Alert: XRPL memo phishing

A new kind of spam surfaced on the XRP Ledger a few days ago. Until now, the most common method has been to advertise fake airdrops or giveaways through “reply spam” on Twitter and fake YouTube streams; the new approach was to target users directly, in their accounts.

The attackers had a plan:

1) Make a replica of Ripple Insights, using special characters in the domain name to make it look legitimate (rippłe != ripple)

2) Add an article about a massive airdrop, promoting a new “Claim” feature in XRPL

3) Link from the article to a replica of the Bithomp website, with a tool to use said “Claim” feature. The tool is fake and only serves to send secret keys to the attackers’ website, so that they can take full control of the account.

On the afternoon of January 16, the attackers ran their first tests: small payments of 88 drops (0.000088 XRP) were sent through the ledger, with memos like “Welcome magic!” and “Magix!!”. A few days later, presumably once the fake websites were ready, the attack started: thousands of 88-drop payments were sent directly to XRP accounts (seemingly targeted by balance), each with a link promoting a fake airdrop whose only purpose was to lure secret keys from the recipients.

We do not yet have an estimate of how much was stolen in the attack.
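A wallet or monitoring script can flag the pattern described above, a tiny XRP payment whose memo carries a link, before the memo is ever shown to the user. The sketch below is an added example, not code from the original alert; the 1000-drop threshold, the function names and the sample transactions (including the `.example` hosts) are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

DUST_DROPS = 1000  # assumed threshold; the alert reports payments of 88 drops
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def decode_memos(tx):
    """Return each memo's MemoData as text (XRPL stores it hex-encoded)."""
    texts = []
    for wrapper in tx.get("Memos", []):
        data = wrapper.get("Memo", {}).get("MemoData", "")
        try:
            texts.append(bytes.fromhex(data).decode("utf-8", errors="replace"))
        except ValueError:
            continue  # MemoData was not valid hex; skip it
    return texts

def lookalike_host(host):
    """True for hosts with non-ASCII characters or punycode (xn--) labels."""
    return not host.isascii() or any(
        label.startswith("xn--") for label in host.lower().split("."))

def classify(tx):
    """Return the reasons a transaction looks like memo phishing, if any."""
    amount = tx.get("Amount")
    # XRP amounts are strings of drops; issued-currency amounts are objects.
    if tx.get("TransactionType") != "Payment" or not isinstance(amount, str):
        return []
    if not amount.isdigit() or int(amount) > DUST_DROPS:
        return []
    reasons = []
    for text in decode_memos(tx):
        for url in URL_RE.findall(text):
            try:
                host = urlsplit(url).hostname or ""
            except ValueError:
                host = ""  # malformed URL; still report the link itself
            reasons.append("dust payment with link: " + host)
            if lookalike_host(host):
                reasons.append("lookalike (IDN) host: " + host)
    return reasons

def _memo(text):  # builds constructed sample data only
    return {"Memo": {"MemoData": text.encode("utf-8").hex().upper()}}

SAMPLE = [  # constructed transactions, not taken from the ledger
    {"TransactionType": "Payment", "Amount": "88", "Memos": [_memo("Claim now: https://rippłe.example/claim")]},
    {"TransactionType": "Payment", "Amount": "88", "Memos": [_memo("Welcome magic!")]},
    {"TransactionType": "Payment", "Amount": "25000000", "Memos": [_memo("Invoice https://shop.example/i/1042")]},
]
```

Calling `classify` on each incoming transaction returns an empty list for ordinary payments and a list of reasons for ones that should be hidden or shown with a warning.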