After personal tokens (also known as social or community tokens) were hit this weekend, a non-fungible token (NFT) hack emerged as well.
A number of personal tokens saw a sudden plunge this past Sunday, following a reported security breach at social money startup Roll, which issues social tokens on the Ethereum (ETH) network, with nearly ETH 3,000 (USD 5.4m) allegedly lost.
WHALE, RARE, Friends With Benefits (FWB), Kerman Kohli (KERMAN), and Alex Masmej (ALEX) are just some of the affected tokens, and all of these plunged between 48% and 100%.
Per Roll’s report, a security incident occurred on March 14 at around 7:30 UTC: Roll’s hot wallet was hacked, with the attacker completely emptying it and selling all the tokens on Uniswap for ETH. “As of this writing, it seems like a compromise of the private keys of our hot wallet and not a bug in the Roll smart contracts or any token contracts,” they said.
They provided the attacker contract and the attacker contract creator address, with a balance of nearly USD 2m in ETH. The address also shows ETH 1,900 transferred to the privacy tool Tornado Cash.
The creator of WHALE, one of the affected social tokens, said that “this represented 2.17% of total supply and it has been fully diluted into the market.” The founder also said that the incident will not have “a material effect” on WHALE’s plans, near- or long-term, and that all tokens meant for community distribution have been secured in cold wallets.
Addressing the hacker, the creator said: “You did not steal from large corporations, you stole from hardworking individuals,” while also noting that the team had noticed “a large number of long term holding new wallets.”
Igor Igamberdiev, an analyst at The Block, said that the victims actually approved the transfers, and that this “indicates a possible private key compromise or inside job.”
The community, meanwhile, seems to be taking the incident well:
The recent social token hacks are demonstrating that the values of a community extend much further than the $ value of its token.
— 𝘫𝘢𝘤𝘰𝘣 𓇴 (@js_horne) March 15, 2021
But the weekend wasn’t over yet. There was a report of an NFT hack as well. Third City Advisory founder Michael J. Miraflor claimed on Twitter that his NFTs were stolen from the Gemini-owned trading platform Nifty Gateway, and that the attackers transferred them to another account, sold some on a Discord channel, and purchased more than USD 10,000 worth of NFTs from a drop with the stored credit card information. Credit card charges, Miraflor said, have been “since recovered.”
Per his March 14 Twitter thread, the marketplace alerted him that ‘he’ had sold something, but upon checking to confirm the transaction, Miraflor saw that his entire collection had been emptied. He also received multiple fraud alerts from his credit card, after which he reported the fraudulent charges, canceled his credit card, deleted its information from the marketplace, and changed the password.
But Miraflor also claims to know who the attackers were. “Since all transactions including Transfers are recorded, I know the exact 2 accounts my stolen NFTs were sent to, as well as who fraudulently purchased from today’s drop,” he said. But he added that it seems he can’t get the NFTs back anyway, stating that hackers and secondary market purchasers win here.
Another person also reported their account being hacked:
Someone hacked my @niftygateway account tonight and used my credit card attached to the account to buy like $20k worth of art… cool
— Keyboard Monkey (@KeyboardMonkey3) March 15, 2021
Nifty Gateway co-founder Griffin Cock Foster replied to Miraflor’s tweet, saying that “it looks like a hacker got this user’s password or gained access to their account another way,” and adding: “Make sure you have Authy 2FA [two-factor authentication] on.” Some commenters argued that enabling this type of authentication would have prevented the theft.
Later, Nifty Gateway said they “have seen no indication of compromise of” their platform and that they are communicating “with a small number of users who appear to have been impacted by an account takeover.”
“Our analysis is ongoing, but our initial assessment indicates that the impact was limited, none of the impacted accounts had 2FA enabled, and access was obtained via valid account credentials,” they said, encouraging their users to enable 2FA and never reuse passwords.