Phantom Galaxies Discord Malware Attack

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository


Phantom Galaxies

Phantom Galaxies, by Animoca Brands, is a sci-fi NFT game in which users mint tokens. The project's official Discord server was taken over by attackers who compromised a single device belonging to one of the project leads; that device held both factors of the account's two-factor authentication (2FA). Control of the server allowed the attackers to post links to a malicious website that they claimed allowed the minting of new NFTs. Thousands of NFTs were "minted" through the site, which in reality minted nothing and simply stole the users' funds. Animoca Brands has agreed to fully compensate all affected users for their losses.

This is a global/international case not involving a specific country.[1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16][17][18]

About Phantom Galaxies

"PHANTOM GALAXIES combines open-world space sim with fast-paced mech shooter and a captivating story."

"Once enemies, the factions of Neoterra now share a dangerous alien foe, the Sha’Kari. The Sha’Kari Zealots are the priest caste of the Sha’Har race, intent on destroying mankind for desecrating their ancestral planets. Choose the transforming Mecha Starfighter that suits your play style - Lancer, Buster, Assault, and Breacher classes - and take the fight to the Sha’Kari!"

"Phantom Galaxies is a fast-paced third-person experience that looks and plays just like the traditional 3D action RPGs (ARPG) already familiar to millions of gamers, with the important difference that it will allow players to exercise governance and to have true ownership and control of their in-game assets (such as mechs, equipment, avatars, and game currency) thanks to the use of fungible and non-fungible tokens (NFTs)."

"In the early hours of 19 November 2021, unknown hackers gained access to the official Discord account of Phantom Galaxies and took over the game’s Discord server. Investigation later revealed that the hack was enabled by a malware bot that compromised the two-factor authentication for the Admin account of the Discord server of Phantom Galaxies. Once in control of the Discord server, the hackers banned all staff accounts as well as all accounts of advisors and community moderators."

"At approximately 3 a.m. (AEDT) [...] the hackers then began to post fraudulent announcements, claiming that the game was launching an immediate surprise NFT minting event — a stealth mint. The hackers directed users to a fraudulent website that purported to be a Phantom Galaxies NFT minting platform. The fake minting platform charged users a 0.1 ETH “minting fee” that did not actually mint anything and simply transferred the funds to the scammers’ Ethereum wallet address."

"In total, the offenders stole about 265 ETH (approximately US$1.1 million) from Discord users via 1,571 fake minting transactions over the course of about three hours."

"At approximately 3:40 a.m. (AEDT), some members of the senior management of Animoca Brands, Blowfish’s parent company located in Hong Kong, became aware of the scam on the Discord server and of the fraudulent website."

"The local time in Hong Kong was 12:40 a.m., three hours behind Sydney, Australia, where Blowfish is based. By this point, the hackers had already taken control of the Discord server and restricted access to everyone else."

"Animoca Brands attempted to reach the management of Blowfish to obtain information about the situation and coordinate a response, but these attempts were unsuccessful owing to the extremely late hour in Australia."

"Animoca Brands notified available Telegram group moderators, who posted alerts about the scam across the company’s various Telegram groups starting at around 3:45 a.m. (AEDT)."

"At 3:58 a.m. (AEDT) Animoca Brands’ executive chairman and co-founder Yat Siu tweeted an alert from his Twitter account, tagging the official Phantom Galaxies Twitter account."

"That message was then retweeted by the official Animoca Brands account shortly after it was posted."

"At the same time, Animoca Brands contacted Discord to report the problem. Starting at around 4:30 a.m. (AEDT), Discord took emergency steps to restrict access to the Phantom Galaxies Discord server and remove the fraudulent posts."

"Animoca Brands wishes to provide an update about the hack of the Phantom Galaxies Discord server that occurred in the early hours of 19 November 2021, and to reassure the victims of the hackers’ scam that the company will cover their losses (265 ETH, worth about US$1.1 million), with details to be announced shortly."

"Animoca Brands and Blowfish will cover the losses of all victims of this scam, being 265 ETH, or approximately US$1.1 million. The exact nature and mechanism of the compensation will be determined after discussions with the Phantom Galaxies community, but it will involve transfers to users to cover the amounts stolen by the hackers, or the delivery of equivalent value. More information will be provided in the game’s official channels."


The background of the exchange platform, service, or individuals involved, as it would have been seen or understood at the time of the events.

Include:

  • Known history of when and how the service was started.
  • What problems does the company or service claim to solve?
  • What marketing materials were used by the firm or business?
  • Audits performed, and excerpts that may have been included.
  • Business registration documents shown (fake or legitimate).
  • How were people recruited to participate?
  • Public warnings and announcements prior to the event.

Don't Include:

  • Any wording which directly states or implies that the business is/was illegitimate, or that a vulnerability existed.
  • Anything that wasn't reasonably knowable at the time of the event.

There could be more than one section here. If the same platform is involved with multiple incidents, then it can be linked to a main article page.

The Reality

This section is included if a case involved deception or information that was unknown at the time. Examples include:

  • When the service was actually started (if different than the "official story").
  • Who actually ran a service and their own personal history.
  • How the service was structured behind the scenes. (For example, there was no "trading bot".)
  • Details of what audits reported and how vulnerabilities were missed during auditing.

What Happened

The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.

Key Event Timeline - Phantom Galaxies Discord Malware Attack

Date | Event | Description
November 19th, 2021 | Main Event | Expand this into a brief description of what happened and the impact. If multiple lines are necessary, add them here.

Technical Details

This section includes specific detailed technical analysis of any security breaches which happened. What specific software vulnerabilities contributed to the problem and how were they exploited?

Total Amount Lost

The total amount lost has been estimated at $1,100,000 USD.

How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?

Immediate Reactions

How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?

Ultimate Outcome

What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?

Total Amount Recovered

There do not appear to have been any funds recovered in this case.

What funds were recovered? What funds were reimbursed for those affected users?

Ongoing Developments

What parts of this case are still remaining to be concluded?

General Prevention Policies

The lesson here is about the weakness of two-factor authentication where all factors live on the same device, and about routinely using an account with more privileges than necessary. When every factor is on one device, breaching that device is enough to defeat the 2FA and carry out an attack. Using a fully privileged account for everyday tasks widens the window in which a breach can happen, whereas a separate low-privilege account for day-to-day use would greatly limit what an adversary could do if they ever got in.

Ideally, key actions such as banning moderators or posting global announcements would be set up so that approval from multiple people is required. That way, compromising a single account or device would not be enough to carry out such an attack.
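As an added illustration of the two recommendations above (separate everyday and admin accounts, and multi-person approval for destructive server actions), the following is example code written for this page, not code from Animoca Brands, Blowfish or Discord. It models an approval gate in which privileged actions need a quorum of admin approvals from distinct accounts on distinct devices, so a single compromised device holding both 2FA factors cannot approve its own request; the action names, roles and device identifiers are assumed for the example.

```python
from dataclasses import dataclass, field

# Server actions that should never be executable from a single session.
# These mirror what the attackers did once they held the admin account.
PRIVILEGED = {"ban_staff", "post_global_announcement"}


@dataclass(frozen=True)
class Session:
    account: str    # which account is acting
    device_id: str  # device the session was established from (assumed id)
    role: str       # "admin" for the privileged account, "everyday" otherwise


@dataclass
class Request:
    action: str
    approvals: list = field(default_factory=list)


class ApprovalGate:
    """Quorum-based gate: a privileged action runs only after `quorum`
    approvals from different admin accounts on different devices."""

    def __init__(self, quorum: int = 2):
        self.quorum = quorum

    def approve(self, req: Request, session: Session):
        if session.role != "admin":
            return False, "everyday accounts cannot approve privileged actions"
        if any(s.account == session.account for s in req.approvals):
            return False, "this account has already approved"
        if any(s.device_id == session.device_id for s in req.approvals):
            # One compromised device must not be able to supply two approvals.
            return False, "approval must come from a different device"
        req.approvals.append(session)
        return True, "approval recorded"

    def execute(self, req: Request, session: Session):
        if req.action not in PRIVILEGED:
            return True, "executed"  # ordinary actions need no quorum
        if session.role != "admin":
            return False, "privileged action requires the admin account"
        if len(req.approvals) < self.quorum:
            return False, f"needs {self.quorum} approvals, has {len(req.approvals)}"
        return True, "executed"
```

With this gate, the scenario on the page (one admin account whose device holds both factors) can record at most one approval, so the mass ban and the fraudulent announcement would both stop at the quorum check.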

In our framework, we advocate for training platform operators about incidents such as these, and require the approval of two separate security sign-offs for a project to launch, which would likely catch any weak security practices. A discretionary treasury fund is available to cover losses, in addition to whatever treasury is available with projects directly.

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References