A hacker managed to swipe over $1,700,000 worth of non-fungible tokens (NFTs) from Defiance Capital founder Arthur Cheong.
Early Tuesday morning, someone was able to access an Ethereum wallet belonging to Cheong and seize his NFTs. The NFTs were then dumped on opensea.io and other marketplaces for well below market price. Profits were then converted into Wrapped Ethereum (WETH), Lido DAO token, LooksRare (LOOKS) and DYDX.
Blockchain security firm Peckshield identified Cheong’s wallet as compromised, showing a list of the shady transactions.
#PeckShieldAlert @Arthur_0x ’s hot wallet appears to be compromised. ~59 #NFTs were transferred to https://t.co/MZXIWN4ING , including ~5 #CloneX, ~17 $Azuki @AzukiZen, ~2 @TabinekoKIKI, ~2 @HedgiesOfficial, ~33 @SecondSelfNFT. ~19 stolen NFTs wiped for ~233 $ETH (~$690k).
— PeckShieldAlert (@PeckShieldAlert) March 22, 2022
According to Cheong and others helping him with the investigation, the hack was carried out via spear phishing. While regular phishing scams are sent en masse with no specific victim in mind, spear phishing focuses on one target and uses social engineering tactics tailored to that person. Such messages often appear to come from legitimate senders and may use emotional manipulation to get the victim to open them, such as emails about missing person reports or fake “urgent” tax notices.
As the head of a large investment firm, Cheong, like others in the industry, often receives sales pitches via email in the form of PDF or Word documents, or links to websites, that ultimately deliver malware. He believes his PC was compromised when he opened an attachment from one of these emails, which then gave the attackers access to the hot wallets on his computer.
“Found out the likely root cause for the exploit, it’s a targeted social engineering attack,” Cheong said.
“Received a spear-phishing email that really seems to be sent by one of our portco with content that seems like general industry-relevant content.
They are likely targeting all crypto [people].”
Unfortunately, Cheong says none of his antivirus software flagged the email or the document as malicious.
While this is so far only speculation, Cheong says he suspects the hack stems from Lazarus, a North Korea-based hacking group infamous for carrying out many exploits dating back to 2009. The group has been linked to a range of cryptocurrency scams, mostly targeting South Korean exchanges and platforms.
As one commenter on Twitter said, “Not gonna lie, a bit shook by this. If someone as smart as Arthur is getting compromised, what hope do the plebs have?”