2023 has barely started, and already, several high-profile hacks have hit the wallets of NFT Twitter hegemons. CryptoNovo, NFT God and most recently, Kevin Rose were scammed out of major funds and non-fungies. Additionally, Azuki’s Twitter was compromised on the 27th. What do all these events have in common? Malicious links.
GM 🌅 – what a day!— KΞVIN R◎SE (,🦉) (@kevinrose) January 25, 2023
Today I was phished. Tomorrow we'll cover all the details live, as a cautionary tail, on twitter spaces. Here is how it went down, technically: https://t.co/DgBKF8qVBK
As Mr. Rose’s misfortune was the inspiration for the cover art of Redlion’s Gazette #124, let’s examine his hack to start this lesson in cybersecurity. Kevin’s case involved OpenSea’s seaport contract. Most NFT users have accepted the seaport contract in order to buy, sell, offer and trade on OpenSea. What many don’t know is that a malicious 3rd-party site can exploit the seaport approval to drain your crypto wallet!
An excellent thread about the seaport exploit (and Kevin Rose’s losses) was written by the Stelo NFT safety app. The tl/dr with seaport is this: NEVER sign seaport approvals if you’re on a site that isn’t openSea. Rose navigated to a scam site and signed a scammy seaport approval.
Not buying a new cold wallet immediately was a deadly mistake. But even with a cold wallet, my entire digital world would still be destroyed.— NFT God (@NFT_GOD) January 15, 2023
Digital security isn't just buying a cold wallet. It's also being careful with EVERYTHING you do on the internet. Everything.
More broadly, to keep your NFTs safe, only click on links after carefully parsing the url and knowing you are visiting a safe site. In the case of NFT God’s hack, he clicked on a sponsored link from a Google search. Instead of a link to the service he was trying to find, NFT God clicked on a scam. This downloaded malware on to his computer. Any hot wallet is doomed at this point. The malware simply bulk transfers all your assets to a thief.
One way to protect yourself from losing everything with a single misclick is using a cold wallet–aka a hardware wallet (like a Ledger or Trezor). Unfortunately for NFT God, on top of clicking a scam link, he also made a critical error when setting up his Ledger hardware wallet.
Mistake 1: Not using a hardware wallet correctly— korpi (@korpi87) January 15, 2023
If you type your Ledger seed phrase into a software wallet, you are effectively transforming your cold wallet into a hot wallet.
Never type in your Ledger seed phrase anywhere!
Connect your Ledger with the software wallet. https://t.co/Ouxpbrc4od pic.twitter.com/5RMJ3yKwiY
Do NOT do this: there is the option of entering your hardware wallet’s seed phrase into your hot wallet. In other words, you can let Metamask open up your Ledger… this is spectacularly dangerous! It is tough to even understand why this option is made available by ledger and Metamask. Sure, it is convenient, but it undoes all the intended security that the hardware wallet is meant to provide. By entering his cold wallet seed phrase into Metamask, NFT God made his personal “vault”–the place where he kept his NFT grails AND a large portion of net worth–accessible to anyone on the internet. To his credit NFT God is extremely forthright about his mistakes. If you want to learn everything about avoiding his mistakes, read this thread by korpi.
Lastly, we come to CryptoNovo’s hack, how to avoid losses with your hot wallet, and how the NFT community is reacting to all these surprising thefts. While less detailed about his experience, Novo also blamed a malicious link for the theft of his iconic CryptoPunk. To the average NFT enthusiast, it becomes logical to think, “If these leaders of the NFT space can get hacked, what’s protecting me?” Well, as noted above, you SHOULD keep the majority of your assets in a cold wallet. You should NOT click on random links. And as a last bit of advice regarding hot wallets, be very careful with your signatures.
The aforementioned Stelo has a browser extension that claims to warn users before signing a malicious smart contract. Metamask also has a bright red warning label when it detects suspicious code. This thread by IOE explains Metamask signing safety super well.
After the hacks, members of each influencer’s community gave generously to try and make their influencer whole again. Interestingly, none of this charity was requested by either Novo, NFT God, or Kevin Rose. Nevertheless, someone sniped NFT God’s ape for him. An entire #GoFUndNovo campaign (that we covered extensively) brought together many artists who auctioned off works for Novo; they raised the needed ~80th to buy Novo’s PFP back. Most recently, Kevin Rose was gifted some art that was inspired by his boosted Squiggles.
Art Theft— 0xdgb (@0xdgb) January 26, 2023
Recently I’ve been working on a few pieces for @DerekEdws, this being one of them. But after the hack yesterday, between us, we decided to gift it to @KevinRose. I also insisted Kevin decide which Squiggle we used.
Kevin, its an honour to be part of your collection 🫂 pic.twitter.com/hyWSHAPyHc
As always with Twitter, there were many haters amongst the helpers. NFT God clapped back in his signature classy style by thanking the haters for bringing out the “love, support and positivity of the web 3 community even more.” Despite, the travails of his theft forcing Novo to seek emergency professional help, derision kept flying his way. Even the pedantic “don’t call this scam a hack” argument was brought up innumerable times. Punk9059 chose to address this in a message reminding people to be charitable with their thoughts and actions. Yes, technically, if you commit zero human error, you cannot be “hacked” out of your web3 assets. However, we are all human and there seems to be an interminable sewer of scammers spamming scammy links. Be careful out there–be compassionate too.
We've had multiple savvy people lose life-savings over the past month, a few admit to being worried about their mental health, none ask others for funds...— NFTstatistics.eth (@punk9059) January 26, 2023
and my timeline only cares about defending the word "hack" from situations where there was any form of victim participation