Kevin Rose, the co-founder of the Moonbirds non-fungible token (NFT) collection, fell victim to a phishing scam that resulted in the theft of over $1.1 million worth of his personal NFTs.
The NFT creator and PROOF co-founder shared the news with his 1.6 million Twitter followers on Jan. 25, asking them not to buy any Squiggles until they could be flagged as stolen.
I was just hacked, stay tuned for details - please avoid buying any squiggles until we get them flagged (just lost 25) + a few other NFTs (an autoglyph) ...
— Kevin Rose (@kevinrose) January 25, 2023
“I appreciate your kind words of support. Full debrief coming,” he then shared in a separate tweet about two hours later.
To be clear, Rose's NFT holdings were depleted as a result of a malicious signature that transferred a significant portion of his NFT assets to the exploiter.
GM – what an exciting day!
Today I got a phishing scam. Tomorrow, we will cover all the details live, such as a warning queue, in the Twitter spaces. Here is how it went down, technically: https://t.co/DgBKF8qVBK
— Kevin Rose (@kevinrose) January 25, 2023
An independent analysis from Arkham found that the exploiter extracted at least one Autoglyph (345 ETH), 25 Art Blocks NFTs, also known as Chromie Squiggles (332.5 ETH), and nine OnChainMonkey items (7.2 ETH).
A total of 684.7 ETH ($1.1M) was extracted.
What happened to Kevin Rose
While several independent on-chain analyses have been shared, Vice President of PROOF — the company behind Moonbirds — Arran Schlosberg explained to his 9,500 Twitter followers that Rose “was phished into signing a malicious signature” which allowed the exploiter to transfer over a large number of tokens:
1/ it was a classic of social engineering, trapping kro in a false feeling of safety. The technical aspect of the hack was limited to crafting signatures accepted by OpenSea's marketplace contract.
— Arran (@divergencearran) January 25, 2023
Crypto analyst "foobar" went into more detail on the "technical aspect of the hack" in a separate post on Jan. 25, explaining that Rose had approved the OpenSea marketplace contract to move all of his NFTs whenever Rose signed transactions.
He added that Rose was always “one malicious signature” away from an exploit:
be super careful when signing anything, even offchain signatures. Kevin Rose has just had approximately $2 million in NFT drained from his safe by signing a malicious port package. thankfully a couple things held back, like the punk zombie (1000 ETH) which can't be traded on OS pic.twitter.com/GXHR3NQHLf
— foobar (@0xfoobar) January 25, 2023
The crypto analyst stated that Rose should have "siloed" his NFT assets into a separate wallet:
"Moving assets from your safe to a separate "sale" portfolio before registering on NFT marketplaces will avoid that."
Another on-chain analyst, “Quit,” further explained to his 71,400 Twitter followers that the malicious signature was enabled by the Seaport marketplace contract, the platform that powers OpenSea:
Kevin Rose just lost $2m+ in assets by signing an off-chain signature that created a listing for all of his OpenSea approved assets in one go.
Although Seaport is a powerful tool, it can also be dangerous if you are not familiar with its operation.
A bit of context 1/
— quit (@0xQuit) January 25, 2023
Quit explained that the exploiter was able to set up a phishing site that could view the NFT assets held in Rose’s wallet.
The exploiter then set up an order under which all of Rose’s assets that were approved on OpenSea would be transferred to the exploiter.
Rose then signed the malicious transaction, Quit noted.
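The check below is an added example, not code from the article, OpenSea or any wallet: it reviews a Seaport-style EIP-712 signing request and flags the pattern Quit describes, where one signature offers many NFTs and pays the signer almost nothing. Field names follow Seaport's `OrderComponents` typed data; the thresholds, helper names and placeholder addresses are assumptions.

```javascript
// Added example (not from the article): flag risky Seaport-style signing requests.
// Field names follow Seaport's EIP-712 OrderComponents; thresholds are assumed policy.
const NFT_TYPES = new Set([2, 3, 4, 5]); // ERC721, ERC1155 and their criteria variants

function reviewSeaportRequest(typedData, signer, opts = {}) {
  const maxNfts = opts.maxNfts ?? 1;                     // assumed: one NFT per listing
  const minWeiPerNft = opts.minWeiPerNft ?? 10n ** 16n;  // assumed floor: 0.01 ETH
  const warnings = [];
  if (typedData.primaryType !== "OrderComponents" || typedData.domain?.name !== "Seaport") {
    return warnings; // not a Seaport order, out of scope here
  }
  const msg = typedData.message;
  const me = signer.toLowerCase();
  if (msg.offerer.toLowerCase() !== me) warnings.push("offerer is not the connected account");
  const nfts = msg.offer.filter((i) => NFT_TYPES.has(Number(i.itemType)));
  if (nfts.length > maxNfts) warnings.push(`${nfts.length} NFTs offered in one signature`);
  // Payment that reaches the signer: native or ERC-20 items only (18 decimals assumed).
  const paid = msg.consideration
    .filter((c) => Number(c.itemType) <= 1 && c.recipient.toLowerCase() === me)
    .reduce((sum, c) => sum + BigInt(c.endAmount), 0n);
  if (nfts.length > 0 && paid < minWeiPerNft * BigInt(nfts.length)) {
    warnings.push(`signer is paid ${paid} wei for ${nfts.length} NFTs`);
  }
  return warnings;
}

// Constructed sample data: placeholder addresses, not real accounts or contracts.
const OWNER = "0x" + "11".repeat(20);
const OTHER = "0x" + "22".repeat(20);
const COLLECTION = "0x" + "33".repeat(20);
const nft = (id) => ({ itemType: 2, token: COLLECTION, identifierOrCriteria: id, startAmount: "1", endAmount: "1" });
const pay = (wei, to) => ({ itemType: 0, token: "0x" + "00".repeat(20), identifierOrCriteria: "0", startAmount: wei, endAmount: wei, recipient: to });
const order = (offer, consideration) => ({
  primaryType: "OrderComponents",
  domain: { name: "Seaport" },
  message: { offerer: OWNER, offer, consideration },
});

const bulkRequest = order([nft("1"), nft("2"), nft("3")], [pay("1", OTHER)]);
const normalListing = order([nft("1")], [pay("1000000000000000000", OWNER)]);

console.log(reviewSeaportRequest(bulkRequest, OWNER));   // two warnings
console.log(reviewSeaportRequest(normalListing, OWNER)); // no warnings
```

A wallet or browser extension could run a check like this on `eth_signTypedData_v4` payloads before showing the confirmation prompt.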
Meanwhile, foobar noted that most of the stolen assets were well above the floor price, which means that the amount stolen could be as high as $2 million.
Quit urged OpenSea users that they "need to flee" from any other website that prompts them to sign something that seems suspicious.
NFTs on the move
On-chain analyst “ZachXBT” shared a transaction map to his 350,300 Twitter followers, which shows that the exploiter sent the assets to FixedFloat — a cryptocurrency exchange on the Bitcoin layer-2 “Lightning Network.”
The exploiter then converted the funds into Bitcoin (BTC) and deposited the BTC into a Bitcoin mixer:
Three hours ago, Kevin got set up for $1.4 million in TNT. Earlier today, the same con artist robbed another victim of 75 eth.
Cartography of this, we can see a clear trend of sending stolen funds to FixedFloat and trading for BTC before depositing to a Bitcoin blender. https://t.co/2yrFpfYttT pic.twitter.com/ZlywPYydwx
— ZachXBT (@zachxbt) January 25, 2023
Crypto Twitter member "Degentraland" told their 67,000 Twitter followers that this was the "saddest thing" they had seen in the cryptocurrency space so far, adding that if anyone can come back from such a devastating exploit, "it's him":
The saddest thing I've ever witnessed in crypto. @kevinrose wallet drained.
He's the one who can come back. pic.twitter.com/HZysg34qji
— Degentraland (@Degentraland) January 25, 2023
Meanwhile, the founder of Bankless, Ryan Sean Adams, was furious at the ease with which Rose could be exploited. In a Jan. 25 tweet, Adams urged front-end engineers to pick up their game and improve user experience (UX) to prevent such scams from taking place.