With many financially-motivated threat actors targeting cryptocurrency, it comes as no surprise that users of 'Stellar', an opensource blockchain payment network, have recently been targeted in a somewhat convincing attack in an attempt to steal their holdings of Lumen (XLM), an 'altcoin' cryptocurrency.
Seemingly rising in value again (Figure 1) and likely contributing toward threat actor interest, the Stellar Development Foundation has recently facilitated the development of a European stable coin (EURB) that is to be issued by the German Bankhaus von der Heydt (BVDH), announced in December 2020, as well as being selected to develop virtual assets for the Ukraine Ministry of Digital Transformation  in January 2021.
Figure 1 - Stellar Lumen (XLM) performance (Yahoo! Finance) 
Given this renewed interest and the increasing value of the Lumen cryptocurrency, those with Stellar Lumens, and other cryptocurrencies, are advised to be cautious of any unsolicited communication, especially those that purport to offer 'prizes' or 'rewards', as well as taking steps to ensure that their private key and any hardware authentication method is only used on legitimate websites.
As is to be expected in campaigns of this nature, the initial lure email masquerades as a legitimate communication from Stellar, with the subject
Stellar community - Airdrop Program ONLINE-GATEWAY-Number: 823507 Our reference number: 5802/ 8699 12/30/2020 "-POST, and suggests that the recipient is entitled to receive a Lumen reward (Figure 2).
Figure 2 - Initial lure email
Although sent using the legitimate looking sender name '
Stellar.org-Team', the sender email address makes no attempt to mask that it is a Hotmail account, albeit potentially compromised, and therefore victims should heed this early warning as an indicator of nefarious activity.
Having clicked on the link to 'Claim XLM', the victim is taken to an initial domain, in this instance
getxlm[.]org, before being redirected to a domain mimicking the legitimate Stellar domain through the use of an internationalized domain name (IDN) homograph attack.
Homograph, or homoglyph, attacks deceive a victim into thinking that they are accessing the legitimate domain by substituting Latin characters for look-a-likes, often accented or Cyrillic characters. In this instance, the use of an 'a-grave' character in place of the
stellar.org presents an unsuspecting victim with the phishing domain
Having redirected the victim to an IDN homograph domain, a somewhat functional clone of the legitimate Stellar website, including additional content such as blog articles and newsletters, can be found. The use of a more complete website clone can help reassure a suspicious victim, allowing them to 'click around', before they are encouraged to surrender their personal data.
Subsequently, victims accessing the 'account viewer' section of the cloned website, accessible at
/account-viewer/, are presented with a page purporting to be a 'giveaway' claim page (Figure 3).
Figure 3 - Victim public key prompt
In addition to prompting the victim to enter their Stellar Public Key, a security dialog requests the insertion of their security key, although not a mandatory step, in an attempt to authenticate them to the Stellar. Notably, this prompt reveals the true identity of the nefarious domain (Figure 4), albeit the Punycode representation of the homograph domain,
xn--stellr-mta[.]com, and as such provides a second indicator of nefarious activity.
Figure 4 - Windows Security 'security key' prompt (With 'xn--' Punycode domain)
NOTE: Whilst access to this site has not been tested with a hardware key, it is likely that the flow will be similar to the manual steps documented below and end in the same result, that being the theft of XLM cryptocurrency.
Once a victim has entered and submitted their Stellar public key, an API request is sent to a legitimate Stellar URL,
[<https://horizon.stellar.org/accounts/><PUBLIC_KEY>](<https://horizon.stellar.org/accounts/><PUBLIC_KEY>), returning JSON data from which victim's current balance is obtained and presented (Figure 5).
Figure 5 - Victim balance, legitimately obtained from Stellar
Figure 7 - Updated page including the 'reward amount'
Clicking 'Claim' at this point, requests the victim to enter their 'Secret key' (Figure 8) and, whilst not tested, it is suspected that this step would utilize a hardware key if present.
Figure 8 - Prompt for the victim's Secret Key
Victims finding themselves at this stage will, when clicking 'Sign request', ultimately initiate a request to transfer funds to an account under the control of the threat actor.
Utilizing an intermediate PHP file,
SDK.PHP, hosted on the malicious website, this request uses functions from the legitimate Stellar software development kit (SDK) and appears to transfer the whole balance assuming it is greater than 100 Lumens (Figure 9).
secret, are used to authenticate the request along with the amount to be stolen,
sweep, and the threat actor's receiving account,
Given the nature of the Stellar blockchain it is possible to determine the amount received by the threat actor by querying the transactions  associated with the
Whilst in this instance only 12,047 XLM (~3,877 USD) have been received at the time of writing, campaigns of this nature will often utilize multiple receiving accounts to complicate tracking attempts.
- Always be suspicious of unsolicited emails or communications via SMS or social media, especially those with offers that seem 'too good to be true';
- Avoid entering your secret key anywhere, secret keys should treated and kept as stated, secret!
- The use of hardware wallets and keys are recommended but these should be removed and stored securely when not in use to prevent inadvertent access;
Indicators of Compromise
The following indicators of compromise (IOC) are associated with this, and similar, phishing campaigns targeting the Stellar community.
Initial Redirect Domains
Phishing Site Domains