Kevin Rose, the co-founder of non-fungible token (NFT) collection Moonbirds, was the victim of a phishing scam that stole over $1.1 million of his personal NFTs.
The NFT creator and co-founder of PROOF shared the news with his 1.6 million Twitter followers on January 25 asking them to avoid buying NFT Squiggles until they manage to get them. report as stolen.
Just got hacked, stay tuned for more details – please avoid buying doodles until we get them reported (I just lost 25) + a few more NFTs (an autoglyph) …
— KΞVIN R◎SE (,) (@kevinrose) January 25, 2023
“Thank you for all the kind words and support. Full debriefing to come,” he went on to say. share in a separate tweet about two hours later.
It is understood that Rose’s NFTs were drained after she signed a malicious signature that transferred a significant portion of her NFT assets to the exploiter.
GM – what a day!
Today I was hooked. Tomorrow, we’ll be covering all the details live, as a caveat, on Twitter spaces. Here’s how it happened, technically: https://t.co/DgBKF8qVBK
— KΞVIN R◎SE (,) (@kevinrose) January 25, 2023
an independent analysis from Arkham discovered that the miner had mined at least one autoglyph (345 ETH), 25 art blocks – also known as Chromie Squiggle – (332.5 ETH) and nine OnChainMonkey items (7.2 ETH ).
In total, at least 684.7 ETH ($1.1 million) has been mined.
How Kevin Rose was exploited
While several on-chain independent analyzes have been shared, the vice president of PROOF – the company behind Moonbirds – Arran Schlosberg explained to his 9,500 Twitter followers that Rose “was phished to sign a malicious signature” which allowed the ‘exploiter to transfer over a large number of tokens:
1/ This was classic social engineering, tricking KRO into a false sense of security. The technical aspect of the hack was limited to the creation of signatures accepted by OpenSea’s market contract.
— Arran (@divergencearran) January 25, 2023
Crypto analyst “foobar” elaborated on the “technical side of the hack” in more detail in a separate post on Jan. 25, explaining that Rose approved an OpenSea market contract to move all of his NFTs whenever Rose signed trades. .
He added that Rose was still “a malicious signature away” from an exploit:
be very careful when signing anything, even off-chain signatures. kevin rose just removed around $2 million worth of NFTs from his vault after signing a malicious seaport package. fortunately, a few items were held back, such as the punk zombie (1000 ETH) which cannot be traded on OS pic.twitter.com/GXHR3NQHLf
– foobar (@0xfoobar) January 25, 2023
The crypto analyst said that Rose should have “segregated” her NFT assets in a separate wallet instead:
“Moving assets from your vault to a separate ‘sell’ wallet before listing them on NFT Markets will prevent this.”
Another analyst from the chain, “Quit”, told his 71,400 Twitter followers that a malicious signature was activated by the Seaport market contract – the platform that powers OpenSea:
Kevin Rose just lost over $2 million in assets by signing an off-chain signature that created a listing for all of his OpenSea-approved assets in one go.
Although the Seaport is a powerful tool, it can also be dangerous if you don’t know how it works.
A bit of context 1/
– quit (@0xQuit) January 25, 2023
Quit explained that the exploiters were able to set up a phishing site capable of viewing NFT assets held in Rose’s wallet.
The operator then put in place an order for all of Rose’s assets that are approved on OpenSea and then transferred to the operator.
Rose then validated the malicious transaction, noted Quit.
Related: Bluechip NFT Moonbirds Project Signs With Hollywood Talent Agents UTA
Meanwhile, foobar noted that most of the stolen assets were well above the price floor, meaning the amount stolen could be as high as $2 million.
Quit insisted that OpenSea users “must steer clear” of any other website that prompts users to sign something that looks suspicious.
NFTs in motion
On-chain analyst ‘ZachXBT’ has shared a map of the transactions with his 350,300 Twitter followers, which shows that the exploiter sent the assets to FixedFloat – a cryptocurrency exchange on the layer’s ‘Lightning Network’ 2 of Bitcoin.
The exploiter then transferred the funds into Bitcoin (BTC) and before depositing the BTC into a Bitcoin mixer:
Three hours ago, Kevin was phished for over $1.4 million from NFTs. Earlier today, the same scammer stole 75 ETH from another victim.
Mapping this, we can see a clear pattern of sending the stolen funds to FixedFloat and exchanging them for BTC before depositing them into a bitcoin mixer. pic.twitter.com/ZlywPYydwx
— ZachXBT (@zachxbt) January 25, 2023
Crypto Twitter member “Degentraland” told his 67,000 Twitter followers that it was the “sadest thing” they had seen in the cryptocurrency space to date, adding that if anyone one can come back from such a devastating feat, “it’s him”:
The saddest thing I’ve seen in crypto so far.@kevinrose empty wallet.
If anyone can get over it, it’s him. pic.twitter.com/HZysg34qji
— Degentraland (@Degentraland) January 25, 2023
Meanwhile, Bankless founder Ryan Sean Adams was furious at how easily Rose could be exploited. In January 25 Tweeter, Adams urged front-end engineers to get back to their game and improve user experience (UX) to prevent such scams from happening.