tw-rl

gm On Saturday, hackers stole $375,000 worth of NFTs and crypto tokens from 2 of my Ethereum wallets How are you today? A thread with more information 👇

BEFORE I START I know how stupid I was. $375K worth of stupid. I put private keys and seed phrases in txt files on my mac's filesystem. That is a bad idea. I didn't use a hardware wallet for high value assets. I know. I know. I KNOW

You can make fun of me if you like. I sort of expect some people to rip on me. It will probably still hurt.

WHAT HAPPENED Hackers found @MetaMask and @TrustWallet ETH private keys on my Mac or iPhone and used them to login to @opensea and sell off everything they could for WETH, then they transferred all the WETH and other tokens to address: 0x35d1be4225f8681a9f394a31403f029d1194fec8

The @metamask NFTs were sold on opensea for $294,000. The @trustwallet coins $WOO $GET $FTM and $OUSD worth $81,000 were sent to the same wallet. You can see the relevant transactions from 9/18/2021 on @etherscan https://etherscan.io/tokentxns?a=0x2Ec848474c85456965A0174F65b95fB5c706AD53 https://etherscan.io/tokentxns?a=0xf7932941b3f98b4d55e0db9dea546f7747a262fc

(I may have made some math errors, feel free to correct me.)

Hackers got my @BoredApeYC @artblocks_io (@ArtOnBlockchain squiggle) @larvalabs meebit @GutterCatGang (cat, rat, species 3 and 4 passes) @punkscomic @MetaHero_ @Pudgy_Penguins @cryptovenetians @coolcatsnft @worldofwomennft @fvckrender @creatureNFT @PopWonderNFT @WickedCraniums

You can see them all at https://opensea.io/ArrDub?identifier=ArrDub&tab=activity Wow compiling this particular list did NOT feel good AT ALL

By the way, when was the @pixelvault_ snapshot for the 'full set'. I wonder if I qualified in time before the hack, and will they send my future airdrops to the hacked account. Hm.

HOW DID THIS HAPPEN I don't know how I got hacked. I thought it was malware, but I ran @Malwarebytes scans on both my Macs and it came up with nothing. I doubt it was a @brave or @firefox problem, unless they were used to inject malware that my scan did not catch.

And I doubt it was just @opensea, since my @trustwallet account was also compromised. I'm a pretty careful guy. I ace my company's phishing challenges emails. I don't follow random links. I don't download software from unknown sources and just hope they are OK.

Heck, I have written several login systems for various websites. I'm wired up to worry.

My gut feeling is the hack was caused by one of 3 things: 1. I was hit by one of those new iOS zero-day attacks where you don't have to even click a link. Just receiving a malicious text roots your device.

This attack has been in the news lately because state actors use it to target devices of interest, and succeed. Once they have root, attackers can extract keys from @TrustWallet and @rainbowdotme. Game over.

2. A connected app to my @Dropbox account abused its rights to scan all my files in all folders until it found ETH public/private keys. Or a rogue current or former employee at Dropbox abused their privileges to do the same.

3. Something else

I definitely had private keys in .txt files in my Dropbox folder. That was dumb. I definitely didn't use a hardware wallet like a trezor, or the ledger which sits in my drawer unused because I find the user interface annoying. I practiced terrible OpSec and paid dearly for it.

THE "GOOD" NEWS I didn't pay nearly $375,000 for these NFTs and tokens. They have appreciated a HUGE amount during this bull run for NFT and crypto. None of the assets cost me more than $10k.

I can afford to lose the money. This is the one thing I have always done right--never risk more than you are willing to lose when you invest in crypto or NFTs.

A big surprise: centralized exchanges really saved my butt on this. I have a good amount of ETH and BTC on centralized exchanges and none of it was stolen. Also, I passed 2,000 followers on twitter in the immediate aftermath. Yay?

THE BAD NEWS The bad guys own my filesystem, and I have decades of important documents there. Some old ssh keys that probably still work, financial documents, etc. This is going to take me months to get under control.

Most likely this is just a smash and grab where they snatch the super liquid stuff and run off. But maybe not.

WHAT NOW I contacted the authorities by filing a complaint with IC3 https://www.ic3.gov/ I bought a @Trezor and will use it for any future NFTs, I will call an accountant to see if I can get any relief on taxes this year. Please reach out to me if you know how this works.

I will lose my mind if I'm taxed on capital gains for the stolen NFTs/coins. LOL

HOW CAN YOU HELP The first thing you should do is go to trezor dot io and buy yourself a trezor and use it for your high-value NFTs. If you do this one thing, please share with me below, or send me a DM or email me baccredited at http://fastmail.com .

It will make me feel better and make me think sharing all this painful stuff was the right move.

A mind boggling number of people have reached out via twitter DMs, likes, or replies to offer their help. The NFT community is incredible. I'm gonna have to do another thread about the specific generous offers they made because it will blow your mind.

If you offered, I promise to get back to you with a request or at least a thank you at some point.

If you've been hacked and lost NFTs, please send me a twitter private message or email to baccredited at http://fastmail.com . I will keep your identity private. I just want to connect.

The wounds are still pretty fresh on this, so I'm a bit lost. I would love to turn this into a positive thing for others somehow. I'm thinking about setting up a DAO or similar to help other people who have lost NFTs through hacking.

Especially folks who are financially devastated by the hack (again, I'm not). I haven't fleshed out these ideas yet, and would need lots of help.

It would be tough, but not impossible, to do this in a way that is secure and legal, and continues without me being involved somewhere down the line. If you have any thoughts on this please share them below, or send a DM or email.