Social media hacks are on the rise in the NFT community, and so is the number of victims: it's rare for more than a day or two to go by without a big project's or creator's account being hacked.
The consequences can be serious for collectors. Users who fall for the scams shared by hacked accounts have lost millions of dollars' worth of NFTs and other tokens because they connected their wallets to what they thought was a real NFT mint or airdrop.
What can be done when this happens, and what are NFT creators responsible for when their accounts are hacked and used to scam people? In some cases, the project's creators have compensated affected users, usually in Ethereum equal to the market value of the lost collectibles.
But more and more creators are against reimbursing people who lose money by falling for social media scams. Critics argue that this kind of make-good effort rewards careless users who don't take precautions, and that it runs counter to the core ideas of the crypto industry: self-custody, accountability, and doing your own research.
As social media hacks become more common, here’s how the debate over refunds is changing and what some well-known NFT builders have to say about it.
More attacks mean more victims
In just the last few weeks, scam links have been posted from the social media accounts of several well-known NFT projects, creators, and collectors. Users can have their NFTs and other tokens stolen if they click one of these links, connect a wallet, and approve the transaction that comes up.
One recent example is the hack of the Twitter account of the Ethereum NFT project Nouns on June 27. In all, attackers stole about 42 ETH ($64,000) worth of NFTs from 25 users who clicked the link they shared.
Zeneca, a pseudonymous NFT trader and collector, also had his Twitter account hacked this week, though it's unclear how much damage was done to users. Artist DeeKay's Twitter account was also recently hacked, along with those of well-known collectors Franklin and Keyboard Monkey.
The account of artist Mike "Beeple" Winkelmann was hacked at the end of May; according to Harry Denley, a security analyst at MetaMask, about $438,000 worth of tokens and NFTs were stolen from users. Beeple has not said anything about helping affected users.
Jenkins the Valet, a Tally Labs project based on a Bored Ape Yacht Club NFT, had its account hacked and taken over in June. The project's team said that users lost Bored Apes, Mutant Apes, and other valuable NFTs in the exploit, and that they would be repaid based on each project's floor price (its cheapest available NFT).
In April, the Bored Ape Yacht Club's Instagram account was hacked and used to post a fake mint link, one of the most prominent social media hacks of a major NFT project so far. Yuga Labs said that the stolen NFTs were worth about $2.8 million and that it was trying to get in touch with the users who had lost them.
There have been other cases in the past few months in which a project's Discord server was hacked and attackers used it to share links to fake NFT mints or airdrops. In June, for example, the Bored Ape Yacht Club's own Discord was hacked, and users' NFTs worth about 200 ETH ($359,000 at the time) were stolen.
The Solana NFT gaming marketplace Fractal was attacked in December, and the company said it would give victims $150,000 worth of SOL as compensation. In November, the Discord for the NFT game Phantom Galaxies was hacked; in that case, publisher Animoca Brands said it would reimburse users with ETH worth $1.1 million.
“Not a promise.”
In some of the cases above, even creators who did pay users back said they weren't sure they should do so in the long run, or that they wouldn't do it again.
In a postmortem report, pseudonymous Nouns co-creator 4156 pointed out security flaws such as the lack of two-factor authentication and the lack of a plan for dealing with attacks. He said that the payment was "a one-time act of goodwill" and "not a guarantee" that the Nouns treasury would reimburse users in similar situations in the future.
“While it’s a bummer to say that people shouldn’t be paid back for being scammed through your account, these users are doing zero-due-diligence activities to make quick money, and they’re the ones signing messages that authorize [withdrawals] from their wallets,” 4156 wrote in a follow-up thread last week.
In the case of Premint, founder Brenden Mulligan said that victims would be reimbursed because the attack happened on the project's website rather than on a social media account. He also noted that OpenSea compensated users in January for a bug in its marketplace's user interface that caused owners to sell NFTs for less than market price.
“In our case, someone changed a file on Premint and was able to open a user interface on our website. That’s on us. We shouldn’t have let that happen, so we’re trying to make up for it,” Mulligan told Decrypt. “It can still be argued that people should have been more careful, but I think that compensation is something to think about in these cases.”
But Mulligan doesn't favor compensating users who lose NFTs because they clicked a link on a social media site. He thinks it wasn't Zeneca's or DeeKay's fault that they were attacked through their Twitter accounts. "In most cases, victims shouldn't be paid," he tweeted. "It needs to be the responsibility of each person."
"People need to be careful about their own safety," Mulligan told Decrypt. "Ninety-nine percent of scams work because people aren't paying attention and don't think before they act."
Last week, NFT artist DeeKay tweeted that he had "started a process to try to compensate" people who had been hurt by the scam link sent out from his hacked account, though he also said that he didn't like the idea.
“If I’m being honest, I’m not sure if reimbursement is the way to go since some people are pretending to be hurt and looking for chances,” he wrote. “This also encourages hackers to keep doing their thing since I’m the one cleaning up the mess.”
“Part of me says that paying back shouldn’t be the usual way to act, and another part says that I should still find a way to make up for it and find a balance,” DeeKay said. “There is no right response.”
“There should be no expectations.”
Zeneca's response to his Twitter account being hacked was firmer. In a thread of tweets and a blog post called "Evolving Precedents" about the aftermath of the hack, Zeneca said that he had two-factor authentication enabled on Twitter and was still trying to figure out how the hack happened, but that he did not plan to reimburse affected users.
“At some point, the projects decided that the best thing to do was to take full responsibility and fully pay back the people who lost money,” he wrote. “I can understand and relate to this answer.”
But he went on to write that it wasn't "sustainable" for projects to keep doing that, and that it wasn't "practical" to sort through all the alleged victims. "The buck and responsibility lie with each individual participant in this space," he said, adding that many people are used to "safety nets" in society, such as getting help from centralized banks and financial services when scams happen.
"With all of this in mind, I am making a hard, but I think fair and firm, decision not to compensate those who lost assets because of yesterday's attack in a significant way," he wrote. "I really, really, really feel bad for everyone affected. When I talk to and hear the stories of those who have been hurt, it makes me feel very sad and hurt."
Instead, Zeneca will give affected users a free NFT access pass to his private ZenAcademy Discord server; the pass is currently worth about 0.38 ETH ($580) on OpenSea. He will also keep a list of the victims in case they can be offered help or benefits in the future, but he said "the expectation should be zero" that they will receive anything else.
Most, but not all, of the responses to Zeneca's thread from other NFT creators and collectors have been positive, with crypto die-hards praising the emphasis on personal responsibility. It makes self-custody and "do your own research" (DYOR) the norm in a space with many new users who may not fully understand the technology or recognize red flags.
It's still early days for NFT markets at scale. Scams can be less of a problem for NFT traders if they know how to avoid them and if the technology and user interfaces help them do so. Both Mulligan and Zeneca said that improving infrastructure and taking other steps should reduce the impact of attacks.
Mulligan told Decrypt that the most popular wallets need a much better user interface to make it nearly impossible for someone to connect to a wallet drainer. "This is a problem that can be solved, but it's crazy that it's so easy to empty someone's wallet, and there aren't more warnings to keep people safe."
This gap could be closed with education, changes to the technology, and better security, but in the meantime, "FOMO" (fear of missing out) and speculative frenzy are turning some NFT collectors into victims. And creators seem less and less willing to pay for it.