At the time of this announcement, Galxe.com has fully recovered with enhanced security. As of Oct 7th 00:00 AM PDT, we estimated that around 1,120 users were affected and around $270,000 USD was stolen.
The Galxe.com domain was attacked on October 6th, 6 AM PDT and re-routed our users to a phishing site. Galxe team immediately took action and resolved the incident within a few hours.
Only users who signed transactions after 6:02 AM and before 11:23 AM PDT were affected.
All other users, including the ones previously signed up and authorized transactions through connected wallets, remain safe.
ℹ️ Note: If you are worried, you can check if your address is affected via revoke cash.
To check your address on revoke.cash, click here.
Cause of Breach
On October 6th, 2023, an unknown individual impersonated an authorized member of Galxe and contacted Dynadot support, our domain service provider, asking to reset login credentials.
The impersonator provided Dynadot with falsified documentation to bypass their security process and gained unauthorized access to the domain account, which they used to redirect users to a fake website and sign transactions that misappropriated their funds.
Event Timeline & Responses
After being alerted to the change of DNS by the attacker, Galxe team immediately took several steps. We informed our community and partners of the breach through X, Discord, and Telegram.
We also provided the community with real-time updates.
Here is a timeline of the events for the record:
2023/10/06 04:00 PDT: The hacker(s) conducted a social engineering attack against Dynadot, which is the DNS registrar of our domain Galxe.com. By using falsified documentation of the account owner, they successfully bypassed Dynadot's security process and were granted temporary access to Galxe.com’s Dynadot account. The suspicious activity was traced to IP address 141.98.252.160.
2023/10/06 06:02 PDT: The hacker(s) modified the NS records of Galxe.com, re-routing website visitors to a deceitful phishing site. This malicious DNS change gradually began redirecting our users to this fraudulent site, as DNS records propagated, where a pop up on the phishing site asked our users to approve a transaction which would drain their wallets.
2023/10/06 06:45 PDT: First hack occurred - https://etherscan.io/tx/0xa3fdd20ad84f87a536b359bc5b0364c2b8978f77001577f99f8f36266b1db72e.
2023/10/06 07:20 PDT: Our security team identified the issue and commenced a comprehensive investigation.
2023/10/06 07:38 PDT: Having fully discerned the scope and nature of the attack, we started to initiate communication with Dynadot to reclaim our account.
2023/10/06 07:40 PDT: Discord and X announcements sent out to our community and statuses were shared with our partners to better protect affected users.
2023/10/06 07:45 PDT: Our engineering team took down the API gateway to Galxe’s backend to prevent any possible unauthorized access, and all access tokens were revoked.
2023/10/06 08:00 PDT: Further updates and communications were given throughout all channels.
2023/10/06 08:45 PDT: Our wallet partners, such as Metamask and Coinbase Wallet, took actions to prevent users from further being affected by temporarily marking Galxe.com as a phishing site.
2023/10/06 09:00 PDT: Dynadot cleared the DNS record for Galxe.com
2023/10/06 09:23 PDT: We successfully recovered the account and restored the Name Service records of Galxe.com. A recovery update was also given on Discord and X. Even though we regained control over the domain, due to DNS propagation delays, some users could still get routed to the deceptive site. To safeguard our community, we decided to keep Galxe.com offline and continuously advise everyone to remain vigilant and exercise caution for the time being.
2023/10/06 18:30 PDT: Galxe.com is back online.
Impact & Recovery Plan
The incident only affected our domain and front-end application. All Galxe smart contracts, as well as Galxe's technical systems, remain safe and protected. All user information remains secure and untouched.
The only users affected are those who visited Galxe.com and signed transactions to malicious contracts during the time of the incident 2023/10/06 06:02 AM PDT to around 2023/10/06 11:23 AM PDT (potentially earlier or later, due to the different DNS propagation delay of different regions).
We are still actively tracking the total number of users affected and the amount of funds stolen. As of Oct 7th 00:00 AM PDT, we estimated around 1,120 users and around 270,000 USD worth of funds were affected. We are working with law enforcement, third-party experts, partners, and consultants to recover the affected funds and hopefully identify the attacker(s).
We are also working on a fund recovery plan for those who have been affected. We will share more details as soon as we obtain a full list of affected users and funds.
⚠️ Wait: BEFORE you Interact with Galxe, we recommend enforcing strict DNS over HTTPS.
You can reference this guide: https://developers.cloudflare.com/1.1.1.1/encryption/dns-over-https/encrypted-dns-browsers/
Security Measures for Affected Users
Potentially affected users are advised to do the following:
Use revoke.cash to cancel any unrecognized authorizations. Be cautious of the following contract addresses that have been flagged in connection with the attack:
0x0000eaab14253e1421aef4F48eE539F2653C0000
0x00008c6Dc619b0ea53dd8d02B58Bb726aFc40000
Use this page by revoke.cash to verify if your address was affected
If you suspect you might have signed a malicious message, even though you haven’t been attacked, you should consider this account compromised and move all funds to a new account.
Contact the Galxe support team via galxe.com/support, live chat or Discord if you need further assistance.
We have taken control back of the Galxe domain, but some users might still be affected due to DNS propagation. DNS propagation is the time it takes to update DNS records across all servers on the internet and it varies individually. It takes a certain amount of time before your DNS records refresh which is why you might still see the phishing site when accessing galxe.com.
ℹ️ Tip: Revoke.cash prepared a page on their website for you to check if you are affected:
Enter your address in the field to check if you are affected
To navigate to revoke cash, click here.
What You Can Do
1. Identify the phishing website:
If you click on the navigation buttons on the Galxe website header menu, a pop up will ask you to sign a transaction or the navigation buttons will simply not respond.
If you see a window asking you to approve your assets like the one below, DO NOT APPROVE ANY TRANSACTION!
This is what phishing UI looked like:
This is what the real Galxe website looks like:
2. Configure DNS Over HTTPs (DoH) and Clear DNS Cache:
Before you access the Galxe website, please complete the following:
Primary Solution: Configure DoH on your browser: https://developers.cloudflare.com/1.1.1.1/encryption/dns-over-https/encrypted-dns-browsers/
Adjust DNS Settings: Switch to Google DNS by following this guide (Mobile & Desktop): https://developers.google.com/speed/public-dns/docs/using
Remove Corrupted Data: Clear your DNS cache by following this guide: https://docs.cpanel.net/knowledge-base/dns/how-to-clear-your-dns-cache/
⚠️ Wait: It's very important that you clear your DNS Cache and we recommend clearing your local storage.
How to Contact Us
For Community: Reach out to our team via Discord and galxe.com/support if you believe you are affected or have other questions.
For Partners: Reach out to our Business Development team at [email protected] or contact your relationship manager via Telegram.
For Media Inquiries: Please contact [email protected] or [email protected]
One of the reasons we would like to share all those is to help the community to be more risk sensitive and cautious, knowing the conducts and tricks hackers and impersonators might behave.
We would like to express our appreciation to our trusted partners during this difficult time, especially the ones who offer help, step in to assist and stand by our side in time. 💙