2023 has barely started, and already, several high-profile hacks have hit the wallets of NFT Twitter hegemons. CryptoNovo, NFT God and most recently, Kevin Rose were scammed out of major funds and non-fungies. Additionally, Azuki’s Twitter was compromised on the 27th. What do all these events have in common? Malicious links.
GM 🌅 – what a day!
Today I was phished. Tomorrow we'll cover all the details live, as a cautionary tale, on twitter spaces. Here is how it went down, technically: https://t.co/DgBKF8qVBK
— KΞVIN R◎SE (🪹,🦉) (@kevinrose) January 25, 2023
As Mr. Rose’s misfortune was the inspiration for the cover art of Redlion’s Gazette #124, let’s examine his hack to start this lesson in cybersecurity. Kevin’s case involved OpenSea’s Seaport contract. Most NFT users have approved the Seaport contract in order to buy, sell, offer and trade on OpenSea. What many don’t know is that a malicious third-party site can abuse that Seaport approval: a signature you give on the wrong site can be used to drain your crypto wallet!
An excellent thread about the Seaport exploit (and Kevin Rose’s losses) was written by the Stelo NFT safety app. The TL;DR with Seaport is this: NEVER sign Seaport approvals if you’re on a site that isn’t OpenSea. Rose navigated to a scam site and signed a scammy Seaport approval.
Not buying a new cold wallet immediately was a deadly mistake. But even with a cold wallet, my entire digital world would still be destroyed.
Digital security isn't just buying a cold wallet. It's also being careful with EVERYTHING you do on the internet. Everything.
— NFT God (@NFT_GOD) January 15, 2023
More broadly, to keep your NFTs safe, only click on links after carefully parsing the URL and knowing you are visiting a safe site. In the case of NFT God’s hack, he clicked on a sponsored link from a Google search. Instead of a link to the service he was trying to find, NFT God clicked on a scam. This downloaded malware onto his computer. Any hot wallet is doomed at this point: the malware simply bulk-transfers all your assets to a thief.
One way to protect yourself from losing everything with a single misclick is using a cold wallet–aka a hardware wallet (like a Ledger or Trezor). Unfortunately for NFT God, on top of clicking a scam link, he also made a critical error when setting up his Ledger hardware wallet.
Mistake 1: Not using a hardware wallet correctly
If you type your Ledger seed phrase into a software wallet, you are effectively transforming your cold wallet into a hot wallet.
Never type in your Ledger seed phrase anywhere!
Connect your Ledger with the software wallet. https://t.co/Ouxpbrc4od pic.twitter.com/5RMJ3yKwiY
— korpi (@korpi87) January 15, 2023
Do NOT do this: there is the option of entering your hardware wallet’s seed phrase into your hot wallet. In other words, you can let Metamask open up your Ledger… this is spectacularly dangerous! It is tough to even understand why this option is made available by Ledger and Metamask. Sure, it is convenient, but it undoes all the intended security that the hardware wallet is meant to provide: once the seed phrase lives in the software wallet, any malware on that computer can read it. By entering his cold wallet seed phrase into Metamask, NFT God made his personal “vault”–the place where he kept his NFT grails AND a large portion of his net worth–accessible to anyone on the internet. To his credit, NFT God is extremely forthright about his mistakes. If you want to learn everything about avoiding his mistakes, read this thread by korpi.
Lastly, we come to CryptoNovo’s hack, how to avoid losses with your hot wallet, and how the NFT community is reacting to all these surprising thefts. While less detailed about his experience, Novo also blamed a malicious link for the theft of his iconic CryptoPunk. To the average NFT enthusiast, it becomes logical to think, “If these leaders of the NFT space can get hacked, what’s protecting me?” Well, as noted above, you SHOULD keep the majority of your assets in a cold wallet. You should NOT click on random links. And as a last bit of advice regarding hot wallets, be very careful with your signatures.
The aforementioned Stelo has a browser extension that claims to warn users before signing a malicious smart contract. Metamask also has a bright red warning label when it detects suspicious code. This thread by IOE explains Metamask signing safety super well.
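To make the Seaport point above and the “be careful with your signatures” advice concrete, here is an added example (not code from the Gazette, Stelo or Metamask) of the kind of check a wallet or extension can run on an eth_signTypedData_v4 request before the user signs. It assumes the request carries a Seaport-style EIP-712 OrderComponents message and flags two warning signs: the request comes from a page that is not opensea.io, and the order gives away NFTs while nothing is paid back to the offerer. The sample request is constructed for the demonstration.

```javascript
const SEAPORT_DOMAIN_NAME = "Seaport";
const MARKETPLACE_HOST = /(^|\.)opensea\.io$/i;
// Seaport ItemType values: 0 NATIVE, 1 ERC20, 2 ERC721, 3 ERC1155, 4/5 criteria-based NFTs.
const NFT_ITEM_TYPES = new Set([2, 3, 4, 5]);

// Inspect one typed-data signing request; returns warnings instead of blocking so a
// wallet can show them next to the signature prompt.
function inspectSignTypedDataRequest(typedData, originHost) {
  const { domain = {}, primaryType, message = {} } = typedData;
  const warnings = [];
  if (domain.name !== SEAPORT_DOMAIN_NAME || primaryType !== "OrderComponents") {
    return { isSeaportOrder: false, warnings };
  }
  // Warning 1: a Seaport order requested anywhere but the marketplace itself.
  if (!MARKETPLACE_HOST.test(originHost)) {
    warnings.push(`Seaport order requested by ${originHost}, not an opensea.io page`);
  }
  // Warning 2: NFTs leave the offerer, but no consideration item pays the offerer back.
  const offerer = String(message.offerer).toLowerCase();
  const nftsOffered = (message.offer || []).filter(o => NFT_ITEM_TYPES.has(Number(o.itemType))).length;
  const paidToOfferer = (message.consideration || [])
    .filter(c => String(c.recipient).toLowerCase() === offerer)
    .reduce((sum, c) => sum + BigInt(c.startAmount), 0n);
  if (nftsOffered > 0 && paidToOfferer === 0n) {
    warnings.push(`${nftsOffered} NFT(s) given away with nothing paid back to the offerer`);
  }
  return { isSeaportOrder: true, nftsOffered, paidToOfferer, warnings };
}

// Constructed sample (not a real order): one ERC-721 offered; the only consideration
// item is 1 wei sent to a third party, so the offerer receives nothing.
const OFFERER = "0x" + "aa".repeat(20);
const STRANGER = "0x" + "bb".repeat(20);
const ZERO = "0x" + "00".repeat(20);
const sampleRequest = {
  domain: { name: "Seaport", version: "1.5", chainId: 1, verifyingContract: ZERO },
  primaryType: "OrderComponents",
  message: {
    offerer: OFFERER,
    offer: [{ itemType: 2, token: "0x" + "cc".repeat(20), identifierOrCriteria: "42", startAmount: "1", endAmount: "1" }],
    consideration: [{ itemType: 0, token: ZERO, identifierOrCriteria: "0", startAmount: "1", endAmount: "1", recipient: STRANGER }],
  },
};

// The same order as a genuine listing: the consideration pays the offerer, so the check stays quiet.
function withPricePaidToOfferer(request, priceWei) {
  const copy = JSON.parse(JSON.stringify(request));
  copy.message.consideration = [{ itemType: 0, token: ZERO, identifierOrCriteria: "0",
    startAmount: String(priceWei), endAmount: String(priceWei), recipient: copy.message.offerer }];
  return copy;
}
```

Run against the constructed scam request from a non-OpenSea host it raises both warnings; the priced variant on opensea.io raises none.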
After the hacks, members of each influencer’s community gave generously to try and make their influencer whole again. Interestingly, none of this charity was requested by Novo, NFT God, or Kevin Rose. Nevertheless, someone sniped NFT God’s ape for him. An entire #GoFundNovo campaign (that we covered extensively) brought together many artists who auctioned off works for Novo; they raised the needed ~80th to buy Novo’s PFP back. Most recently, Kevin Rose was gifted some art that was inspired by his boosted Squiggles.
Art Theft
Recently I’ve been working on a few pieces for @DerekEdws, this being one of them. But after the hack yesterday, between us, we decided to gift it to @KevinRose. I also insisted Kevin decide which Squiggle we used.
Kevin, it's an honour to be part of your collection 🫂 pic.twitter.com/hyWSHAPyHc
— 0xdgb (@0xdgb) January 26, 2023
As always with Twitter, there were many haters amongst the helpers. NFT God clapped back in his signature classy style by thanking the haters for bringing out the “love, support and positivity of the web 3 community even more.” Despite the travails of his theft forcing Novo to seek emergency professional help, derision kept flying his way. Even the pedantic “don’t call this scam a hack” argument was brought up innumerable times. Punk9059 chose to address this in a message reminding people to be charitable with their thoughts and actions. Yes, technically, if you commit zero human error, you cannot be “hacked” out of your web3 assets. However, we are all human and there seems to be an interminable sewer of scammers spamming scammy links. Be careful out there–be compassionate too.
We've had multiple savvy people lose life-savings over the past month, a few admit to being worried about their mental health, none ask others for funds...
and my timeline only cares about defending the word "hack" from situations where there was any form of victim participation
— NFTstatistics.eth (@punk9059) January 26, 2023