Oct 6th DNS Security Incident Statement

Galxe
4 min read · Oct 7, 2023

At the time of this announcement, Galxe.com has fully recovered with enhanced security. As of Oct 7th 00:00 AM PDT, we estimated that around 1,120 users were affected and around $270,000 USD was stolen. The Galxe.com domain was attacked on October 6th at 6 AM PDT and re-routed our users to a phishing site. The Galxe team immediately took action and resolved the incident within a few hours. Only users who signed transactions after 6:02 AM and before 11:23 AM PDT were affected. All other users, including those who had previously signed up and authorized transactions through connected wallets, remain safe.

Cause of Incident

On October 6th, 2023, an unknown individual impersonated an authorized member of Galxe and contacted Dynadot support, our domain service provider, asking to reset login credentials.

The impersonator provided Dynadot with falsified documentation to bypass their security process and gained unauthorized access to the domain account, which they used to redirect users to a fake website and have them sign transactions that misappropriated their funds.

Timeline and Reactions

After being alerted to the attacker's DNS change, the Galxe team immediately took several steps. We informed our community and partners of the breach through X, Discord, and Telegram, and provided the community with real-time updates.

2023/10/06 04:00 PDT: The hacker(s) conducted a social engineering attack against Dynadot, which is the DNS registrar of our domain Galxe.com. By using falsified documentation of the account owner, they successfully bypassed Dynadot’s security process and were granted temporary access to Galxe.com’s Dynadot account. The suspicious activity was traced to IP address 141.98.252.160.

2023/10/06 06:02 PDT: The hacker(s) modified the NS records of Galxe.com, re-routing website visitors to a deceitful phishing site. As the changed records propagated, this malicious DNS change gradually began redirecting our users to the fraudulent site, where a pop-up asked them to approve a transaction that would drain their wallets.

2023/10/06 06:45 PDT: First hack occurred — https://etherscan.io/tx/0xa3fdd20ad84f87a536b359bc5b0364c2b8978f77001577f99f8f36266b1db72e.

2023/10/06 07:20 PDT: Our security team identified the issue and commenced a comprehensive investigation.

2023/10/06 07:38 PDT: Having fully discerned the scope and nature of the attack, we initiated communication with Dynadot to reclaim our account.

2023/10/06 07:40 PDT: Discord and X announcements were sent out to our community, and status updates were shared with our partners to better protect affected users.

2023/10/06 07:45 PDT: Our engineering team took down the API gateway to Galxe’s backend to prevent any possible unauthorized access, and all access tokens were revoked.

2023/10/06 08:00 PDT: Further updates and communications were given throughout all channels.

2023/10/06 08:45 PDT: Our wallet partners, such as MetaMask and Coinbase Wallet, took action to prevent further users from being affected by temporarily marking Galxe.com as a phishing site.

2023/10/06 09:00 PDT: Dynadot cleared the DNS records for Galxe.com.

2023/10/06 09:23 PDT: We successfully recovered the account and restored the name server (NS) records of Galxe.com. A recovery update was also given on Discord and X. Even though we had regained control over the domain, some users could still be routed to the deceptive site because of DNS propagation delays. To safeguard our community, we decided to keep Galxe.com offline and continued to advise everyone to remain vigilant and exercise caution for the time being.

2023/10/06 18:30 PDT: Galxe.com went back online.
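The timeline above turns on one fact: after NS records are changed (and again after they are restored), different recursive resolvers keep serving different answers until their cached records expire, which is why the affected window has fuzzy edges. The following is an added example, not Galxe's or Dynadot's code, of a monitoring check that compares what each resolver returns against the operator's expected name servers; the expected names and resolver answers are constructed placeholders.

```python
# Added example (not Galxe's or Dynadot's code): classify NS answers seen from
# several recursive resolvers against the registrar-side expected set, so an
# NS hijack and the extent of its propagation show up in one table.

# What the operator recorded from the registrar panel (placeholder names).
EXPECTED_NS = {"ns1.example-dns.net.", "ns2.example-dns.net."}

def normalize(name: str) -> str:
    """DNS names are case-insensitive; compare them in one canonical form."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."

def check_ns(observed: list, expected: set = EXPECTED_NS) -> dict:
    """Classify one resolver's NS answer against the expected set."""
    seen = {normalize(n) for n in observed}
    exp = {normalize(n) for n in expected}
    unexpected, missing = seen - exp, exp - seen
    if not seen:
        status = "EMPTY"      # e.g. registrar cleared the zone, as at 09:00 PDT
    elif unexpected:
        status = "HIJACKED"   # a name server outside the expected set is present
    elif missing:
        status = "PARTIAL"    # only some of the expected servers were returned
    else:
        status = "OK"
    return {"status": status, "unexpected": sorted(unexpected), "missing": sorted(missing)}

def survey(views: dict, expected: set = EXPECTED_NS) -> dict:
    """Map {resolver: [ns, ...]} to {resolver: status}."""
    return {r: check_ns(answer, expected)["status"] for r, answer in views.items()}

def hijack_seen(views: dict, expected: set = EXPECTED_NS) -> bool:
    """True while at least one resolver still serves a non-expected name server."""
    return "HIJACKED" in survey(views, expected).values()

# Constructed mid-propagation snapshot: one resolver sees the restored records,
# two still cache attacker-controlled servers, one returns an empty answer.
SAMPLE_VIEWS = {
    "resolver-a": ["NS1.EXAMPLE-DNS.NET", "ns2.example-dns.net"],
    "resolver-b": ["ns-a.attacker.invalid.", "ns-b.attacker.invalid."],
    "resolver-c": ["ns1.example-dns.net.", "ns-a.attacker.invalid."],
    "resolver-d": [],
}

if __name__ == "__main__":
    for resolver, status in survey(SAMPLE_VIEWS).items():
        print(f"{resolver:<12} {status}")
```

Keeping the site offline until `hijack_seen` is false for every resolver vantage point is the check behind the "some users could still get routed to the deceptive site" decision above.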

Impact and Recovery Plan

The incident only affected our domain and front-end application. All Galxe smart contracts, as well as Galxe’s technical systems, remain safe and protected. All user information remains secure and untouched.

The only users affected are those who visited Galxe.com and signed transactions to malicious contracts during the incident window, 2023/10/06 06:02 AM PDT to around 2023/10/06 11:23 AM PDT (potentially earlier or later, because DNS propagation delays differ by region).

We are still actively tracking the total number of users affected and the amount of funds stolen. As of Oct 7th 00:00 AM PDT, we estimated around 1,120 users and around 270,000 USD worth of funds were affected. We are working with law enforcement, third-party experts, partners, and consultants to recover the affected funds and hopefully identify the attacker(s).

We are also working on a fund recovery plan for those who have been affected. We will share more details as soon as we obtain a full list of affected users and funds.

Security Measures for Affected Users

Potentially affected users are advised to do the following:

  • Check this Security Guide if you are still seeing the phishing site when accessing Galxe.com.
  • Use revoke.cash to cancel any unrecognized authorizations. Be cautious of the following contract addresses, which have been flagged in connection with the attack:
      • 0x0000eaab14253e1421aef4F48eE539F2653C0000
      • 0x00008c6Dc619b0ea53dd8d02B58Bb726aFc40000
  • If you suspect you might have signed a malicious message, even if you have not yet been attacked, treat this account as compromised and move all funds to a new account.
  • Contact the Galxe support team via help.galxe.com live chat or Discord if you need further assistance.
  • Turn on notifications for our X account to get the latest official updates.
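The revoke.cash advice above rests on the fact that the drained funds were taken through token approvals granted to the two flagged spender addresses. The following is an added example, not Galxe's or revoke.cash's code, that picks such approvals out of raw ERC-20 `Approval` event logs (the kind an `eth_getLogs` call returns) so an affected user or a support team can see which tokens still need revoking; the log entries are constructed and do not reproduce real chain data.

```python
# keccak256("Approval(address,address,uint256)"): topic0 of every ERC-20 Approval event.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"

# The two spender addresses flagged in the statement above (page-sourced values).
FLAGGED_SPENDERS = {
    "0x0000eaab14253e1421aef4F48eE539F2653C0000",
    "0x00008c6Dc619b0ea53dd8d02B58Bb726aFc40000",
}

def topic_to_address(topic: str) -> str:
    """An address stored in a 32-byte indexed topic occupies the low 20 bytes."""
    return "0x" + topic[-40:].lower()

def pad_address(addr: str) -> str:
    """Inverse of topic_to_address; used here only to build the constructed sample."""
    return "0x" + addr[2:].lower().rjust(64, "0")

def flagged_approvals(logs: list, flagged: set = FLAGGED_SPENDERS) -> list:
    """Return Approval events whose spender is in the flagged set.

    Matching is case-insensitive: the flagged list is EIP-55 checksummed while
    node responses are usually lowercase hex, so a naive string compare misses.
    """
    flagged_lc = {a.lower() for a in flagged}
    hits = []
    for log in logs:
        topics = log.get("topics", [])
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue  # not an ERC-20 Approval (Transfer etc. have a different topic0)
        spender = topic_to_address(topics[2])
        if spender not in flagged_lc:
            continue
        data = log.get("data", "0x")
        amount = int(data, 16) if len(data) > 2 else 0
        hits.append({"token": log["address"].lower(), "owner": topic_to_address(topics[1]),
                     "spender": spender, "amount": amount,
                     "unlimited": amount == 2**256 - 1})   # max allowance, the worst case
    return hits

# Constructed sample logs (not real chain data): an unlimited approval to a flagged
# spender and an ordinary 100-unit approval to an unrelated one.
TOKEN, OWNER, OTHER = "0x" + "aa" * 20, "0x" + "11" * 20, "0x" + "22" * 20
SAMPLE_LOGS = [
    {"address": TOKEN, "data": "0x" + "ff" * 32, "topics": [APPROVAL_TOPIC,
     pad_address(OWNER), pad_address("0x0000eaab14253e1421aef4F48eE539F2653C0000")]},
    {"address": TOKEN, "data": "0x" + "00" * 31 + "64", "topics": [APPROVAL_TOPIC,
     pad_address(OWNER), pad_address(OTHER)]},
]
```

Every entry returned by `flagged_approvals` is a (token, owner) pair whose allowance should be set back to zero; an `approve` to a new spender does not clear an older one.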

Points of Contact

For Community: Reach out to our team via Discord and help.galxe.com if you believe you are affected or have other questions.

For Partners: Reach out to our Business Development team at business@galxe.com or contact your relationship manager via Telegram.

For Media Inquiries: Please contact qimei@serotonin.co or ana@serotonin.co

One of the reasons we are sharing all of this is to help the community become more risk-aware and cautious by knowing the tactics and tricks that hackers and impersonators use. We would like to express our appreciation to our trusted partners during this difficult time, especially those who offered help, stepped in to assist, and stood by our side.
