Should Victims of NFT Hacks Be Compensated by Creators?
Social media hacks are on the rise in the NFT community, and it’s rare lately to see a day or two go by without some significant project or creator’s account being compromised.
For collectors, the consequences can be significant: Users who engage with the scams shared by hacked accounts have collectively lost millions of dollars in NFT collectibles and other tokens, all because they connected their wallets to what they believed was a legitimate NFT mint or token claim.
What’s the recourse in these cases, and what responsibility do NFT creators have to collectors when their accounts are hacked and used to perpetrate scams? In some cases, NFT project creators have compensated affected users, typically by repaying the market value of the collectibles in Ethereum.
Bored Ape Yacht Club Instagram Hacked, $2.8M in Ethereum NFTs Stolen
However, there’s rising sentiment among creators against reimbursing users who lose assets by engaging with social media scams. Some see that kind of make-good effort as rewarding the reckless actions of users who don’t take precautions, which goes against crypto industry tenets of self-custody, accountability, and performing adequate research.
As social media hacks proliferate, here’s how the debate over compensation is evolving and what notable builders in the NFT space are saying about it.
Increasing attacks
In the last few weeks alone, the social media accounts of several notable NFT projects, creators, and collectors have been hacked and used to spread scam links. When people engage with these links, connect a wallet, and approve the prompted transaction, it opens them up to having their NFTs and other tokens stolen.
Recent examples of such attacks have included the Ethereum NFT project Nouns, which had its Twitter account compromised on June 27. All told, NFTs worth approximately 42 ETH ($64,000 today) were stolen from 25 users who engaged with the link shared by attackers.
Pseudonymous NFT collector and trader Zeneca had his Twitter account compromised this week, as well, although the extent of the damage to users is unclear. Artist DeeKay’s Twitter account also was hacked recently, along with those of noted collectors Franklin and Keyboard Monkey.
Here’s a running list of Twitter accounts that’ve all been compromised recently: Beeple, DeekayMotion, Zeneca, Nouns DAO, Keyboard Monkey, FranklinIsBored, British Army, Jenkins Valet, Duppies, DegenTown, pic.twitter.com/h7TjwVIZ4N
— ZachXBT (@zachxbt) July 21, 2022
Artist Mike “Beeple” Winkelmann’s account was hacked in late May, with an estimated $438,000 worth of tokens and NFTs stolen from users, according to MetaMask security analyst Harry Denley. Beeple made no mention of planned compensation for affected users.
The Twitter account of Jenkins the Valet, a Tally Labs project based on a Bored Ape Yacht Club NFT, was hacked and taken over in June. The creators said that users had lost Bored Apes, Mutant Apes, and other valuable NFTs via the exploit, and that it would compensate users based on the floor price (or cheapest available NFT) for each project.
One of the most notable examples to date of a social media hack from a major NFT project is the Bored Ape Yacht Club itself, which had its Instagram account compromised with a fake mint link in April. Yuga Labs estimated the value of stolen NFTs at about $2.8 million and said that it was working to get in contact with affected users.
Decrypt asked Yuga representatives on Friday whether it ultimately compensated users, but they didn’t respond. Just this week, Yuga tweeted that it was aware of “a persistent threat group that targets the NFT community,” which it believed “may soon be launching a coordinated attack targeting multiple communities via compromised social media accounts.”
There have been other examples in recent months, including when a project’s Discord server was compromised, with attackers using access to share links to fraudulent NFT mints or token drops. The Bored Ape Yacht Club’s own Discord was hacked in June, for example, with about 200 ETH ($359,000 at the time) worth of NFTs stolen from users.
Premint to Return $500K in Ethereum to NFT Hack Victims
Solana NFT gaming marketplace Fractal faced such an attack last December and said that it would compensate users to the tune of $150,000 worth of SOL, while the Discord for NFT game Phantom Galaxies was hacked in November. Publisher Animoca Brands said that it would reimburse users for $1.1 million worth of ETH in that example.
Just last weekend, Premint—a registration platform for NFT drops—had its website hacked with malicious JavaScript code. Users lost hundreds of NFTs by engaging with the scam link, and Premint decided to reimburse them with more than $500,000 worth of ETH based on the floor price for those NFTs, plus it repurchased and returned two of the most valuable stolen NFTs.
‘Not a guarantee’
Interestingly, in some of the above situations, even creators who compensated users expressed doubt about doing so, at least in the long run, or said they wouldn’t do it again.
In a postmortem account, pseudonymous Nouns co-creator 4156 noted deficiencies in its security setup, such as a lack of two-factor authorization or a plan for dealing with attacks. He described compensation as “a one-time act of goodwill” and “not a guarantee” that the Nouns treasury would reimburse users in any similar situations.
1/ having gone through this with the @nounsdao twitter hack, it’s not clear to me that normalizing reimbursement is the way forward pic.twitter.com/dcgr2gHAmb
— 4156 ⌐◨-◨ (@punk4156) July 15, 2022
“While it sucks to say that people shouldn’t be reimbursed for being tricked via your account, these users are engaging in zero-due-diligence activities in an attempt to make fast money, and are ultimately the ones signing messages that authorize [withdrawals] from their wallets,” 4156 wrote in a follow-up thread last week.
He added that most of the users seeking compensation were “extremely unsophisticated crypto users,” and that many could not prove that they had been affected. He came away from the experience “with the feeling that reimbursement was a short-term PR band-aid” for hacks, and that “normalizing reimbursement removes the incentive for personal responsibility.”
In the case of Premint, founder Brenden Mulligan said specifically that the project would reimburse users because the attack happened on its website, rather than a social media channel. He similarly pointed to OpenSea compensating users in January for a UI issue on its marketplace, which resulted in owners inadvertently selling NFTs for below market value.
Bored Apes Co-Founder Criticizes Discord After NFTs Worth 200 Ethereum Snatched in Exploit
“For us, someone manipulated a file on Premint and was able to launch a UI on our website. We’ll own that. We should have not let that happen, so we are trying to compensate,” Mulligan told Decrypt. “There’s still an argument to be made that people should have been more careful, but in these cases, I think compensation is an option to consider.”
However, Mulligan disagrees with the idea of compensating users who lose NFTs via links clicked on social media platforms. He believes that attacks via Zeneca and DeeKay’s Twitter accounts were not their respective faults, and tweeted that “paying victims shouldn’t be done in most cases. It needs to be the individual’s responsibility.”
“People need to be careful about their own security,” Mulligan told Decrypt. “Ninety-nine percent of the scams are because people aren’t paying attention, and trying to ape into something without thinking.”
7/
This also encourages hackers to keep doing their thing since I am the one covering the mess. Part of me says reimbursement should not be a standard way to react, and another part of me says I should still find a way to compensate and find a balance. There is no correct answer.— DeeKay (@deekaymotion) July 15, 2022
NFT artist DeeKay tweeted last week that he had “started a process to try and compensate” users affected by the scam link shared from his hacked account, but similarly expressed discomfort with the idea.
“If I am honest, I am uncertain if reimbursement is the way forward since [a] few are pretending to be affected and looking for opportunities,” he wrote. “This also encourages hackers to keep doing their thing since I am the one covering the mess.”
“Part of me says reimbursement should not be a standard way to react, and another part of me says I should still find a way to compensate and find a balance,” DeeKay added. “There is no correct answer.”
‘Expectation should be zero’
Zeneca took a firmer stance in his own response to his compromised Twitter account. In a postmortem thread shared in tweets and collected in a blog post titled “Evolving Precedents,” Zeneca said that he had two-factor authorization enabled on Twitter and was still figuring out how the hack occurred—but that he did not plan to reimburse affected users.
“Somewhere along the way, projects decided that their response would be to take full responsibility and fully reimburse victims for their losses,” he wrote. “I understand and empathize with this response.”
But then he wrote that it was “unsustainable” for projects to keep doing so, and that it was “impractical” to sort through alleged victims. “The buck and responsibility lies with each individual participant in this space,” he added, noting that many people are used to “safety nets” in society, such as seeking help from centralized banks and financial services amid scams.
Great thread by @Zeneca_33 here. I think his decision not to compensate is the right one.
PREMINT compensated bc it happened ON our website. We’ll own that.
But ? agree that paying victims shouldn’t be done in most cases. It needs to be the individual’s responsibility. https://t.co/V1gQnrwsoX
— BrendΞn Mulligan | PREMINT (@mulligan) July 21, 2022
“It is with all this in mind that I am making a tough, but I think fair, and firm, choice—to not significantly compensate those who lost assets due to the events that occurred from the attack yesterday,” he wrote. “I’m genuinely, truly, very sorry for everyone impacted. It deeply pains and saddens me as I talk to and hear the stories of those affected.”
Zeneca will provide a free NFT access pass to his private ZenAcademy Discord server to affected users, which is currently worth about 0.38 ETH ($580) at present, per OpenSea. He also will keep a list of the victims for potential future benefits or assistance, but noted that “the expectation should be zero” on them receiving anything further.
Reactions to Zeneca’s thread from other NFTs creators and collectors have been largely—but not completely—positive, with crypto die-hards celebrating the ethos of personal responsibility. It treats self-custody and DYOR (“do your own research”) as the standards in a space that’s being flooded with new users who may not fully understand the tech or spot red flags.
Twitter Scammers Are Hijacking Verified Accounts for Fake Azuki NFT Airdrop
It’s still relatively early for large-scale NFT markets. Education may help ease the impact of scams and better prepare NFT traders to stay vigilant, but so may enhancements to technology and user interfaces. Both Mulligan and Zeneca pointed to the need for improved infrastructure and mitigations to limit the impact of attacks.
“The user interface for the most popular wallets need to be drastically improved to make it near impossible for someone to connect to a wallet drainer,” Mulligan told Decrypt. “This is a solvable problem, but it’s batshit crazy that it’s so easy to drain a wallet and there aren’t more warnings in place to protect people.”
Education, tech tweaks, and security upgrades could help close that gap, but in the meantime, FOMO (“fear of missing out”) and speculative frenzy are turning some NFT collectors into victims. And creators appear increasingly unwilling to foot the bill.