A DNS hijack has led to hackers withdrawing $400,000 worth of Stellar Lumen (XLM) coins from wallets hosted by Blackwallet.co without users’ permission.

As multiple sources report, on Saturday, Jan. 13, attackers took control of BlackWallet’s hosting server, changing settings to allow code to run which automatically sent customer balances over 20XLM to an address under the hackers’ control.

Almost 670,000 tokens are currently missing as a result of the attack, likely explaining XLM’s almost 23 percent dive over the past 48 hours.

On social media, desperate efforts to contain the threat before the service was taken offline saw BlackWallet’s developer caution users to move their funds elsewhere if they had entered their wallet information since Saturday.

The developer, known as u/orbit84 on Reddit, wrote:

“I am sincerely sorry about this and hope that we will get the funds back. I am in talks with my hosting provider to get as much information about the hacker and will see what can be done with it. If you ever entered your key on blackwallet, you may want to move your funds to a new wallet using the stellar account viewer…”

A Reddit user u/nuclearping has apparently managed to identify the hosting provider which services BlackWallet as 1&1.

If that is the case, the event would be the second such incident involving 1&1. In August last year, hackers persuaded a customer service representative at the company to cede control of Classic Ether Wallet’s domain from its original owner.

The result was mass losses of funds and sensitive user information being stolen, sources reported at the time.

The BlackWallet developer meanwhile added an edit to his original Reddit post asking community members not to “spread rumors” about the German hosting provider.