This is the first in a series of posts that will take a look at scams seen involving the Stellar Network. We’ll talk about how they work, what to watch out for, and as well as ways to protect yourself.

A few weeks ago I was shown a post about a proposed hard fork of the Stellar network called Stellar Activity. This fork promised to improve upon the original Stellar by implementing the Lightning Network as well as a few other minor details.

It has a fancy logo, a website, and a moderate sized telegram channel. But most important was that it offered to give you (for free) 2 of a new token called XLA for every 1 XLM you hold. Now this sort of thing isn’t too uncommon in the world of cryptocurrency, in fact it’s how Bitcoin Cash was born (and any number of other Bitcoin clones). However, this one is 100% a scam designed to part you from your hard earned XLM.

Let’s first look at some of the red flags and then finally take a look at the actual mechanism it will use to steal your XLM.

Red Flag #1: They promise bounties for sharing their tweets/posts.

The scammer only makes money with the hard fork scam if lots of people hear about it, so they trick people into spreading their scam by promising them additional free coins from the fork. They also require people to join their telegram channel, which makes it look like there is more active community behind the project than there really is.

Users participate in the bounties are expected to reshare Facebook, Instagram, and Twitter posts and report back to the forum with their results. One poor user was admonished by the scammer for only sharing on Twitter and not Facebook!

Sorry bimol, this one’s not going to work out for you.

Legitimate projects will be focused on technology, not virality, and certainly would not be paying users to share or retweet, so please don’t be a part of the problem and join any of these bounty programs like this one.

Red Flag #2: They offer you special deals for your XLM.

If getting 2 for 1 wasn’t good enough for you then boy does Stellar Activity has a deal for you: 30 for 1! All you have to do is send XLM directly to a Stellar address that they provide and you’ll then be the proud owner of 30 XLA tokens. What a deal.

Let’s stop for a second to think about how silly this really is: you have to send XLM, which is an actual popular cryptocurrency and send it to some random address that promises you to send you 30 of some token that currently has no value because it doesn’t even exist yet (hey, this sort of sounds like your average ICO… but I digress). Don’t worry that you don’t get your XLA right, the scammer reminds you that you don’t get it until after the fork.

There’s also a false sense of urgency created by the limited number of “slots” they have to claim the offer. I wonder what happens if they sell out? Spoiler: they’ll extend the offer.

Unfortunately, people fall for it, just check out the wallet where you’re supposed to send things to. Remember: even if this was legitimate offer (which it is not), you have no clue how much the coin will be worth when it launches.

Huge Massive Elephant Sized Red Flag #3: The Special Wallet

The operator of this scam promises that everyone can use their own normal wallets to be able to claim the hard fork, you just can’t hold your coins on an exchange like Binance. What their really doing is setting up for a sleight of hand later which is designed to steal your secret keys and your XLM.

Shortly before the proposed fork date, they released an “official” Stellar Activity wallet. All you have to do is enter your secret key there to claim your XLA. How easy and safe is that? It’s the official wallet for the hard fork, so what could go wrong? Well hopefully most of you have figured out what happens when you do that: Poof. Lumens gone.

Now that’s a bit of a letdown after all of this… she just wants me for my secret key, but let’s look into detail about how the theft process actually works.

So I loaded up the scam wallet’s website and was presented with a simple UI that looks like the legitimate Stellar.org Account Viewer.

For claim fork, not spoon.

I first took a look at the source code to see if there’s anything tricky going on.

Just some innocent tracking scripts, complete with commented out code.

Awesome, I don’t have to go digging into minified JavaScript or looking for obfuscated code, this one is hiding in plain site. The “googleanalyst” function looks like it’s making an innocuous request to googleanalytics.php, which is probably just going to be used to sell my browsing history to advertisers, right? Unfortunately no, this is where your secret key gets uploaded to. It’s not being sent to google at all, it’s being scam to the owners of the Stellar Activity scam.

Just to prove my theory, I decided to generate a new secret key and enter it here. Luckily it didn’t check to see if the account was activated before it tried to send it off so I didn’t have to try with an account that had real XLM in it to prove my point.

Hello, Google? I want my XLM back.

You can see that it sends the form data (my secret key) directly to xlawallet.com. This is Jim. Jim entered his secret key into a hard fork wallet and now his XLM are gone. Don’t be like Jim.