Blockstack Counterattacked a Phishing Attempt on Its ICO

When phishing sites tried to con investors during its recent ICO, Blockstack used its tech expertise to turn the tables on the tricksters.

AccessTimeIconNov 30, 2017 at 11:00 a.m. UTC
Updated Sep 13, 2021 at 7:12 a.m. UTC

When criminals tried to con investors during its recent initial coin offering (ICO), Blockstack, a startup building a decentralized internet, used its tech expertise to turn the tables on the tricksters.

Scammers hoping to lure investors feeling left out because the firm limited its token sale to accredited investors only set up phishing sites by copying the entire code.

But doing so meant the fake sites were actually in contact with a server that Blockstack controlled, which fed the top banner of the legitimate site with tweets from the company's Twitter account.

And that connection allowed the Blockstack team to undermine the phishing sites with what was effectively their own man-in-the-middle counterattack.

In a man-in-the-middle attack such as this, data is changed on a trusted website by someone who manages to insert themselves between a visitor and a publisher. For example, someone can create a Wi-Fi hotspot that changes a webpage before it reaches your browser.

Blockstack developers, though, used the attack for good, putting themselves in-between their own twitter feed and the scam websites. The team's simple solution used the backdoor into the banner to warn those who potentially could have lost funds that the sites were not legitimate (see below).

CoinDesk - Unknown

"The server was fetching tweets from Twitter and formatting them for the website," Blockstack co-founder Muneeb Ali explained to CoinDesk in an email. "For all requests for data not coming from, we displayed the 'THIS IS A PHISHING SITE' message instead of the tweet text."

The Blockstack team provided CoinDesk with two different URLs used by the phishing scheme, which, for security reasons, we are not disclosing in this article.

"We had a couple of phishing sites that came online, where they were trying to direct traffic to them," Ryan Shea, also a co-founder, told CoinDesk, adding the company took extra precautions:

"We made it very clear to only trust So we primed everyone ahead of time."

One of the most widely anticipated token sales of 2017, the Blockstack ICO was an attractive one for scammers to try and exploit, since hype can make links to their fraudulent sites shared on social media blend into the "noise" (much like fraudsters solicit donations to fake charities in the wake of natural disasters).

Blockstack's token sale is nearly closed. Still, one of the two phishing sites remains active with a redesigned front page (eliminating the tweet stream banner) and offering a 10 percent discount on ... absolutely nothing.

We probably don't need to say this, but, buyers beware.

CoinDesk - Unknown
Screenshot taken Nov. 29 from one of the two phishing sites.

Disclosure: CoinDesk is a subsidiary of Digital Currency Group, which has an ownership stake in Blockstack. 

Fish hook image via Shutterstock


Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

The leader in news and information on cryptocurrency, digital assets and the future of money, CoinDesk is a media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. CoinDesk is an independent operating subsidiary of Digital Currency Group, which invests in cryptocurrencies and blockchain startups. As part of their compensation, certain CoinDesk employees, including editorial employees, may receive exposure to DCG equity in the form of stock appreciation rights, which vest over a multi-year period. CoinDesk journalists are not allowed to purchase stock outright in DCG.

Learn more about Consensus 2024, CoinDesk’s longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to to register and buy your pass now.