
Kevin Rose, co-founder of the nonfungible token (NFT) collection Moonbirds, has fallen victim to a phishing scam leading to more than $1.1 million worth of personal NFTs being stolen.
The NFT creator and co-founder of PROOF shared the news with his 1.6 million Twitter followers on January 25, urging them not to buy any Squiggles NFTs until they are marked as stolen.
I just got hacked, stay tuned for details – don’t buy squiggles until marked (just lost 25) + some more NFTs (autoglyphs)…
— KΞVIN R◎SE (@kevinrose) January 25, 2023
“Thank you for all the kind, supportive words. Full debrief to come,” he continued in a separate tweet about two hours later.
It is understood that Rose’s NFTs were drained after he signed a malicious signature that transferred a significant proportion of his NFT assets to the exploiter.
GM – what a day!
Today I was phished. Tomorrow we will cover all the details directly, as a cautionary tale, in the twitter space. Here’s how it goes down, technically: https://t.co/DgBKF8qVBK
— KΞVIN R◎SE (@kevinrose) January 25, 2023
An independent analysis from Arkham found that the exploiter took at least one Autoglyph (345 ETH), 25 Art Blocks – also known as Chromie Squiggles – (332.5 ETH) and nine OnChainMonkey items (7.2 ETH).
In total, at least 684.7 ETH ($1.1 million) was stolen.
How Kevin Rose was exploited
While several independent on-chain analyses have been shared, the Vice President of PROOF – the company behind Moonbirds – Arran Schlosberg explained to his 9,500 Twitter followers that Rose “was phished to sign a bad signature” that allowed the exploiter to transfer a large number of tokens:
1/ This is a classic social technique, tricking the KRO into a false sense of security. The technical aspects of the hack are limited to creating signatures accepted by OpenSea market contracts.
— Arran (@divergencearran) January 25, 2023
Crypto analyst “foobar” further elaborated on the “technical aspects of the hack” in a separate post on January 25, explaining that Rose had approved the OpenSea marketplace contract to move all of his NFTs whenever Rose signed transactions.
He added that Rose was always “one sign of malice” away from exploitation:
be very careful when signing anything, even offchain signatures. kevin rose only had ~$2 million worth of NFTs drained from the safe from entering one bundle of malicious seaports. Luckily there are some things on hold, like punk zombies (1000 ETH) that can’t be sold on the OS. pic.twitter.com/GXHR3NQHLf
— foobar (@0xfoobar) January 25, 2023
The crypto analyst said that Rose should “store” his NFT assets in a separate wallet:
“Moving assets from the safe to a separate ‘selling’ wallet before listing on the NFT market will prevent this.”
Another on-chain analyst, “Quit”, explained further to his 71,400 Twitter followers that the malicious signature was enabled by the Seaport marketplace contract – the platform that powers OpenSea:
Kevin Rose just lost $2m+ in assets by signing an off-chain token that lists all OpenSea approved assets at once.
While seaports are powerful tools, they can be dangerous if you don’t know how they work.
A little context 1/
– quit (@0xQuit) January 25, 2023
Quit explained that exploiters can create a phishing site that can view the NFT assets held in Rose’s wallet.
The exploiter then set up an order for all of Rose’s assets approved on OpenSea to be transferred to the exploiter.
Rose then validated the malicious transaction, Quit noted.
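The signing request Quit describes can be checked before it is signed. The following is an added example, not code from OpenSea, Seaport or the analysts quoted: a wallet-side review of a Seaport `OrderComponents` typed-data message that flags an order bundling several NFTs with no payment back to the signer. Field names follow Seaport's published order structure; the sample addresses, token ids and the one-NFT threshold are constructed assumptions.

```javascript
// Added example: pre-signing review of a Seaport order (EIP-712 typed data).
// ItemType values 2-5 are Seaport's NFT item types (ERC721, ERC1155 and
// their criteria-based variants). The bundle threshold is an assumption.
const NFT_ITEM_TYPES = new Set([2, 3, 4, 5]);

// Amounts may ramp between start and end; the lower one is the guaranteed value.
const minAmount = (item) => {
  const a = BigInt(item.startAmount), b = BigInt(item.endAmount);
  return a < b ? a : b;
};

function reviewSeaportOrder(typedData, { maxNftsPerOrder = 1 } = {}) {
  if (typedData.primaryType !== "OrderComponents") {
    return { isSeaportOrder: false, findings: [] };
  }
  const order = typedData.message;
  const signer = order.offerer.toLowerCase();
  const isNft = (item) => NFT_ITEM_TYPES.has(Number(item.itemType));
  const nfts = order.offer.filter(isNft);
  // Lowest amount of ETH/ERC-20 the order guarantees back to the signer.
  const paidToSigner = order.consideration
    .filter((c) => !isNft(c) && c.recipient.toLowerCase() === signer)
    .reduce((sum, c) => sum + minAmount(c), 0n);
  const collections = new Set(nfts.map((i) => i.token.toLowerCase()));
  const findings = [];
  if (nfts.length > maxNftsPerOrder) findings.push("bundle");
  if (collections.size > 1) findings.push("multiple-collections");
  if (nfts.length > 0 && paidToSigner === 0n) findings.push("no-payment-to-signer");
  return { isSeaportOrder: true, nftCount: nfts.length, paidToSigner, findings };
}

// Constructed sample data: every address and token id below is a placeholder.
const SIGNER = "0x1111111111111111111111111111111111111111";
const OTHER = "0x2222222222222222222222222222222222222222";
const COLLECTION_A = "0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
const COLLECTION_B = "0xbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb";
const nft = (token, id) => ({ itemType: 2, token, identifierOrCriteria: id, startAmount: "1", endAmount: "1" });
const eth = (wei, recipient) => ({ itemType: 0, token: "0x0000000000000000000000000000000000000000",
  identifierOrCriteria: "0", startAmount: wei, endAmount: wei, recipient });

// Request shaped like the one described: many approved NFTs, nothing paid to the signer.
const drainRequest = { primaryType: "OrderComponents", message: { offerer: SIGNER,
  offer: [nft(COLLECTION_A, "1"), nft(COLLECTION_A, "2"), nft(COLLECTION_B, "9")],
  consideration: [eth("1", OTHER)] } };
// Ordinary listing: one NFT, sale price to the signer, a fee to another recipient.
const normalListing = { primaryType: "OrderComponents", message: { offerer: SIGNER,
  offer: [nft(COLLECTION_A, "7")],
  consideration: [eth("975000000000000000", SIGNER), eth("25000000000000000", OTHER)] } };

console.log(reviewSeaportOrder(drainRequest).findings);
console.log(reviewSeaportOrder(normalListing).findings);
```

A wallet or signing front end would run a check like this on the typed data before showing the signature prompt and block or warn on any finding.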
Meanwhile, foobar noted that many of the stolen assets are worth more than the floor price, which means the amount stolen could be as high as $2 million.
Quit urges OpenSea users to “run away” from other websites that lead users to something that looks suspicious.
NFTs on the move
On-chain analyst “ZachXBT” shared a transaction map with his 350,300 Twitter followers, which showed that the exploiter sent the assets to FixedFloat – a cryptocurrency exchange on the Bitcoin layer-2 “Lightning Network.”
The exploiter then converted the funds to Bitcoin (BTC) before depositing the BTC into a Bitcoin mixer:
Three hours ago Kevin was phished for $1.4m+ worth of NFTs. Earlier today the same scammer stole 75 ETH from another victim.
Mapping this, we can see a clear trend of sending stolen funds to FixedFloat and exchanging BTC before depositing it into the bitcoin mixer. https://t.co/2yrFpfYttT pic.twitter.com/ZlywPYydwx
— ZachXBT (@zachxbt) January 25, 2023
Crypto Twitter member “Degentraland” told his 67,000 Twitter followers that this is the “saddest thing” he’s seen in the cryptocurrency space so far, and that if anyone can come back from this devastating exploit, “it’s him”:
The saddest thing I’ve seen in crypto so far. @kevinrose weak wallet.
If anyone can come back from this, it’s him. pic.twitter.com/HZysg34qji
— Degentraland (@Degentraland) January 25, 2023
Meanwhile, Bankless founder Ryan Sean Adams was furious that Rose had been exploited. In a January 25 tweet, Adams urged front-end engineers to step up their game and improve the user experience (UX) to prevent such scams.