Hack Sunday: NFT Theft Follows a Personal Token Attack

Sead Fadilpašić
Last updated: | 4 min read

After personal tokens (aka social or community tokens) had gotten hit this weekend, a non-fungible token (NFT) hack emerged as well.

Source: Adobe/Oulaphone

A number of personal tokens saw a sudden plunge this past Sunday, following a reported security breach at social money startup Roll, which issues social tokens on the Ethereum (ETH) network – with allegedly nearly ETH 3,000 (USD 5.4m) lost.

WHALE, RARE, Friends With Benefits (FWB), Kerman Kohli (KERMAN), and Alex Masmej (ALEX) are just some of the affected tokens – and all of these had plunged between 48% and 100%.

Per Roll’s report, a security incident occurred on March 14, at around 7:30 UTC, Roll’s hot wallet was hacked, with the attacker completely emptying it and selling all the tokens on Uniswap for ETH. “As of this writing, it seems like a compromise of the private keys of our hot wallet and not a bug in the Roll smart contracts or any token contracts,” they said.

As the investigation continues, with an audit and a forensic analysis announced, Roll said that they have temporarily disabled withdraw from the Roll wallet of all social money until the hot wallet has been migrated. They also announced a USD 500,000 fund “to help the creators and their communities affected by this.”

They provided the attacker contract and the attacker contract creator address, with a balance of nearly USD 2m in ETH. It also shows ETH 1,900 transferred to privacy tool Tornado Cash.

The creator of WHALE, one of the affected social tokens, said that “this represented 2.17% of total supply and it has been fully diluted into the market.” The founder also said that the incident will not have “a material effect” on WHALE’s plans, near- or long-term, and that all tokens meant for community distribution have been secured in cold wallets.

To the hacker the creator said: “You did not steal from large corporations, you stole from hardworking individuals,” but also noting that the team noticed “a large number of long term holding new wallets.”

Igor Igamberdiev, an analyst at The Block, said that the victims actually approved the transfers, and that this ” indicates a possible private key compromise or inside job.”

The community, meanwhile, seems to be taking the incident well:

But the weekend wasn’t over yet. There was a report of an NFT hack as well. Third City Advisory founder Michael J. Miraflor claimed on Twitter that his NFTs were stolen from the Gemini-owned trading platform Nifty Gateway, transferred them to another account, sold some on a Discord channel, and purchased more than USD 10,000 worth of NFTs from a drop with the stored credit information. Credit card charges, Miraflor said, have been “since recovered.”

Per his March 14 Twitter thread, the marketplace alerted him that ‘he’ sold something, but upon checking to confirm the transaction, Miraflor saw his entire collection had been emptied. He also received multiple fraud alerts from his credit card, after which he proceeded to let them know of the fraudulent charges, cancel his credit card, delete its information from the marketplace, and change the password.

But Miraflor also claims to know who the attackers were. “Since all transactions including Transfers are recorded, I know the exact 2 accounts my stolen NFTs were sent to, as well as who fraudulently purchased from today’s drop,” he said. But he added that it seems he can’t get the NFTs back anyways, stating that hackers and secondary market purchasers win here.

Another person also reported their account being hacked:

Nifty Gateway co-founder Griffin Cock Foster replied to Miraflor’s tweet, saying that “it looks like a hacker got this user’s password or gained access to their account another way,” adding to “Make sure you have Authy 2FA [two-factor authentication] on.” Some commenters argued that enabling this type of authentication would have prevented the theft.

Later, Nifty Gateway said they “have seen no indication of compromise of” their platform and that they are communicating “with a small number of users who appear to have been impacted by an account takeover.”

“Our analysis is ongoing, but our initial assessment indicates that the impact was limited, none of the impacted accounts had 2FA enabled, and access was obtained via valid account credentials,” they said, encouraging their users to enable 2FA and never reuse passwords.

___
Learn more:
Crypto Security in 2021: More Threats Against DeFi and Individual Users
Justin Sun: Christie’s Tech Glitch Stopped Me Paying USD 70M for Beeple NFT
Second-Hand NFT Market for NBA Top Shot Packs Appears on eBay
Consider These Legal Questions Before Spending Millions on NFTs
NFT Overtakes Litecoin, Bitcoin Cash, and XRP on Google
Grimes and Paris Hilton Go Full NFT – But Some Warn of Trouble Ahead
Check These 4 Make-Your-Own-NFT Platforms
Non-Fungible 2021: Prepare Your NFTs For DeFi, Staking, and Sharing

(Updated at 14:22 UTC: Michael J. Miraflor clarified that credit card charges have been “since recovered.” Updated at 17:46 UTC with comments from Nifty Gateway.)