After Multiple Apes Were Stolen, MetaMask Makes Changes to Its Mobile QR Code Sync
After two Bored Ape Yacht Club members had their apes stolen via an elaborate con, MetaMask and OpenSea have taken action.
“We've spoken with the MetaMask team and they will be temporarily disabling the mobile QR code sync feature to defend against the phishing attacks that have become more prevalent in recent weeks,” OpenSea’s Head of Product, Nate Chastain, tweeted Wednesday afternoon.
MetaMask made this change after BAYC members Jeff Nicholas and Sohrob Farudi both fell victim to social engineering scams in which the con men posed as support staff and gained access to their wallets’ QR codes.
“Yes, I was scammed,” Nicholas tweeted. “I took the bait. I blindly did some of the things we all say not to do over and over again, and part of me is really ashamed of that. But at this same time, this wasn’t as clear as it might seem from the outside.”
Nicholas went on to explain that he had been having issues with OpenSea regarding royalty payouts on his OpenSea collection. After submitting help tickets with OpenSea, Nicholas took to OpenSea’s Discord looking for help with the issue. There he came in contact with a user pretending to be with OpenSea support.
“One thing leads to another & they want me to ‘Resync’ my MetaMask wallet,” Nicholas explained. “It’s an issue w the wallet they say. So I somehow blindly ignore the warning in ‘Settings’ & load up the QR code. Moments later, it says ‘Synced’ & they say great! We’re all good. (They've now scanned it).”
Nicholas was using a Ledger hardware wallet, so the con men then had to dupe him into signing off on each transaction to transfer the NFTs out of his wallet.
“It isn’t all good,” Nicholas tweeted. “It doesn’t work. Payouts still ‘Pending.’ An issue w MetaMask, need to connect another wallet to it. Doesn’t make sense & it all gets very confusing but this is support & we’ve been doing this so long now & I’m tired af so I just grab my Ledger & use that. Same thing, QR code, Synced, still doesn’t work. Of course. So, oh! That’s why it doesn’t work, it’s a Ledger and I have to sign for the changes by pressing the two buttons and hadn’t done that, so sign for the changes with the two buttons (In fact you don’t have to do this, but I wasn’t clear on every little nuance of what does/doesn’t require a signature, it’s haphazard across Web3). All this time I’m screen sharing, so it’s sleight of hand and obfuscation.”
After that, the con men transferred Nicholas’ apes and other NFTs out of his wallet and into theirs.
“It’s not sitting right,” Nicholas tweeted. “and I flip over to my vault profile to see all but one Ape are gone. Then it’s gone. Then they’re laughing ‘ohh, your little monkey pictures go away?? Oh nooo? HAHAHAHA.’”
And just like that, it was over, and hundreds of thousands of dollars’ worth of apes and NFTs were gone.
“This is incredibly embarrassing on some levels,” Nicholas tweeted. “On others, incredibly traumatizing. Yes, I opened up the QR code and signed the Ledger. But I was being severely manipulated and didn’t realize what was happening until it was too late. I was scammed, phished, robbed. Some assholes are going to say ‘that’s what you get.’ And maybe they’re right. But let’s be clear, a scam is a scam, theft is theft, I had no intention of transferring or selling those assets. So now I am trying to find ways to get my property back.”
After Nicholas’ tweets, the Bored Ape Gazette spoke with BAYC Discord admin OxWave about ways ape and NFT holders can keep their assets safe.
“Don't trust discord DMs basically ever,” OxWave said. “Unless you initiate it from a confirmed server role. Like I'm an admin in bayc discord. People can DM me, but my profile pic has also been used by scammers. So people have to check.”
Another thing to remember: if someone claiming to be with OpenSea support asks you to share your screen, they are likely trying to scam you.
“I have never resolved a support ticket over a screen-share or asked to screen-share in order to resolve an issue,” Chastain told the Bored Ape Gazette. “Most of the time the information that is most critical for the resolution of the bug is the information on chain, so we can usually resolve the user's issue with the help of transaction IDs and any text from error messages they've received on OpenSea.”
After today’s changes to MetaMask, con men will likely work to find a new way to deceive users and take their assets. The Bored Ape Gazette will continue to cover these stories and bring you more information on how to keep your apes and NFTs safe.