When financial advisor Paul de Klerk created a Gala Games account early last month, all he had in mind was to play their hit P2E game, Town Star. By the end of the month, he had even purchased around $122,000 worth of NFTs for the game. Unfortunately, when he logged into his MetaMask wallet on Sunday, January 23, it was completely wiped out. This prompted him to check his Gala Games account. To his dismay, someone had hacked his Gala Games account and transferred all his ETH, LooksRare, Gala and Town tokens, as well as NFTs, to their own wallet.
The value of the stolen NFTs, based on the market value at the time, amounted to $200,940, Paul told NFTevening.
“It was definitely my Gala account that was hacked, because the hacker made the transfers from within Gala,” he explained. “They even minted my ‘treasure chest’ earnings to the blockchain which can only be done within Gala.”*
*The quotes have been condensed and edited for clarity.
Lack of support from Gala Games
At the time, Paul did what everyone else would do in his situation—he reached out to Gala Games for support. Unfortunately, the company offered little to no help, Paul alleged. Gala Games’ email response to Paul advised him to set up a new Gala wallet and detailed the steps for the same. They also suggested setting up two-factor authentication (2FA)—something Paul attempted to do way before his account was hacked. But, even after multiple attempts, the 2FA setup failed to accept his Gala account password. The company offered no help in fixing this issue either, he claims.
“What I find most disappointing is the lack of empathy or response from Gala,” Paul said. “It’s unbelievable to me that they think I would open another Gala account when they showed zero concern about this hack.”
Alarmingly, Paul is not the only victim of the Gala Games hack. Neither is he the only one who is disheartened due to the lack of support and acknowledgement from the company. In fact, a group of victims have come together to create a support group on Discord for those whose Gala Games accounts have been hacked.
“Despite best efforts to reach out, support [from Gala Games] has been less than forthcoming,” the Discord server notes in its about channel. “That’s why we need a support group, not just to help each other feel better after our losses but also to push Gala into action.”
The group currently has over 50 members.
As many as 179 unique wallets hacked
As a first step, the group compiled a ‘Gala Hacks and Security Report’, detailing all Gala Games hacks to date. Based on the report (examined by NFTevening), 179 unique wallets have been hacked as of January 27. The number of GALA tokens stolen? 5,246,982. (The losses do not take into account ETH, TownCoins, and NFTs). At the time of writing, GALA was trading at $0.20.
Essentially, the group members tracked hacker wallet addresses based on the reports of the victims of the hack posted on the official Gala Discord server. The first reported hack dates as far back as September 19, 2021. They then cross-verified the addresses with reports by multiple victims. This way, they have identified as many as six hacker wallets.
Some of these have hacked over 50 unique wallets, stealing around 188,591 GALA tokens. The report also notes the number of unique wallets hacked by each hacker wallet, the corresponding transaction hashes, and the total GALA stolen.
Accounts hacked despite enabling 2FA
One among the victims is txawjteeb, who lost 136,930.25 GALA in the hack. “I had 2FA on as well and I had my VPN turned on but was hacked Twice,” the report quoted them as saying. Another victim, aaron96789, lost 671,852.9 GALA.
Some users have also lost NFTs worth thousands of dollars. One user, who requested anonymity, lost several NFTs worth around $20,000 each. They are a regular player of Town Star and have earned both GALA coins and Town tokens as rewards. In addition, they owned several NFTs of Mirandus, another blockchain game from Gala Games. Days back, a hacker stole their NFTs as well as rewards.
“I had a transfer code for transfer coins and I had 2FA enabled, but it turned out that my 2FA got disabled without my knowledge,” they told NFTevening. “So the hacker can move my rewards from the treasure chest to the ETH chain and then transfer them.”
‘We are silenced, banned, and labelled as FUD’
Naturally, the victims raised support tickets on Gala Games. The response from Gala Games was quite similar to what Paul received—help get a new wallet and link it to the account. Several users have also alleged that they are yet to hear back from the firm.
“When I or others try to follow up on our tickets in Discord, we are silenced, banned, and labelled as FUD while trying to seek help,” a Gala Games user, who goes by the name ‘Da Boss’, told NFTevening. Da Boss had just created their Gala Games account in early December when their account was hacked. They consider themselves “extremely lucky” that at the time there was only 85 GALA in their account.
“They are aware their players are being hacked and downplay the events as the users’ fault,” Da Boss added. “After pushing the issue, I was informed there have been no breaches on their behalf…”
How has Gala Games responded?
Gala Games is yet to publicly acknowledge any hacks on their website. While many users reported their accounts getting hacked on the official Gala Games Discord server, the staff initially maintained that the website was not hacked. Their email responses also narrated the same story—that the breaches likely happened because users clicked on malicious links, did not set up 2FA, or because they installed fake applications.
Here’s one such response a user received from the company:
“The most common way people compromise their wallet is when they import the seed phrase/private key to a web3 provider, and interact with a malicious site, or fake application. Recently we had a few users who downloaded a fake Town Star app for example. Ultimately only you know what you did, we can only offer the tools for good security practices.”
But, allegedly, none of the victims clicked on any suspicious links sent via DMs or fell prey to phishing attacks. Besides, several users got hacked despite enabling 2FA.
Interestingly, last month, Gala Games’ Mirandus VOX avatar mint had faced allegations of a hack. Basically, someone was able to effortlessly redeem Vox avatars and was “too successful” with “random mint pulls”. While Gala Games put out an official statement, they denied any hacks and claimed that the issue was due to “some fundamental weakness” with Ethereum. However, as per the Gala Hacks Report, at least two people reported their accounts getting hacked either during or shortly after the Vox mint.
In a turn of events, on January 19, VeraAwesome, a moderator in the official Gala Discord, stated that “a player with over a million dollars worth of NFTs was hacked” (screenshot below). Nonetheless, the company is yet to make any official statements.
Security issues with the website?
The Gala Hacks Report has also identified several security issues with the Gala Games account that may have resulted in the hacks. For one, enabling 2FA is not a mandatory requirement. Secondly, there is no IP-based login confirmation. In other words, the website neither alerts the user nor temporarily blocks the account when a new IP location tries to access the account, the report alleged. Similarly, there is no security measure to alert users in the event of any unauthorized changes to account details like email, phone number, or 2FA. In addition, Gala Games allows users to download private keys from the Gala website.
“This effectively makes the private keys less secure since a user’s login credentials are all it takes to gain complete and permanent access to a user’s wallet,” the report added. “Furthermore, if these private keys are stored on Gala’s database, it opens up the possibility for more security vulnerabilities.”
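The controls the report says are missing (confirmation of logins from a new IP, and alerts on changes to email, phone number, 2FA, or private key downloads) can be expressed as a small policy check over account events. This is an added example, not code from Gala Games or from the report; the event names, the `review` function, and the sample events are constructed for illustration.

```python
# Account actions the owner should always hear about (taken from the report's list).
SENSITIVE = {"email_changed", "phone_changed", "2fa_disabled", "private_key_exported"}

# Constructed sample events: (account, event, source IP). Not real platform data.
EVENTS = [
    ("alice", "login", "198.51.100.7"),
    ("alice", "login", "198.51.100.7"),
    ("alice", "login", "203.0.113.50"),            # IP never seen for alice
    ("alice", "2fa_disabled", "203.0.113.50"),
    ("alice", "private_key_exported", "203.0.113.50"),
    ("bob", "login", "192.0.2.10"),
    ("bob", "email_changed", "192.0.2.10"),
]


def review(events):
    """Return (account, action, event, ip) decisions for an ordered event stream.

    action is one of:
      confirm - login from an unconfirmed IP; ask the owner out of band
      block   - sensitive change attempted from an unconfirmed IP
      notify  - sensitive change from a confirmed IP; still alert the owner
    """
    trusted = {}  # account -> set of IPs the owner has confirmed
    decisions = []
    for account, event, ip in events:
        ips = trusted.setdefault(account, set())
        if event == "login":
            if not ips:
                ips.add(ip)  # assumption: first login at sign-up sets the baseline
            elif ip not in ips:
                decisions.append((account, "confirm", event, ip))
        elif event == "ip_confirmed":
            ips.add(ip)  # owner approved this IP through a separate channel
        elif event in SENSITIVE:
            action = "notify" if ip in ips else "block"
            decisions.append((account, action, event, ip))
    return decisions


if __name__ == "__main__":
    for decision in review(EVENTS):
        print(*decision)
```

With this policy, a 2FA change or key export from an unconfirmed IP is held rather than silently applied, and the same change from a known IP still produces a notice to the owner.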
The distressed victims have several questions to ask Gala Games. First of all, does the company have any plans to collect the data from the victims and investigate how the hacks are taking place? Secondly, with at least one report stating that the hackers may still be playing games on the platform, can the company either pressure them into returning the funds or freeze their accounts?
“I don’t understand why Gala wouldn’t, as a gesture of goodwill, gift us new NFTs that have been stolen from us?” Paul asked. “It would cost them nothing to do so and there are other projects who have done this.”
NFTevening has reached out to Gala Games for comments. At the time of going to press, we have not received any responses. We will update this story with their response, if any.