BlackWallet cryptocurrency site loses users’ money after DNS hijack

Another site in the booming cryptocurrency wallet sector has been hacked after what looks like a DNS hijacking attack.

The victim this time is BlackWallet, whose users reportedly lost 670,000 of a currency called Stellar Lumens (XLMs) worth around $425,000 at the point they were stolen on the afternoon of 13 January.

News that something was amiss first emerged in a Reddit posting claiming to be from the site’s admin:

BlackWallet was compromised today, after someone accessed my hosting provider account. I am sincerely sorry about this and hope that we will get the funds back.

A security researcher who took a look at before it was taken down tweeted:

The DNS hijack of Blackwallet injected code, if you had over 20 Lumens it pushes them to a different wallet.

The stolen XLMs were reportedly siphoned off to the Bittrex cryptocurrency exchange, before (most likely) being laundered into another cryptocurrency.

Once they have control over any domain, attackers clearly have a lot of power to manipulate, monitor or redirect users logging in, but the deeper question always comes down to how they got this far.

The person claiming to be BlackWallet’s admin mentions that the attacker accessed the site’s hosting provider account, which could have happened in one of two ways.

Either the attackers got hold of the credentials through some kind of remote compromise or had the account reset by tricking staff at the DNS hosting provider.

Wrote BlackWallet’s admin:

I am in talks with my hosting provider to get as much information about the hacker and will see what can be done with it. If you ever entered your key on blackwallet, you may want to move your funds to a new wallet using the stellar account viewer.

This hints that an account reset was to blame, although this will probably never be confirmed.

The defence against this is to identify people claiming to be account holders using a combination of multi-factor authentication and phone call checks to more than one registered number.

The lack of these checks – and other weaknesses in credential security – has led to a series of attacks on cryptocurrency wallets using DNS hosting as a convenient backdoor.

Just to give a flavour, before Christmas, currency exchange EtherDelta suffered a reported DNS takeover – the consequences of which are still not clear.

Similarly, last July Classic Ether Wallet users lost money to attackers who it was suggested had phoned up the German hosting company and passed themselves off as legitimate.

In 2016,’s domain was taken over for several hours, leaving wallets inaccessible.

Wallet companies are seen as having valuable cryptocurrency to steal and DNS is a simple way to get to it. Anyone in this sector has surely been well warned by now.

As of 18 January, BlackWallet is still unreachable.