Kevin Rose, co-founder of non-fungible token (NFT) collection Moonbirds, has fallen victim to a phishing scam that has resulted in the theft of over $1.1 million worth of personal NFTs.
The NFT creator and co-founder of PROOF shared the news with his 1.6 million Twitter followers on January 25, asking them to avoid buying any Squiggles NFTs until his team managed to mark them as stolen.
I was just hacked, stay tuned for details – please avoid buying any squiggles until we get them flagged (just lost 25) + a few other NFTs (an autoglyph) …
— KΞVIN R◎SE (@kevinrose) January 25, 2023
“Thank you for all the kind and supportive words. Full report coming soon,” he shared in another tweet about two hours later.
It is understood that Rose’s NFTs were drained after he approved a malicious signature that transferred a significant proportion of his NFT assets to the exploiter.
GM – what a day!
Today I was phished. Tomorrow we’ll cover all the details live, as a cautionary tale, on twitter spaces. Here is how it went down, technically: https://t.co/DgBKF8qVBK
— KΞVIN R◎SE (@kevinrose) January 25, 2023
An independent analysis by Arkham found that the exploiter stole at least one Autoglyph, which has a floor price of 345 ETH; 25 Art Blocks pieces, also known as Chromie Squiggles, worth at least 332.5 ETH in total; and nine OnChainMonkey items, worth at least 7.2 Ether.
In total, the exploiter took at least 684.7 ETH (USD 1.1 million).
How Kevin Rose was taken advantage of
Although several independent on-chain analyses have been shared, Arran Schlosberg, vice president of PROOF, the company behind Moonbirds, explained to his 9,500 Twitter followers that Rose “was phished into signing a malicious signature” that allowed the exploiter to transfer a large number of tokens:
1/ This was a classic piece of social engineering, tricking KRO into a false sense of security. The technical aspect of the hack was limited to crafting signatures accepted by OpenSea’s marketplace contract.
— Arran (@divergencearran) January 25, 2023
The crypto analyst “foobar” elaborated on the “technical aspect of the hack” in another post on Jan. 25, explaining that Rose had approved an OpenSea marketplace contract to move all of his NFTs whenever Rose signed transactions.
He added that Rose was always “one malicious signature” away from an exploit:
Be super careful when signing anything, even off-chain signatures. kevin rose just had ~$2 million worth of NFTs drained from his vault from signing one malicious seaport bundle. thankfully a couple things held back, like the punk zombie (1000 ETH) which can’t be traded on OS pic.twitter.com/GXHR3NQHLf
— foobar (@0xfoobar) January 25, 2023
The crypto analyst said that Rose should instead have kept his NFT assets isolated in a separate wallet:
“Moving assets from your vault to a separate “sell” wallet before listing them on NFT markets will prevent this.”
Another on-chain analyst, “Quit”, told his 71,400 Twitter followers that the malicious signature was enabled by the Seaport marketplace contract, the platform that powers OpenSea:
Kevin Rose was just lost $2m+ in assets by signing an off-chain signature that created a listing for all of his OpenSea approved assets in one go.
While seaport is a powerful tool, it can also be dangerous if you’re not aware of how it works.
A bit of context 1/
—quit (@0xQuit) January 25, 2023
Quit explained that the exploiters were able to set up a phishing site that was able to view the NFT assets held in Rose’s wallet.
The attacker then created an order to transfer to himself all of Rose’s OpenSea-approved assets.
Rose then validated the malicious transaction, Quit noted.
Meanwhile, foobar noted that most of the stolen assets were worth well above their floor price, meaning the amount stolen could be as high as $2 million.
Quit urged OpenSea users to “run away” from any other website that encourages users to sign something that looks suspicious.
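What a wallet or signing front end could check before showing such a request, as an added example that is not code from this article, OpenSea or Seaport: it inspects the EIP-712 payload of a Seaport order and flags bundles that move several NFTs for almost no payment to the signer. The function name, the 0.01 ETH-per-NFT threshold, the placeholder addresses and both sample orders are assumptions constructed for illustration.

```javascript
// Added example: review an EIP-712 Seaport order before the wallet signs it.
// ItemType numbers follow Seaport's enum; the threshold and samples are constructed.
const NFT_ITEM_TYPES = new Set([2, 3, 4, 5]); // ERC721, ERC1155 and criteria variants
const addr = (byte) => "0x" + byte.repeat(20); // constructed placeholder addresses

function reviewSeaportOrder(typedData, minWeiPerNft = 10n ** 16n) {
  const isSeaportOrder = typedData.primaryType === "OrderComponents" &&
    typedData.domain?.name === "Seaport";
  if (!isSeaportOrder) return { isSeaportOrder, nftCount: 0, warnings: [] };

  const { offerer, offer = [], consideration = [] } = typedData.message;
  const nfts = offer.filter((item) => NFT_ITEM_TYPES.has(Number(item.itemType)));
  const collections = new Set(nfts.map((item) => item.token.toLowerCase()));

  // What the signer is guaranteed to receive: native (0) or ERC20 (1) items
  // addressed to the offerer, taking the lower of startAmount and endAmount.
  // Assumption: amounts are treated as 18-decimal units.
  let paidToSigner = 0n;
  for (const item of consideration) {
    if (Number(item.itemType) > 1) continue;
    if (item.recipient.toLowerCase() !== offerer.toLowerCase()) continue;
    const start = BigInt(item.startAmount), end = BigInt(item.endAmount);
    paidToSigner += start < end ? start : end;
  }

  const warnings = [];
  if (nfts.length > 1) warnings.push(`bundle: ${nfts.length} NFTs leave the wallet in one signature`);
  if (collections.size > 1) warnings.push(`order spans ${collections.size} collections`);
  if (nfts.length > 0 && paidToSigner < minWeiPerNft * BigInt(nfts.length))
    warnings.push(`signer receives only ${paidToSigner} wei`);
  return { isSeaportOrder, nftCount: nfts.length, paidToSigner, warnings };
}

const nft = (token, id) => ({ itemType: 2, token, identifierOrCriteria: id, startAmount: "1", endAmount: "1" });
const pay = (recipient, wei) => ({ itemType: 0, token: addr("00"), identifierOrCriteria: "0", startAmount: wei, endAmount: wei, recipient });
const order = (offer, consideration) => ({
  primaryType: "OrderComponents",
  domain: { name: "Seaport" },
  message: { offerer: addr("11"), offer, consideration },
});

// Constructed samples: a drain-style bundle and an ordinary single listing.
const drainStyle = order(
  [nft(addr("aa"), "1"), nft(addr("aa"), "2"), nft(addr("bb"), "7")],
  [pay(addr("11"), "1")]);
const normalListing = order(
  [nft(addr("aa"), "1")],
  [pay(addr("11"), "975000000000000000"), pay(addr("cc"), "25000000000000000")]);

console.log(reviewSeaportOrder(drainStyle).warnings);
console.log(reviewSeaportOrder(normalListing).warnings);
```

A front end would show these warnings in place of the raw typed-data blob, so the signer sees how many assets the single signature releases and what comes back.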
NFTs on the move
The on-chain analyst ZachXBT shared a transaction map with his 350,300 Twitter followers showing that the exploiter sent the assets to FixedFloat, a cryptocurrency exchange on the Bitcoin layer-2 Lightning Network.
Then, the exploiter switched the funds to bitcoin (BTC) and deposited the BTC into a bitcoin mixer:
Three hours ago Kevin was phished for $1.4m+ worth of NFTs. Earlier today the same scammer stole 75 ETH from another victim.
Mapping this out we can see a clear trend of sending the stolen funds to FixedFloat and swapping for BTC before depositing to a bitcoin mixer. https://t.co/2yrFpfYttT pic.twitter.com/ZlywPYydwx
— ZachXBT (@zachxbt) January 25, 2023
Crypto Twitter community member Degentraland told his 67,000 followers that it was the “saddest thing” he has seen in the cryptocurrency space to date, adding that if anyone can come back from such a devastating exploit, “it’s him”:
Saddest thing I’ve seen in crypto to date. @kevinrose wallet drained.
If anyone can come back from this, it’s him. pic.twitter.com/HZysg34qji
—Degentraland (@Degentraland) January 25, 2023
For his part, the founder of Bankless, Ryan Sean Adams, was enraged at how easily Rose could be exploited. In a tweet on January 25, Adams urged front-end engineers to improve their user experience (UX) to prevent these scams from taking place.
Clarification: The information and/or opinions expressed in this article do not necessarily represent the views or editorial line of Cointelegraph. The information presented here should not be taken as financial advice or investment recommendation. All investment and commercial movement involve risks and it is the responsibility of each person to do their due research before making an investment decision.