Proud of my recent NFT acquisition and my inaugural foray into “Web3,” I’ve taken to regularly looking at my NFT, Every Icon #412, and regularly looking at the collection for context. I don’t follow art markets, but tracking NFTs on an NFT exchange platform like OpenSea makes it easy, particularly now that I have a vested interest.
Upon looking at the collection I saw an NFT I thought resembled mine. Initially confused and assuming it was a close facsimile, I went to look at my collection, and sure enough mine was missing. I could see in the transaction history that my wallet had transferred the NFT to a strange account, as well as some cryptocurrency. My heart sank.
I panicked a bit. I checked my other financial accounts and changed as many passwords as I could. When I lose material possessions I have an instinct to bite the bullet and buy them back immediately. I withheld, knowing that it would be wiser to investigate and seek help first.
After reaching out to OpenSea to report the theft I tweeted with a hashtag in a futile attempt to try to inspire someone to help.
Brush with Hackers
I actually did get a few replies to my tweets, some people expressing sympathy and a few recommending hackers that could help. I knew there was a risk, and speaking with a hacker would only worsen my predicament, but at that point I felt it couldn’t get any worse. I reached out to two accounts I was directed to, one on Instagram and another on Twitter. They both replied. As expected, one requested payment before helping. An obvious red flag; I knew to cut off communication, and I did with both “volunteers.”
This is what one said when I inquired as to what method he’d use.
I didn’t fully understand what he said he was going to do, but I looked up the application he mentioned and discovered it was Russian software used to mask a user’s identity.
One big value of NFTs is that there is no central authority, but that means there’s no one to really police it. I have little faith the platform can do anything about it because from what I can tell it’s akin to complaining to eBay about a stolen bicycle. The most I imagine them doing is removing the item from their platform and blocking the user.
I told my brother-in-law who has more experience than I with Web3. He gave me some perspective and told me about similar experiences he’s heard of.
The artist that created the work saw my tweet, and I was pleased when he replied. He expressed sympathy and asked me about my experience.
Most of what I read online says that it was likely a phishing attack. I’m fairly cautious with where I input my password. I don’t click on links in emails I don’t recognize, and if I notice anything suspicious on a financial site I trust, I check URLs before filling out forms. Although more common, I think this is unlikely.
There are 3 bad habits I am guilty of which I believe could be the culprit, and for the most part they are the result of sloth and carelessness.
1 - I use simple passwords. I don’t have a good excuse for this. I’ve just been in the habit since high school of using basic passwords so I could remember them. I stick with words which can be brute forced by a program (continuously test likely combinations until one works), but I add some caps, special characters, and numbers to keep them different.
2 - I keep my passwords on my computer. A while back I knew better and wrote my passwords in a physical book. I was worried I’d lose my book, and while at work I deal with a lot of platforms and vendors. Manually typing each password in I found to be extraordinarily time consuming.
The program I use allows for encryption. I find it unlikely someone would’ve been able to connect with my personal computer, understand the software I use, and understand the method in which that software encrypts.
3 - I don’t log out of websites; I just close windows. That leaves website accounts open to nefarious software that remains on your computer. Little bits of markup and scripts like cookies can be placed in a browser, and then run when target websites are detected.
The latter, not logging out, is what I believe to be the most likely scenario. Although I generally stick to mainstream websites, Facebook, Vineyard Gazette, Amazon, etc., I don’t pay attention to what’s placed on my computer. Mainstream sites have good security, but their sheer size and attention make them a primary target.
If I could generalize and sum up my experience I would say it was embarrassing. As a web professional I should know better. I’ve never had an incident so I had a false sense of security.
It’s also very hard because I had emotionally invested myself in the work. I took pride in it.
I’ve since made a few changes to my online habits. I now use a different, more secure web browser, and I’ve discontinued my bad practices. For all of my financial accounts, banks, crypto, etc., I use randomly generated strings that include caps, numbers, and special characters. I keep financial passwords written down and in a secure spot in my apartment. I log out of websites when I’m done using them. I created an alarm on my computer to remind myself to change passwords and clear out cookies and browser history.
As of a week since the incident I have not yet received a response from OpenSea. The nefarious account that now has my artwork is still functioning. It now even has more work, likely also stolen.