I came across this very sophisticated Stellar Lumens (XLM) scam today and I wanted to alert you about this so you can stay safe and protect your wealth as the crypto bull market returns.
I include screenshots to explain how the scam works and to point out some of the features to look out for that identify this as a scam.
Figure 1. The announcement email
How does the scam work?
A very legitimate looking email from Stellar (see Figure 1) announces extremely good news for the XLM community. The campaign is believable, given the Stellar Development Foundation’s strategy to increase adoption of XLM through airdrops with strategic partners (e.g. Keybase and Blockchain wallet airdrops) and increasing value of XLM through supply reductions (e.g. XLM burning event).
All the links take you to a blog post (see Figure 2). The blog provides further details of the airdrop and explains the mechanism for calculating how many free XLM you will receive. There are a number of links on the page, and most people would probably just click the 'claim lumens' link and move to the claim screen. The links to join the Stellar social channel on Keybase and to the developer documentation do take you to genuine Stellar sites; however, the links to the Community and to the Stellar Development Foundation are broken.
Figure 2. Blog explaining airdrop
Once you click on the 'claim lumens' link, you are taken to a Stellar Account viewer page. It looks official, with the address even looking legitimate. Users are asked to enter their public key. What makes this scam very convincing is that it links to the XLM blockchain and returns a valid balance. It then calculates how much you will receive from the airdrop (looks to be ~25% more XLM rounded down to the nearest whole XLM). Obviously this is attractive and most people will now be salivating about their good fortune. You are then directed to a claim screen.
Figure 3. Claim your lumens
Now we get to the main event. There are links that suggest you can sign the claim using a hardware device, but attention is immediately drawn to the filled-in 'sign request' button. This is where they harvest your secret keys. With both your public and private keys, they are free to take your crypto at will.
Figure 4. The harvesting
What gives this away?
- The email address should be an immediate red flag. It does not appear to be from a legitimate source, even though the content itself looks very professional and legitimate.
- The broken links are a good indication that the authors are not who they say they are.
- Genuine projects will never ask you for your private keys. I think this is a safe assumption to make, and there are no circumstances, ever, where you should disclose your private and public keys to a third party. Once they have this, it's their crypto.
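As an added example (not code from the original post or from Stellar), the following Python check shows how a wallet front end or browser extension could tell a Stellar public key (starts with 'G') from a secret seed (starts with 'S') by parsing the Stellar strkey format, and refuse to transmit anything that classifies as a secret. This is exactly the value the 'sign request' screen above asks for; the version bytes and CRC16-XModem checksum follow the public strkey specification, and the sample keys are constructed from made-up 32-byte payloads.

```python
import base64
import binascii

# Stellar strkey version bytes: the top five bits select the first base32 letter.
VERSION_PUBLIC = 6 << 3   # 0x30 -> encoded account IDs start with 'G'
VERSION_SECRET = 18 << 3  # 0x90 -> encoded secret seeds start with 'S'


def crc16_xmodem(data: bytes) -> int:
    """CRC16 with polynomial 0x1021 and zero init, as used by strkey checksums."""
    crc = 0
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc


def encode_strkey(version: int, payload: bytes) -> str:
    """Build a strkey: version byte + 32-byte payload + little-endian CRC16, base32."""
    body = bytes([version]) + payload
    checksum = crc16_xmodem(body).to_bytes(2, "little")
    return base64.b32encode(body + checksum).decode("ascii")


def decode_strkey(key: str):
    """Return (version, payload); raise ValueError on bad encoding or checksum."""
    try:
        raw = base64.b32decode(key)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("not valid base32") from exc
    if len(raw) != 35:  # 1 version byte + 32 payload bytes + 2 checksum bytes
        raise ValueError("unexpected strkey length")
    body, checksum = raw[:-2], raw[-2:]
    if crc16_xmodem(body) != int.from_bytes(checksum, "little"):
        raise ValueError("checksum mismatch")
    return body[0], body[1:]


def classify_input(text: str) -> str:
    """Classify a pasted form value as 'public', 'secret' or 'other'."""
    try:
        version, _ = decode_strkey(text.strip())
    except ValueError:
        return "other"
    return {VERSION_PUBLIC: "public", VERSION_SECRET: "secret"}.get(version, "other")


def safe_to_submit(text: str) -> bool:
    """A claim form only ever needs a public key; block anything that is a secret seed."""
    return classify_input(text) != "secret"
```

A public key passes `safe_to_submit`, while a valid secret seed is blocked before it leaves the browser; a value with a single corrupted character fails the checksum and is treated as a plain string.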
Bad actors are getting really sophisticated and you are not safe out there. Some have the resources and ingenuity to develop sophisticated ways of catching you off guard and harvesting your crypto. They imitate sites of genuine companies, design their pages to look legitimate and will even link to genuine content. Please stay safe out there and NEVER EVER EVER give your private key pairings to anyone!