Email Supply Chain Security and Locked Tokens
In a recent blog post we mentioned that 129,551,449.35 MOBI were distributed in error to a few addresses and are currently frozen. So why were these MOBI distributed in error?
Our token distribution process had users create a Stellar wallet on the Mobius website. We emailed each user a link to a wallet creation page. The wallet was created in the browser and the secret key never left it; only the public key was sent to our server. Somehow these emails were intercepted, much as Reddit password reset emails were once intercepted. The emailed link was effectively a bearer credential: whoever opened it first could register a public key for that allocation, and the wallet creation page displayed the number of tokens to be delivered. The attacker scanned the intercepted pages, picked out the large allocations, and created the wallet before the real user did, so those tokens were sent to keys the attacker controlled. Fortunately we detected the issue quickly and were able to freeze the tokens that were distributed in error.
Need for Crypto Native and Secure Messaging System
Email remains insecure and easy to attack, yet it is still the default and primary communication channel for many services, crypto projects included. The web3 / crypto ecosystem needs a user-friendly, crypto-native and secure messaging system that projects can use to communicate with their users. This is something we are researching, along with a decentralized blockchain optimized for trading any synthetic asset.