Scam Likely: Web3 Cyber Security

Hidden Society
5 min read · Mar 25, 2022

By Teddy MacDonald

News has broken that March 22nd, 2022, was a big day for Web3 scam artists. Over four million dollars of crypto assets were seized by illicit means over the course of one day. You would think that would mean a major network was breached altogether, but you’d be wrong: it only took 3 mistaken clicks.

The question is, what happened?

Case 1) Animating Your Apes

A prominent holder in the BAYC community, @BlackAppleArt, gave wallet permissions to a website claiming to offer free animations to their static Apes. The Apes were worth an estimated $900,000 at the time of writing, and our sympathies go out to the victim of the malicious website.

After linking their wallet to the website, their entire portfolio was compromised. What they thought was a simple access permission granted to their Apes to have them animated turned out to be a full-blown breach, allowing the hackers to transfer the NFTs to a different wallet. After the NFTs were listed below floor price to make a quick sale, the funds were distributed through Tornado, a tool that renders Ethereum untraceable.

In cases like these, we would encourage you all to never connect your wallet to a questionable, anonymous website. Unless the link is affiliated or endorsed officially by the collection itself, it’s best to avoid these services. Similar to Discord direct messages (which we suggest you turn off for your own safety and peace of mind) these links are made with one purpose in mind: to drain your wallet and transfer your digital assets.
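One way to check what a site is really asking for before signing, as an added example that is not from the original article: a small decoder that inspects the calldata of a pending transaction and flags collection-wide approvals. It assumes the site requests the standard ERC-721 `setApprovalForAll` or `approve` call, which the article does not confirm; the function names, sample calldata and address are constructed for illustration.

```javascript
// Added example: classify the calldata a site asks the wallet to sign.
// Selectors are the first 4 bytes of keccak256 of the standard token signatures.
const SELECTORS = {
  "a22cb465": "setApprovalForAll(address,bool)",
  "095ea7b3": "approve(address,uint256)",
};

// Split ABI-encoded arguments into 32-byte (64 hex character) words.
function words(hex) {
  const out = [];
  for (let i = 0; i + 64 <= hex.length; i += 64) out.push(hex.slice(i, i + 64));
  return out;
}

function reviewCalldata(data) {
  const hex = data.toLowerCase().replace(/^0x/, "");
  if (!/^[0-9a-f]*$/.test(hex) || hex.length < 8) {
    return { risk: "unknown", reason: "not valid calldata" };
  }
  const sig = SELECTORS[hex.slice(0, 8)];
  const args = words(hex.slice(8));
  if (!sig) return { risk: "unknown", reason: "unrecognised function; do not sign blind" };
  if (args.length < 2) return { risk: "unknown", reason: "truncated arguments" };
  const spender = "0x" + args[0].slice(24); // an address is the low 20 bytes of the word
  if (sig.startsWith("setApprovalForAll")) {
    const granted = BigInt("0x" + args[1]) !== 0n;
    return granted
      ? { risk: "high", spender, reason: "operator may move every token of this collection" }
      : { risk: "low", spender, reason: "revokes a collection-wide approval" };
  }
  // approve(): for ERC-721 the second word is one token id, for ERC-20 an amount.
  const value = BigInt("0x" + args[1]);
  const unlimited = value === (1n << 256n) - 1n;
  return {
    risk: unlimited ? "high" : "medium",
    spender,
    reason: unlimited ? "unlimited ERC-20 allowance" : "approval for one token id or a fixed amount",
  };
}

// Constructed sample: setApprovalForAll(0x1111...1111, true)
const SAMPLE = "0xa22cb465" +
  "0".repeat(24) + "11".repeat(20) +
  "0".repeat(63) + "1";
console.log(reviewCalldata(SAMPLE));
```

A "high" result on a site that only promised to animate an image is the mismatch to look for: the request covers the whole collection, not a single token.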

Case 2) Founder of DeFiance

Arthur Cheong, a founding member of DeFiance Capital (a crypto-asset fund which focuses on investment opportunities in decentralized finance), has fallen victim to an elaborate phishing email. With a total value estimated at $1.7 million, Cheong’s loss is staggering.

The email in question is specifically known as a spear-phishing attempt. What this means is that the scammer sent a targeted and educated email, posing as a company in DeFiance Capital’s portfolio. The intent here is to instill trust in the target by appearing to come from a legitimate source.

Upon opening the email attachment, the hacker was able to steal Cheong’s seed phrase for his hot wallet, which granted full access to whatever was stored on it. In total, five CloneX, 17 Azuki, two Tsubasa, two Hedgies, and 33 Second Self NFTs were transferred out of his wallet and listed on various platforms.

Most concerning of all here is that a 5-year crypto veteran with extensive knowledge, security protocols, and funding was still able to be taken advantage of. With this in mind, we urge all of our readers to never assume this couldn’t happen to them. Anyone can be targeted and victimized. If you are at all interested in crypto, Web3, NFTs, or DeFi, please stay vigilant and protect yourself with a hard wallet.

Considering the level of research the hackers dedicated to this scam, always do your due diligence and double check any email or message coming your way. Furthermore, although this may seem a little over the top, having a computer dedicated exclusively to NFT collecting and crypto trading can help mitigate your risk of being compromised. If you have a portfolio of even a few thousand dollars, it is well worth the investment to buy an affordable laptop with good virus detection software and to introduce a cold wallet to your security measures.

In an ominous tweet to the scammers, believed to be the infamous Lazarus Group, Cheong has one thing to say, “you [messed] with the wrong person.” For the sake of his own investments and the safety of Web3 at large, we sincerely hope he is right and encourage anyone with information to come forward. We are sympathetic to Cheong’s situation, and we hope for swift justice.

Case 3) The Entire Mekaverse

What was meant to be a day of celebration, the big reveal for their latest collection, turned into a nightmare for the whole Mekaverse community. Unlike the previous scams mentioned, this one operates in broad daylight on a much larger scale: entire servers. With over 150 thousand members in their Discord, the security breach compromised potentially thousands of wallets.

The circumstances of these attacks are simple, but sadly, difficult for individual community members to avoid. What usually happens is a moderator is tricked into screen sharing their Discord dash, granting hackers access. Once done, the scam artists will revoke permissions for anyone but themselves, and then send out a malicious minting link. They will often advertise it as a secret, spur of the moment mint that offers an extension of the original collection. Once FOMO sets in, people attempt to connect their wallet to mint, and see their entire wallets drained.

Posing as a team member (who is no longer employed there) named Julien, the scammers bombarded the server with pings for a limited run of 100 golden Mekabots. People like Adam Litvack who tried to snag a goldie ended up paying a hefty price, losing highly valued NFTs like his Gutter Pigeon.

While it is difficult to evaluate the scale of the theft due to the wallet no longer being available on OpenSea, it was briefly available to view on the day of the attack. There were hundreds, if not thousands, of NFTs stolen and sold. A familiar name was proudly written in their bio as well, claiming to be part of the very same group that scammed Arthur Cheong: the Lazarus Group.

Mekaverse was not exactly quick to react, considering the scam took place at the worst possible time: while the founders were asleep due to time zone differences. Two days after the security breach, the team held a short and unimpressive Twitter Spaces. From what was stated, they are reading through all direct messages by those impacted, offering whitelists to them for future collections, and delaying the Mekabot reveal.

As stated before, this is difficult to avoid on the consumer’s end, and should be addressed by the project leaders themselves by practicing better cyber security. With this being said, there are still a few things you can do to protect yourself. First and foremost, any established project is highly unlikely to drop a limited edition run without any heads up, and this should be recognized as the first red flag, especially if it’s being spammed across the server. Secondly, if no moderators are available and their permissions have been revoked, you should hesitate to mint. Finally, one should always mint from a disposable hot wallet on MetaMask, with nothing in it except for the Ethereum to mint. This should go without saying, but if you are holding valuable digital assets, they should be stored on a cold wallet offline without any permissions to any site.

Our heart goes out to the victims of the Mekaverse hack, and we hope they can recover from the loss as quickly as possible. We hope that the team can somehow make this right.

For anyone reading, scams are adapting. They are becoming more complex, intricate, and directed, and they are growing in scale. CoinDesk, a reputable website providing information relating to Web3 and the crypto space at large, has written an article on how to protect yourself.

Stay safe. Stay Hidden.
