Kevin Rose, the co-founder of the nonfungible token (NFT) collection Moonbirds, has fallen victim to a phishing scam leading to more than $1.1 million worth of his personal NFTs stolen.
The NFT creator and PROOF co-founder shared the news with his 1.6 million Twitter followers on Jan. 25, asking them to avoid buying any Squiggles NFTs until his team managed to get them flagged as stolen.
I was just hacked, stay tuned for details - please avoid buying any squiggles until we get them flagged (just lost 25) + a few other NFTs (an autoglyph) ...— KΞVIN R◎SE (,) (@kevinrose) January 25, 2023
“Thank you for all the kind, supportive words. Full debrief coming,” he then shared in a separate tweet about two hours later.
It is understood that Rose’s NFTs were drained after he approveda malicious signature that transferred a significant proportion of his NFT assets to the exploiter.
GM – what a day!— KΞVIN R◎SE (,) (@kevinrose) January 25, 2023
Today I was phished. Tomorrow we'll cover all the details live, as a cautionary tail, on twitter spaces. Here is how it went down, technically: https://t.co/DgBKF8qVBK
An independent analysis from Arkham found that the exploiter extracted at least one Autoglyph, which has a floor price of 345 ETH; 25 Art Blocks — also known as Chromie Squiggles — worth at least a total of 332.5 ETH; and nine OnChainMonkey items, worth at least 7.2 Ether.
In total, at least 684.7 ETH ($1.1 million) was extracted.
How Kevin Rose got exploited
While several independent on-chain analyses have been shared, Arran Schlosberg, the vice president of PROOF — the company behind Moonbirds — explained to his 9,500 Twitter followers that Rose “was phished into signing a malicious signature” that allowed the exploiter to transfer over a large number of tokens:
1/ This was a classic piece of social engineering, tricking KRO into a false sense of security. The technical aspect of the hack was limited to crafting signatures accepted by OpenSea's marketplace contract.— Arran (@divergencearran) January 25, 2023
Crypto analyst “foobar” further elaborated on the “technical aspect of the hack” in a separate post on Jan. 25, explaining that Rose approved a OpenSea marketplace contract to move all of his NFTs whenever Rose signed transactions.
He added that Rose was always “one malicious signature” away from an exploit:
be super careful when signing anything, even offchain signatures. kevin rose just had ~$2 million worth of NFTs drained from his vault from signing one malicious seaport bundle. thankfully a couple things held back, like the punk zombie (1000 ETH) which can't be traded on OS pic.twitter.com/GXHR3NQHLf— foobar (@0xfoobar) January 25, 2023
The crypto analyst said Rose should have instead been “siloing” his NFT assets in a separate wallet:
“Moving assets from your vault to a separate ‘selling’ wallet before listing on NFT marketplaces will prevent this.”
Another on-chain analyst, “Quit,” told his 71,400 Twitter followers that the malicious signature was enabled by the Seaport marketplace contract — the platform which powers OpenSea:
Kevin Rose was just lost $2m+ in assets by signing an off-chain signature that created a listing for all of his OpenSea approved assets in one go.— quit (@0xQuit) January 25, 2023
While seaport is a powerful tool, it can also be dangerous if you're not aware of how it works.
A bit of context 1/
Quit explained that the exploiters were able to set up a phishing site that was able to view the NFT assets held in Rose’s wallet.
The exploiter then set up an order to transfer to themself all of Rose’s assets that are approved on OpenSea.
Rose then validated the malicious transaction, noted Quit.
Meanwhile, foobar noted that most of the stolen assets were well above the floor price, which means that the amount stolen could be as high as $2 million.
Quit urged that OpenSea users “need to run away” from any other website that prompts users to sign something that looks suspicious.
NFTs on the move
On-chain analyst ZachXBT shared a transaction map to his 350,300 Twitter followers showing that the exploiter sent the assets to FixedFloat — a cryptocurrency exchange on the Bitcoin layer 2 Lightning Network.
The exploiter then swapped the funds into Bitcoin (BTC) and deposited the BTC into a Bitcoin mixer:
Three hours ago Kevin was phished for $1.4m+ worth of NFTs. Earlier today the same scammer stole 75 ETH from another victim.— ZachXBT (@zachxbt) January 25, 2023
Mapping this out we can see a clear trend of sending the stolen funds to FixedFloat and swapping for BTC before depositing to a bitcoin mixer. https://t.co/2yrFpfYttT pic.twitter.com/ZlywPYydwx
Crypto Twitter member Degentraland told their 67,000 Twitter followers that it was the “saddest thing” they have seen in cryptocurrency space to date, adding that if anyone can come back from such a devastating exploit, “it’s him”:
Meanwhile, Bankless founder Ryan Sean Adams was enraged with the ease at which Rose was able to be exploited. In a Jan. 25 tweet, Adams urged front-end engineers to pick up their game and improve user experience (UX) to prevent such scams from taking place.