Kevin Rose, the CEO and founder of Proof, fell victim to an apparent phishing attack, with his hacked wallet estimated to have held rare NFTs worth millions.
After the theft, Rose worked with OpenSea to ensure the stolen NFTs can’t be sold on its marketplace, but they can still be sold on another platform.
His wallet is said to have lost 40 NFTs on Wednesday, with data on NFT marketplace OpenSea showing the assets were transferred to the attacker’s wallet.
Rose confirmed the hack in a late Thursday tweet, saying he would share details soon as a cautionary heads-up. He may have lost assets upwards of $1.4 million including NFTs from collections like Autoglyph, QQL Pass, Cool Cats, Damien Hirst’s The Currency, Admit One and OnChainMonkey, according to nft now.
In a Twitter thread, Proof’s VP of Engineering Arran Schlosberg broke down what exactly went down. He said Rose was tricked into signing a malicious signature that allowed the hacker to gain access to high-value tokens.
Schlosberg didn’t mention what Rose thought he was signing, but the single misstep appears to have given the hacker his wallet credentials.
“This was a classic piece of social engineering, tricking KRO into a false sense of security. The technical aspect of the hack was limited to crafting signatures accepted by OpenSea’s marketplace contract,” Schlosberg wrote.
He added that Proof’s assets, which mostly need multiple approvals for access, were not impacted.
OpenSea didn’t return Blockworks’ request for comment by press time.
The NFT phishing problem
Blockchain sleuth ZachXBT claimed that the same hacker who took control of Rose’s NFTs stole 75 ETH ($121,000) from another victim on the same day. The hacker then allegedly used crypto exchange FixedFloat to convert the stolen funds to bitcoin, before transferring them to a bitcoin mixing service to conceal the origin of funds.
Another crypto enthusiast who goes by the name ‘foobar’ on Twitter suggested how such a hack could have been prevented. They recommended a technique known as “wallet siloing,” which involves segregating different wallets for different purposes, and keeping valuable NFTs away from any active hot wallets. This would block the assets from being listed on NFT marketplaces without separate selling approval — a loss of convenience, but a defense against the sort of trap Rose fell into.
Use of a browser extension such as Fire, that translates opaque smart contract code into recognizable actions, would also have tipped off Rose that something smelled fishy before it was too late.
This story was updated on Jan. 26, 2023, at 5:25 a.m. ET with additional detail.
Get the day’s top crypto news and insights delivered to your email every evening. Subscribe to Blockworks’ free newsletter now.
Want alpha sent directly to your inbox? Get degen trade ideas, governance updates, token performance, can’t-miss tweets and more from Blockworks Research’s Daily Debrief.
Can’t wait? Get our news the fastest way possible. Join us on Telegram and follow us on Google News.