PSA: Please keep your tez in Galleon desktop wallets safe from attackers

Cryptonomic
The Cryptonomic Aperiodical
3 min read · Aug 4, 2020

As an eminently popular Tezos wallet, Galleon has always seen its users targeted by malicious parties in multiple ways. However, in the past two months, the scale and intensity of the attacks have escalated significantly. We are particularly troubled by recent reports of Windows users with file wallets spontaneously losing funds, although we have not yet found any related security vulnerabilities. We want the Tezos community to be aware of these issues and protect themselves.

Our headline recommendations to the community are:

  1. Only follow download links and seek support through our official website.
  2. Always use a hardware wallet like the Ledger Nano, particularly if you are using Windows.
  3. Sites not listed by Cryptonomic on any official source, such as the scam site https://wallet.galleon.network/, should be avoided at all costs. Cryptonomic has no web-based wallets.
  4. Download the latest version of the wallet from the application stores for Windows, Linux and (soon) Mac computers.

The Galleon wallet is based on the open-source Tezori codebase. The open-source nature of the code lets the community vet its security and efficacy and have confidence in all deployed wallet software. Unfortunately, this also opens up the possibility of malicious parties releasing tweaked copies of the code on several websites and pretending to be legitimate. With some additional social engineering on forums like Telegram, these scammers are able to rob many tez holders of their hard-earned money.

We have so far avoided going after specific scammers as we have seen crypto projects in the past play a futile game of whack-a-mole where offending parties can’t even be identified with any certainty. However, the people behind https://wallet.galleon.network/ have been particularly malicious and robbed people across Telegram and even the issues section of our old GitHub repository. We are following up on the available legal options to bring down these scam sites but the process will frustratingly take some time. Until then, we urge all community members to spread the word and protect people around them. We already shut down our Telegram support a while ago and also closed the Issues section of the old GitHub repository, but we urge everyone once again to only seek support through our official website.

We have recently also become aware of reports of Windows users spontaneously losing their funds in Galleon wallets. We thank community member Jovan Smith and others for bringing a couple more cases to our attention. We saw some similar reports in the past, but our investigations did not turn up anything particularly significant. A couple of users were kind enough to share their screens with us, and we ran through a gamut of tests, including multiple malware scans and network checks, but did not notice anything untoward. The previous Galleon codebase was checked by Trail of Bits in 2018, and the newest Galleon code was audited by Apriorit in June this year, with another audit by Trail of Bits likely to follow in September. None of the audits identified remotely-exploitable issues.

We strongly recommend an upgrade to the latest version of the wallet for all users, particularly if you use it on Windows. If you are using Galleon 0.9.3b or 0.9.4b, please update to version 1.1.4b via the appropriate app store or through the link on the official site if no store link is yet available.

The importance of using hardware wallets cannot be overstated. Even if you use a malicious site with a hardware wallet, it’s still difficult for scammers to steal your funds. Especially on Windows, which is the operating system most targeted by scammers, it’s imperative that you use a hardware wallet for all crypto assets.

Over the coming weeks we will be taking the following measures to reduce the risk to our users:

  1. Aggressive messaging across online forums (underway)
  2. Move releases to the new codebase (done)
  3. Publish all wallet software through official app stores (mostly done)
  4. Improve security messaging in the wallet (underway)
  5. Shut down all support forums not linked to our official website or email (done)
  6. Undergo another thorough security audit with a focus on Windows deployment

If you think you have been targeted by a malicious party scamming Galleon users or know someone who has, please send us information at support@cryptonomic.tech so we can be aware of such activity. If you’re technically inclined and have specific suggestions on how we can improve security for the community or have identified an issue, please get in touch or submit a pull request on GitHub.

The cryptocurrency space is still budding and is unfortunately targeted by many scammers and con artists. Remember to always be vigilant.
