Proof Collective co-founder Kevin Rose is the latest high-profile NFT investor to fall victim to a “social engineering” attack. On Wednesday, he signed a single transaction that triggered the sale of the majority of his collection for free.
Rose is a well-known tech investor. Before entering the world of NFTs, he co-founded Digg, had a stint at Google Ventures, and created apps focused on fasting and meditation. Proof Collective, which launched in late 2021 and created the popular Moonbirds series, counts Beeple and Gary Vee among its members.
The total loss is hard to specify, given the nature of NFTs. Rarity within a collection, price volatility between sales, and the illiquidity of the markets all make valuation tricky, but Arkham Intelligence puts the figure at $1.09 million (using “the floor price of [the tokens’] relative collections”), while 0xfoobar estimates the value at approximately $2 million.
The lost tokens were all from Rose’s personal collection. Proof Collective’s holdings, which are secured by multi-signature accounts, are unaffected.
Luckily for Rose, some of the highest-valued tokens in his collection weren’t taken. These include two Cryptopunks (one of which last changed hands for $1.8 million), which were likely spared because the collection predates the current default token standard for NFTs.
How did Kevin Rose get scammed?
Rose was “phished” into signing a transaction that bundled the NFTs together into a single sale, priced at 0 WETH, and transferred them to the attacker’s address. The attacker created the bundle by manually interacting with OpenSea’s Seaport contracts and could then present it to Rose via social engineering.
While distributed blockchain systems may be highly secure at the network level, the non-human-readable transaction data shown by the majority of wallet software is a huge security risk for many users.
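What a readable signing prompt could look like, as an added example (not code from OpenSea, Seaport or any wallet): it summarises a Seaport-style typed-data order and flags one that hands over NFTs while paying the signer nothing, as in the 0 WETH bundle described above. The field names assume Seaport's `OrderComponents` layout; `reviewSeaportOrder`, `minAmount` and the sample request are hypothetical and constructed.

```javascript
// Added example. Field names assume Seaport's OrderComponents typed-data layout;
// reviewSeaportOrder, minAmount and SAMPLE_REQUEST are hypothetical/constructed.
const NFT_ITEM_TYPES = new Set([2, 3, 4, 5]); // ERC721, ERC1155 and criteria variants

// Lowest amount an item can settle at (start and end amounts may differ).
function minAmount(item) {
  const a = BigInt(item.startAmount), b = BigInt(item.endAmount);
  return a < b ? a : b;
}

function reviewSeaportOrder(typedData) {
  if (!typedData || typedData.primaryType !== "OrderComponents" || !typedData.message) {
    return { isOrder: false, warnings: [], summary: [] };
  }
  const { offerer, offer = [], consideration = [] } = typedData.message;
  const signer = String(offerer).toLowerCase();
  const nfts = offer.filter((i) => NFT_ITEM_TYPES.has(Number(i.itemType)));
  // Consideration items that actually pay the signer something.
  const paid = consideration.filter(
    (c) => String(c.recipient).toLowerCase() === signer && minAmount(c) > 0n);

  const summary = [
    ...nfts.map((i) => `YOU GIVE  NFT ${i.token} #${i.identifierOrCriteria}`),
    ...paid.map((c) => `YOU GET   ${minAmount(c)} base units of ${c.token}`),
  ];
  if (paid.length === 0) summary.push("YOU GET   nothing");

  const warnings = [];
  if (nfts.length > 0 && paid.length === 0) warnings.push("NFTs offered for zero payment");
  if (nfts.length > 1) warnings.push(`${nfts.length} NFTs bundled in one order`);
  return { isOrder: true, warnings, summary };
}

// Constructed sample: two NFTs offered, consideration of 0 of an ERC-20 token.
const SIGNER = "0x" + "a".repeat(40);
const nft = (id) => ({ itemType: 2, token: "0x" + "1".repeat(40),
  identifierOrCriteria: id, startAmount: "1", endAmount: "1" });
const SAMPLE_REQUEST = {
  primaryType: "OrderComponents",
  message: {
    offerer: SIGNER,
    offer: [nft("101"), nft("102")],
    consideration: [{ itemType: 1, token: "0x" + "2".repeat(40),
      identifierOrCriteria: "0", startAmount: "0", endAmount: "0", recipient: SIGNER }],
  },
};

const review = reviewSeaportOrder(SAMPLE_REQUEST);
console.log(review.summary.join("\n"));
console.log(review.warnings.length ? "BLOCK: " + review.warnings.join("; ") : "ok");
```

Amounts are in each token's base units, so the check only distinguishes zero from non-zero payment and does not judge whether a non-zero price is fair.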
This isn’t the first time a high-profile NFT collector has been phished. In fact, it’s not even the first this month.
Less than two weeks ago, NFT God lost everything after downloading malware and, despite describing himself as “highly technical,” admitted to having entered his seed phrase “in a way that no longer kept it cold.”
It’s likely that we’ll continue to see more collectors relieved of their digital art. A multimillion-dollar industry built around trigger-finger FOMO and often executed via an illegible interface makes bountiful waters for a spot of phishing.