Kevin Rose, co-founder of the Moonbirds non-fungible token (NFT) collection, was the victim of a phishing scam that resulted in the theft of over $1.1 million worth of his personal NFTs.
On January 25, the NFT creator and co-founder of PROOF shared the news with his 1.6 million Twitter followers, asking them not to buy NFT Squiggles until his team managed to flag them as stolen.
I just got hacked, stay tuned for details – please don’t buy squiggles until we tag them (just lost 25) + a few other NFTs (autoglyph)…
— KΞVIN R◎SE (,) (@kevinrose) January 25, 2023
“Thank you for all the kind words of support. There will be a full report soon – then he general in a separate tweet about two hours later.
It is understood that Rose’s NFTs were depleted after he approved a malicious signature that transferred a large portion of his NFT holdings to the attacker.
Hm – what a day!
Today I was fished. Tomorrow we will share all the details live, as a warning, in the twitter space. Here’s how it was technically: https://t.co/DgBKF8qVBK
— KΞVIN R◎SE (,) (@kevinrose) January 25, 2023
Independent analysis from Arkham discovered that the exploiter had extracted at least one autoglyph, the minimum price of which is 345 ETH; 25 art blocks, also known as Chromie Squiggles, for a total value of at least 332.5 ETH; and nine OnChainMonkey items worth at least 7.2 Ether.
In total, at least 684.7 ETH ($1.1 million) was extracted.
How Kevin Rose was exploited
Although several independent analyzes of the network have been published, Arran Schlosberg, vice president of PROOF — the company behind Moonbirds — explained to his 9,500 Twitter followers that Rose “was a phishing method of signing a malicious signature” that allowed the exploiter to transmit a large number of tokens:
1/ It was a classic piece of social engineering that made KRO falsely feel safe. The technical aspect of the hack was limited to the creation of signatures accepted in the contract with the OpenSea market.
— Arran (@divergencearran) January 25, 2023
Cryptocurrency analyst “foobar” elaborated on the “technical aspect of the hack” in a separate post on Jan. 25, explaining that Rose has approved a contract with the OpenSea marketplace to move all of his NFTs whenever Rose signs transactions.
He added that Rose was always “one malicious signature” away from the exploit:
be very careful when signing anything, even signing offline. Kevin Rose just had about $2 million worth of NFTs leaked from his vault due to signing one malicious seaport package. thankfully, a couple of things are held back, like the punk zombie (1000 ETH) that can’t be traded for OS. pic.twitter.com/GXHR3NQHLf
— Foobar (@0xfoobar) January 25, 2023
The crypto analyst said that Rose should have instead “placed” his NFT holdings in a separate wallet:
“Moving assets from your vault to a separate ‘sell’ wallet before listing on NFT marketplaces will prevent this.”
Another network analyst, “Kvit”, told his 71,400 Twitter followers that the malicious signature was activated by a contract with the Seaport Marketplace, the platform that runs OpenSea:
Kevin Rose just lost over $2 million in assets by signing an offline signature that created a listing for all of his approved OpenSea assets in one go.
While a seaport is a powerful tool, it can also be dangerous if you don’t know how it works.
Some context 1/
— Quit (@0xQuit) January 25, 2023
Kwit explained that the attackers managed to set up a phishing site that could view the NFT assets stored in Rose’s wallet.
The exploiter then issued an order to transfer to itself all of Rose’s assets approved by OpenSea.
Rose then confirmed the malicious transaction, Quit notes.
Connected: Bluechip NFT Moonbirds Project Signs With Hollywood Talent Agents UTA
Meanwhile, foobar noted that most of the stolen assets were well above the floor price, meaning the amount stolen could be as high as $2 million.
The exit urged OpenSea users to “run away” from any other website that prompts users to sign something that looks suspicious.
NFTs on the move
Network analyst ZachXBT shared a transaction map with his 350,300 Twitter followers showing that the exploiter sent assets to FixedFloat, a cryptocurrency exchange on Bitcoin’s Layer 2 Lightning Network.
The exploiter then exchanged the funds for bitcoin (BTC) and put the BTC into the bitcoin mixer:
Three hours ago, Kevin was scammed into getting over $1.4 million worth of NFTs. Earlier today, the same scammer stole 75 ETH from another victim.
Putting this together, we can see a clear trend of sending stolen funds to FixedFloat and exchanging for BTC before entering the bitcoin mixer. https://t.co/2yrFpfYttT pic.twitter.com/ZlywPYydwx
— ZachXBT (@zachxbt) January 25, 2023
Crypto Twitter member Degentraland told his 67,000 Twitter followers that it was “the saddest thing” they’ve seen in the cryptocurrency space to date, adding that if anyone can come back from such a devastating feat, it’s “he »:
The saddest thing I’ve seen in cryptocurrency to date.@kevinrose wallet is empty.
If anyone can come back from this, it’s him. pic.twitter.com/HZysg34qji
— Degentraland (@Degentraland) January 25, 2023
Meanwhile, Bankless founder Ryan Sean Adams was furious at how easily Rose had been exploited. The 25th of January tweet, Adams urged front-end engineers to get into the game and improve the user experience (UX) to prevent such scams.