This is Paul, CEO of Guarda.
Today, I wanted to personally inform you of a recent security incident and the data breach that affected Guarda Wallet.
On the 30th of December 2020, we became the victim of an attack on the domain hosting provider “GoDaddy”, which manages our core domain names. Supposedly, it is related to this security breach at “GoDaddy”: GoDaddy Employees Used in Attacks on Multiple Cryptocurrency Services
We believe that they incorrectly transferred control of the account and domains to a scammer. This gave the scammer the ability to change DNS records, and this person was able to redirect our domains to a fake login form.
How exactly did that happen?
At 11:55 AM UTC+3, two-factor authentication was disabled on our main “GoDaddy” account. According to the GoDaddy logs, there was no login prior to that. Following that, the email address and the phone number were changed, as well as the access PIN. On the screenshot below you can see how I, Paul Sokolov, last logged into our account on December 2; then, on the 30th of December, you can see the 2FA being removed without a login (password input) event, and right after that all the credentials to the account were changed.
Right after our account was hijacked, the DNS records for the domains guarda.co and guarda.com were changed; the new records pointed to a phishing website that only had a backup upload form on it, designed to look exactly like our homepage.
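From the outside, a registrar-level takeover like the one described above shows up as a sudden change in a domain's NS and A records. The script below is an added example written for this page, not code from Guarda or its engineers: it pins the records an operator expects for each domain and reports any drift, including a move to nameservers of a provider the operator never used. All nameserver names, IP addresses and the "hijacked" snapshot are constructed for illustration and are not the real values from the incident.

```python
"""DNS drift monitor: compare observed records for a domain with a pinned baseline.

Added example for this page (not Guarda's code). Every domain, nameserver and
address below is constructed; adjust BASELINE to the records you actually expect.
"""
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class ZoneSnapshot:
    """Records observed for one domain at one point in time."""
    a: frozenset   # A records (IPv4 addresses as strings)
    ns: frozenset  # authoritative nameserver hostnames


def ns_provider(nameserver: str) -> str:
    """Rough registrable-domain of a nameserver: 'ns1.foo.com.' -> 'foo.com'.

    Good enough to tell 'moved to a different DNS provider' from 'same provider,
    different host'; it does not handle multi-label public suffixes (e.g. .co.uk).
    """
    labels = nameserver.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def diff_zone(expected: ZoneSnapshot, observed: ZoneSnapshot) -> list:
    """Return human-readable findings describing how observed differs from expected."""
    findings = []
    if not observed.ns and not observed.a:
        # Resolution failed entirely: the zone was removed, or our resolver was cut off.
        findings.append("no records resolved (zone unreachable or removed)")
        return findings
    if observed.ns != expected.ns:
        findings.append(f"NS changed: expected {sorted(expected.ns)}, observed {sorted(observed.ns)}")
        new_providers = {ns_provider(n) for n in observed.ns} - {ns_provider(n) for n in expected.ns}
        if new_providers:
            # The pattern from the incident: the attacker re-pointed the domain at a
            # DNS provider account the legitimate owner does not control.
            findings.append(f"NS moved to unexpected provider(s): {sorted(new_providers)}")
    if observed.a != expected.a:
        findings.append(
            f"A changed: added {sorted(observed.a - expected.a)}, removed {sorted(expected.a - observed.a)}"
        )
    return findings


def check_zones(baseline: dict, observed: dict) -> dict:
    """Return {domain: [findings]} for every baseline domain that drifted."""
    report = {}
    for domain, expected in baseline.items():
        snap = observed.get(domain, ZoneSnapshot(frozenset(), frozenset()))
        findings = diff_zone(expected, snap)
        if findings:
            report[domain] = findings
    return report


def observe_a_records(domain: str) -> frozenset:
    """Live A-record lookup with the standard library only.

    The stdlib cannot query NS records; use a DNS library (e.g. dnspython) for those.
    Returns an empty set when resolution fails so the caller treats it as a finding.
    """
    try:
        infos = socket.getaddrinfo(domain, None, socket.AF_INET)
    except socket.gaierror:
        return frozenset()
    return frozenset(info[4][0] for info in infos)


# Constructed baseline: the records pinned while the registrar account was intact.
BASELINE = {
    "guarda.com": ZoneSnapshot(a=frozenset({"203.0.113.10"}),
                               ns=frozenset({"ns1.dns-host.example", "ns2.dns-host.example"})),
    "guarda.co": ZoneSnapshot(a=frozenset({"203.0.113.10"}),
                              ns=frozenset({"ns1.dns-host.example", "ns2.dns-host.example"})),
}

# Constructed "hijacked" snapshot: both domains re-pointed at nameservers on a
# provider the operator never used, with A records now at the phishing host.
HIJACKED = {
    "guarda.com": ZoneSnapshot(a=frozenset({"198.51.100.77"}),
                               ns=frozenset({"ada.ns.cloudflare.com", "bob.ns.cloudflare.com"})),
    "guarda.co": ZoneSnapshot(a=frozenset({"198.51.100.77"}),
                              ns=frozenset({"ada.ns.cloudflare.com", "bob.ns.cloudflare.com"})),
}


if __name__ == "__main__":
    for name, notes in check_zones(BASELINE, HIJACKED).items():
        print(name)
        for note in notes:
            print("  -", note)
```

Run it from a scheduler against live lookups (observe_a_records for A records, a resolver library for NS) and page on any non-empty report. A monitor like this only detects the redirection after the fact; it cannot prevent a takeover of the registrar account itself, which is why the account's recovery controls matter as much as its password and 2FA.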
How did we handle it?
Almost immediately we notified everybody in our official channels on Twitter, Facebook and Telegram to avoid using our apps until further notice.
In a matter of 30 minutes, we sent all the necessary documents to “GoDaddy” in order to restore access to the account. I was on the phone with their support center, begging them to park the domains at least for the time they were processing our inquiry. Unfortunately, no assistance or solution came from the “GoDaddy” team.
The Guarda team has filed a statement with the Estonian Cyber Police Unit and Financial Police Unit to start the investigation and help us take action.
While awaiting a follow-up from “GoDaddy”, we also tried to block access to the domain via “Cloudflare”; this turned out to be pointless, as the scammer had connected the domains to their own “Cloudflare” account.
Thanks to our engineers, we were able to slow down and temporarily disable the phishing web page to prevent most of the possible thefts. For almost 90% of the time the domains were under the hijacker's control, their phishing website returned an error.
Around 9 PM UTC+3, we were able to restore access to our “GoDaddy” account and immediately changed the DNS records back. After making sure that it was safe to use, we notified everyone on social media.
What personal information may have been accessed?
None of our internal resources were compromised; only the domains and subdomains of guarda.co and guarda.com were affected.
We believe the scammer was able to obtain the addresses and private keys of the users who nevertheless uploaded their backup on desktop, web, or the Chrome extension. Mobile app users, however, only experienced transaction delays, because some of the app's resources are stored on the subdomains, which made our APIs unavailable.
- The investigation has started
- We are closely communicating with Estonian Police in order to track this person
- We are gathering the list of all who may have suffered, their addresses, and the amount of lost funds
- We are preparing an appeal to “GoDaddy” on the ongoing investigation
- Directly contacted all the major exchanges so that the addresses to which the fraudster withdrew the funds are added to their blacklists
- Filed documents and addresses with blockchain monitoring companies to get the fraudster's addresses onto blocklists
What should be done?
If you think that your funds have been stolen:
- Reach out to our support team by submitting a ticket at our support center
- In your ticket you need to provide all the amounts and the addresses, and/or transaction hash
- Explicitly state that you agree to report the incident to the police; this will help a lot. If you have already submitted the form, please mention your consent in your ticket
- On Jan 4 we'll provide a template according to which you need to fill in the information for the police
- Subscribe to our social media (Twitter, Telegram); we will regularly post updates on the status of your applications
As a precautionary measure, and consistent with ordinary good practice, we recommend creating a new wallet for every coin you use, transferring your funds to it, and re-saving the backup with a new strong password.
For further information and assistance in connection with this incident please contact firstname.lastname@example.org
Is there a way to get stolen funds back?
As of right now, we collect all the information about those who got affected by this attack in order to estimate all the lost funds.
As soon as we receive all the information we’ll get back to everybody with further steps.
If you are willing to join the class action lawsuit, you need to mention this to our support team when you submit the ticket and provide all the necessary data.
We have always been proud of our security system, and indeed our own resources stayed intact. That is why we are extremely sad that the attack fell on what we had assumed to be a reliable partner. Taking into account what has already happened to other crypto projects earlier, we have decided to stop using this service. However, we need to raise the security bar even higher to prevent the possibility of such an event in the future.
We are deeply sorry for the loss of confidence in us that you may have experienced. We promise to become even better, stronger, and more secure than ever.
We promise to give more news on January 11th; by that time we will have a lot more information on this incident.
Thank you for your continued support of Guarda, and even though we are all in sad circumstances, we hope that the next year will put everything in its place, where it belongs. Our team wishes you a Happy New Year.