Phishing Alert: Technical report on Zollo scamming incident
7th April, 2019
This report, compiled by Zilliqa Research Pte. Ltd, comes in response to a phishing attack which used the Zilliqa name, among others, to scam users on April 6th, 2019. It sets out all the known facts related to this incident and outlines security recommendations for everyone who received communications from this fraudulent entity, which calls itself ‘Zollo.’
Please be aware that “Zollo” is claiming to be in partnership with Zilliqa and Maker DAO to provide a free “token distribution” of ZLO (Zollo token). Users have been asked to provide sensitive information during the sign-up process for this scam token distribution.
We would like to clarify to every single member of our community that there is no partnership between Zilliqa and Zollo. Additionally, we would like to stress that security protocols have always been of the utmost importance to Zilliqa. We are not aware of any security breaches on our end.
Information being targeted: Based on our analysis so far, the information being requested from users includes:
- Ethereum address
- Private key
- Mnemonic phrase (12/24 words)
- Keystore and related password
Address used by the scammer
This is the currently known address used in this incident. The address has been reported to the Etherscam database.
Timeline of incident
| Date | Event |
| --- | --- |
| March 12 | Registration of |
| March 20 | Registration of |
| April 6 | First report of Zollo scam |
| April 6 | Notified Zilliqa community on Slack, Telegram, Reddit and mailing list of the ongoing scam incident |
| April 7 | Reporting of known address |
| April 7 | Reporting of fraudulent domain to Google Safebrowsing, IE’s SmartScreen filter, and Etherscam database |
Platforms used in the scamming incident
In this incident, the attacker mainly used the following 4 platforms to reach potential targets:
- Fake Zilliqa blog:
- Zollo website:
The fake blog, email, and telegram channel have been used to direct the user to
Fake Zilliqa Medium blog
A website masquerading as the Zilliqa Medium blog was created. It imitates the Medium blog layout but is not hosted by Medium. The website claims that Zollo is a joint venture between Zilliqa, Maker DAO, and Ethereum and that it is conducting a free token distribution event.
The Zollo site is a modern-looking website with a counter for the distribution.
The registration link will lead you to a sign-up page, which may be used to extract information such as:
- Ethereum address
After the information is provided, the site proceeds to ask you to add a wallet or use MetaMask to claim Zollo (ZLO) tokens.
The site displays a fake Metamask wallet. The fake wallet is designed to steal the mnemonic phrase and password of the victim’s wallet.
It is designed to show an “invalid password” error regardless of the password entered, and then asks the user for their mnemonic phrase in order to “recover” their MetaMask wallet.
The Zollo wallet asks the user to import their wallet by providing one of the following:
- Private key
- Mnemonic phrase
- JSON keystore and password
Again, it is an attempt to harvest such information from the user.
Zollo wallet requesting sensitive information
Emails were also sent to numerous people. At this point in time, we are unable to confirm where the mailing list came from.
At the time of the incident, Zilliqa had stringent measures in place for its mailing list:
- Strong and complex password
- 2-factor authentication
- The use of non-zilliqa emails to subscribe to, and monitor, the official Zilliqa mailing list
- Limited staff access to the mailing list
- All emails sent from the mailing list are in compliance with SPF, DKIM, and DMARC
Analysis of the phishing email
In this incident, the email was sent from Zilliqa email@example.com. This domain is currently not registered and does not belong to Zilliqa.
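As an added illustration (not part of the Zilliqa report), this is the check a mail administrator or recipient can apply to such a message: parse the From display name and domain, read the Authentication-Results header, and flag a message whose SPF- and DKIM-authenticated domains do not align with the From domain, as DMARC would. The sample headers, the legitimate-domain allowlist and the simplified relaxed-alignment rule are constructed assumptions.

```python
import email.utils
import re

# Constructed sample headers (not taken from the report): the display name says
# "Zilliqa" but neither the From domain nor the authenticated domains are legitimate.
SAMPLE_HEADERS = {
    "From": "Zilliqa <news@zilliqa-airdrop.example>",
    "Return-Path": "<bounce@mailer.example>",
    "Authentication-Results": (
        "mx.example; spf=pass smtp.mailfrom=mailer.example; "
        "dkim=pass header.d=mailer.example; "
        "dmarc=none header.from=zilliqa-airdrop.example"
    ),
}

LEGIT_DOMAINS = {"zilliqa.com"}  # assumption: the sender domain(s) you expect

def from_domain(headers):
    """Return (display name, domain) from the From header."""
    name, addr = email.utils.parseaddr(headers.get("From", ""))
    return name, addr.rpartition("@")[2].lower()

def parse_auth_results(value):
    """Parse an Authentication-Results header into {mechanism: (result, domain)}."""
    results = {}
    for clause in value.split(";")[1:]:  # first item is the authserv-id
        m = re.match(r"(spf|dkim|dmarc)=(\w+)"
                     r"(?:\s+(?:smtp\.mailfrom|header\.d|header\.from)=(\S+))?",
                     clause.strip())
        if m:
            results[m.group(1)] = (m.group(2), (m.group(3) or "").lower())
    return results

def org_domain(domain):
    # Simplified relaxed alignment: compare the last two labels only
    # (assumption: no public-suffix list is consulted).
    return ".".join(domain.split(".")[-2:])

def assess(headers, legit_domains=LEGIT_DOMAINS):
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    name, domain = from_domain(headers)
    auth = parse_auth_results(headers.get("Authentication-Results", ""))
    findings = []
    if domain not in legit_domains:
        findings.append(f"From domain {domain!r} is not an expected sender domain")
    for mech in ("spf", "dkim"):
        result, d = auth.get(mech, ("none", ""))
        if result != "pass" or org_domain(d) != org_domain(domain):
            findings.append(f"{mech} not aligned with From domain ({result}, {d or 'n/a'})")
    brands = {ld.split(".")[0] for ld in legit_domains}
    if domain not in legit_domains and any(b in name.lower() for b in brands):
        findings.append(f"display name {name!r} impersonates a legitimate sender")
    return findings
```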
A Telegram channel was created and is mainly used to spread the message of the fake token distribution event.
If you have provided your email and password, we suggest changing your password. We also recommend that you enable 2-factor authentication and use a complex password for better security.
If you have provided your private key, please note that the private key is likely compromised. We highly recommend taking the necessary mitigative action quickly. This includes (but is not limited to) transferring the balances to a new address.
If you have provided the mnemonic phrase, we strongly recommend that you consider all addresses associated with the mnemonic phrase as compromised and take the necessary mitigative actions, such as transferring your balances to a new address that is unrelated to the compromised mnemonic phrase.
If you are in any airdrop group with regards to Zilliqa, we suggest you leave the group. Please do not provide any information requested by the group. Do note that Zilliqa does not have any airdrops.
Lastly, we recommend basic but effective practices that are key not only in this situation, but at any point in time. Please keep your password, private key, and mnemonic phrases STRICTLY CONFIDENTIAL AT ALL TIMES.
For transactions and interactions requiring sensitive information, please take a few additional moments to verify the source and authenticity of the request to the best of your ability. Please use all available technology-based security measures to protect yourself from becoming a victim of this, or any other, scam down the line. This report should provide a good starting point for learning about the measures you can take.
We will share updates on this incident as and when we have accurate details. In the meantime, we urge you to be vigilant of all communications that you receive from Zilliqa. In case you have encountered any security issues, please inform us at