Animoca Brands says it will pay US$1.1 million in Ethereum to cover the cost of a scam involving the hack of its Sydney-based subsidiary’s social media channel.

The November 19 hack targeted the chat server of Phantom Galaxies, an upcoming game being developed by Blowfish Studios, the indie North Sydney gaming company that Animoca acquired for up to $35 million in July.

Some 94,000 people belong to Discord server, and early last Friday the hacker or hackers were able to use a “malware bot” to compromise the two-factor authentication for its admin account.

Once in control of the account, the hackers banned all staff accounts, as well as the accounts of advisors and community moderators.

Around 3am AEDT, the hackers began posting fraudulent announcements about a surprise “stealth mint” of its game NFTs. The announcements directed people to a fake website with a phony minting process. Users were charged 0.1 Ethereum (around US$430), but nothing was minted – the funds were just transferred to the hacker’s wallet.

For anyone paying attention, there were some clues this wasn’t on the up-and-up.

In the past, Phantom Galaxy had issued server-wide notices that there’d never be any unannounced “stealth” or “surprise” drops or mints.

There’s also been similar scams perpetrated on the Axie Infinity and Creature Toadz NFT Disord channels. A

In addition, the website had an .org domain, rather than the official dot-com one.

But within half an hour, nearly 1,000 users had sent the hackers Ethereum, blockchain data shows. Most sent just 0.1 Eth, but some paid 0.5, 1 or even 1.5 Eth for multiple NFTs.

‘Please do not mint’

Senior management of Animoca, based in Hong Kong, became aware of the scam around 3.40am AEDT (12.40am Hong Kong time), but were unable to rouse anyone in Sydney given the extremely late hour.

They were able to post a warning in the Telegram channels at 3.45am AEDT and Animoca chairman Yat Siu tweeted about it at 3.58am.

Animoca was able to contact Discord, the San Francisco company behind the chat software, which took emergency steps to restrict access to the server at 4.30am.

Still, people kept sending in funds for another half an hour, the blockchain data indicates.

In total the hackers collected 265 Ethereum (US$1.1 million) in 1,574 transactions in a little under three hours, according to Etherscan. Nearly all of that has been transferred to Tornado Cash, an Ethereum privacy solution useful for money laundering.

Apology issued

Animoca and Blowfish issued a lengthy statement last night about the hack, pledging compensation.

“The exact nature and mechanism of the compensation will be determined after discussions with the Phantom Galaxies community, but it will involve transfers to users to cover the amounts stolen by the hackers, or the delivery of equivalent value. More information will be provided in the game’s official channels.”

The two companies also apologised and said they were taking steps to further increase security and prevent such incidents in the future.

“This includes holding in-depth reviews with our security experts, external consultants, and Discord security personnel,” the statement said. “Animoca Brands is also instituting a group-wide assessment of security measures.”

The statement also advised users of steps they could take to avoid scams and said people should be very cautious of stealth drop/mint events.

“Never trust announcements that play on the fear of missing out (FOMO). It is better to miss out than to get scammed.”

About Phantom Galaxies

Phantom Galaxies is a “mecha” game that’ll be released next year on consoles and PC. Here’s an early look at gameplay that was released last month.