A Hardware Wallet is Not Enough: Behind the NFT God Hack

A Hardware Wallet is Not Enough: Behind the NFT God Hack

Recently, one of the most prominent NFT influencers fell victim to a malware phishing attack.

On January 14, 2023, Twitter user @NFT_GOD posted an alarming update:

“Last night my entire digital livelihood was violated. Every account connected to me both personally and professionally was hacked and used to hurt others. Less importantly, I lost a life changing amount of my net worth.”

You see, @NFT_GOD is no ordinary NFT enthusiast. With more than 94,000 followers on Twitter and 16,000+ subscribers on Substack, NFT God is one of today’s largest NFT influencers.

Despite being considered an expert in the realm of NFTs, NFT God still ended up the victim of a popular hack known as phishing, the practice of posing as a trusted company or person and posting links that lead to malicious software downloads.

The trusted company that the hackers posed as in the case of the NFT God hack? A company advertising through a Google sponsored result (which Google had filtered and approved to advertise).

In this article, we recap what exactly happened with the influencer NFT God, how the hackers managed to steal from NFT God’s hardware wallet, and the aftermath of the incident.

Keep reading as we discuss how you can protect yourself and your digital assets from similar hacks.

The Hack Heard ‘Round the World: What Happened to NFT God?

In a thread of more than 20 Tweets, NFT God explains the situation, how it happened, and who was affected by the incident. Here is a quick breakdown of how this travesty occurred:

  • The Hack: The influencer NFT God had been planning to begin live-streaming video games to their audience. To set up the stream, NFT God downloaded OBS (Open Broadcaster Software), an industry-standard open-source software for live streaming. However, rather than visiting the OBS website directly to initiate the download, NFT God instead clicked on a sponsored Google ad. This ad turned out to link to a false website, which NFT God did not realize was fake, leading to the download of malicious software.
  • The Consequences: Once the malicious software was downloaded onto NFT God’s computer, it took some time for the influencer to realize what had happened. During that time, the hackers were able to gain access to all of NFT God’s social media and communication tools, including Twitter, Substack, Gmail, and Discord, as well as the influencer’s hardware wallet containing cryptocurrencies and NFTs, because the wallet was connected to the computer and interacting with dApps. The hackers also posed as the influencer and sent emails to NFT God’s thousands of subscribers containing a malware link (known as a phishing attack). The total amount of collective losses between NFT God and the subscribers who fell victim to the phishing attack is not currently known, but is likely in the five-to-six-digit range (in USD).
  • The Response: Once NFT God realized the hack was actively occurring, the influencer first deleted fake Tweets on the official @NFT_GOD account that contained phishing links. However, NFT God did not immediately realize the hackers had access to their entire digital presence and blockchain wallets. As a result, all of NFT God’s digital assets were stolen. To try and prevent further losses and to protect subscribers from the hackers, the influencer reset all account passwords, wiped the desktop computer, and reinstalled Windows. NFT God also alerted subscribers to the potential threat via Discord, an email mailing list, and Twitter. As blockchain transactions are non-reversible, NFT God was unable to recover any stolen assets.

While the horror of this event will certainly stick with the influencer for years to come, NFT God stated that the biggest consequence of this entire event was the loss of trust from the community.

In NFT God’s own words:

“I'd lose this ugly snot nosed monkey PFP and all my Ethereum 100 times over if it meant I kept the trust and love of those who support me. I honestly was able to keep my cool through losing all my digital assets. I lost my cool when I saw my community was compromised.”

How the Sponsored Google Listing Hack Got Into NFT God’s Wallet

After announcing the hack, followers of NFT God began asking one key question on repeat:

Did NFT God have a cold wallet?

Cold wallets are not connected to the internet, protecting the wallet and its contents from hacks and malware. A cold wallet can either be a hardware wallet that is a physical piece of equipment (like a flash drive) or a platform-based wallet that exists on a computer but is not connected to the internet.

NFT God owned a hardware wallet called Ledger that can be set up as either a hot wallet (one that connects to the internet) or a cold wallet (one that does not). Due to the way NFT God entered the seed phrase (key) for the wallet, it became a hot wallet rather than a cold wallet, making it susceptible to online attacks. This is the key topic of this story: that even with a hardware wallet, it can become a hot wallet that is vulnerable through various ways you use it.

Unfortunately, this now hot wallet lived in the same desktop PC that was infected by the malware downloaded from the fraudulent sponsored Google link. As a result, hackers were able to easily access the wallet and transfer its contents to a different wallet in a non-reversible transaction.

Hardware Wallets are Not Fool-Proof: The Risk of Human Error

The entire fiasco of the NFT God hack provides one crucial lesson for all blockchain investors:

Hardware wallets are not bulletproof.

Storing assets like crypto and NFTs in a hardware wallet that is not connected to the internet is widely viewed as one of the best practices for keeping digital assets safe.

Yet, human error can lead to even hardware wallets becoming susceptible to hackers.

As seen in the NFT God case, cold wallets and hardware wallets can be complex, with just one mistake during set-up leaving the entire wallet vulnerable.

Moreover, as a user, you can choose to allow your hardware wallet to connect to the internet to transfer assets to hot wallets intended for transactional purposes (purchases, payments, etc.). Anytime this wallet’s key or seed phrase is exposed to a computer or web browser, the wallet’s vulnerability heightens.

Final Thoughts: How to Avoid Hardware Wallet Hacks

What the NFT God hack ultimately reveals is that you do not have to directly make a mistake to have your wallet and assets compromised.

NFT God’s thousands of Substack subscribers and Twitter followers were all put at risk due to the hacker’s antics, with an unknown number falling victim to a phishing attack simply because they clicked a link that was posted by a trusted influencer’s account.

Protecting your wallet and digital assets from hacks like the NFT God incident takes a dynamic approach to security. Rather than relying on one sole hardware wallet for protecting your digital assets, you need a combined software and hardware solution for ultimate security.

Multi-signature wallets with smart contracts are one of the best ways to keep your assets safe even if a wallet key is compromised.

With a multi-sig wallet, more than one person holds the keys to a wallet, requiring both people to use their keys to gain access to the wallet. With this layer of security, hackers are rendered unable to access a wallet without the second key authorizing their identity.

At Webacy, our wallet solution offers more than just multi-sig and smart contract capabilities.

Webacy offers an entire suite of tools that make self-custody simpler to manage. Our bring-your-own-wallet system provides you with key security features, such as the Backup Wallet and Panic Button that enable you to transfer your digital assets safely and at a moment’s notice if they become compromised. In other words, Webacy is building towards a safer web3 for everyone.

Get started with Webacy today to ensure the future safety of your digital assets.

You can connect with Webacy on Instagram and Twitter.