WARNING: Phishing emails are being sent to our users. Read more here

Dear GateHub customers,

A few days ago we learned that a criminal hacker had accessed several dozen native XRP Ledger wallets and stolen crypto assets from our customers. Through a well-orchestrated attack, the perpetrator gained access to a database holding valid access tokens of our customers. We detected an increased volume of API calls (using these valid access tokens) coming from a small number of IP addresses.

Upon detecting this intrusion, we immediately disabled all customer access tokens and stopped the suspicious API calls. We believe this action prevented further losses.  We have identified 103 XRP Ledger wallets suffering losses in the attack.

Our users are our highest priority.  We are doing the best we can to learn how this intrusion happened, apprehend the perpetrator and help you protect assets that you have stored on the XRP Ledger.

Altogether we detected 18,473 accounts that were potentially affected as a result of suspicious API calls.  From these 18,473 accounts, 5,045 XRP Ledger wallets contained active balances.  We promptly notified all GateHub customers who might have been affected through multiple channels, including emails, telephone messages, and calls.  We have done our best to inform all of you about what we have learned and advise you to on how to protect assets that you hold on the XRP ledger.

But we need your help.  Our XRP Ledger Wallets are protected with secret keys kept in an encrypted state.  GateHub does not have access to users’ native RCL wallets and we do not know your encrypted passwords.  We cannot move or withdraw assets on your behalf.  Only you can do this. Customers who previously received an individual warning e-mail from GateHub and thereafter did not move their funds to their hosted wallets are still at risk of having funds stolen by this thief.  

We urge all customers individually notified by email to move their XRP into a GateHub hosted wallet immediately.

The funds were sent to several exchanges, including Freewallet.org, Changelly, Changenow, Kucoin, Huobi, Exmo, Hitbtc, Binance, Alfacashier and others.  We have already contacted each recipient exchange with the aim to freeze and retrieve all customer assets. We urge all affected customers to directly contact these known destination providers and ask these accounts to be frozen, if possible, and to file theft reports with their local law enforcement.

Please be assured that we are continuing to vigorously investigate this incident with the assistance of our internal response team, law enforcement agencies, third-party professional security and forensics teams, and other investigative authorities.

We cannot share additional forensic details at the moment, due to the ongoing criminal investigation. We are hopeful we can nail the perpetrator.

In addition, we are taking steps to safeguard all XRP Ledger wallets (not just the small number potentially affected by the access token exploit).  In the upcoming days, we will re-generate customer encryption keys and disable existing XRP Ledger wallet secret keys for all Ledger wallets. New secret keys will be created and encrypted, which will prevent access by the perpetrator to any XRP Ledger wallets.  This process will be fully automated and we will engage our customers on a rolling basis. Other than signing into your account, no additional action will be required. When this update is available, each customer will be notified via email with instructions to sign into their account, and automatically to re-generate security keys.

As always, we also suggest our users change your login passwords periodically, use strong passwords that are not already used on other websites, have 2FA enabled, and avoid being duped by phishing emails and suspicious websites.

We would like to again apologize to our valued customers who have been directly affected by this attack, and more broadly, to the XRP community for this inconvenience.  We also wish to thank the many individuals who have been of great help in resolving this matter.

The investigation continues, and we will not rest until we get to the bottom of it.