Scams are an unfortunate outgrowth of any industry involving money, including crypto. The Stellar Development Foundation team hates to see anyone in the Stellar community targeted or hurt by scams.
This resource is an update to our 2017 security guide and is intended to: provide an overview of basic ways to protect yourself from scammers; make you aware of some common scam types; and answer some of the most frequently asked questions.
SDF is a non-profit organization that supports the growth and development of an open-source distributed ledger protocol called “Stellar” or the “Stellar network.” The Stellar network is run by a global set of independent validators and is publicly available for use. SDF:
The SDF team will:
Our official site is https://www.stellar.org/. To access the site, type the URL into your browser address bar and then bookmark the site. Only use the bookmark to visit the site. Scammers can create fake websites that look very convincing, so always check the full URL before entering any personal information — make sure, for example, someone did not replace a lowercase “L” with an uppercase “i”! or that there are no additional letters following “.org/” in the domain address such as “stellar.org.jp/”.
You can also find official announcements from SDF on our active social media accounts, which are:
All official partnerships and announcements are made on our social media and website — do not fall for any third party rumors or speculation. If you see a reposted announcement in any other forum that does not contain a link to the original information on our website, it is fake. Only trust what you see on the https://www.stellar.org/ website. If you are unsure if an account you come across is affiliated with SDF and it is not listed above, it is not an official SDF account. (e.g. Telegram, WhatsApp, etc.)
The SDF team will only email you from emails using the @stellar.org domain and will never ask for sensitive information like private keys.
When in doubt, please fill out this form (https://www.stellar.org/contact) and we will instruct you whether a communication is actually from SDF.
In these scams, malicious entities set up dummy websites and collateral material to induce you to enter your secret key. If you enter your secret key into their dummy website, they can capture it and use it to drain your account.
Be Alert: Always verify the domain and email addresses where the communication is coming from. Anything but an ‘/’ right after stellar.org should be a dead giveaway that it is not the correct domain. In addition, check the website certification. Always double check any place you are entering your secret key.
In addition to verifying the correct sender email address, read through the email or web copy for some clues. Scammers are often inconsistent with grammar and brand guidelines – if something doesn’t sound like it’s been proofread, pay attention. If in doubt, follow the steps listed in the blog’s first section to contact SDF directly.
In these scams, malicious actors pose as the representative of a legit organization, ask for your secret key to resolve an issue, and, once they have it, drain your account of funds.
Be alert: Never give away your secret key. The SDF team will never ask you for your secret keys and will never contact you through DMs to provide support (we doubt any other legitimate organization would ever ask for your private key either, so be cautious of anyone asking for your private key). SDF support conversations always happen in a public forum and never involve requests for private keys.
In these scams, malicious actors issue bogus assets that mimic legit assets, and sell them as if they are the real thing. These sales of bogus assets may happen after the real asset is announced, but before it is actually available.
Be alert: You are responsible for conducting your own diligence on assets, products, or services on the Stellar network and we encourage everyone to exercise caution before deciding to engage with them. Here are a few suggestions for getting started - but this is not an exhaustive list.
Always check to make sure that the domain tied to the asset is correct. How to check depends on what you’re using to interface with the Stellar Decentralized Exchange (Stellar DEX or SDEX). For instance, if you’re using the LOBSTR wallet, you could check to see which domain is tied to the asset in order to make sure the one you’re engaging with is the correct one. To verify the correct domain for whoever is issuing the token, you might:
Red flags for assets include: domains that redirect to stellar.org; domains that don’t have a web page setup; assets with very few funded trustlines; and assets that were sent to you in tiny amounts through a claimable balance.
In these scams, malicious actors issue and sell assets falsely claiming that the asset represents something that it does not, in fact, represent.
Be alert: If it’s too good to be true, it’s probably not true. Always verify that tokenized assets are actually backed by real assets. For example, if someone is offering to sell you a U.S. dollar stablecoin for only thirty cents per dollar, it’s probably a scam. If someone wants to sell you a tokenized precious metal and they have no proof that the metal is really backing it, it probably doesn’t exist. If someone is offering to sell tokenized stocks far below the market price, it’s probably a scam. Again, conduct your own research to satisfy yourself that claims are true before engaging.
According to CoinMarketCap, “a crypto faucet is an app or a website that distributes small amounts of cryptocurrencies as a reward for completing easy tasks.” Faucets give dust (very small amounts of assets) out on a daily basis for little-to-nothing, such as watching a video, filling out CAPTCHAs, and clicking a link. Per CoinMarketCap, “Some websites may infect your device with phishing malware, ransomware and spyware.”
Be alert: While legitimate “learn and earn” programs, which can be classified as “crypto faucets,” do exist, there are many faucets that only serve to scam. We recommend that you conduct your own research and only interact with learn and earn programs offered by trusted entities.
In these scams, malicious actors impersonate an SDF team member on social media to reach out to ecosystem partners, and attempt to induce the recipient to send crypto in exchange for a larger value in another token, or provide their secret keys or other sensitive info.
Be alert: Once again, SDF team members will never ask you for your secret keys nor ask you to send or deposit funds to any wallet address, especially through private channels on social media. If you receive this sort of outreach and are unsure about its veracity, If in doubt, follow the steps listed in the blog’s first section to contact SDF directly.
We are sorry to hear that you were victimized by a scammer. As a victim of fraud, we recommend that you contact law enforcement for assistance. In the U.S., one place to report this type of issue is the FBI’s Internet Crime Complaint Center: https://www.ic3.gov/default.aspx.
SDF is a non-profit organization based in San Francisco, California, that furthers equitable access to the global financial system through, among other things, supporting the growth and development of an open-source distributed ledger protocol called “Stellar” or the “Stellar network.” The Stellar network is run by a global set of independent validators and is publicly available for use. SDF does not and cannot control the operation or public usage of the Stellar protocol or Stellar network, and does not have access to or control over Stellar accounts created and used by individuals to access the network.
Accordingly, SDF does not have the capability to freeze, access, or return tokens held in a Stellar account.
These are our official social media accounts where we actively post official announcements:
If you come across an account you are unsure is affiliated with SDF and it is not listed above, it is not an official SDF account. (e.g. Telegram, WhatsApp, etc.)
Once again, the SDF team will NEVER ask you for your private keys. We will NEVER ask you to send or deposit funds to any wallet address.
Do not engage with scam emails or suspicious links. If you come across something that you suspect is a scam and want to alert the SDF, please reach out to [email protected] or fill out the Contact Us form (https://www.stellar.org/contact).
The Stellar community is also a great source to find warnings about scams. For example, there is a channel on the Stellar Developers Discord where members of the Stellar ecosystem share information about scams that are identified in the ecosystem (#spam-reporting).
Anyone can issue tokens on the Stellar network and send them to you, and sometimes people blast out claimable balances to phish for buyers in the hopes of them clicking a link tied to the asset – think of this like email spam.
Claiming these dust transactions will cause you to establish a trustline with the asset. Besides setting a reserve for .5 XLM on your account, this will also make the token look more established in the ecosystem and may cause others to engage with it because they see it has a high number of funded trustlines established.
If you are suspicious of a token, do your research before deciding whether to engage with it. You can ignore claimable balances you don’t understand or trust.
SDF does not control the activity on the public, decentralized Stellar network. While there are plenty of legitimate, independent businesses and developers who build on the Stellar network, we urge all Stellar ecosystem participants to exercise caution and conduct their own diligence on any products or services before deciding whether to engage with them.