Twitter User Says He Was Hacked By A Malicious NFT, But Some Say This Was A Compromised Seed Phrase
Crypto and NFT Twitter were set ablaze today as one user claimed their account was hacked by an unsolicited airdropped NFT.
NFT collector AJ, known as babbler_dabbler on Twitter, tweeted out a thread explaining that his account was compromised, that several pieces were sold, and that the ETH was transferred out of his account.
“Lost @hirst_official’s The Currency, @SHL0MS shards, @artblocks_io Factory pieces, @tinyblocksart Quadrum, @ApeDao_Remix pieces,” he tweeted. “Probably the only mistake I did was moving the trash NFT’s being sent to my account. FML”
The idea of malicious NFTs being sent to users’ accounts and the users then getting hacked is not new. Many in the community have been discussing this lately as more and more users are receiving unsolicited NFTs. The Bored Ape Gazette reached out to Gideon and Edd at OpenSea via Twitter but did not receive a response by the time of this article’s publication.
While we did not hear back from OpenSea, the Bored Ape Gazette spoke with Bored Ape Yacht Club member 0xWave about this most recent hack.
0xWave explained that in AJ’s case, this hack appears to be a compromised seed phrase and not the work of a malicious NFT. “You need to approve per-NFT contract,” 0xWave explained. “The way to tell it was a seed compromise was by looking at the transactions that accepted bids: they were issued from the original wallet, meaning seed compromise. If it were a contract that had been granted access, you'd see the malicious actor initiate the txn.”
0xWave is not alone in his opinion that AJ’s account was a seed phrase compromise. Crypto Twitter influencer Foobar tweeted the same thing. “Here is the tx sending WETH from the victim's wallet to the hacker's wallet. Note that the EOA initiating it is the victim. No smart contract black magic, just somebody who probably entered a seed phrase into a phishing site,” he tweeted.
This story shows just how important having a hardware wallet is. In the past, the Bored Ape Gazette spoke to BAYC member RMD_41, who explained that a hardware wallet prevents unapproved transactions. “By connecting your hardware wallet to your Metamask you will be required to approve transactions; without approval there is no transaction,” he said.
As for the idea of a malicious NFT draining your account, 0xWave said it all comes down to what approvals the user gives. “Hiding does nothing on-chain, perfectly safe,” he said. “And no, arbitrary NFTs can't just drain accounts. You'd have to give the malicious contract an approval for what it intends to steal/sell.”
0xWave went on to explain just how important knowing who or what you’re approving is to crypto security, even with a hardware wallet. “Yes you do need approvals, but malicious approvals are still a risk,” he said. “Like let's say I approved a malicious contract to spend my apes. The owner of that contract could then execute the subsequent transactions to steal them. But I'd have had to grant that contract allowance. So yeah if you're on a HW (hardware) wallet and careful about issuing approvals, no problem.”
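The check 0xWave and Foobar describe, written out as an added example (not code from the article or from anyone quoted in it): for each asset leaving a wallet, compare the transaction's signer with the owner, and otherwise look for a live approval. The `Tx` record, the labels and every address are constructed placeholders; a real review would fill them in from a block explorer.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Tx:
    sender: str    # EOA that signed the transaction (its `from` field)
    kind: str      # "approve", "revoke" or "transfer"
    owner: str     # wallet whose assets are approved or moved
    operator: str  # address granted access, or the address moving the asset

def triage(victim: str, txs: list[Tx]) -> list[tuple[int, str]]:
    """Label every transfer out of `victim`; `txs` must be in chain order."""
    victim = victim.lower()
    live = set()   # operators the victim has approved and not yet revoked
    out = []
    for i, tx in enumerate(txs):
        if tx.owner.lower() != victim:
            continue
        signed_by_owner = tx.sender.lower() == victim
        op = tx.operator.lower()
        if tx.kind == "approve" and signed_by_owner:
            live.add(op)
        elif tx.kind == "revoke" and signed_by_owner:
            live.discard(op)
        elif tx.kind == "transfer":
            if signed_by_owner:
                # Signed with the owner's key: the owner, or a key/seed compromise.
                out.append((i, "owner-key-signed"))
            elif op in live:
                # Third party acting through an approval the owner granted.
                out.append((i, "approved-operator"))
            else:
                out.append((i, "unexplained"))
    return out

# Constructed sample histories; every address is a placeholder.
V, A, C, MKT = "0xVICTIM", "0xATTACKER", "0xBADCONTRACT", "0xMARKET"
SEED_CASE = [
    Tx(V, "approve", V, MKT),   # old, legitimate marketplace approval
    Tx(V, "transfer", V, MKT),  # bid accepted in a victim-signed transaction
    Tx(V, "transfer", V, V),    # WETH sent out, again victim-signed
]
APPROVAL_CASE = [
    Tx(V, "approve", V, C),     # victim grants a malicious contract access
    Tx(A, "transfer", V, C),    # attacker-signed transaction moves the asset
    Tx(V, "revoke", V, C),
    Tx(A, "transfer", V, C),    # no live approval left: flagged for review
]

if __name__ == "__main__":
    for name, case in (("seed", SEED_CASE), ("approval", APPROVAL_CASE)):
        print(name, triage(V, case))
```

An "owner-key-signed" label only says the owner's key produced the signature; whether that was the owner or someone holding the seed phrase has to come from the owner.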
The Bored Ape Gazette will continue to look into the recent rise in spam NFTs and will continue to engage with known community members on tips and recommendations on how to keep your NFTs safe.