Stellar Scam: How a Dangerous Crypto Phishing Scam has Gone on for Weeks

(While Facebook does nothing, despite numerous reports)

I was recently a target in a phishing scam, and would like to warn others about this evil yet ingenious scam. About a week ago, I noticed an alert on Facebook saying that Stellar Lumens had shared my Facebook cover photo (a digital art piece that I made last year), which was fairly surprising to me.

When I looked more closely at the post, it said that I had won a prize of some Lumens, the native cryptocurrency of the Stellar decentralized payment network. Now, before you say “Well, that sounds like an obvious scam,” you should realize that Stellar has a long history of giving out free Lumens to people, as illustrated below in one of their official blog posts:

One of many giveaways of Stellar Lumens.

In fact, if you look at Stellar’s website, their mandate even includes the following:

Distribute the native currency of the Stellar ecosystem, lumens, to the world to expand the reach of the network and create a more inclusive digital economy

So it’s actually not crazy at all to think it might be legitimate. Here is what the post looked like on my iPhone so you can judge for yourself:

The bait…

Looking through the post, everything seemed real at first glance, at least to my eyes. As your eye scans across the blue link leading to the “prize,” the layout could easily fool you into thinking that the URL is going to stellar.org, when in reality it’s actually going to a subdomain of stellar-lumens.info!
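An added example (not from the original post) of the link check that the deception above defeats when done by eye: parse the URL and compare its registrable domain against the site you expect, instead of scanning for the words "stellar.org" somewhere in the link. The sample links are constructed for illustration and are not the scam's real URLs; the two-label domain rule is a simplification noted in the code.

```python
from urllib.parse import urlsplit

# The only domain the post's "prize" link should legitimately lead to.
TRUSTED_DOMAINS = {"stellar.org"}


def registrable_domain(host: str) -> str:
    """Reduce a hostname to its last two labels ('wallet.stellar.org' -> 'stellar.org').

    Simplification (assumption): this ignores multi-label public suffixes such as
    co.uk; a production check should consult the Public Suffix List instead.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def looks_trusted(url: str) -> bool:
    """The mistake the post describes: judging a link by whether 'stellar.org'
    appears somewhere in it. Any subdomain of another domain passes this test."""
    return "stellar.org" in url.lower()


def is_trusted(url: str) -> bool:
    """Parse the URL and compare only the registrable domain of its host."""
    host = urlsplit(url).hostname or ""      # None for URLs without a host part
    return registrable_domain(host) in TRUSTED_DOMAINS


def audit(urls):
    """Return {url: (eyeball_verdict, parsed_verdict)}; True/False marks a lure."""
    return {u: (looks_trusted(u), is_trusted(u)) for u in urls}


# Constructed sample links (not the scam's real URLs): one genuine, three lures.
SAMPLE_LINKS = [
    "https://www.stellar.org/",
    "https://stellar.org.wallet.stellar-lumens.info/claim",   # lookalike subdomain
    "https://stellar-lumens.info/prize?ref=stellar.org",      # trusted name in query
    "https://STELLAR.ORG.example.net./",                       # case + trailing dot
]

if __name__ == "__main__":
    for url, (eyeball, parsed) in audit(SAMPLE_LINKS).items():
        flag = "LURE" if eyeball and not parsed else ("ok" if parsed else "untrusted")
        print(f"{flag:10} {url}")
```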

Worse, when you follow the link in the Facebook app, you see a slick looking website with a big blue button to claim your prize. This leads you to another screen that looks precisely like the real Stellar web wallet. Since this is a targeted scam, the victims are likely to recognize the look and feel of the authentic Stellar website and be further fooled into typing their secret private keys into the phishing site, potentially costing them hundreds or even thousands of dollars worth of cryptocurrency.

Again, you be the judge — would this fool you?

The fake phishing site (stellar-lumens.info) on the left, and the actual site (stellar.org) on the right.

At this point, I was certain I had uncovered a sophisticated scam, and so I tried to do what any responsible person would: report it to Facebook so they could immediately take it down.

So began an excruciatingly frustrating process that has still not been resolved a week later. In fact, it’s far worse than just that. After reporting the post, I attempted to block the fake Stellar Lumens account, which Facebook said was done. Imagine my chagrin when, the next day, the fake account shared another of my images in a similar post. Again, I dutifully reported the post using the limited tools provided in the Facebook app. I doubted it would do anything, but hoped for the best.

The last straw was today, when it happened one more time. This time, I started thinking about all the people who could be hurt by this scam, and how Facebook was acting irresponsibly by allowing the scam to persist on their service long after it had been reported (I had even taken the time to write a message to Facebook support explaining that it was a phishing scam rather than generic spam, which is annoying but harmless).

So I attempted to report it one more time, but this time documenting the process with screenshots:

The reporting process seems reasonable so far… too bad it doesn’t actually work!

You might notice that there is no way to report phishing specifically — the best you can say is that it looks like spam.

Facebook needs to take a hint from Google in this department, and offer phishing reporting as a separate procedure (with higher priority), similar to how Gmail has worked for years:

At the moment, at least if you are using the Facebook app interface (which is probably the case for most users), the best you can do to report a scam like this is to indicate to Facebook that you are unhappy with the resolution of your problem by choosing the 😦 emoji in the review screen. You can then type in a message, as I did in the following screenshots:

The only way to report a phishing scheme using the Facebook app.

Clearly, something is very broken with the way Facebook regulates content on their platform, and it’s now causing people to be actively harmed. What finally spurred me to write this article is that I found a Reddit post describing the same scam in detail, but dated from January 5th, nearly a whole month ago at this point:

This scam has been publicly identified for nearly a month with no action from Facebook and numerous reports (from me).

All of this raises interesting legal and ethical questions. At what point does Facebook become complicit in this crime? Are they really doing enough to protect the users they are profiting from through ad sales? What duty of care is owed to the public when financial matters are at stake? While I’m not an ethics professor on the faculty of a law school, it seems pretty clear to me that Facebook has fallen woefully short of the mark here.

Perhaps a Facebook employee will see this and agree, and get some changes made to the Facebook system. I hope they do so, and quickly, for the safety of all users.

And I would further say that Stellar is at fault here as well — they need to do a better job of policing their brand on the internet. They owe the users of their currency the courtesy of actively protecting them from scams like this.

For now, it seems the best we can do is to remain vigilant and warn each other when scams like this pop up, which is likely to happen at an increasing pace given the rising popularity of cryptocurrencies.

Hedge Fund Quant based in NYC