Known as ‘Memo-phishing’ on the Stellar Network where a scammer sends random addresses a malicious memo

The Origin Story Of

This story begins at the 2nd week of February, 2020.

I was in the midst of getting back into Stellar after a long year of frequent inactivity. While trying to re-work on an earlier project that had a scam alert section, I was noticing a higher than usual amount of threads being posted on r/Stellar over the past few months into the new year.

They were all about ‘memo-phishing’ transactions, and unfortunately some people falling victim to the scams. For after 2 years of being here, I have constantly seen these types of threads being posted on r/Stellar.

To this day, memo-phishing transactions have not stopped, but I believe some actions may have prevented further victims from falling for this.

February 29

Scrolling r/Stellar, I saw this post.

There are in fact 100s of these threads on the r/Stellar Subreddit that can be searched on Google and go back years. Most of them removed by moderators and not visible because posters wouldn’t edit/remove the hyperlink after being requested to do so. It was a safety measure to remove them so no one accidentally clicks on them to go to the malicious site.

Putting a website around back-ticks (`)` https://like.this` removes the hyperlink

This specific person was another addition to the countless others who kept getting scammed. I got tired of seeing this happen so I put my head down to develop something.

March 17

Kudos to u/zxcbvnm90 for upholding the standard in the community

When I opened the thread and saw it was someone sounding the alarm, I was glad. It actually inspired me as well and I’ll explain why below.

While at my day-to-day job, I miraculously got a light-bulb moment in the middle of my shift:

If you ever see someone potentially getting scammed and they are unaware of it, you would usually help or in some cases simply shout “SCAM”, just like the images shown above.

In general, no one wants to get scammed nor do they want the scammer to get away with stolen funds. If you can’t get your funds back, you might as well get some blood out of it, even if it can slow their operations down.

If you can’t get your funds back, you might as well get some blood out of it

Seeing it dozens of times on r/Stellar (like the image above), I figured the best way is to literally shout ‘SCAM’ to the person who is being phished.

It was a brute force attempt at best, yet the only temporary fix I could come up with at the moment that wouldn’t require dozens of hours of coding, manpower, money, and time.

I started to go through the Stellar Developer Guides to figure out what to do next.

April 30th

April 30th was a strange day for me. I was trying to figure out what to do about seeing: (11,326 XLM was stolen in a memo-phishing scam)

If anyone knows my posts, they’d know that I posted a thread on r/Stellar over a year ago:

The scam project / airdrop I was trying to put a spotlight on was connected to memo-phishing transactions (details inside the Reddit post). (28,668 XLM was stolen in a ‘project fork’ scam)

I actually went back to the Reddit post to see if it was identical, if I was seeing doubles or I went crazy. Nope, it was simply two different people who got scammed, potentially by the same group.

Strikingly familiar, it hit close to home.

I started to realize that this scam issue isn’t going to go away because it’s a highly profitable perpetual money machine with low operating cost. The scammers profiting off of this are milking the system and its participants by committing fraudulent acts (especially on new people who don’t know what to do; education is paramount in our space).

With just 3 XLM you can send over 100,000 transactions at the minimum fee cost of 0.00001 XLM (100 stroops). Those 2 simple transactions (plus the one on February 29th) over 2 years was over 40,000 stolen lumens. In those 2 years I can only imagine how much more XLM was stolen.

Fighting the crime

At the beginning (mid-May), I was manually building transactions to send out warning messages to those accounts that were sent a ‘memo-phishing’ transaction. I soon had to upgrade.

Less than a week later, my bot went live:

The details of the bot is out of the scope of this article and will be discussed at a later date.

tl;dr — Monthly reports


When I started around mid-May, the number it was catching was around 200~ per day across 2–3 different addresses/bots (multiple addresses would spam at the same time). These are your regular fake airdrop memo-phishing transactions where they give you a small amount of XLM and attach a website that is a spoofed version of the Stellar Account Viewer. They basically fool you into believing you are getting an airdrop and they steal your secret key when you input it in the field.

4,906 transactions in Month of May (on May 18 the bot sent 2,384 transactions to previous addresses on a previous date)


I believe in June the scammer started to get aware of my actions as there were many breaks in between. The number of addresses/bots spamming at the same time also went up from 4 to sometimes 12 as shown in the huge spikes in payments history. **Please be aware of the end of June when the Staking Community Email phishing started** (notice the break and the bot starting up 3 days later on June 29). After the email-phishing started the bot went back to its normal operation of sending transactions daily.

46,391 transactions in Month of June; I believe at this time the scammer caught on and took a break until Mid-June where over 20,000+ transactions were sent

Stellar Staking Community Marathon Email-Phishing Scam

Stellar Community Staking Marathon Email-Phishing Scam

On June 25th, phishing emails started to get released to the community under the guise of ‘staking lumens using inflation’. It was nonetheless a genuine scam that was trying to build off the hype of the DeFi wave of ‘staking’.

I was not surprised in the change of tactics when the bot stopped as this seemed to be almost routine.

End of June — Beginning of July is when ‘Stellar Community Staking Marathon’ email-phishing scams started to appear

During the email-phishing campaign (known here as the ‘Stellar Community Staking Marathon’ scam), the scammers only had one bot running that started a couple days after the first batch of emails appeared.


Up until mid-July it sent around 300~ per day. After the 1-week break it started up at the end of July and sent over 3,000 transactions in one day.

On average less than 300 per day, with a week break, until the end of July with a whopping 3,704 transactions in one day; 7,744 transactions total in Month of July


Since the end of July there was no activity until the end of August when our bot detected over 30,000 transactions from 4+ addresses/bots. The scammer even attempted to try and play with the bot at the end of their spam (possibly to figure it out) and gives up spamming after that.

51,761* transactions (*20,000~ may have been duplicate because of a temporary bug, it’s fixed now) in Month of August


September had no activity other than the memo-phishing spam spilling over from August.

4,178 transactions in Month of September


October only saw activity recently with a token called ‘DaddyCoin’ spamming telegram, twitter and website links in the memos with some messages claiming it to be an airdrop. After preliminary investigation it was concluded it is a scam.

47,465 transactions in current Month of October (ICO / airdrop scam : DaddyCoin)

As one can see from the images above, the scammer went from a ‘set it and forget it’ type of bot into one that spams thousands within days.

In the end, what was a recurring event with sending out thousands of scam transactions has turned into a failed phishing attempt for this scammer.

They haven’t gotten past the wall yet, and they can keep trying.

The Takeaway

Should be quite simple: there is a scammer that is in the community for over 2 years while using the Network as a medium to deliver scams, and they’re profiting from it immensely.

Memo-phishing is not their only tactic since email-phishing has been their new go-to ever since July. Truly speaking, I believe if more research is done it can be found that it’s connected to previous email-phishing and exit-scams done in the past.

I can conclude that this scammer possibly is a team of at least 2 persons and that they will try whatever attempt they can to get Stellar Lumens (XLM) in their hands, whether it be from gaming an airdrop and getting away with 100,000s of XLM, making fake projects and exit-scamming, fake ‘forks’ of the Stellar Network where they promise you an airdrop, the list goes on.

Whatever it is though, we as a community are fully aware and constantly watching.

Initially I believed they were only in the Stellar community but as time has passed I believed this is just one of the communities that they’re scamming on-top of others. There seems to be a connection between the scammer in the XRP and the XLM community as both communities got a ‘Staking Community Marathon’ scam to appear at the same time.

This problem is not only in the Stellar community and in fact a problem in cryptocurrency in general. More effort is required to combat this type of fraud in order to ensure our space is safe.

I had hoped when I started this that I can remove all the scammers and make this cryptocurrency a safer place than others. I still believe it can be done to the point where this is the safest currency in the world and almost no scammer would attempt to steal on a public ledger.

With your effort and support, this community can be a much safer place. Let’s make this community scam-free today!

I do hope this is making a difference and people aren’t falling for these phishing attacks. The bot is constantly getting re-tweaked and developed to prepare for the worst. The bot is live 24/7 and I manually check it every few hours.

The takedown services are now Live as well so please contact if you find any scams happening to Stellar community members. Memo-phishing, email-phishing, anything.

If you have had funds stolen, or know someone that had them stolen, you can contact as well.

Stay tuned and always, stay safe!

Resources used:

Stellar Network
Stellar.Expert Ledger Explorer