As NFT trading volume climbs to record-breaking numbers, so do reports of scams. The latest attack occurred just a few days ago, and the drama unfolded on Twitter. In the end, the bandit got off with almost a million dollars' worth of digital assets, including 16 stolen CryptoPunks and a large amount of ETH.
As of yesterday, the scammer had already unloaded five of the CryptoPunks and transferred another. There are still ten in the hacker’s wallet. Below we will discuss how the scam happened. Then, we’ll look at what the victim could have done differently. Finally, we’ll explain how the NFT community can stay safe from similar phishing attacks.
How the CryptoPunks were stolen
It all started when a user (unknown identity) created a duplicate CryptoPunks bot and made a giveaway post on the Discord server. The post was promoting the 4th anniversary of CryptoPunks. It also offered the chance to win exclusive avatars.
Unfortunately, the campaign was nothing more than a scheme to lure people in and swipe the contents of their digital wallets, newbie or not. The first victim was Stazie, the co-founder of Hedgie, a play-to-earn game.
“Saw this bot in Discord and clicked the link. The site looked like CryptoPunks and had a popup that looked like Metamask,” tweeted Stazie, the victim of the attack. When he clicked on the link to participate, it redirected him to larvalabs .to instead of the official site. This was the first action that led to the stolen CryptoPunks, and the first problem.
When he arrived at the fraudulent site, a pop-up appeared with details about MetaMask, a popular crypto wallet. The pop-up then claimed that “security was compromised” and prompted him to “enter the seed phrase to restore the wallet connection to the site,” Stazie explained in a series of posts.
The problem is that the pop-up was a scam designed to capture a user’s seed phrase. So, when Stazie shared his seed phrase, he accidentally gave the hacker complete access to his assets.
Shortly after he shared his seed phrase, MetaMask (the actual one) displayed a phishing detection warning. At this point, it was too late. The hacker was able to hijack all 16 CryptoPunks from his wallet and a large amount of Ether.
How to protect yourself
“I can only ascribe it to being burnt out, tired and frustrated (personal issues),” Stazie admitted in his Twitter thread. From a technical standpoint, he made a few mistakes, although they were understandable.
First: ALWAYS check the specific details of a domain name before you click it, especially if the purpose is promotional. If Stazie had noticed that he was visiting a .to site rather than .com, he could easily have sensed something wasn’t right.
Second: NEVER EVER EVER share your Seed Phrase under any circumstance!! It’s no different than giving somebody your password. Scammers will say anything to get this information from you. If anybody is trying to ask you for this information, report it immediately.
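The domain check from the first point can be automated, for example by a Discord moderation bot that screens posted links. The sketch below is an added example, not code from Larva Labs, MetaMask or Discord; the allowlist entry larvalabs.com and the function name classify_link are assumptions made for illustration, and all sample links other than larvalabs.to are constructed.

```python
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Assumption: allowlist of official sites (the article only says the real one is a .com).
OFFICIAL_DOMAINS = {"larvalabs.com"}
OFFICIAL_NAMES = {d.split(".")[0] for d in OFFICIAL_DOMAINS}


def classify_link(url):
    """Return (verdict, reason); verdict is 'official', 'lookalike' or 'unrelated'."""
    url = url.strip()
    if not url.startswith(("http://", "https://")):
        url = "https://" + url  # urlsplit only finds the host after a scheme
    # .hostname is lower-cased and drops any "user@" prefix and port, so a
    # link such as https://larvalabs.com@larvalabs.to resolves to larvalabs.to.
    host = (urlsplit(url).hostname or "").rstrip(".")
    labels = host.split(".")
    if len(labels) < 2:
        return ("unrelated", "no domain name in link")
    # Naive registrable domain: the last two labels. A production check
    # would consult the Public Suffix List instead.
    registrable = ".".join(labels[-2:])
    name = labels[-2]
    if registrable in OFFICIAL_DOMAINS:
        return ("official", registrable)
    if name in OFFICIAL_NAMES:
        return ("lookalike", f"official name on a different TLD: {registrable}")
    if any(label in OFFICIAL_NAMES for label in labels[:-2]):
        return ("lookalike", f"official name used as a subdomain of {registrable}")
    for official in OFFICIAL_NAMES:
        # Catches single-character swaps such as an 'i' standing in for an 'l'.
        if SequenceMatcher(None, name, official).ratio() >= 0.85:
            return ("lookalike", f"'{name}' closely resembles '{official}'")
    return ("unrelated", registrable)


if __name__ == "__main__":
    # Constructed sample links, except larvalabs.to, which the article names.
    for link in ("https://www.larvalabs.com/cryptopunks",
                 "https://larvalabs.to/giveaway",
                 "https://larvalabs.com@larvalabs.to/",
                 "larvalabs.com.giveaway.example/claim",
                 "https://larvaiabs.com/",
                 "https://example.org/"):
        print(link, "->", classify_link(link))
```

Any link classified as a lookalike should be held for review rather than shown to users with a clickable preview.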
The suspected thief stated several reasons for his attack in the scammer awareness thread in Larva Labs’ Discord.
During the conversation, the suspect used the nicknames Santa and General Reese. He bragged that they “take money from the rich” and stated that “others own crypto platforms and take from their community issa fucked up world.” He went on to say “he was a good guy” and justified his actions, claiming his con was “better than stealing from the poor, which half our nation does.”
General Reese even elaborated on how he pulled off the heist. He explained that he switched to a new wallet anytime it was reported. Right now, most of the wallets are sitting with the stolen assets still in them. The problem is, there is no way to retrieve what’s in them.
For more information, go to Larva Labs’ Discord and read for yourself.