- Moonbirds creator Kevin Rose revealed yesterday how he had lost over $1 million in a phishing attack
- A combination of social engineering and technical savvy was behind the theft
- The scam is similar in nature to one that happened last month with a Bored Ape Yacht Club collection
Moonbirds creator Kevin Rose revealed yesterday how he had lost over $1 million in a phishing attack that used the Seaport function on Opensea to mass-sell 35 stolen NFTs. Many of his NFTs were protected from the theft, but the attack reinforces the fact that even seasoned professionals can come a cropper with just one slip. Rose’s loss comes on the back of losses by other high-profile members of the NFT world, including RTFKT COO Nikhil Gopalani, and is a reminder that functions such as Seaport have a downside.
Powerful Tools Need Care
Seaport launched last year and was implemented into Opensea in May as a way of “safely and efficiently buying and selling NFTs.” Seaport allows buyers and sellers to group NFTs together in a collection and conduct the transaction in one go rather than requiring one transaction for each.
While acting as a money-saving tool, it’s also a great way for hackers to sell stolen NFTs en masse, as Rose found out. The Moonbirds creator tweeted yesterday to report his loss, linking to someone else’s post explaining how it was carried out:
GM 🌅 – what a day!
Today I was phished. Tomorrow we’ll cover all the details live, as a cautionary tail, on twitter spaces. Here is how it went down, technically: https://t.co/DgBKF8qVBK— KΞVIN R◎SE (🪹,🦉) (@kevinrose) January 25, 2023
“Classic Piece of Social Engineering”
The hack was described as a “classic piece of social engineering” which tricked Rose into a “false sense of security” over the safety of his assets. Rose had agreed on Opensea that his assets could be sold in one block through Seaport, which required signing a single off-chain signature to create a listing for all of his OpenSea-approved assets in one go.
The scammers set up a website that scanned Rose’s wallets and generated a fake sell order, which he was tricked into signing with nothing more than a click of the mouse on the wrong site. The signature sent all the gathered NFTs to the scammers’ wallet, after which they were sold.
The situation is similar in nature to the attack last December which saw 14 Bored Ape Yacht Club NFTs stolen. In this incident too, the scam website displayed a Seaport signature, which the scammers convinced the holder to sign through social engineering and clever disguise. However, the signature actually created a private bundle listing of all of the victim’s BAYCs to the scammer for 0.00000001 ETH.
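As an added example (not code from the article, OpenSea or Seaport), here is a client-side review a wallet could run on a listing before the user signs it. The field names are modelled on Seaport’s EIP-712 order structure (offerer, offer, consideration, itemType, startAmount, recipient) as an assumption, and the thresholds and sample orders are constructed for the example. It flags the three patterns described above: one signature covering many NFTs, near-zero proceeds back to the signer, and a private listing that routes the NFTs to a single fixed address.

```javascript
// Added example, not OpenSea/Seaport code. Field names assume Seaport's
// OrderComponents layout; item type numbers follow Seaport's ItemType enum.
const ItemType = { NATIVE: 0, ERC20: 1, ERC721: 2, ERC1155: 3 };
const WEI_PER_ETH = 10n ** 18n;
const ZERO = "0x0000000000000000000000000000000000000000";
const sameAddr = (a, b) => a.toLowerCase() === b.toLowerCase();
const isNft = (i) => i.itemType === ItemType.ERC721 || i.itemType === ItemType.ERC1155;
const isFungible = (i) => i.itemType === ItemType.NATIVE || i.itemType === ItemType.ERC20;

// Wei (native or ERC20 units) that the order actually pays back to the offerer.
function proceedsToOfferer(order) {
  return order.consideration
    .filter((c) => isFungible(c) && sameAddr(c.recipient, order.offerer))
    .reduce((sum, c) => sum + BigInt(c.startAmount), 0n);
}

// Returns human-readable warnings; an empty array means nothing stood out.
// maxItems / minWeiPerNft are constructed thresholds, not Seaport defaults.
function reviewListing(order, wallet, { maxItems = 5, minWeiPerNft = WEI_PER_ETH / 100n } = {}) {
  const flags = [];
  if (!sameAddr(order.offerer, wallet)) flags.push("offerer is not the connected wallet");
  const nfts = order.offer.filter(isNft);
  if (nfts.length > maxItems) flags.push(`lists ${nfts.length} NFTs under one signature`);
  const proceeds = proceedsToOfferer(order);
  if (nfts.length > 0 && proceeds < BigInt(nfts.length) * minWeiPerNft)
    flags.push(`you would receive only ${proceeds} wei for ${nfts.length} NFTs`);
  // Assumption: an NFT listed as consideration for someone other than the
  // offerer is the private-listing pattern (the NFTs can only go to that taker).
  const takers = new Set(order.consideration
    .filter((c) => isNft(c) && !sameAddr(c.recipient, order.offerer))
    .map((c) => c.recipient.toLowerCase()));
  if (takers.size > 0) flags.push(`private listing: NFTs routed to ${[...takers].join(", ")}`);
  return flags;
}

// Constructed sample addresses and orders. The suspicious order mirrors the
// BAYC pattern: six NFTs bundled for 0.00000001 ETH (1e10 wei), all to one taker.
const VICTIM = "0x1111111111111111111111111111111111111111";
const TAKER = "0x2222222222222222222222222222222222222222";
const TOKEN = "0x3333333333333333333333333333333333333333";
const nftItem = (id) => ({ itemType: ItemType.ERC721, token: TOKEN, identifierOrCriteria: String(id), startAmount: "1", endAmount: "1" });
const ethItem = (wei, recipient) => ({ itemType: ItemType.NATIVE, token: ZERO, identifierOrCriteria: "0", startAmount: wei, endAmount: wei, recipient });
const suspiciousOrder = {
  offerer: VICTIM,
  offer: [1, 2, 3, 4, 5, 6].map(nftItem),
  consideration: [ethItem("10000000000", VICTIM), ...[1, 2, 3, 4, 5, 6].map((id) => ({ ...nftItem(id), recipient: TAKER }))],
};
const benignOrder = { offerer: VICTIM, offer: [nftItem(7)], consideration: [ethItem(String(WEI_PER_ETH), VICTIM)] };
console.log(reviewListing(suspiciousOrder, VICTIM)); // three warnings
console.log(reviewListing(benignOrder, VICTIM)); // []
```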
Rose’s theft is a reminder that even those with masses of experience in the space can get caught out. Just three weeks ago, Nikhil Gopalani, the Chief Operating Officer (COO) of the Nike-acquired RTFKT, lost over $173,000 worth of NFTs in a phishing attack.