My Wallet was hacked and my NFT Stolen, and hard lessons were learned.

Proud of my recent NFT acquisition and my inaugural foray into “Web3,” I’ve taken to regularly looking at my NFT, Every Icon #412, and regularly looking at the collection for context. I don’t follow art markets, but tracking NFTs on an NFT exchange platform like OpenSea makes it easy, particularly now that I have a vested interest.

Discovery

Upon looking at the collection I saw an NFT I thought resembled mine. Initially confused and assuming it was a close facsimile, I went to look at my collection, and sure enough mine was missing. I could see in the transaction history that my wallet transferred the NFT to a strange account, as well as some cryptocurrency. My heart sank.

I panicked a bit. I checked my other financial accounts and changed as many passwords as I could. When I lose material possessions, I have an instinct to bite the bullet and buy them back immediately. I withheld, knowing that it would be wiser to investigate and seek help first.

After reaching out to OpenSea to report the theft, I tweeted with a hashtag in a futile attempt to try to inspire someone to help.

Brush with Hackers

I actually did get a few replies to my tweets, some people expressing sympathy and a few recommending hackers that could help. I knew there was a risk, and speaking with a hacker would only worsen my predicament, but at that point I felt it couldn’t get any worse. I reached out to two accounts I was directed to, one on Instagram and another on Twitter. They both replied. As expected, one requested payment before helping. An obvious red flag, I knew to cut off communication - I did with both “volunteers.”

This is what one said when I inquired as to what method he’d use.

[Image: hacker’s message]

I didn’t fully understand what he said he was going to do, but I looked up the application he mentioned and discovered it was Russian software used to mask a user’s identity.

Support

One big value of NFTs is that there is no central authority, but that means there’s no one to really police it. I have little faith the platform can do anything about it because, from what I can tell, it’s akin to complaining to eBay about a stolen bicycle. The most I imagine them doing is removing the item from their platform, and blocking the user.

I told my brother-in-law, who has more experience than I with Web3. He gave me some perspective and told me about similar experiences he’s heard of.

The artist that created the work saw my tweet, and I was pleased when he replied. He expressed sympathy and asked me about my experience. 

What Happened

Most of what I read online says that it was likely a phishing attack. I’m fairly cautious with where I input my password. I don’t click on links in emails I don’t recognize, and if I notice anything suspicious on a financial site I trust, I check URLs before filling out forms. Although more common, I think this is unlikely.

There are 3 bad habits I am guilty of which I believe could be the culprit, and for the most part they are the result of sloth and carelessness.

1 - I use simple passwords. I don’t have a good excuse for this. I’ve just been in the habit since high school of using basic passwords so I could remember them. I stick with words which can be brute forced by a program (continuously test likely combinations until one works), but I add some caps, special characters, and numbers to keep them different. 

2 - I keep my passwords on my computer. A while back I knew better and wrote my passwords in a physical book. I was worried I’d lose my book, and while at work I deal with a lot of platforms and vendors. Manually typing each password in I found to be extraordinarily time-consuming.

The program I use allows for encryption. I find it unlikely someone would’ve been able to connect with my personal computer, understand the software I use, and understand the method in which that software encrypts. 

3 - I don’t log out of websites; I just close windows. That leaves website accounts open to nefarious software that remains on your computer. Little bits of markup and scripts like cookies can be placed in a browser, and then run when target websites are detected.

The latter, not logging out, is what I believe to be the most likely scenario. Although I generally stick to mainstream websites, Facebook, Vineyard Gazette, Amazon, etc., I don’t pay attention to what’s placed on my computer. Mainstream sites have good security, but their sheer size and attention make them a primary target.

Conclusion

If I could generalize and sum up my experience I would say it was embarrassing. As a web professional I should know better. I’ve never had an incident so I had a false sense of security. 

It’s also very hard because I had emotionally invested myself in the work. I took pride in it. 

I’ve since made a few changes to my online habits. I now use a different, more secure web browser, and I’ve discontinued my bad practices. For all of my financial accounts, banks, crypto, etc., I use randomly generated strings that include caps, numbers, and special characters. I keep financial passwords written down and in a secure spot in my apartment. I log out of websites when I’m done using them. I created an alarm on my computer to remind myself to change passwords, and clear out cookies and browser history.

 

As of a week since the incident I have not yet received a response from OpenSea. The nefarious account that now has my artwork is still functioning. It now even has more work, likely also stolen.