Take Immediate Action
If you have clicked on a dodgy link or suspect that you're getting robbed of your crypto or NFTs, do these right away in the sequence:
Go to revoke.cash to reject any connections to your wallets that you have unwittingly created.
Disconnect your soft wallet from the marketplace NOW!
Disconnect your FIAT bank acct/creditcard info from wallet.
Let others know. Drop a tweet, post it across your socials. Let your community & peeps know. Prevent more heartbreaks.
Go to opensea.io and other marketplaces & wallets to check who currently has your stolen asset(s) and lodge a complaint ASAP.
Opensea.io transactions are visible by all - you can see the trades based on the asset.
By letting the marketplace know, they could apply a freeze to that awful actor and stop any further sale/trade by that account.
You may choose to contact the current owners of the NFTs to buy them back or get into a negotiation with them.
In this past week, top-value NFTs were swiped from soft wallets such as MetaMask and Coinbase. Soft wallets are digital wallets you carry around that contain any blockchain-based assets e.g. Cryptocurrency and NFTs.
The thieves (malicious actors, bad actors or bad hats) took advantage of the announcement of APE coins and acted like they were representing that interest too.
One of those affected by this exploit was Fanzo - he is an expert in cybersecurity having worked in gov. Happens to the best of us. I am a fan of Fanzo and love what he does as a Digital Futurist especially given his background. He admits openly that he was distracted - had his kids over and wanted to get an NFT that was being released for mint.
The lesson here is it can happen to anyone so please be vigilant!
Here's How It Happened
1) Twitter posts tagging folks on a fake $APE coin airdrop started making its rounds. It included an easy little link (which seemed legit) that turned out to be malicious.
Start: User tagged on a tweet (most likely a bot)
-> User clicked the link in the tweet (malicious)
-> Link connects to user's Soft Wallet; authorisation to login
-> Waits for user to transact on a marketplace
-> Steals user's asset while they are busy trading2) Anyone who tapped on that link was allowing the thieves to gain access to their soft wallets. The user vulnerability was between getting tagged on a post to the automatic browser-based connection to the soft wallet.
The scammers likely exploited the browser extension that allows you to automatically connect with your soft wallet. The automatic connection here refers to logging on to your wallet. As good as holding open your physical wallet as they take what they want. Which is why you need to get to revoke.cash first & turn off the access between your wallet and marketplace.
3) The thieves then wait for you to connect to a marketplace such as opensea to complete a transaction (buy/sell NFTs) that officially connects your wallet to it.
4) And as you're busy buying or selling your NFT, the thieves are stealing your NFTs from your soft wallet. They then sell the NFTs below market price to cash out quickly. Real buyers purchase them from the thieves with cash/crypto.
As a BONUS, never EVER airdrop your digital assets to someone who promises to pay you later. That's NOT good business sense. Use opensea or a similar marketplace for trades.
Here's What To Pay Attention To:
I was sent a dodgy link and blindly accepted it. I then went into a full state panic as it tried to connect to my wallet for dubious reasons.
1) If you think something is dodgy, it probably is. Trust yourself. Always.
2) When buying/selling NFTs,
have your wallet open to see the transaction log AND
ensure that your mobile app is prompting you with notifications as you are making the transactions.
Both allow you to see if anything else is happening with your wallet.
3) Don't automatically like or re-tweet posts that you have been tagged on even by someone you know. Always DYOR: do your own research. If you are new in this space (most of us are), check all links first.
4) Assume that anything with a link (email, posts or comments) needs to be verified. Go back to point 3.
5) Always disconnected your wallet from all your devices if you're going to be away from your machine for more than 20minutes.
6) Transfer all assets (both crypto & NFTs) into a hard wallet ASAP. Example of hard wallet Nano S Ledger.
As a BONUS, never EVER airdrop your digital assets to someone who promises to pay you later. That's NOT good business sense. Use opensea or a similar marketplace for trades.
Conclusion
Hacks and Vulnerabilities like this happen every day. Please be diligent, DYOR and talk to others who are in the field and have more experience than you. If this has helped you, share to help others!
#NFTscams #NFTvulnerabilities #howto #opensea #cryptoscams #wallets #phish #scam #alert #vulnerability