{"id":34369,"date":"2021-01-05T18:21:17","date_gmt":"2021-01-05T16:21:17","guid":{"rendered":"https:\/\/forklog.com\/en\/?p=34369"},"modified":"2025-08-28T20:10:22","modified_gmt":"2025-08-28T17:10:22","slug":"hackers-steal-from-guarda-wallet-users-after-taking-control-of-its-domain","status":"publish","type":"post","link":"https:\/\/forklog.com\/en\/hackers-steal-from-guarda-wallet-users-after-taking-control-of-its-domain\/","title":{"rendered":"Hackers steal from Guarda Wallet users after taking control of its domain"},"content":{"rendered":"<p>On December 30, 2020, the multi-currency non-custodial wallet Guarda suffered an attack involving DNS-record tampering. The project team blames GoDaddy, the hosting provider.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p dir=\"ltr\" lang=\"en\">The official statement regarding the security incident on December 30, 2020, <a href=\"https:\/\/t.co\/wGFJ6YeD0Z\">https:\/\/t.co\/wGFJ6YeD0Z<\/a><\/p>\n<p>\u2014 Guarda (@GuardaWallet) <a href=\"https:\/\/twitter.com\/GuardaWallet\/status\/1345195801585319938?ref_src=twsrc%5Etfw\">January 2, 2021<\/a><\/p>\n<\/blockquote>\n<p>According to Guarda representatives, GoDaddy staff handed over control of the account and the domains [guarda.co and guarda.com] to the attackers, allowing them to redirect users to a fake wallet backup download page.<\/p>\n<p>Guarda asked GoDaddy to suspend the domains until access was restored, but this did not happen. The project\u2019s engineers attempted to slow down the phishing site. According to them, the phishing form was unavailable for 90% of the time the domains were under the attackers\u2019 control.<\/p>\n<p>Guarda is cooperating with the Estonian police. The project is considering filing a class-action lawsuit against GoDaddy and cites an investigation by cybersecurity expert Brian Krebs from November 21. 
It says GoDaddy staff fell victim to several phishing attacks \u2014 attackers obtained their admin credentials to access other sites.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p dir=\"ltr\" lang=\"en\">Exclusive: Fraudsters changed the email and DNS records for a number of cryptocurrency trading platforms this week, after successfully social engineering employees at GoDaddy, the world\u2019s largest domain name registrar. <a href=\"https:\/\/t.co\/LYCdowb71Q\">https:\/\/t.co\/LYCdowb71Q<\/a> <a href=\"https:\/\/t.co\/vlbSPsxPwI\">pic.twitter.com\/vlbSPsxPwI<\/a><\/p>\n<p>\u2014 briankrebs (@briankrebs) <a href=\"https:\/\/twitter.com\/briankrebs\/status\/1330214272111173634?ref_src=twsrc%5Etfw\">November 21, 2020<\/a><\/p>\n<\/blockquote>\n<p>Around 100 people filed tickets with support, according to a Guarda publication from January 4. Some of them were dissatisfied that they did not receive an email notification about the attack, which, in their view, would have minimised the damage.<\/p>\n<p>The attackers moved the stolen assets into Ethereum and swapped them for Bitcoin via the decentralized exchange Uniswap. 
Some funds, the project team says, were reportedly traced on centralized exchanges.<\/p>\n<p>ForkLog managed to identify some addresses to which the attackers transferred funds.<\/p>\n<ul>\n<li><a href=\"https:\/\/www.blockchain.com\/btc\/address\/bc1qr8zh082aduw29ea7wj0y96wzzt74368wy7zjfy\" target=\"_blank\" rel=\"noopener noreferrer\">Bitcoin<\/a> (over 26 BTC);<\/li>\n<li><a href=\"https:\/\/etherscan.io\/address\/0x754686e8a18e48af7ba0acedd26a174d2ec95acb\" target=\"_blank\" rel=\"noopener noreferrer\">Ethereum<\/a> (over 200 ETH);<\/li>\n<li><a href=\"https:\/\/etherscan.io\/address\/0x71Be2CF5003756fc53e177EeACF872cd79b8203b\" target=\"_blank\" rel=\"noopener noreferrer\">USDT ERC-20<\/a> (over 200 ETH).<\/li>\n<\/ul>\n<p>The service has already presented a plan to compensate for the losses:<\/p>\n<ul>\n<li>If a user lost up to $2,000, they will be refunded the full amount in Bitcoin or the stolen cryptocurrency. An alternative option contemplates a payment of $4,000 in Guarda tokens with a three-year vesting;<\/li>\n<li>If a user lost between $2,000 and $10,000, they will be refunded 50% in Bitcoin or offered double the amount in tokens with a three-year vesting;<\/li>\n<li>If a user lost more than $10,000, they will be refunded 20% in Bitcoin or offered an equivalent of the lost amount plus 50% in tokens with a three-year vesting.<\/li>\n<\/ul>\n<p>The tokens will be issued by March 2021; redemptions will be funded from a dedicated fund.<\/p>\n<p>Earlier, we reported on the major hacks of 2020 in the cryptocurrency industry.<\/p>\n<blockquote class=\"wp-embedded-content\" data-secret=\"2dGDFq1qes\">\n<p><a href=\"https:\/\/forklog.com\/en\/news\/the-major-hacks-of-2020-defi-exchanges-and-defi-again\">The major hacks of 2020: DeFi, exchanges and DeFi again<\/a><\/p>\n<\/blockquote>\n","protected":false},"excerpt":{"rendered":"<p>On December 30, 2020, the multi-currency non-custodial wallet Guarda suffered an attack involving DNS-record tampering. 
The project team blames GoDaddy for the incident.<\/p>\n","protected":false},"author":1,"featured_media":34370,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"1","news_style_id":"1","cryptorium_level":"","_short_excerpt_text":"","creation_source":"","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[3],"tags":[1154],"class_list":["post-34369","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-and-analysis","tag-crimes"],"aioseo_notices":[],"amp_enabled":true,"views":"60","promo_type":"1","layout_type":"1","short_excerpt":"","is_update":"","_links":{"self":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/34369","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/comments?post=34369"}],"version-history":[{"count":1,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/34369\/revisions"}],"predecessor-version":[{"id":34371,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/34369\/revisions\/34371"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media\/34370"}],"wp:attachment":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media?parent=34369"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/categories?post=34369"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/tags?post=34369"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}