
Galxe Protocol Suffers DNS Hijack: Angel Drainer Exploit Steals Over $150,000 in User Assets

The Web3 credential platform Galxe fell victim to a sophisticated DNS hijacking attack on October 6, 2023, resulting in the theft of more than $150,000 worth of user assets. The breach, executed through the domain registrar Dynadot, redirected unsuspecting users to a malicious version of the Galxe website equipped with the Angel Drainer wallet-draining toolkit.

At the time of the attack, Bitcoin traded at approximately $27,946 while Ethereum sat at $1,645, meaning the total losses — while devastating for those affected — represented a fraction of the broader market’s daily volume. Yet the incident served as yet another stark reminder that decentralized platforms remain vulnerable to centralized points of failure at the infrastructure layer.

The Exploit Mechanics

The attackers gained control of Galxe's Domain Name System (DNS) records through the protocol's account at Dynadot, the registrar managing its web presence. From there they rewrote the records so that the legitimate Galxe domain resolved to an attacker-controlled server hosting a cloned interface. To the average user the clone was indistinguishable from the genuine platform, and the browser gave no warning: the address bar showed the real domain, and because domain-validated TLS certificates are issued to whoever controls a domain's DNS, a registrar-level takeover can come with a valid padlock as well.

The malicious site embedded Angel Drainer, a well-known wallet-draining toolkit that has been linked to multiple high-profile thefts throughout 2023. When users connected their wallets and confirmed what looked like routine actions, such as claiming credentials or joining campaigns, the prompts were in fact token approvals or similar authorizations granting attacker-controlled addresses the right to move the user's assets. The drainer then used those grants to pull tokens straight out of the connected wallets; no further action by the victim was required.

One user reported losses exceeding $100,000, while multiple other victims reported smaller but still significant thefts. The wallet linked to the exploit funneled stolen assets through a series of intermediary addresses, a common laundering technique designed to complicate tracing efforts.

Affected Systems

The breach targeted Galxe's front-end website rather than the protocol's underlying smart contracts. The distinction matters: the on-chain components were untouched and no contract vulnerability was involved. The contracts simply did what they were asked to do, which is the whole problem, since an approval obtained by deception is identical on-chain to one the user meant to give. The attack exploited the centralized DNS layer, a persistent weak point for Web3 applications that still reach their users through traditional internet infrastructure.

Galxe, which provides credential issuance, campaign management, and community-building tools for Web3 projects across DeFi, NFTs, and other sectors, immediately took its website offline upon detecting the breach. The platform’s native token, GAL, dropped over 2% to $1.1587 following the disclosure, compounding an existing 14-day decline of 13.5%.

The Mitigation Strategy

Galxe responded swiftly, issuing urgent warnings across its official communication channels, including X (formerly Twitter). The protocol advised all users to take three immediate precautions: do not connect wallets to the platform, do not sign any transactions, and disconnect any previously connected wallets until the situation was resolved.

The team worked with Dynadot to restore the correct DNS configuration and audited the security settings on its registrar account. It also added safeguards, including stronger two-factor authentication requirements and regular DNS monitoring to detect unauthorized changes in near real time. Monitoring is detective rather than preventive: it shortens the window in which a hijacked domain serves the drainer, but the controls that actually block a change live at the registrar, such as account 2FA, registrar lock and change notifications.
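The kind of DNS drift check described above, as an added example rather than Galxe's or Dynadot's own tooling. It baselines the record sets an operator cares about, diffs them against what a resolver returns, and ranks a delegation (NS) change as the most serious because that is a registrar-level event. The `lookup` callable is an assumption: in production it would wrap dnspython's `dns.resolver.resolve()`, but here two constructed in-memory zones stand in so the script runs offline. Every name and address below is a placeholder, not one of Galxe's real records.

```python
"""Baseline-and-diff DNS monitor (added example; not Galxe's or Dynadot's code).

Assumes a resolver callable `lookup(name, rtype) -> list[str]`. Here constructed
in-memory zones replace a live resolver so the script runs offline.
"""
import ipaddress
from dataclasses import dataclass

# Constructed baseline: the record sets the operator expects. Placeholder values.
BASELINE = {
    ("app.example.com", "A"):     ["203.0.113.10", "203.0.113.11"],
    ("app.example.com", "CNAME"): [],                       # must stay un-aliased
    ("example.com", "NS"):        ["ns1.registrar.example.", "ns2.registrar.example."],
}

# Address ranges the site is allowed to resolve to (constructed).
TRUSTED_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# How alarming a silent change to each record type is.
SEVERITY = {"NS": "critical", "A": "high", "AAAA": "high", "CNAME": "high", "TXT": "medium"}


@dataclass(frozen=True)
class Finding:
    name: str
    rtype: str
    expected: tuple
    observed: tuple
    severity: str
    reason: str


def _untrusted_ips(observed):
    """Addresses in the answer that fall outside every trusted range."""
    return [ip for ip in observed
            if not any(ipaddress.ip_address(ip) in net for net in TRUSTED_NETS)]


def check_zone(baseline, lookup):
    """Compare every baselined record set with what the resolver returns now."""
    findings = []
    for (name, rtype), expected in baseline.items():
        observed, expected = sorted(lookup(name, rtype)), sorted(expected)
        if observed == expected:
            continue
        reason = "record set changed"
        if rtype == "NS":
            reason = "delegation moved: registrar-level change"
        elif rtype in ("A", "AAAA") and _untrusted_ips(observed):
            reason = "resolves outside trusted ranges: " + ", ".join(_untrusted_ips(observed))
        elif rtype == "CNAME" and observed:
            reason = "host is now aliased to " + ", ".join(observed)
        findings.append(Finding(name, rtype, tuple(expected), tuple(observed),
                                SEVERITY.get(rtype, "low"), reason))
    return findings


def make_lookup(zone):
    """Offline stand-in for a resolver, built from a dict keyed like BASELINE."""
    return lambda name, rtype: list(zone.get((name, rtype), []))


# Constructed answers for a healthy domain: identical to the baseline.
HEALTHY_ZONE = dict(BASELINE)

# Constructed answers after a hijack: the host now points at an attacker server and
# the delegation has moved. Placeholders, not the addresses used in the real attack.
HIJACKED_ZONE = {
    ("app.example.com", "A"):     ["198.51.100.66"],
    ("app.example.com", "CNAME"): [],
    ("example.com", "NS"):        ["ns1.attacker.example.", "ns2.attacker.example."],
}

if __name__ == "__main__":
    for f in check_zone(BASELINE, make_lookup(HIJACKED_ZONE)):
        print(f"[{f.severity.upper()}] {f.name} {f.rtype}: {f.reason} "
              f"(expected {list(f.expected)}, got {list(f.observed)})")
```

Run it from a host outside your own network and query the authoritative servers directly as well as a public recursive resolver, otherwise a cached answer can hide the change for the length of the TTL. A change to the NS set at the registrar is exactly the case that an in-zone check alone will miss until the old delegation expires, which is why the NS records are baselined separately.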

Lessons Learned

The Galxe incident underscores several critical security principles for the Web3 ecosystem. First, DNS hijacking remains one of the most effective attack vectors against decentralized platforms because it bypasses smart contract security entirely. Second, domain registrar accounts represent high-value targets that demand security measures on par with those protecting cryptocurrency wallets themselves.

For users, the attack highlights the importance of verifying URLs before connecting wallets, using hardware wallets for significant holdings, and maintaining separate wallet addresses for different platforms to limit exposure in the event of a breach.

User Action Required

Anyone who interacted with the Galxe platform on or around October 6, 2023, should immediately check their wallet's transaction history for transfers and approvals they did not intend. Approvals are granted to a spender address, not to a website, so grants made while on the hijacked site remain in force even after the DNS was restored; revoke any token approvals or operator rights given to unfamiliar addresses using tools such as Revoke.cash or Etherscan's token approval checker. Moving remaining assets to a fresh wallet address is strongly recommended as a precaution.
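To make concrete both what the drainer's "routine transaction" prompts actually authorized (The Exploit Mechanics) and what the revocation step above undoes, the following is an added example, not code from Galxe, Revoke.cash or Angel Drainer. It decodes the calldata a wallet is asked to confirm, names the approval it would grant, replays a wallet's outgoing calls to list the grants still live, and builds the zeroing transactions a revoke tool submits. The four-byte selectors are the standard ERC-20 and ERC-721 ones, hardcoded so no keccak library is needed; the addresses and the transaction history are constructed.

```python
"""Wallet-prompt triage and approval audit. Added example, not code from Galxe,
Revoke.cash or Angel Drainer. Selectors are the standard ERC-20/ERC-721 ones,
hardcoded so no keccak library is needed; addresses and history are constructed."""
MAX_UINT = 2**256 - 1

SELECTORS = {                       # four-byte selector -> (function, argument types)
    "095ea7b3": ("approve", ("address", "uint256")),
    "39509351": ("increaseAllowance", ("address", "uint256")),
    "a22cb465": ("setApprovalForAll", ("address", "bool")),
    "a9059cbb": ("transfer", ("address", "uint256")),
}
_DECODE = {"address": lambda w: "0x" + w[-40:], "bool": lambda w: int(w, 16) != 0,
           "uint256": lambda w: int(w, 16)}


def encode_call(selector, *args):
    """ABI-encode static arguments as left-padded 32-byte words after the selector."""
    out = selector
    for a in args:
        if isinstance(a, (bool, int)):                   # bool is an int subclass
            out += format(int(a), "064x")
        else:                                            # 20-byte address
            out += a.lower().removeprefix("0x").rjust(64, "0")
    return "0x" + out


def decode_call(data):
    """Return (function, args) for a known selector, else (None, ())."""
    data = data.lower().removeprefix("0x")
    if data[:8] not in SELECTORS:
        return None, ()
    fn, types = SELECTORS[data[:8]]
    args = []
    for i, t in enumerate(types):
        word = data[8 + 64 * i: 8 + 64 * (i + 1)]
        if len(word) != 64:
            raise ValueError("calldata too short for " + fn)
        args.append(_DECODE[t](word))
    return fn, tuple(args)


def triage(tx):
    """Say what a wallet prompt really authorises. tx = {"to": contract, "data": calldata}."""
    fn, args = decode_call(tx["data"])
    if fn in ("approve", "increaseAllowance"):
        unlimited = args[1] >= 2**255                    # near uint256 max: "forever"
        return {"kind": "token_approval", "contract": tx["to"], "spender": args[0],
                "amount": args[1], "unlimited": unlimited,
                "risk": "high" if unlimited else "medium"}
    if fn == "setApprovalForAll":
        return {"kind": "collection_approval", "contract": tx["to"], "spender": args[0],
                "approved": args[1], "risk": "high" if args[1] else "info"}
    if fn == "transfer":
        return {"kind": "transfer", "contract": tx["to"], "risk": "medium"}
    return {"kind": "unknown", "contract": tx["to"], "risk": "review"}


def outstanding_approvals(history):
    """Replay outgoing calls oldest-first; return {(contract, spender): grant} still live.
    Only grants seen in this history count: a real audit confirms each one on-chain
    with allowance()/isApprovedForAll(), which is what the revoke tools do."""
    live = {}
    for tx in history:
        fn, args = decode_call(tx["data"])
        key = (tx["to"], args[0]) if args else None
        if fn == "approve":
            live[key] = args[1]
        elif fn == "increaseAllowance":
            live[key] = live.get(key, 0) + args[1]
        elif fn == "setApprovalForAll":
            live[key] = "all" if args[1] else 0
    return {k: v for k, v in live.items() if v}


def revocations(outstanding):
    """The transactions that zero each live grant (what a revoke tool submits for you)."""
    return [{"to": c, "data": encode_call("a22cb465", s, False) if g == "all"
                                   else encode_call("095ea7b3", s, 0)}
            for (c, s), g in outstanding.items()]


# Constructed actors (placeholder addresses, not real ones).
TOKEN, NFT = "0x" + "22" * 20, "0x" + "33" * 20
ROUTER, DRAINER = "0x" + "44" * 20, "0x" + "de" * 20

# Constructed history of one wallet: two ordinary actions, then the two prompts a
# drainer page dresses up as "claim" or "verify" steps.
HISTORY = [
    {"to": TOKEN, "data": encode_call("095ea7b3", ROUTER, 1000 * 10**18)},  # capped approve
    {"to": TOKEN, "data": encode_call("a9059cbb", ROUTER, 5 * 10**18)},     # plain transfer
    {"to": TOKEN, "data": encode_call("095ea7b3", DRAINER, MAX_UINT)},      # unlimited approve
    {"to": NFT,   "data": encode_call("a22cb465", DRAINER, True)},          # operator for all NFTs
]

if __name__ == "__main__":
    for tx in HISTORY:
        print(triage(tx))
    live = outstanding_approvals(HISTORY)
    print("live grants:", live)
    print("after revocation:", outstanding_approvals(HISTORY + revocations(live)))
```

The two drainer prompts are ordinary `approve` and `setApprovalForAll` calls, which is why the contracts execute them without complaint and why they outlive the takedown of the phishing site. Note that revoking is itself an `approve` to zero or a `setApprovalForAll` to false, signed from the same wallet, so when you use a revoke tool, check its prompts with the same care as any other.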

Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Always conduct your own research before making investment decisions.


8 thoughts on “Galxe Protocol Suffers DNS Hijack: Angel Drainer Exploit Steals Over $150,000 in User Assets”

  1. $150K drained and the attack vector was a registrar password. not a smart contract bug, not a zero day. just a stolen Dynadot login. we really need to stop treating infrastructure security as optional

    1. centralized DNS is the achilles heel of every “decentralized” app. until projects move to ENS or decentralized hosting this will keep happening

      1. ens won't fix this because users still type galxe dot com. the attack is at the DNS layer not the hosting layer. DNSSEC adoption is the actual fix but good luck getting registrars to enable it by default

      2. Spot on, chain_sentry. These DNS hijacks are getting sophisticated, and most people don’t realize that even ‘secure’ sites can be compromised at the registrar level. It’s not just about auditing code anymore; the whole web2 stack we use to access crypto is a massive liability.

  2. Angel Drainer has been showing up in attacks on multiple protocols now. the toolkit keeps getting updated too, this is not a one-person operation

    1. angel drainer is basically a SaaS platform for wallet draining at this point. multiple updates, subscription model, customer support for thieves

  3. DNS hijacks are honestly the scariest part of DeFi right now because you can’t even trust the official URL. $150k gone in a flash just because of a domain exploit is a brutal reminder to always use a burner wallet for these types of interactions.

  4. Marco Bianchi

    Seeing Angel Drainer involved again is zero surprise, those guys are basically the final boss of frontend exploits at this point. Galxe really dropped the ball on their domain security, and it’s wild that such a big protocol didn’t have better monitoring for DNS changes.

