Stellar Staking Email-Phishing Scam and the Database Breach

🚨ALERT🚨: If you have a Ledger hardware wallet, or ever used the website to put your email there then you may be exposed. Go to to see if your email is being targeted by scammers.

Image for post
Image for post

DISCLAIMER: I have given every effort to provide information that is accurate. However, I give no assurance and take no responsibility for matters arising from changed circumstances or other information or material which may affect the accuracy of this posting. If there is something you know that goes against the information provided below, please contact me ASAP.


Scammer’s bot — an automatic script that sends transactions with a malicious memo to accounts on the Stellar Network in order to attract the user to go to the malicious website where their Lumens (XLM) will be stolen.

Memo-phishing detection bot —’s fraud detection and shrill alarm bot. Watch the bot detect and send out warnings LIVE 24/7. You can view the history of transactions sent since mid-May by clicking the payments tab.

Stellar Staking Marathon Email-phishing Scam — An email-phishing campaign targeting Stellar (XLM) users that started on June 25th, 2020.

Ledger company — A hardware wallet manufacturer that is used for the storage of and transactions in cryptocurrencies, with its headquarters in Paris, France.

Ledger database breach — an event that comprised of a security breach at the Ledger company which exposed over a million email addresses and over 270,000 individual’s personal information which included first and last names, postal addresses and phone numbers.

The team has long suspected that the email-phishing that began on June 25th, 2020 was somehow connected to a database breach which included emails of individuals who were known to own cryptocurrency.

After reviewing and assisting reports from over 40 unique individuals, the connection between all of them is that they either:

a) owned a hardware Ledger wallet


b) went onto the website to put their email address there.

The team is now warning the individuals who ever owned a Ledger wallet or went onto the website to go onto in order to see if their email is exposed from the Ledger database breach.

If you have gotten scammed from email-phishing under the guise of ‘Stellar Staking’, you need to check as well because your personal information may be exposed and you may be targeted for further attacks or threats because the information is now publicly posted.


On June 25th, 2020, the Stellar community was attacked by a campaign of email-phishing attempts. To this date these emails are still being sent out, in selective batches.

On July 14th, 2020, the Ledger company announced that their database was breached and email addresses were exposed as early as the 25th of June 2020.

A snippet from their blog:

On the 14th of July 2020, a researcher participating in our bounty program made us aware of a potential data breach on the Ledger website. We immediately fixed this breach after receiving the researcher’s report and underwent an internal investigation. A week after patching the breach, we discovered It had been further exploited on the 25th of June 2020, by an unauthorized third party who accessed our e-commerce and marketing database — used to send order confirmations and promotional emails — consisting mostly of email addresses, but with a subset including also contact and order details such as first and last name, postal address, email address and phone number. Your payment information and crypto funds are safe.

A key thing to point out is Ledger company says it was ‘further exploited on the 25th of June 2020, by an unauthorized third party who accessed our e-commerce and marketing database — used to send order confirmations and promotional emails — consisting mostly of email addresses’.

It was made aware at that time that this database included over 1 million email addresses and ‘a subset of 9500 customers were also exposed, such as first and last name, postal address, phone number or ordered products’.

On December 20th, 2020, these email addresses were found to be posted on Raidforums by a random poster.

Image for post
Image for post
December 20th, 2020

Although Ledger company initially stated in their July 14th blog that around 9,500 customers had their personal information exposed, it has now been made aware by the person who posted the data leak on Raidforums that there was actually over 270,000 individuals who had their first and last name, postal address, phone number and the product(s) they purchased exposed.

The list has been uploaded to It is claimed on their website that “the data was initially sold before being dumped publicly in December 2020”.

Please check to see if your email was exposed:

Memo-phishing connection to Email-phishing

In our first blog, which explained our origin story behind as well as the memo-phishing detection bot with the monthly reports from mid-May to mid-October, I had posted that were could be a possible connection between the memo-phishing happening on the Stellar Network and the email-phishing that started to appear in the thousands in June due to the small coincidence in timing of the scammers taking a 2 week break before resuming their scammer bot a few days after the first batch of the email-phishing appeared.

More information that is to be brought to light to add onto this conclusion:

Image for post
Image for post
Red arrow indicates June 25th, the start of the email-phishing. Please note the week breaks from June 4th — June 11th and June 19th to June 29th
  1. In June there was multiple ‘week long breaks’ in between the ‘usual’ routine of what the memo-phishing scammer did before. It was at this time the team suspected that the scammer was fully aware of our actions and they were planning to do something different. Our suspicions was correct as the number of accounts the scammer used to spam the network tripled from their usual 4 accounts to 12 accounts in June. For the sake of convenience, accounts = the scammer bots. The more accounts/bots, the more transactions that can be sent within an hour. The timing also was different, as the bots usually sent out a few transactions every minute throughout the week compared to now sending out dozens of transactions per minute collectively in a couple days.
  2. Four days after the first email-phishing batch on June 25th and the scammer bot resumed (June 29), but this time the bot went back to its original ‘couple transactions every minute’ routine. You can review the monthly reports from mid-May to mid-October to see the difference in patterns found at the bottom of this blog: Monthly Reports mid-May to mid-October.
  3. The email-phishing seems to be potentially premeditated. On June 25th, the emails were already spoofed, the domains were registered, the hosting services where the spoofed websites were stored was all in place. All that they needed was the targets and due to the Ledger database breach, they had potentially thousands of suspected XLM users to target.
  4. Over 40 unique reports by individuals reporting scams to were all connected to having either a Ledger hardware wallet or using the official website with their email address.
  5. It should be known that memo-phishing transactions were happening on a daily basis throughout 2019 and in the beginning of 2020. Since our detection bot has gone live, and especially since June 25th, it is apparent that the scammer has stopped focusing their efforts on memo-phishing and rather focusing on something else. In fact, August seems to have been the last ‘real’ attempt of memo-phishing and anything after that is simply the scammer ‘trying’ to overload our detection system but always failing. This was even more obvious when we made our first public announcement of the bot on Reddit on October 27th, and the scammer bot resumed, this time with ‘50’ accounts/bots on October 30th. However, all they really spammed was Keybase & airdrop accounts. This didn’t make sense because Keybase has a UI feature that doesn’t show small transactions and doesn’t show the memos being received so at the end of the day, this scammer really wasn’t actually doing anything but spamming the network and trying to get over our wall, which they couldn’t. Even though we caught every single transaction, the scammer came back a few days after with 100 bots. A few days after that they stopped until resuming back on November 19th (UTC).
  6. While the scammers were working on memo-phishing, they were registering domains, hosting servers, and making spoofed websites etc. for the sake of spamming malicious memos on the Stellar Network. Memo-phishing has basically stopped today or isn’t even happening anymore like it used to since our bot has gone live. However, email-phishing has been on the rise since June 25th while memo-phishing has gone down.

This suspicion was further confirmed on November 22nd, when stolen funds from email-phishing that was dormant and reported to our team were detected to have moved to an exchange in between the same time the scammer turned on their scammer bot. The scammer bot was sending out malicious memos linking to a fake website in the usual ‘couple transactions per minute’ routine:

Image for post
Image for post
Memo-phishing in November 20–25

From November 20th to 25th, there was (1) account with stolen funds moved on November 22nd. Another account that was stolen and reported was moved less than 8 hours after the scammer bot stopped.

These funds were reported to the exchanges and they responded saying they seized them.

The Final Verdict’s team has concluded (with the information above) that the email-phishing campaign called ‘Stellar Staking Marathon’ or ‘Stellar Staking inflation mechanism’ or ‘Stellar Staking distribution’, is directly connected to the Ledger database breach.

The connection is the same scammers that spammed the Stellar Network with malicious memos in the transitions are now using the emails from the Ledger database breach to manufacture spoofed emails in order to further commit fraudulent acts on community members.

Whether they were part of the actual Ledger database breach is not fully apparent as the data leak was supposedly ‘sold on the internet’ and there is no final conclusion on how early the data breach actually was. The investigation in that specific regard is still on-going with law enforcement.

November 29 SDF Email Incident

On November 29 it was made aware that community members are getting scammed from email-phishing but some of them didn’t have a Ledger wallet.

It is concluded in the SDF Statement that what:

we have learned is that the attacker gained access to the API keys used to access a third-party email service that we had authorized to send certain notification emails from a Stellar domain on SDF’s behalf. These notifications related to upgrades from the legacy Stellar network to the current network, launched in 2015.

What should be apparent by now is that both the SDF and the Ledger company were being targeted by what seems to be an identical attack vector to gather email addresses from API keys.

A snippet from the July 14th blog:

To be as transparent as possible, we want to explain what happened. An unauthorized third party had access to a portion of our e-commerce and marketing database through an API Key. The API key has been deactivated and is no longer accessible.

The investigation in this specific regard is still on-going with law enforcement.

Report your situation

Since June 25th 2020, over 1 million XLM has been stolen and over $100,000 USD has been transferred to crypto-currency exchanges due to email-phishing under the guise of ‘staking lumens’.

If you have had your XLM stolen due to this fraudulent act, please make a report case on as well as report it to (your report on is automatically relayed and reported to Your case will be archived and the information from your report will be used to track down this scammer.

If you are a law enforcement agency, cybersecurity firm, cryptocurrency exchange, or an entity that would like to know more information about this specific case and the raw data behind it, please contact me at

Thank you for reading.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store