$1 100 000 USD

NOVEMBER 2021

GLOBAL

PHANTOM GALAXIES

DESCRIPTION OF EVENTS

"PHANTOM GALAXIES combines open-world space sim with fast-paced mech shooter and a captivating story."


"Once enemies, the factions of Neoterra now share a dangerous alien foe, the Sha’Kari. The Sha’Kari Zealots are the priest cast of the Sha’Har race, intent on destroying mankind for desecrating their ancestral planets. Choose the transforming Mecha Starfighter that suits your play style - Lancer, Buster, Assault, and Breacher classes and take the fight to the Sha’Kari!"


"Phantom Galaxies is a fast-paced third-person experience that looks and plays just like the traditional 3D action RPGs (ARPG) already familiar to millions of gamers, with the important difference that it will allow players to exercise governance and to have true ownership and control of their in-game assets (such as mechs, equipment, avatars, and game currency) thanks to the use of fungible and non-fungible tokens (NFTs)."


"In the early hours of 19 November 2021, unknown hackers gained access to the official Discord account of Phantom Galaxies and took over the game’s Discord server. Investigation later revealed that the hack was enabled by a malware bot that compromised the two-factor authentication for the Admin account of the Discord server of Phantom Galaxies. Once in control of the Discord server, the hackers banned all staff accounts as well as all accounts of advisors and community moderators."


"At approximately 3 a.m. (AEDT), the hackers then began to post fraudulent announcements, claiming that the game was launching an immediate surprise NFT minting event — a stealth mint. The hackers directed users to a fraudulent website that purported to be a Phantom Galaxies NFT minting platform. The fake minting platform charged users a 0.1 ETH “minting fee” that did not actually mint anything and simply transferred the funds to the scammers’ Ethereum wallet address."


"In total, the offenders stole about 265 ETH (approximately US$1.1 million) from Discord users via 1,571 fake minting transactions over the course of about three hours."


"At approximately 3:40 a.m. (AEDT), some members of the senior management of Animoca Brands, Blowfish’s parent company located in Hong Kong, became aware of the scam on the Discord server and of the fraudulent website."


"The local time in Hong Kong was 12:40 a.m., three hours behind Sydney, Australia, where Blowfish is based. By this point, the hackers had already taken control of the Discord server and restricted access to everyone else."


"Animoca Brands attempted to reach the management of Blowfish to obtain information about the situation and coordinate a response, but these attempts were unsuccessful owing to the extremely late hour in Australia."


"Animoca Brands notified available Telegram group moderators, who posted alerts about the scam across the company’s various Telegram groups starting at around 3:45 a.m. (AEDT)."


"At 3:58 a.m. (AEDT) Animoca Brands’ executive chairman and co-founder Yat Siu tweeted an alert from his Twitter account, tagging the official Phantom Galaxies Twitter account."


"That message was then retweeted by the official Animoca Brands account shortly after it was posted."


"At the same time, Animoca Brands contacted Discord to report the problem. Starting at around 4:30 a.m. (AEDT), Discord took emergency steps to restrict access to the Phantom Galaxies Discord server and remove the fraudulent posts."


"Animoca Brands wishes to provide an update about the hack of the Phantom Galaxies Discord server that occurred in the early hours of 19 November 2021, and to reassure the victims of the hackers’ scam that the company will cover their losses (265 ETH, worth about US$1.1 million), with details to be announced shortly."


"Animoca Brands and Blowfish will cover the losses of all victims of this scam, being 265 ETH, or approximately US$1.1 million. The exact nature and mechanism of the compensation will be determined after discussions with the Phantom Galaxies community, but it will involve transfers to users to cover the amounts stolen by the hackers, or the delivery of equivalent value. More information will be provided in the game’s official channels."

Phantom Galaxies, by Animoca Brands, is a sci-fi NFT game in which users mint tokens. The project's official Discord server was taken over by attackers who compromised a single device belonging to one of the project leads; that device held both factors of the account's 2FA. This allowed the attackers to post links to a malicious website that they claimed allowed the minting of new NFTs. Users submitted thousands of "minting" transactions through the site, which in reality minted nothing and simply stole their funds. Animoca Brands has agreed to fully compensate all affected users' losses.

HOW COULD THIS HAVE BEEN PREVENTED?

The lesson here is twofold: two-factor authentication is weak when every factor lives on the same device, and routinely operating from an account with more privileges than the task needs is dangerous. When all factors sit on one device, breaching that device is all it takes to carry out the attack. Using a fully permissioned account for everyday work widens the window in which a breach can do damage, whereas a separate low-privilege account for daily use would greatly limit what an adversary could do if they ever got in.


Ideally, key actions such as banning moderators or posting global announcements would require the approval of multiple people before taking effect. With such a control in place, compromising a single account would not be enough to carry out the attack.
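One way to implement the multi-person approval described above, as an added Python example (this is not code from Animoca Brands, Blowfish or Discord; the gated action names, the number of required approvers and the expiry window are assumptions). It shows that a single compromised admin account can neither self-approve nor count twice, and that stale requests never fire:

```python
import time
from dataclasses import dataclass, field

# Actions a single admin account must not be able to perform alone
# (assumed set; the page names banning staff and global announcements).
PRIVILEGED = {"ban_staff", "global_announcement"}


@dataclass
class Request:
    action: str
    requester: str
    created: float
    approvals: set = field(default_factory=set)


class ApprovalGate:
    """Run a privileged action only after `min_approvers` distinct admin
    accounts other than the requester have approved it (default: two-person rule)."""

    def __init__(self, admins, min_approvers=1, ttl_seconds=900):
        self.admins = set(admins)
        self.min_approvers = min_approvers
        self.ttl = ttl_seconds
        self.pending = {}    # req_id -> Request
        self.executed = []   # (action, requester, frozenset(approvers))

    def request(self, req_id, action, requester, now=None):
        if requester not in self.admins:
            raise PermissionError(f"{requester} is not an admin")
        if action not in PRIVILEGED:            # everyday actions are not gated
            self.executed.append((action, requester, frozenset()))
            return "executed"
        now = now if now is not None else time.time()
        self.pending[req_id] = Request(action, requester, now)
        return "pending"

    def approve(self, req_id, approver, now=None):
        now = now if now is not None else time.time()
        req = self.pending.get(req_id)
        if req is None:
            return "unknown"
        if now - req.created > self.ttl:        # stale requests are discarded
            del self.pending[req_id]
            return "expired"
        if approver not in self.admins:
            raise PermissionError(f"{approver} is not an admin")
        if approver == req.requester:           # one compromised account cannot self-approve
            return "rejected_self_approval"
        req.approvals.add(approver)             # a set: the same account cannot count twice
        if len(req.approvals) < self.min_approvers:
            return "pending"
        del self.pending[req_id]
        self.executed.append((req.action, req.requester, frozenset(req.approvals)))
        return "executed"
```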


In our framework, we advocate for training platform operators about incidents such as these, and require the approval of two separate security sign-offs for a project to launch, which would likely catch any weak security practices. A discretionary treasury fund is available to cover losses, in addition to whatever treasury is available with projects directly.



© 2021 Quadriga Initiative. Your use of this site/service accepts the Terms of Use and Privacy Policy. This site is not associated with Ernst & Young, Miller Thompson, or the Official Committee of Affected Users. Hosted in Canada by HosterBox.