
Cyber Incident Victim: BlackWallet

Date: Jan 2018

Location: United States of America

Summary

An unidentified attacker stole over $400,000 worth of Stellar lumens by compromising the digital wallet service's DNS server, injecting malicious code to divert deposits exceeding 20 lumens to a controlled wallet. The theft resulted in approximately 670,000 lumens being siphoned, with nearly all funds rapidly moved from the attacker's wallet after the breach. The service's creator attributed the incident to a compromised hosting provider account, prompting immediate contact with the provider to take the site offline, rendering it inaccessible. A portion of the stolen cryptocurrency was traced to an account on the Bittrex exchange, though the status of potential fund recovery efforts remained unclear at the time of reporting.

CIA Posture: Available to members
Motives: 1 motive
Tactics, Techniques & Procedures: 2 techniques
Threat Actors: 0 actors
Type: Available to members
Location: Available to members

Description

On January 13, 2018, cybersecurity researcher Kevin Beaumont reported that an unidentified attacker stole approximately 670,000 Stellar lumens (valued at $444,000 at the time) from cryptocurrency wallet service BlackWallet. The theft occurred after the attacker compromised BlackWallet’s domain name system (DNS) server during the preceding weekend. By hijacking the DNS, the attacker inserted malicious code that automatically redirected user deposits of 20 lumens or more to a separate wallet under their control. The fraudulent code operated undetected until the theft was reported, allowing the attacker to accumulate funds over an unspecified period. Blockchain records indicated the attacker began rapidly transferring stolen lumens out of the initial collection wallet shortly after the theft. By 7:30 p.m. UTC on January 15, nearly all stolen funds had been moved, leaving fewer than 100 lumens in the compromised wallet.

The creator of BlackWallet, identifying themselves via a Reddit statement, attributed the breach to a compromise of their hosting provider account, which enabled the DNS hijacking. Upon discovering the attack, the creator contacted the hosting provider to request immediate takedown of the BlackWallet website, rendering it inaccessible by the time CoinDesk published its report. The creator also disclosed that a significant portion of stolen lumens had been transferred to an account at cryptocurrency exchange Bittrex and confirmed attempts to contact Bittrex to freeze the assets. No confirmation was provided regarding whether Bittrex acted on this request or recovered any funds. The incident resulted in complete operational disruption of BlackWallet, with no public timeline for restoration, and left users unable to access their remaining holdings through the platform. Financial losses were confined to lumens exceeding 20 units deposited during the attack window, though the exact number of affected users was not disclosed.

Sources: 1 source (available to members)