Table of Contents
In a brazen cyber-attack, the official Twitter account of the NFT collective, Gutter Cat Gang, along with its co-founder’s account, was infiltrated, leading to the theft of NFTs valued at a minimum of $750,000. Some estimates peg the losses closer to $900,000. AegisWeb3 has confirmed that at least one of the perpetrator’s digital wallets has already liquidated the looted assets for $640,000.
The discrepancy in the estimates of the stolen assets is primarily due to the diversity of the NFTs seized and their fluctuating floor prices.
The GG Hack
To put it in perspective, a minimum of 87 NFTs were swiped from 16 separate users, with one account losing as many as 36 NFTs. Among the stolen NFTs was a Bored Ape that previously sold for $125,000 in September 2021.
The perpetrator brazenly tweeted about a “public airdrop” of GutterMelo – a legitimate Gutter Cat Gang collection launched just last month, on Friday. They posted a malicious link to a counterfeit airdrop that ended up depleting the wallets of those who connected to the site.
Adrian Hetman, tech lead triager at Immunefi, explained that victims often interact with a malevolent contract and unknowingly grant it approval to transact the tokens on their behalf, thereby enabling the perpetrator to move the user’s NFTs as they wish.
The Gutter Cat Gang Twitter responded to the incident two days later, expressing regret, confirming collaboration with law enforcement, and pledging to implement measures to prevent future attacks. Notably absent, however, was any commitment to compensating the victims, much to the disappointment of the project’s fans.
The Gutter Cat Gang, despite the breach, asserts it had robust “multi-factor authentication and security measures” in place. The exact details of these measures remain unknown. Twitter provides three multi-factor authentication options: app-based, SMS, or a dedicated key.
Cybersecurity specialist, James Bore, asserts that app-based authentication, with options like Authy, Microsoft Authenticator, or Google Authenticator, is the most secure. He states that no network transmission occurs, eliminating interception possibilities.
Bore also notes that a dedicated USB security key offers even more security than a phone app, although it is less commonly used due to the potential for loss, additional cost, and inconvenience.
Nevertheless, ZachXBT, a crypto investigator, alleges that the team was using less secure SMS authentication. According to him, using SMS for two-factor authentication after recent SIM swap incidents is highly irresponsible.
SIM Hacks
Andrew Whaley, a senior technical director at Promon, explained that a SIM swap attack happens when a scammer takes control of a user’s phone number by persuading the phone provider to transfer the number to a new SIM – owned by the scammer.
With the increasing prevalence of SIM swap attacks in the crypto space, Whaley emphasized the need for stronger security measures than SMS-based two-factor authentication (2FA).
This incident has prompted questions about the security measures employed by crypto projects for their social media accounts. Bore advises the use of a unique, lengthy password and a hardware key for second-factor authentication. He also suggests enabling password reset protection, requiring both an email and phone number for resetting a password, and maintaining a dedicated phone number solely for security purposes.
NFT Scams And The Market Affect
Cryptocurrency enthusiasts have reportedly incurred losses exceeding $26 million due to NFT-linked fraudulent activities since the middle of 2021.
The implications of NFT scams permeate deeper than the individual casualties, casting a shadow over the entire market. This repercussion manifests in diverse ways, affecting both the NFT industry’s reputation and its economic vitality.
Reputation damage. The foremost outcome is the tarnishing of the NFT sphere’s reputation. Fear of becoming prey to scams has deterred potential investors and traders from participating in the market. Consequently, this negative publicity makes it challenging for valuable, utility-based projects to garner public trust and investment.
Declining sales. A noticeable contraction in the annual value of the NFT sector is another consequence. The industry saw an 83% reduction in NFT sales between 2022 and May 2023. This dip is unsurprising, given the pilferage of over $20 million worth of NFTs in 2022 alone.
The heaviest blows from NFT scams are felt in North America and Australia. The majority of the scam proceeds are traced back to the United States, Canada, and Australia. Given the NFT category’s popularity among North American users, this is not unexpected.
A significant portion of these users are new to the cryptocurrency landscape and are therefore potentially more vulnerable to deceit, which might explain the higher scam-related revenue figures from these regions.
Growing calls for audits. In response to the increasing number of scams, the NFT community is heightening its security awareness before committing to any project. Community members are frequently demanding comprehensive audits of the codebase to ensure that there are no hidden traps for scams. These audits also serve to boost their confidence in the security of the smart contracts and reduce the likelihood of them being exploited by malicious actors.
