Kevin Rose, the renowned and affluent founder of the esteemed NFT projects Proof Collective and Moonbirds, was unfortunately targeted by the diabolical practice of social engineering, resulting in a catastrophic loss of an estimated $2 million and beyond. This raises the question – how could a seasoned NFT expert and visionary entrepreneur like Kevin, who has witnessed countless hacking incidents, fall prey to this treacherous tactic? The answer lies in social engineering, a sinister art that involves manipulating individuals into divulging confidential information or performing actions through psychological means instead of relying on technical cracking techniques.

One of the most devastating examples of social engineering in the crypto realm occurred last year in March 2022, when the popular play-to-earn game Axie Infinity suffered a hacking breach via a malicious fake job offer accepted by the chain’s engineer. With just one click on a seemingly harmless PDF document, a staggering $540 million worth of crypto was compromised. This is a stark reminder that no defense can fully protect against a well-executed social engineering attack.

However, we can heed the lessons of the past and educate ourselves as thoroughly as possible to avoid becoming the next target. According to Kevin’s tweet dated January 26th just two weeks ago, he had fallen victim to a hacking attack. The tweet sent shockwaves through the crypto community and garnered over 1.6 million views.

Kevin’s tweet

TXN hash of the bulk transfer of stolen NFTs

How Did the Hack Happen?

Kevin took to Twitter to recount the experience and shared the details with the world. As he was attempting to sell a high-valued Chromie Squiggles from his secure cold wallet (Ledger), Kevin found himself engaged in a multitasking scenario while speaking with his team members. Sadly, this multitasking proved to be the downfall that allowed the hack to occur.

Kevin disclosed that he was an admirer of ‘The Meme by 6529’ and had engaged in online conversations with the creator on multiple occasions. He was excited to receive an airdrop of the 6529 collections and was eager to explore the newfound collection. Kevin noticed there were already transactions in an individual 6529 artwork, Which looked fine at first, leading him to click on a link on OpenSea’s page and was redirected to a seemingly legitimate fake website of 6529 on a .XYZ domain ( if you are curious).

The website was beautifully designed and appeared entirely trustworthy, with no red flags such as the typical ‘mint now’ button or countdown timer commonly found on suspicious websites. This false sense of security caused Kevin to connect his wallet and sign an unknown signature request, only to realize too late that he was being duped. Upon being requested to sign for the second time, he was asked to authorize all of his Meebits NFT, causing Kevin to sense that something was amiss immediately. Tragically, it was too late, and 40 NFTs worth $2 million were transferred before Kevin could revoke the authorization. Aaran, the VP of Engineering of Proof, on the phone call with Kevin, confirmed that this was a textbook case of social engineering.

TXN hash of ‘The Meme by 6529’ airdrop, the genuine NFT collection. It remains unclear which collection Kevin was checking on in OpenSea.

The Hacking Tool – Seaport Drainer

Kevin encountered a classic yet infamous OpenSea wallet drainer, the Seaport Drainer. Seaport, the marketplace protocol of OpenSea, used for trading NFTs, is vulnerable to this peril. The insidious nature of the drainer lies in its ease of use – with just a single click of the signature button, all of your pre-approved NFT collections on OpenSea can be purged. There is no way to differentiate between a legitimate signature and a malicious one, as the signature context can be altered at will. Here are some classic examples:

Even more terrifying is that these drainers are openly sold on GitHub. The source code is free for those with coding prowess and can be altered to suit one’s purposes. As everyday crypto enthusiasts, we must remain vigilant during transactions.

The Trail of Hacking

For those interested in deep-diving the case, three beguiling addresses are at play.

1. Fake_Phishing8158, who engaged in matching OpenSea trades and purchased all the stolen NFTs at the price of 0.001ETH

2. Subsequently, the NFTs were then transferred to Fake_Phishing8212

3. Finally, the NFTs underwent another round of covert transfers to the newly created address 0XB1F3

How Much Did the Hacker Make?

Referring to the screenshot below, the culprit behind the hack ought to have procured a fortune of no less than 250 ETH, garnered from the most prized NFTs that were once the property of Kevin. This amounts to a staggering sum of approximately $420,000, a significant gap compared to their true worth. This shortfall is due to some Chromie Squiggles being flagged as stolen assets on OpenSea, precluding the hacker from selling them on the largest NFT platform.


However, with 17 Squiggles still at his disposal, the hacker proceeded to sell all of them through NFTX, an NFT marketplace that enables users to sell their NFT instantly. Despite trading at prices 20% lower than the OpenSea floor price, averaging 8 – 10 ETH each, the hacker still pocketed another colossal sum of 150 ETH, equivalent to roughly $250,000.

NFTX’s interface

What Precautions Can We Take?

As the wallet drainer has only one chance – the first signature you sign – most of them are Seaport drainers. Since the wallet drainer is targeting NFT collections that were preapproved in OpenSea, there is a simple solution to this problem, revoking approvals! Before the hack, Kevin has a Cryptopunks worth at least a 6-digit figure in his wallet. The punk was not hacked as it cannot be sold via OpenSea hence there is no Seaport approval.

If revoking is the solution to drainer and hacking, why are we not doing it? Even though revoking approvals is a straightforward process, it comes with a cost, as all on-chain transactions in Ethereum’s mainnet require gas fees. This is why many individuals hesitate to revoke their approvals, as the expensive gas fees make it a costly affair. After withdrawing the approval, we will have to pay gas fees the next time we want to approve the same NFT collection again.

For revoking approvals, it can be done effortlessly with the help of, a preventative tool that helps to monitor and revoke active token allowances in your crypto wallet. You can filter the list by token and NFT but leave the other option as it is. Search for the valued NFT you currently hold and check its status. If the status is “Unlimited”, the individual has granted OpenSea permission to transfer all their NFTs of that particular collection. By selecting “Revoke,” the permission can be withdrawn. This process should be repeated for all valuable NFT collections to safeguard against wallet drainers.

Screenshots from Bitget Wallet (Previously BitKeep) Wallet. is available in the Bitget Wallet (Previously BitKeep) Wallet DApp browser.

What Is More That We Can Do to Safeguard Our Crypto Assets?

In the same Twitter space, Aaran was invited as the witness to Kevin’s devastating hack. He shared the concept of “wallet hygiene” to safeguard wallet security. Wallet hygiene includes not merely the differentiation between hot and cold wallets but also one’s own behavior and actions regarding utilization. For instance, a cold wallet (hardware wallet) is not truly cold if it is constantly connected to the internet. Aaran is, by all means, urging the audience to resort to cold wallets as frequently as possible and to maintain clear segregation between their digital assets.

Aaran suggested that there should be three distinct types of wallets: hot, warm, and cold. The hot wallet is intended for daily usage and transactions, while the warm wallet serves as an intermediary step, such as interacting with a contract or signing a signature. In the event of an unexpected situation, the damage would be manageable. Lastly, the cold wallet is the utmost secure wallet, the trust-absolutely-nobody-except-for-myself wallet.

In addition, to further fortify your crypto assets, check out our enlightening article filled with tips and insights from a frequent user. Stay vigilant!

Bitget Wallet Weekly Report|6.Feb - 10.Feb
Blur's Airdrop Launched! Here's the Lowdown

Leave a Comment

Your email address will not be published. Required fields are marked *