Bessie Liu

The Domain Name System (DNS) of NFT infrastructure company Galxe has been compromised, with the attacker’s address currently holding $75,000 in digital assets.&nbsp;



In a <a href="https://twitter.com/zachxbt/status/1710308430991286513">post</a> on X, Galxe noted that its website was down and the team is currently working on a resolution. The company also urged users not to connect their wallet addresses to Galxe in the meantime.&nbsp;



<figure class="wp-block-embed is-type-rich is-provider-twitter wp-block-embed-twitter"><div class="wp-block-embed__wrapper">
<blockquote class="twitter-tweet" data-width="550" data-dnt="true">Dear Galxe Community, We recognize the impact that recent events have had upon our users and are quickly working to take remedial action. The Galxe security team continues to take an aggressive approach to protect your data, funds and digital assets. Steps You Should Take: ❗️Do…&mdash; Galxe (@Galxe) <a href="https://twitter.com/Galxe/status/1710338105939521880?ref_src=twsrc%5Etfw">October 6, 2023</a></blockquote><script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script>
</div></figure>



A separate <a href="https://twitter.com/polkastarter/status/1710327209569796461">post</a> by Polkastarter, a Web3 fundraising platform, advised users to revoke permissions that had been given to Galxe.&nbsp;



“We suggest removing all other spending permissions as well to improve the safety of your funds,” the company said on <a href="https://twitter.com/polkastarter/status/1710327209569796461">X</a>.



According to the pseudonymous on-chain investigator <a href="https://twitter.com/zachxbt/status/1710308430991286513">ZachXBT,</a> the Galxe attacker could be the same entity as the attacker who drained approximately <a href="https://blockworks.co/news/balancer-website-hijack-puts-users-at-risk">$238,000</a> from DeFi liquidity protocol Balancer last month.&nbsp;



<figure class="wp-block-embed is-type-rich is-provider-twitter wp-block-embed-twitter"><div class="wp-block-embed__wrapper">
<blockquote class="twitter-tweet" data-width="550" data-dnt="true">Stolen funds are being directed to here 0x4103baBcFA68E97b4a29fa0b3C94D66afCF6163d It seems to likely be the same scammer who did the Balance frontend attack recently. <a href="https://t.co/SovOGGn8GE">pic.twitter.com/SovOGGn8GE</a>&mdash; ZachXBT (@zachxbt) <a href="https://twitter.com/zachxbt/status/1710308430991286513?ref_src=twsrc%5Etfw">October 6, 2023</a></blockquote><script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script>
</div></figure>



Stolen funds have been directed to an <a href="https://etherscan.io/address/0x4103babcfa68e97b4a29fa0b3c94d66afcf6163d#tokentxns">Ethereum address</a>, which, at the time of writing, holds almost $75,000. The attack appears to be ongoing, with the last token transfer taking place at 12:30 pm ET.



The hacker appears to be using the same smart contract to execute his hacks across the different networks, X user <a href="https://twitter.com/FIP_Crypto">FIP Crypto</a> wrote.&nbsp;



FIP Crypto also recommended that users should revoke the smart contract on the 10 different chains that Galxe is deployed on, including Ethereum, Optimism, Arbitrum, BNB Chain, Base, Polygon, Avalanche, Fantom, Celo and Cronos.



<hr class="wp-block-separator has-alpha-channel-opacity"/>



Get the news in your inbox. Explore Blockworks newsletters:



<ul class="wp-block-list">
<li><a href="https://blockworks.co/newsletter/the-breakdown">The Breakdown</a>: Decoding crypto and the markets. Daily.</li>



<li><a href="https://blockworks.co/newsletter/0xresearch">0xResearch</a>: Alpha in your inbox. Think like an analyst. </li>
</ul>

Data breach

Galxe front-end compromised in possible ongoing attack

Shalini Nagarajan

Blockchain data analytics platform Nansen recently suffered a security incident that exposed some users&#8217; email addresses and passwords.



The breach appears to have originated from a third-party vendor whose system was compromised, allowing an attacker to obtain admin rights to an account used for granting customer access to Nansen.



Nansen CEO Alex Svanevik stated that the company became aware of the attack on Sept. 20. Initial investigations indicate that about 6.8% of its users are affected by the breach.



“These users had their email addresses exposed, a smaller portion also had password hashes exposed, and a last, smallest group also had their blockchain address exposed,” Svanevik <a href="https://twitter.com/nansen_ai/status/1705137387838574904">said</a> in an X post on Friday.



“We have informed our users via email if and how they’ve been affected,” he added.



<figure class="wp-block-embed is-type-rich is-provider-twitter wp-block-embed-twitter"><div class="wp-block-embed__wrapper">
<blockquote class="twitter-tweet" data-width="550" data-dnt="true">🚨 Important update from us at Nansen. Please take a moment to read this. <a href="https://t.co/syKE0sNnC6">pic.twitter.com/syKE0sNnC6</a>&mdash; Nansen 🧭 (@nansen_ai) <a href="https://twitter.com/nansen_ai/status/1705137387838574904?ref_src=twsrc%5Etfw">September 22, 2023</a></blockquote><script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script>
</div></figure>



A Nansen spokesperson declined to disclose the name of the vendor, but said it has asked them to communicate on the incident publicly in case others are affected.



Nansen contacted affected users via emails sent from its official support@nansen.ai email address on Sept. 21 between 5 pm and 9 pm UTC, instructing them to reset their passwords.



The team also informed users that while their passwords are not stored in plaintext, malicious attackers could still attempt to gain access to accounts using the compromised password and email address.



Data breaches have become increasingly frequent in the industry of late.



NFT platform OpenSea <a href="https://blockworks.co/news/opensea-warns-of-phishing-attacks-due-to-data-breach">told users about a data breach</a> in June last year when staff discovered that email addresses had been shared with an external party.



Last month, ConsenSys <a href="https://blockworks.co/news/metamask-security-breach-consensys-says">disclosed</a> that about 7,000 MetaMask users had their private information, including email addresses, compromised between Aug. 2021 and Feb. 2023.



Also in August, embattled crypto companies BlockFi and FTX also <a href="https://blockworks.co/news/block-ftx-data-breach-kroll">reported being indirectly impacted</a> by a cybersecurity breach related to third-party claims administration platform Kroll.



<hr class="wp-block-separator has-alpha-channel-opacity"/>



Get the news in your inbox. Explore Blockworks newsletters:



<ul class="wp-block-list">
<li><a href="https://blockworks.co/newsletter/the-breakdown">The Breakdown</a>: Decoding crypto and the markets. Daily.</li>



<li><a href="https://blockworks.co/newsletter/0xresearch">0xResearch</a>: Alpha in your inbox. Think like an analyst. </li>
</ul>

Nansen alerts users to security breach involving vendor

Sebastian Sinclair

Embattled crypto firms BlockFi and FTX said they have both been indirectly affected by a cybersecurity breach involving third-party claims administration platform Kroll.&nbsp;



BlockFi issued a statement on Wednesday attempting to assuage concerns that its internal systems and funds had not been affected by the breach that had occurred Tuesday. Kroll has reportedly confirmed unauthorized access to certain client data stored on its system.



Kroll is currently serving as the claims agent in the bankruptcy cases of both companies, facilitating the submission and administration of <a href="https://restructuring.ra.kroll.com/blockfi/">debtor claims</a> through <a href="https://restructuring.ra.kroll.com/FTX/EPOC-Index">online portals</a>.&nbsp;



&#8220;To be clear, BlockFi&#8217;s internal systems and client funds were not impacted,&#8221; BlockFi said in its <a href="https://twitter.com/BlockFi/status/1694844414294704547?s=20">statement</a>. “We understand this is frustrating. In the spirit of transparency, we wanted to make our clients aware of this incident before bad actors could utilize this information to clients&#8217; detriment.”



Defunct crypto exchange FTX announced a similar incident, which it said had occurred on Kroll’s platform and that its own system and account passwords had also not been affected.



In a <a href="https://twitter.com/FTX_Official/status/1694899217326608611?s=20">post</a> on X, formerly Twitter, FTX said non-sensitive customer data of claimants had been compromised. Kroll has since taken measures to contain and remediate the incident, per the statement.



“Kroll is notifying affected individuals directly with measures that customers can take to protect themselves,” FTX said.



<a href="https://blockworks.co/tag/ftx">FTX</a> collapsed late last year following allegations it had misappropriated customer funds through sister trading firm Alameda Research. BlockFi simultaneously fell victim to a liquidity crunch following its exposure to FTX through loans made to Alameda as well as funds trapped on FTX.



BlockFi is attempting to <a href="https://blockworks.co/news/blockfi-ftx-3ac-claims-creditor-funds">foil efforts</a> by FTX, as well as former Singapore-based hedge fund firm Three Arrows Capital, over claims to billions of dollars they say are owed to them by the former crypto lender.



Both companies advised clients Thursday to remain vigilant for attempted fraud, phishing attempts and scam emails impersonating parties connected to the security breaches.



<a href="https://blockworks.co/tag/blockfi">BlockFi</a> also warned of an expected uptick in spam phone calls and phishing attempts against other bankrupt crypto firms in the weeks and months ahead.



FTX and BlockFi said they were monitoring the situation. Blockworks attempted to contact Kroll but has so far received no response.



<hr class="wp-block-separator has-alpha-channel-opacity"/>



Get the news in your inbox. Explore Blockworks newsletters:



<ul class="wp-block-list">
<li><a href="https://blockworks.co/newsletter/the-breakdown">The Breakdown</a>: Decoding crypto and the markets. Daily.</li>



<li><a href="https://blockworks.co/newsletter/0xresearch">0xResearch</a>: Alpha in your inbox. Think like an analyst. </li>
</ul>

BlockFi

BlockFi, FTX downplay data breach involving claims administration platform Kroll

<div id="highlights-block_62e3bbeab713f" class="highlights">
 <ul>
 <li>The same data breach that affected OpenSea has affected Celsius</li>
 <li>Customer.io removed its employee responsible for email leaks</li>
 </ul>
 
</div>



Celsius users — look out for phishing attacks.&nbsp;



The cryptocurrency lender has warned customers that a data breach led to their emails being leaked.



Late Thursday, Celsius emailed users informing them that an employee at its email delivery vendor Customer.io accessed a list of client addresses and sent them to an unauthorized party.



The embattled firm said it didn’t consider the incident to pose “high risks,” and had been informed that no other Celsius-related data was compromised beyond identified email addresses.&nbsp;



<figure class="wp-block-embed is-type-rich is-provider-twitter wp-block-embed-twitter"><div class="wp-block-embed__wrapper">
<blockquote class="twitter-tweet" data-width="550" data-dnt="true">Announcement from Celsius: “We are writing to let you know that we were recently informed by our vendor<a href="https://t.co/452EROQtbc">https://t.co/452EROQtbc</a> that one of their employees accessed a list of Celsius client email addresses held on their platform and transferred those to a third-party.”&mdash; Celsians (@CelsiansNetwork) <a href="https://twitter.com/CelsiansNetwork/status/1552737193407533057?ref_src=twsrc%5Etfw">July 28, 2022</a></blockquote><script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script>
</div></figure>



About a month ago, collectibles platform <a href="https://cms.blockworks.co/opensea-warns-of-phishing-attacks-due-to-data-breach/" target="_blank" rel="noreferrer noopener">OpenSea warned users</a> that their email addresses were compromised in a similar leak. Customer.io was responsible for that incident too, since one of its employees abused their access. The vendor <a href="https://customer.io/blog/update-to-compromised-email-addresses-incident/" target="_blank" rel="noreferrer noopener">said</a> that the employee responsible had been terminated, had all access removed and was reported to law enforcement.



Celsius, aware that Customer.io was one of its vendors, said it proceeded to remove data held with the firm after the OpenSea episode. At the time, the vendor found no Celsius data involved in the breach.&nbsp;



But on July 8, Celsius was notified that it too had been affected by the same offender. In a <a href="https://customer.io/blog/update-to-compromised-email-addresses-incident/" target="_blank" rel="noreferrer noopener">statement</a>, Customer.io confirmed five clients apart from OpenSea were impacted by the email leaks. “We do not expect to learn any additional information since this incident resulted from the actions of a single employee, who had legitimate access to these email addresses as part of the employee’s job,” it added.



Celsius customers took to Twitter to express frustration over a stream of trouble they’ve had to face with the lender.&nbsp;



<figure class="wp-block-embed is-type-rich is-provider-twitter wp-block-embed-twitter"><div class="wp-block-embed__wrapper">
<blockquote class="twitter-tweet" data-width="550" data-dnt="true">Celsius is a total disaster. Leaking a list of customer emails is a nice cherry on top of the bankruptcy sundae. <a href="https://t.co/J9lqUSdhIA">pic.twitter.com/J9lqUSdhIA</a>&mdash; Asher (#361) (@Asher68W) <a href="https://twitter.com/Asher68W/status/1552746070899171328?ref_src=twsrc%5Etfw">July 28, 2022</a></blockquote><script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script>
</div></figure>



The firm is dealing with restructuring its assets after <a href="https://cms.blockworks.co/celsius-to-file-for-bankruptcy-imminently-report/" target="_blank" rel="noreferrer noopener">filing for bankruptcy</a> on July 13. A court document shows Celsius has $5.5 billion in liabilities and $4.3 billion in assets, leaving it with a <a href="https://cms.blockworks.co/celsius-faces-heat-for-1-2b-balance-sheet-hole-customers-owed-4-7b/" target="_blank" rel="noreferrer noopener">$1.2 billion hole</a> on its balance sheet.



And while Celsius has been quick to downplay the risk to its users, similar data breaches have shown that affected users have actually lost funds due to phishing attacks.&nbsp;



When hardware wallet manufacturer Ledger suffered a <a href="https://www.ledger.com/addressing-the-july-2020-e-commerce-and-marketing-data-breach" target="_blank" rel="noreferrer noopener">data leak</a> of its marketing database in July 2020, its users were targeted with devious scams designed to steal their cryptocurrencies.



Shopify, the e-commerce giant that Ledger used to sell its wallets, <a href="https://cointelegraph.com/news/shopify-facing-another-lawsuit-from-crypto-holders-over-ledger-data-breach" target="_blank" rel="noreferrer noopener">also came under attack</a> from users for “repeatedly and profoundly” failing to protect customer identities. Both firms were sued in April after victims lost some of their crypto assets.



<hr class="wp-block-separator has-alpha-channel-opacity"/>



Get the news in your inbox. Explore Blockworks newsletters:



<ul class="wp-block-list">
<li><a href="https://blockworks.co/newsletter/the-breakdown">The Breakdown</a>: Decoding crypto and the markets. Daily.</li>



<li><a href="https://blockworks.co/newsletter/0xresearch">0xResearch</a>: Alpha in your inbox. Think like an analyst. </li>
</ul>

Celsius

Celsius Admits Customer Emails Leaked In Third-Party Data Breach

<div id="highlights-block_62bd517a9613f" class="highlights">
 <ul>
 <li>A Customer.io employee shared email addresses with an unauthorized external party</li>
 <li>OpenSea warned users of fraudsters trying to impersonate the platform by using fake domain names</li>
 </ul>
 
</div>



Collectibles platform OpenSea has alerted customers to a data breach after staff found email addresses were shared with an external party.



Head of Security Cory Hardman said in a <a href="https://opensea.io/blog/safety-security/important-update-on-email-vendor-security-incident/" target="_blank" rel="noreferrer noopener">blog</a> post on Wednesday that an employee of <a href="https://customer.io/">Cust</a><a href="https://customer.io/" target="_blank" rel="noreferrer noopener">o</a><a href="https://customer.io/">mer.io</a>, OpenSea’s email delivery vendor, abused their access by downloading and externally sharing customer data.&nbsp;



“If you have shared your email with OpenSea in the past, you should assume you were impacted,” he wrote. “We are working with Customer.io in their ongoing investigation, and we have reported this incident to law enforcement.”



The company further warned customers might face phishing attacks&nbsp;— attempts by cybercriminals posing as credible institutions with an aim to obtain sensitive information — by using a domain name similar to the official “opensea.io,” such as “opensea.org” or “opensae.io.”



<a href="https://twitter.com/econoar/status/1542343306704732162?s=20&amp;t=Uf4dK_Yi0L8D7GG73hfZ6Q" target="_blank" rel="noreferrer noopener">Screenshots</a> posted to Twitter show OpenSea notified customers about the data breach via email. Some users <a href="https://twitter.com/Didzis68904323/status/1542363159230652416" target="_blank" rel="noreferrer noopener">demanded</a> compensation.



<figure class="wp-block-embed is-type-rich is-provider-twitter wp-block-embed-twitter"><div class="wp-block-embed__wrapper">
<blockquote class="twitter-tweet" data-width="550" data-dnt="true">OpenSea data breach. <a href="https://t.co/FEtDKsoHje">pic.twitter.com/FEtDKsoHje</a>&mdash; eric.eth (@econoar) <a href="https://twitter.com/econoar/status/1542343306704732162?ref_src=twsrc%5Etfw">June 30, 2022</a></blockquote><script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script>
</div></figure>



Customer.io told Blockworks that the employee in question has been suspended and had access removed, pending an internal investigation. &#8220;We are working closely with OpenSea and are reviewing exactly how these email addresses were compromised,&#8221; a spokesperson for the vendor company said.



A similar incident occurred in March, when hackers <a href="https://cms.blockworks.co/nydig-blockfi-pantera-circle-all-targeted-in-hubspot-data-breach/" target="_blank" rel="noreferrer noopener">breached</a> third-party marketing vendor HubSpot to target large crypto stakeholders. NYDIG, Pantera Capital, <a href="https://twitter.com/BlockFi/status/1504982848771608586?s=20&amp;t=nEdl35DgSTJHl-INlo8Z_g" target="_blank" rel="noreferrer noopener">BlockFi</a>, Circle and <a href="https://twitter.com/SwanBitcoin/status/1505261139571191813?s=20&amp;t=Cod2RQU8PdmBbXcAxeuF-A" target="_blank" rel="noreferrer noopener">Swan Bitcoin</a> were among the affected companies.



OpenSea found itself in a sea of trouble thanks to another incident prior the data breach. The Department of Justice earlier this month charged its former head of product, Nathaniel Chastain, with <a href="https://cms.blockworks.co/former-opensea-exec-charged-with-nft-insider-trading/" target="_blank" rel="noreferrer noopener">insider trading</a> in connection to non-fungible tokens (NFTs). He was charged with one count of wire fraud and another count of money laundering.



Chastain <a href="https://cms.blockworks.co/openseas-nate-chastain-calls-it-quits-after-insider-trading-allegations/" target="_blank" rel="noreferrer noopener">resigned</a> from his position at OpenSea in September after he was suspected of profiting from inside information and purchasing NFTs before they were posted publicly.



OpenSea remains the leading marketplace by volume by a wide margin, with over six times the sales of the second-largest NFT marketplace over the past 30 days, according to data from <a href="https://dappradar.com/nft/marketplaces" target="_blank" rel="noreferrer noopener">DappRadar</a>.



<hr class="wp-block-separator has-alpha-channel-opacity"/>



Get the news in your inbox. Explore Blockworks newsletters:



<ul class="wp-block-list">
<li><a href="https://blockworks.co/newsletter/the-breakdown">The Breakdown</a>: Decoding crypto and the markets. Daily.</li>



<li><a href="https://blockworks.co/newsletter/0xresearch">0xResearch</a>: Alpha in your inbox. Think like an analyst. </li>
</ul>

Cory Hardman

OpenSea Warns of Phishing Attacks Due to Data Breach

Morgan Chittum

<div id="highlights-block_6238b83c95784" class="highlights">
 <ul>
 <li>Around 30 clients were impacted, but the full list has not been released yet from HubSpot, nor is the precise nature of the data known</li>
 <li>Companies known to be affected said customer funds are still safe and secure</li>
 </ul>
 
</div>



In an attempt to target large crypto stakeholders, hackers breached third-party marketing vendor <a href="https://www.hubspot.com/en-us/march-2022-security-incident." target="_blank" rel="noreferrer noopener">HubSpot</a> last week.



NYDIG, Pantera Capital, <a href="https://twitter.com/BlockFi/status/1504982848771608586?s=20&amp;t=nEdl35DgSTJHl-INlo8Z_g" target="_blank" rel="noreferrer noopener">BlockFi</a>, Circle and <a href="https://twitter.com/SwanBitcoin/status/1505261139571191813?s=20&amp;t=Cod2RQU8PdmBbXcAxeuF-A" target="_blank" rel="noreferrer noopener">Swan Bitcoin</a> were among those hit by the data breach, per outreach emails reviewed by Blockworks. Affected companies maintain customer funds are still safe and secure. User information was leaked to hackers, but passwords and other sensitive personal information were not. 



HubSpot — which stores users’ names, email addresses and phone numbers — said that the breach was a “targeted incident focused on customers in the cryptocurrency industry.”



One “bad actor,” according to a spokesperson from HubSpot, had “compromised a HubSpot employee account” to access the information. Around 30 clients were impacted, all of whom have been informed.



“We have terminated access for the compromised HubSpot employee account and removed the ability for other employees to take certain actions in customer accounts,” the Massachusetts-based company said in an email to Blockworks. “We take the privacy of our customers and their data incredibly seriously.”



Adam Healy, chief security officer at BlockFi, said that vendors like HubSpot who are “trusted with client information” are “subjected to a number of reviews.”&nbsp;



“However, even in those cases, vendors can make mistakes and as evidenced by Friday&#8217;s events have incidents that impact us and our clients,” Healy said in a statement sent to Blockworks.&nbsp;



Circle, the financial services firm that issued the dollar-linked stablecoin, said in a statement to Blockworks that financial transaction data was not “impacted by the security incident.”&nbsp;



“We have communicated with the affected parties and will follow up with them on any material developments as we continue to monitor and investigate the incident,” a Circle spokesperson told Blockworks.



<blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow">“Sensitive personal information, like Social Security numbers or government-issued identification, were not accessed as this information is not stored on HubSpot.”</blockquote>



Pantera Capital said that its HubSpot account had been <a href="https://twitter.com/PanteraCapital/status/1362140521800622080?s=20&amp;t=vQKoYhpK4bHoFjtc9V2KjQ" target="_blank" rel="noreferrer noopener">compromised last month.</a> The crypto VC firm sent out an email on March 19, assuring clients that their funds were still secure. 



Events like the HubSpot hack are “impossible to avoid” but pale in comparison to “traditional companies,” Greg Gopman, chief marketing and business development officer of Web3 infrastructure company Ankr, told Blockworks.



“There’s a good chance that a traditional company would have lost its customers&#8217; funds in such a broad attack,” Gopman said. “But the blockchain is way more secure, and their treasuries weren’t even touched. Decentralized infrastructure protects data.”



The full extent of the HubSpot hack is still unclear, however, because the company hasn&#8217;t disclosed exactly how much data was leaked. The investigation is ongoing.



<hr class="wp-block-separator has-alpha-channel-opacity"/>



Get the news in your inbox. Explore Blockworks newsletters:



<ul class="wp-block-list">
<li><a href="https://blockworks.co/newsletter/the-breakdown">The Breakdown</a>: Decoding crypto and the markets. Daily.</li>



<li><a href="https://blockworks.co/newsletter/0xresearch">0xResearch</a>: Alpha in your inbox. Think like an analyst. </li>
</ul>

Data breach

Newsletter

Blockworks Research