar ecosystem is also a great source to find real-time warnings about scams. For example, there is a Keybase channel where members of the Stellar community share information about scams that are identified in the ecosystem (stellar.public#-scam-alert-). You can also find this type of information on Reddit and report scams to community-driven efforts like stellarscam.report and stellar.expert.