The creator of the Moonbirds NFT collection, Kevin Rose, has lost around $1 million in NFTs after falling victim to a wallet exploit.
Rose lost a number of NFTs, including 25 Chromie Squiggles and an Autoglyph NFT. The hack was confirmed by Rose himself on his Twitter account.
A Million Dollar Loss
Kevin Rose, the co-founder of the Moonbirds NFT collection, has fallen victim to a phishing scam, losing over $1.1 million worth of NFTs from his personal collection. Rose confirmed the hack on his Twitter account, and a glance at the transaction history for Rose’s wallet on OpenSea reveals the extent of the hack. Rose lost several NFTs, such as OnChainMonkeys, Squiggles, and Cool Cats. Rose stated on Twitter,
“I was just hacked; stay tuned for details - please avoid buying any squiggles until we get them flagged (just lost 25) + a few other NFTs (an autoglyph).”
However, Rose was able to save his most valuable NFTs by keeping them in a separate vault. These include a Zombie CryptoPunk (CryptoPunk #5066), of which only 87 others exist. Users speculated that the wallet was compromised because Rose signed a malicious Seaport bundle; a Seaport bundle allows users to trade multiple assets for other items of the same value. Rose, for his part, urged users to avoid purchasing Squiggle NFTs while his team worked on getting them flagged as stolen.
Details Of The Hack
Details about how the hack took place soon emerged. It was revealed that the hack most likely took place after he approved a malicious signature, enabling the attacker to transfer a significant number of Rose’s NFTs out of the wallet. An analysis of the hack revealed that the attacker managed to siphon off at least one Autoglyph, which has a floor price of 345 ETH, Chromie Squiggles, which were worth around 332.5 ETH, and nine OnChainMonkey items, worth around 7.2 ETH.
The vice president of PROOF, the entity behind the Moonbirds collection, Arran Schlosberg, elaborated on the hack on Twitter, revealing that Rose was the victim of a phishing exploit that tricked him into signing a malicious signature and allowed the attacker to steal the NFTs in question.
“Earlier this evening, @kevinrose was phished into signing a malicious signature that allowed the hacker to transfer a large number of high-value tokens. Here is a breakdown of what happened, our immediate response, and our ongoing efforts. This was a classic piece of social engineering, tricking KRO into a false sense of security. The technical aspect of the hack was limited to crafting signatures accepted by OpenSea’s marketplace contract.”
Crypto analyst foobar explained that Rose had granted the OpenSea marketplace contract approval to move all of his NFTs, so each time he signed a listing he was one malicious signature away from disaster. The analyst added that Rose should have siloed his assets in a separate wallet.
“Moving assets from your vault to a separate ‘selling’ wallet before listing on NFT marketplaces will prevent this.”
The malicious signature was enabled by the Seaport marketplace contract, which, while a powerful tool, is also dangerous if users are not aware of how it works.
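To make the "one malicious signature" point concrete, here is an added illustration (not code from the article, OpenSea or the Seaport project) of a defender-side check a wallet or browser extension could run over a Seaport-style order message before the user signs it. It assumes the public Seaport OrderComponents layout (offer and consideration items with itemType, token, amounts and recipient) and uses constructed placeholder addresses and token IDs, not the real contracts or tokens involved.

```python
# Seaport ItemType values from the public Seaport ABI:
# 0 NATIVE, 1 ERC20, 2 ERC721, 3 ERC1155, 4 ERC721_WITH_CRITERIA, 5 ERC1155_WITH_CRITERIA
NFT_ITEM_TYPES = {2, 3, 4, 5}
WEI = 10**18

def audit_seaport_order(order: dict, signer: str) -> list[str]:
    """Inspect an OrderComponents-style message before signing.

    Returns human-readable warnings. An empty list means these heuristics found
    nothing, not that the order is safe."""
    warnings = []
    signer = signer.lower()
    if order["offerer"].lower() != signer:
        warnings.append("offerer is not the signing wallet")
    nfts_out = [i for i in order["offer"] if i["itemType"] in NFT_ITEM_TYPES]
    collections = {i["token"].lower() for i in nfts_out}
    # Only consideration items whose recipient is the signer are value coming back.
    paid_to_signer = sum(int(c["endAmount"]) for c in order["consideration"]
                         if c["recipient"].lower() == signer)
    if nfts_out and paid_to_signer == 0:
        warnings.append(f"offer hands over {len(nfts_out)} NFT(s) from "
                        f"{len(collections)} collection(s) with no payment back to the signer")
    if len(nfts_out) > 1:
        warnings.append(f"bundle order: {len(nfts_out)} NFTs leave the wallet in one signature")
    return warnings

# Constructed placeholder addresses (not the real wallets or collection contracts).
VICTIM, ATTACKER = "0x" + "aa" * 20, "0x" + "bb" * 20
SQUIGGLES, AUTOGLYPHS = "0x" + "c0" * 20, "0x" + "c1" * 20
ETH = "0x" + "00" * 20  # native ETH uses the zero address as token

def nft(token: str, token_id: int) -> dict:
    return {"itemType": 2, "token": token, "identifierOrCriteria": token_id,
            "startAmount": 1, "endAmount": 1}

def payment(amount_wei: int, recipient: str) -> dict:
    return {"itemType": 0, "token": ETH, "identifierOrCriteria": 0,
            "startAmount": amount_wei, "endAmount": amount_wei, "recipient": recipient}

# Constructed order shaped like the bundle the article describes: 25 Squiggles and one
# Autoglyph offered, with a token amount of ETH going to the attacker, nothing to the signer.
MALICIOUS_ORDER = {"offerer": VICTIM,
                   "offer": [nft(SQUIGGLES, i) for i in range(1, 26)] + [nft(AUTOGLYPHS, 7)],
                   "consideration": [payment(1, ATTACKER)]}
# Constructed ordinary listing: one NFT in exchange for 10 ETH paid to the seller.
LEGIT_LISTING = {"offerer": VICTIM, "offer": [nft(SQUIGGLES, 1)],
                 "consideration": [payment(10 * WEI, VICTIM)]}

if __name__ == "__main__":
    for name, order in (("malicious", MALICIOUS_ORDER), ("legit", LEGIT_LISTING)):
        print(name, audit_seaport_order(order, VICTIM) or ["no warnings"])
```

Heuristics like these catch the shape of the order described above, but a blanket setApprovalForAll grant to the marketplace remains the root enabler; the siloed selling wallet foobar recommends limits what any one signature can reach.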
Stolen Assets On The Move
Foobar also revealed that the stolen assets were valued well above their floor price, which means that the loss could be considerably greater. On-chain crypto analyst ZachXBT tracked the stolen assets, revealing that the exploiter sent the assets to FixedFloat, an exchange on the Bitcoin Lightning Network. The funds were then swapped into BTC and deposited into a Bitcoin mixer.
“Three hours ago, Kevin was phished for $1.4m+ worth of NFTs. Earlier today, the same scammer stole 75 ETH from another victim. Mapping this out, we can see a clear trend of sending the stolen funds to FixedFloat and swapping for BTC before depositing to a bitcoin mixer.”
Bankless Founder Ryan Sean Adams pointed out the ease with which Rose was exploited and urged front-end engineers to improve user experience.
Disclaimer: This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.