My Metamask wallet got hacked – NFT artist guide
I am an NFT artist who got my Metamask wallet hacked: a post-hack fix guide for artists who sell on Opensea, Foundation App and other Crypto blockchains.
I’m writing this guide from an NFT artist’s perspective, because when I got my Metamask wallet hacked there really wasn’t much information available on what to do and how to apply a fix in such a situation. I hope that my experience will empower you with knowledge not to get hacked yourself and what to do with your NFT marketplaces in case it happens to you.
Spoiler alert: besides all the bombardment of messages claiming a white hat hacker can help restore your Metamask account and restore your crypto, there is no known solution apart from cutting your losses and starting over.
TLDR/SUMMARY: My Metamask wallet got hacked, I sell NFTs on Opensea and Foundation App. I had to abandon existing wallet, I did not get my ether back. I nuked my PC from orbit, installed Norton 360 and a password manager, I started to write all passwords on paper. I bought a ledger nano S, re-opened Metamask wallet by connecting hardware wallet.
I had to migrate my Foundation account to new wallet address (all followers, royalties from old ether wallet address get diverted to new ether wallet address).
⚠️Foundation 2022 update: Foundation no longer migrates accounts! Why? No idea, please see the Foundation section below to see what can be done…
On Opensea I deleted any unsold NFT art, I re-minted the sold ones and transferred them to the collectors, I advised them to burn the old one. I installed a notice on my profiles explaining what had happened. I celebrated my resurrection in the NFT world by minting a new piece on my foundation account.
⚠️Remember above all else: Never share, e-mail, photograph your secret 24 word seed phrase, even with Metamask’s official support. This phrase is only meant for your use in the event of having to restore or recover your wallet. Once a hacker has your 24 word recovery phrase it’s game over, all they need to do is install Metamask and import your account using the 24 word phrase, once they have done so, total control, they can drain your wallet of all crypto funds.⚠️
If you find this guide useful, please give me a follow on your preferred platform: https://linktr.ee/vinnikiniki
Ok let’s get into things, this is a long sordid saga, with not so many twists and turns, just rather boring procedure and accepting the loss of a reasonable amount of Ethereum.
Metamask Post-Hack Guide Contents
I’ll break this down into the following sections.
- Background – my setup at the time of the hack
- Getting hacked Part 1 – Immediate actions, remedies and fix
- Foundation App NFT – Their support and migration procedure (updated for 2022)
- Opensea NFT – What I did with my NFTs on Opensea after getting hacked
- Getting hacked Part 2 – How did my wallet get hacked?
- Getting hacked Part 3 – Who did it, what was at stake? Scripts?
- Metamask support – Connecting hardware wallet
- Fight fire with fire; Can white hat hackers really help restore your crypto and regain control of compromised wallet?
- Summary / Further reading
hack by 0x0945198dd98c78d88568004d775e33800cfe4bfa
-Win 10 x64 win AV
-FF browser for minting NFT @opensea + @withfnd
-Metamask (DL official https://t.co/NZlCW5uBAM)
-No Hardware wallet
-Copy n paste passwords from notepad
-Used autofill on browser
— 🆁🅴🅰🅻🅸🅴🅽👽💚👌 (@vinnikiniki) August 27, 2021
1 Background: My Setup Before Getting Hacked
I sell NFTs on Opensea and Foundation App, prior to getting hacked I did NOT use a hardware wallet (aka cold wallet like a ledger nano X or a Trezor one). I was using Metamask wallet extension which was installed and used on a dedicated browser which I would use solely for the purpose of minting and collecting NFTs (Mozilla Firefox not signed in). A windows 10 64-bit user, at the time I was using only inbuilt windows anti-virus, I did not use a password manager (like 1password) I stored all my passwords in a notepad file (yes, I know…). I downloaded Metamask from the official metamask.io website, I had about 4 separate wallet accounts in that wallet, I did not “lock” my wallet, I did close my browser when it was not being used.
#8 Which hardware wallet should i buy? #Ledger vs #Trezor?
I got Ledger Nano X, Trezor is equally good, but in my opinion touchscreen is one more thing that could go wrong. Honest tho, it’s buggy and a pain in the a$$, but i do feel more secure!
⚠️only buy from official store⚠️ pic.twitter.com/ZJ6ahyCplN
— 🆁🅴🅰🅻🅸🅴🅽👽💚👌 (@vinnikiniki) August 27, 2021
2 – Getting hacked Part 1 – What should I do after I get my Metamask wallet hacked
Ok I’ll keep it brief, but simply put here’s what I believe should be done after getting your Metamask wallet hacked
- Breathe deeply, massage your temples, keep any sharp objects out of reach. Optionally cry and/or scream
- Check your hacked wallet and NFT marketplace accounts associated with it – can you still log in to your wallet, are your NFTs safe? Delete any unsold NFTs – abandon your wallet
- Are there any other accounts associated with the Metamask install that got hacked? Check them all, if they remain untouched (funds remain) immediately transfer out your funds to a newly setup wallet.
- Nuke your PC from orbit, maybe overkill but better safe than sorry, wipe your computer, wipe it again, reinstall your OS and don’t forget to format your hard drives during the re-install process, some virus and malware can remain in recovery partitions and re-install themselves during the OS install. Formatting the hard drive during install should result in a clean and safe fresh OS.
- Install a decent antivirus and consider an encrypted password vault manager, do not use autofill and password manager built in to your newly installed browsers AND NEVER SHARE OR STORE YOUR 24 WORD RECOVERY PHRASE IN DIGITAL FORMAT!
- Buy and start using a hardware crypto wallet, make sure you buy direct from the manufacturer. I bought a Ledger Nano X, but the Trezor series is equally respected. On freshly installed OS setup a new Metamask wallet by connecting it to the hardware aka cold wallet.
- Set up new NFT marketplace accounts (in my case Opensea and Foundation.App), contact their support and ask if they can migrate your account including royalties to your new hardware wallet connected Ether address.
- Shill.Chill.Repeat – you should now be good to start your NFT crypto journey all over again, reinforced but not impenetrable, just maintain good practice moving forward and remain mindful and vigilant.
⚠️NOTE ON LEDGER PURCHASE: only buy from official store, I’ve even heard of a batch of dodgy metamask wallets being sold on ebay, when your ledger arrives make sure it is factory sealed (hasn’t been previously opened)⚠️
What if your Metamask gets hacked and you sell NFT art?
Ok we are now getting to the really important stuff, especially as an NFT artist, I can’t speak for every platform, but I will tell you all about what I did to safeguard and move forward on Opensea and Foundation App, the two NFT marketplaces where I was selling connected to the hacked account.
Naturally if you’ve already sold some NFTs and they are being sold on the secondary market there are no benefits to receiving royalties to a Metamask wallet which has been hacked, compromised and abandoned (or in some cases inaccessible by you).
My main concerns:
- Not losing existing followers (only applies to Foundation)
- Being able to receive royalties for any NFTs I’d sold already
- Maintaining control of my minted unsold NFT art
- Not having to change my NFT marketplace profile URL
- Not losing invite codes (only applies to Foundation)
- Not losing verified status
- Maintaining one official ether wallet address for my artist profile
3 – FOUNDATION APP NFT Marketplace
Background (at time of hack):
- 4 Nfts minted + (3 of which were sold, 1 unsold)
- 1 split NFT minted by another NFT artist
- 200+ followers
Frankly speaking their support was awesome, I guess to be expected from a premium platform, really fast and excellent solution protocol.
⚠️Foundation 2022 update⚠️
Foundation no longer migrate accounts! Why? No idea, here’s what you can do…
1/ DAMAGE CONTROL
If you do have access to compromised wallet log in and make changes to hacked profile.
— Remove username (or rename something like USERNAME-DEFUNKT)
— Remove any other details you want on your hacked profile
— Advise your collector of what has happened
If you do not have access to the old wallet, the contents are lost, including any profile details and access to NFTs
2. SETUP NEW FND PROFILE with NEW WALLET
IF you previously had creator status that can be moved to new profile, you must contact Foundation support to do so. Simply send them your old profile which got hacked and your new profile you need creator status transferred to.
The struck-out text below is not possible anymore.
Foundation App confirmed they can migrate existing account to a new wallet address. This meant I could setup a new foundation profile and maintain my existing followers, profile URL, minted NFT, and also redirect royalties from already sold NFTs now on secondary sale. The migration of the profile was really simple, all I had to do was contact support via their website, I received a migration link and it was very easy to do. Migration was completed within 24 hours! NOTE: I’m not sure how the process would work IF I did not still have access to my old hacked Metamask wallet.
I was so happy with the migration experience as soon as I was up and running again I created and minted an NFT on their platform to celebrate – I called it “My metamask got hacked and all I made was this NFT”
4 – Opensea NFT Marketplace
- 1 collection of 33 NFT collectibles (9 of which were sold, 7 owners)
- No NFTs purchased
Please don’t make the same mistakes I did, this story is a bit longer. If only I had more patience and received the support e-mail a little sooner I might’ve not wasted over 200 USD re-minting and transferring already sold NFTs to existing collectors.
Then again, one of my primary (possibly stupid) concerns is/was having all NFTs I create as ViNNi KiNiKi to be associated with the same wallet address, bearing that statement in mind, what I had to do was unavoidable. If however this is not important to you, the experience of migrating and setting up a replacement Opensea NFT artist profile might not be so harrowing for you!
Opensea unlike foundation cannot migrate your account and existing NFTs to a new wallet address. If like me you want all your NFT art to be associated to only one wallet address the only answer is to open a new Opensea account using your secure hardware wallet Eth address. Here’s what I did
Bearing in mind I COULD log into said account, as soon as I found out my Metamask wallet had been hacked I….
- Logged in to my Opensea account and deleted ANY unsold Opensea NFTs (the deletion is only possible if NFTs are unsold, the process is free and easy). Simply go to unsold NFT > EDIT > DELETE
- Contacted my collectors – I told them I would need to restart my opensea account. I advised as soon as I was back up and running I will re-mint the NFT they purchased, I will transfer an exact same replacement. I offered an incentive to send a bonus NFT if they burned or sent back the initial NFT to me for burning.
- I renamed my old profile to ViNNiKiNiKiDeAD < a token gesture, the profile also explains the hack and the fact that I had to setup a new profile. I included a link to my new official opensea in the description.
- Once I had set up my Opensea profile I had to make some adjustments to my old collection. (a collection can only be deleted IF it contains no unsold NFTs).
- Changed the banner of the old collection and included a QR to the new Official collection.
- Changed the URL of the old collection, used the old URL on the new collection. Remember all existing URLs I had posted were pointing to this URL, so I need to keep that URL in my possession.
⚠️IMPORTANT NOTE: If you are not concerned about selling all your NFTs from the same wallet address you can simply merge collections with your new account (add as collaborator). Also do not forget to set the wallet payout address to your new hardware protected wallet.⚠️
#7 OPENSEA FIX Pt.2
If you are OK with minting new NFTs from new address AND keeping existing NFTs minted from old address you can..
– Invite New Opensea account to be collaborator of existing collection
– Change payout address to new wallet address
– Carry on with new account 👍 pic.twitter.com/RlupjlxsTG
— 🆁🅴🅰🅻🅸🅴🅽👽💚👌 (@vinnikiniki) August 27, 2021
5 – Getting Hacked Part 2 – How did my Metamask wallet get hacked
This was the most asked question from all my NFT buddies and peers, embarrassing it happened in the first place, even more embarrassing is not knowing how to answer the question. To this day I am unsure of how my Metamask wallet was hacked. I did extensive reading online as to how it may have happened, so I’ll go through some of the scenarios below.
Clicking suspicious links – clicking suspicious links can lead to malware being installed on your computer. The level of sophistication can vary, but in essence once malware is installed your system becomes compromised, which can leave your computer open for others to gain control of or access remotely. Certainly the benefit of having a decent antivirus installed is that it notifies the user of which links or files may be harmful to access or download.
Screensaver (SCR hack) – Although an age-old hack commonly associated with buying digital items, it has been revised and adapted for the NFT world. As an artist you might receive a message from someone saying they are a fan of your work and would like to commission you to do some art. Rather than sending you image files (jpeg, png etc.) they send you a screensaver file (.SCR) – rather than being a screensaver this results in a nasty trojan virus being installed on your system.
Key word sniffer / Keyword logger – Both of the above scenarios can ultimately result in a key word sniffer/logger being installed. This effectively makes a copy of everything you type on your keyboard and sends it back to the hacker. Remember all a hacker needs is your secret 24 word seed phrase, once they have this they can gain total control of all your funds.
Copy and Paste or type your recovery phrase? In addition to the above I’ve heard there are viruses that are trained specifically to be aware of and notify the hacker of any time you copy and paste a 12 or 24 word string of characters. If like me you store your seed recovery phrase in a notepad or similar word file, this one slip up can result in your 24 word seed phrase falling into the hacker’s hands. Typing it can be just as bad, so always make sure your system is clean of viruses / malware and in theory you should be fine.
Phishing: Fake Metamask and/or fake NFT marketplace website: The Phish technique relies on you inputting your seed phrase into a lookalike Metamask wallet. For example say if you go to a fake Opensea website (or other NFT marketplace you actively log in on) – everything looks like normal, but actually you are inputting your seed phrase to a form which sends it straight into the hacker’s inbox, game over.
In summary, I think the phishing is the most likely scenario for what happened in my case, I think I remember there was one time I was going to Opensea but rather than Metamask asking for my password it was asking for my seed phrase, I was quite new to things at the time and though it seemed suspicious I was also in a rush, so I just did it anyway. So the key take away message is hurry slowly and if something doesn’t seem quite right, retrace your steps. Also never ever store your 24 word seed phrase in digital format (even a photo) and do not share it with anyone.
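For the fake-website scenario described above, here is an added example (not part of the original post) of a lookalike check run on a link before you open it. The allowlist of `metamask.io`, `opensea.io` and `foundation.app`, the function names and the sample URLs are assumptions made for this illustration.

```python
from urllib.parse import urlsplit

# Assumed allowlist: the real sites for the three services this guide names.
TRUSTED = ("metamask.io", "opensea.io", "foundation.app")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str) -> str:
    """Return 'trusted', 'suspicious', 'unknown' or 'invalid' for a URL."""
    parts = urlsplit(url)
    # .hostname drops any "user@" prefix and port, so tricks such as
    # https://opensea.io@other.test/ are judged on the real host.
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return "invalid"
    # Exact host or a true subdomain of an allowlisted domain, HTTPS only.
    for good in TRUSTED:
        if host == good or host.endswith("." + good):
            return "trusted" if parts.scheme == "https" else "suspicious"
    labels = host.split(".")
    # Punycode labels can render as look-alike (homoglyph) characters.
    if any(label.startswith("xn--") for label in labels):
        return "suspicious"
    tail = ".".join(labels[-2:])
    for good in TRUSTED:
        brand = good.split(".")[0]
        # Near-miss spelling of the real domain, or the brand name reused
        # inside some other domain (as a subdomain or with a suffix).
        if edit_distance(tail, good) <= 2 or any(brand in l for l in labels):
            return "suspicious"
    return "unknown"


# Constructed sample URLs for illustration only.
SAMPLES = [
    "https://opensea.io/collection/example",
    "https://opensae.io/",
    "https://opensea.io.example-login.test/wallet",
    "https://metamask-support.example/restore",
    "https://xn--opense-9ya.io/",
    "https://opensea.io@example.test/",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{classify(sample):10} {sample}")
```

A "trusted" result only says the link points at the real domain; a page that asks for the seed phrase is still a red flag wherever it is hosted.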
6 – Getting hacked Part 3 – Who did it, how much was stolen, were my NFTs stolen?
The beauty of decentralized crypto means every single transaction is publicly accessible, including this nightmare hack where all my funds got drained. However, as an NFT artist it can be a bit more worrying: not only can your crypto be stolen, your NFT art (both the ones you minted and the ones you collected) can be stolen too.
The hacker’s identity
I really don’t want to be giving the hacker any more fame, but for the purpose of this article I think it’s important. So as you can imagine my initial kneejerk reaction was to google (and Twitter) the hacker’s wallet address, it turns out a number of other Metamask users were thieved by 0x0945198dd98c78d88568004d775e33800cfe4bfa – at time of writing this article this account has got 180 Ether at a value of more than $500,000, yes, we can see their activity, but we don’t know who they are, you can look up the account on Etherscan. Some people recommend reporting the hack to local authorities but unlike banks with fiat currency, cryptocurrency is NOT controlled by any financial institution which means it’s completely unregulated, vis a vis; there is really no one to turn to… unless you count other hackers (see the section below: “Can white hat hackers help?”)
What is a script?
Fortunately, I could still access my wallet, but if the hacker had installed a script it meant that any Ether being deposited into that wallet address would immediately get teleported to the hacker’s account. I did not take the chance, nor did I test to see if this was the case, I took it as a given and just decided to do the most advisable thing: I considered this wallet address to be dead and abandoned it.
But what if your crypto got stolen and a script got installed but you need to transfer your NFTs to another wallet address? Yes, this has happened. To transfer a NFT from one wallet address to another it costs Ether, but if a script is installed adding funds to your wallet is useless as the Ether gets transferred out immediately, so what to do? I’ve heard stories of people who need to do this to save their NFT collections, there is a really well documented account of this online. If this is you Google: “Operation: CryptoKitty Rescue A story of nonce and nonsense” – it can be done! But it will cost you over the usual odds.
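Because every transaction is public, the "script" behaviour described above can be checked from the wallet's existing history instead of by depositing fresh funds. The following is an added example, not part of the original post: the `Tx` record, the thresholds and all addresses are constructed for illustration, and real history would come from a block explorer export.

```python
from collections import Counter
from dataclasses import dataclass

ETH = 10**18  # wei per Ether


@dataclass(frozen=True)
class Tx:
    ts: int          # block timestamp in seconds
    sender: str
    to: str
    value_wei: int


def sweeper_report(wallet, txs, window_s=120, min_ratio=0.8, min_hits=2):
    """Flag a wallet whose deposits are each followed, within window_s
    seconds, by an outflow of most of the deposit to one destination."""
    wallet = wallet.lower()
    ordered = sorted(txs, key=lambda t: t.ts)
    outgoing = [t for t in ordered
                if t.sender.lower() == wallet and t.value_wei > 0]
    used, hits, deposits = set(), Counter(), 0
    for dep in ordered:
        if dep.to.lower() != wallet or dep.value_wei == 0:
            continue
        deposits += 1
        for i, out in enumerate(outgoing):
            in_window = dep.ts <= out.ts <= dep.ts + window_s
            # The swept amount is slightly below the deposit because of gas.
            if i not in used and in_window \
                    and out.value_wei >= min_ratio * dep.value_wei:
                used.add(i)
                hits[out.to.lower()] += 1
                break
    dest, swept = hits.most_common(1)[0] if hits else (None, 0)
    suspected = swept >= min_hits and swept * 2 > deposits
    return {"deposits": deposits, "swept": swept,
            "destination": dest, "suspected": suspected}


# Constructed placeholder addresses and histories (not real accounts).
WALLET, DRAIN = "0x" + "11" * 20, "0x" + "dd" * 20
FRIEND, SHOP = "0x" + "22" * 20, "0x" + "33" * 20

SWEPT_HISTORY = [
    Tx(1000, FRIEND, WALLET, 500 * ETH // 1000),
    Tx(1012, WALLET, DRAIN, 499 * ETH // 1000),
    Tx(5000, SHOP, WALLET, 200 * ETH // 1000),
    Tx(5013, WALLET, DRAIN, 199 * ETH // 1000),
    Tx(9000, FRIEND, WALLET, 100 * ETH // 1000),
    Tx(9011, WALLET, DRAIN, 99 * ETH // 1000),
]
NORMAL_HISTORY = [
    Tx(1000, FRIEND, WALLET, 500 * ETH // 1000),
    Tx(90000, WALLET, SHOP, 300 * ETH // 1000),
    Tx(200000, FRIEND, WALLET, 200 * ETH // 1000),
    Tx(200050, WALLET, SHOP, 10 * ETH // 1000),  # small payment, not a sweep
]

if __name__ == "__main__":
    print(sweeper_report(WALLET, SWEPT_HISTORY))
    print(sweeper_report(WALLET, NORMAL_HISTORY))
```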
7 – Metamask support
Metamask took a few days to respond, although they could in no way help to retrieve the stolen funds (naturally, how could they?) they did however provide excellent advice on steps to take after. I attach some screenshots below.
8 – Can white hat hackers really help restore your crypto and regain control of compromised wallet?
It takes fire to fight fire, so naturally this seems like a reasonable course of action to take right? Short answer: I don’t know. Frankly speaking, if something sounds too good to be true it probably is. When I posted about my wallet getting hacked on my twitter account, friends were really shocked and supportive, another reason to love the NFT community. But another thing happened, it happens on pretty much any tweet or post made featuring the words “Metamask” “wallet” and “hack”: you will get a bunch of replies saying “contact this hacker, they will be able to get your crypto back” and you’ll also receive a bunch of DMs saying the same thing. I like to believe people are being nice, and genuinely want to help, but as a natural born cynic and with the confirmation that most of these twitter accounts have 0 followers I take it as a sign of not being true. I’ve challenged a few to provide further evidence, not one provided any. You can try, but I’d suggest you proceed with caution and ultimately consider the deed done and irreversible; you are in a psychologically bad position and there are people out there who know this and want to take advantage of the fact.
9 – SUMMARY / FURTHER READING
Ok, so that’s it, I hope my suffering and misery is something you can avoid and that you managed to learn something from reading this article, stay safe and spread the word. If you have any questions or comments please feel free to contact me – have fun!
- Crypto kitties rescue operation: https://medium.com/mycrypto/operation-cryptokitty-rescue-93fd8e00e4f8
- How to burn (destroy) NFTs: https://ethereum.stackexchange.com/questions/16188/best-way-to-burn-ethers-and-other-ethereum-tokens
12# FiNAL STEP – You should now be good to start your NFT journey all over again, reinforced but not impenetrable, just maintain good practice moving forward and remain mindful and vigilant.
— 🆁🅴🅰🅻🅸🅴🅽👽💚👌 (@vinnikiniki) August 27, 2021