Beeple Twitter Account Hack
Beeple was an extremely successful NFT artist, with works selling for upwards of $69.3m in auctions. On May 22nd, 2022, his Twitter account was compromised and the attackers used their access to launch two separate phishing attacks on his followers, netting them a total of $438k. It does not appear that any of the funds have been recovered.
About Beeple
Beeple (also known as Mike Winkelmann[1]) was a well-known artist and NFT creator[2] from South Carolina[3] who has been working on digital art since May 1st, 2007[4], with his debut in the NFT space in February 2021[4]. He has created three of the top ten most expensive NFTs sold to date[2]. One of those, his "first 5,000 days", where he created a new NFT photo for 5,000 days straight[3], sold for over $69 million[5][3][2], the most expensive NFT ever sold to a sole owner[2].
“I almost look at it now like I’m a political cartoonist,” Beeple explains. “Except instead of doing sketches, I’m using the most advanced 3D tools to make comments on current events, almost in real-time.”
Beeple has a strong following of 1.8 million followers and had previously done collaborations with Louis Vuitton, Nike, Katy Perry, and Childish Gambino[3]. Earlier in May, Beeple had started collaborating with Louis Vuitton. Beeple designed 30 NFTs for Louis Vuitton’s "Louis The Game" mobile game, which were embedded within the game as player rewards[2]. In the early morning of May 22nd, 2022, the official account of Beeple posted about an exciting new raffle[5]. Beeple's profile had also been updated to feature the same link[5].
"Been working on this with [Louis Vuitton] for a long time behind the scenes. 1000 total unique pieces.
BEEPLE x VUITTON COLLECTION_!: BEEPLES
Official Raffle Below. 1 ETH = 1 Raffle Entry. All non-winning entries are refunded post raffle.
Good luck :)"
This was followed by yet another promotion a couple of hours later, this time promising a free mint[2][6]!
"Had felt the need to release more NFTs from my collection behind the scenes. 200 total unique pieces.
BEEPLE - SPRING/SUMMER COLLECTION 2021
Official Minting Link Below. FREE mint! 200 UNIQUE pieces for everyone!
Good luck :)"
The Reality
Beeple's Twitter account had been hacked[2] and the raffle was not real. As explained by Harry Denley (@sniko_), the website was malicious and users who participated simply forfeited their ETH[5][7]. The registered IP addresses used in the attacks had previously been involved in numerous malicious websites and scam operations[8][5]. Harry Denley described the first attack[5].
"Once you've connected your wallet, will initiate a mint() contract call which will send 1ETH to the contract."
"As of typing the website is not weaponised to "drain" wallets by filling the wallet tx queue (like we've seen before)"
"The contract you are sending a transaction to is in fact a 721 contract, with mint() function defined as: The owner of the contract can withdraw the funds at any moment"
The second attack was described by Harry Denley as being "a little more sophisticated than the first" because it had "a Discord C2". He noted it might be targeting "NFTs with setApprovalForAll()"[6].
Bad actors continue have access to Beeples Twitter account and they have now tweeted another phishing domain. This one seems a little more sophisticated than the first, having a Discord C2 - still investigating. Potentially targets NFTs with setApprovalForAll().
What Happened
Beeple had his Twitter account hacked as part of a phishing scam[1] which posted a fake Louis Vuitton NFT raffle[5] and a free minting scam. Both links would actually drain funds from users' wallets[2][5]. The phishing links lasted roughly 5 hours[2] before Beeple finally woke up[9].
Date | Event | Description |
---|---|---|
March 11th, 2022 8:02:00 AM | Record NFT Sale | The auction price of Beeple's NFT "EVERYDAYS: THE FIRST 5000 DAYS" exceeds $60m[10]. Sources are mixed between a price tag of $69m[10], $69.3m[2], and $69.4m[4]. |
May 22nd, 2022 3:20:00 AM | First Exploit | The very first minting transaction happens, stealing ethereum from an account named "legalguy.eth"[7][11]. |
May 22nd, 2022 4:24:00 AM | Twitter Report | The first phishing attack is reported on Twitter by Harry Denley (@sniko_)[2][5]. At the time of that tweet, losses were reported as 25 ETH/$50k[5]. |
May 22nd, 2022 5:21:00 AM | Second Tweet | The second compromised tweet is posted on Twitter by @beeple's account. It results in transfers almost immediately[6][12][13]. |
May 22nd, 2022 5:41:00 AM | Twitter Report | The second hack is reported on Twitter by Harry Denley (@sniko_)[2]. "Bad actors continue have access to Beeples Twitter account and they have now tweeted another phishing domain. This one seems a little more sophisticated than the first, having a Discord C2 - still investigating. Potentially targets NFTs with setApprovalForAll()"[6]. |
May 22nd, 2022 6:19:00 AM | Final Exploit | The final "setApprovalForAll" transaction is done as part of the first phishing attack[7][14]. |
May 22nd, 2022 8:02:00 AM | Final Exploit | The final "setApprovalForAll" transaction is done as part of the second phishing attack[13][15]. |
May 22nd, 2022 8:21:00 AM | Twitter Report | Beeple regains control of their account and posts a tweet[2] "Twitter was hacked but we have control now."[9] |
May 23rd, 2022 8:27:26 AM MDT | ArtNet News Article | ArtNet News publishes an article on the situation and outlining the different exploits[16]. |
May 23rd, 2022 9:54:33 AM MDT | Vice Article Published | Vice publishes an article on the situation[17]. |
May 23rd, 2022 12:25:00 PM MDT | Fortune Article Published | Fortune Magazine publishes an article on the Beeple Twitter account being exploited[18]. |
Technical Details
Beeple's Twitter account was compromised at some point prior to May 22nd, 2022. A malicious actor posted two tweets to the community with the intent to trick others into giving them wallet permissions.
Breach of Twitter Account
The attack reportedly lasted only 5 hours[19]; however, it is unclear whether Beeple's account may have been breached earlier than that[19]. It is also unclear how the account was breached, and information on this does not appear to be available.
First Malicious Tweet
The first malicious Tweet claimed to be promoting a raffle for a collaboration with Louis Vuitton, which had specific credibility given Beeple's past work with the brand in 2019[16].
“Been working on this with LV for a long time behind the scenes. 1000 total unique pieces […] Official Raffle Below. 1 ETH = 1 Raffle Entry. All non-winning entries are refunded post raffle. Good luck :).”
In total, this tweet netted the attacker
Second Malicious Tweet
The second Tweet is posted. TBD fill in more.[16]
"the second, much more profitable, attack, saw around $365,000 in NFTs and crypto exchange hands."
Total Amount Lost
CoinTelegraph reports that the scam earned the attacker $438K in cryptocurrency and NFTs from the compromised Beeple account[1][2].
There were multiple phishing links posted through the Beeple account. The first netted roughly $73,000[2][7]. The second netted $365,000 worth of ethereum and several high-profile NFTs "from high-value collections such as the Mutant Ape Yacht Club, VeeFriends and Otherdeeds", with the grand total being roughly $438,000[2].
Security researcher Harry Denley (@sniko_) reached the same total[19].
"Scam #1
36ETH (~$72k)
0xf305 is yet to withdraw
Scam #2
62.35ETH (~$125k)
37.59WETH (~$75k)
45 NFTs (est ~$166k)
Total = $438k (active for ~5hours)"
The total amount lost has been estimated at $438,000 USD.
Immediate Reactions
Multiple posts were shared by MetaMask Security Analyst Harry Denley (@sniko_) on Twitter to warn other users[2][5].
Beeple's Twitter account has been compromised (ATO) to post a phishing website to steal funds.
Examples of victims were Twitter users @Helisegundo[20] and @nfactes[21].
"Dumbly I have clicked on the link and connected my wallet and been scammed. Damn I've check again and they also stole 2 of my nfts"
"with all due respect but lost 1 eth believing it was a real account. What I should do now?"
Ultimate Outcome
Beeple regained control of his account and posted to announce the fraud[9], calling it "too good to be true" that there would be a free mint and criticizing those who fell for it[2][9].
ugh we’ll that was fun way to wake up.
Twitter was hacked but we have control now. Huge thanks to @garyvee ‘a team for quick help!!!!
Stay safe out there, anything too good to be true IS A [DEFINITE] SCAM.
And as side note, there will never be a SURPRISE MINT I mention one time in one place starting at 6am Sunday morning.
On-chain data shows that the scammer sold their NFTs on OpenSea and put the stolen ethereum into a cryptocurrency mixing service[2].
Total Amount Recovered
It does not appear that any recovery has been obtained for any users affected. Quoting @super1said[22]:
"They don[']t [c]are bro. We are nobody[. T]he [g]uy had more then 156 [NFT]s stolen and [already] sold more then 80 of them[. M]y trust in [NFTs] is getting smaller by the day."
There do not appear to have been any funds recovered in this case.
Ongoing Developments
There doesn't appear to be any ongoing investigation or further progress in this case.
Prevention Policies
This can be prevented through exercising care whenever interacting with any smart contract or making any payment. The user must ensure that they understand the transaction prior to sending any funds or approvals.
Individual Prevention Policies
There are many policies which are applicable in this case.
Vigilance Against Unrealistic Giveaways
There were a large number of warning signs including the unrealistic nature of the giveaway, the lack of a prior mention of any giveaway, the timing being early in the morning, and the multiple other warnings online at the time.
Any time that you are promised any profit or benefit in exchange for an initial payment, smart contract approval, or deposit, take special care to check whether the entity making that offer is trustworthy, actually who they say they are, and has the means to fulfill what they're promising. There are no magic algorithms providing guaranteed returns from trading or mining. Trading on average will lose money. Mining is expensive and complex. No one is going to immediately send back more than you sent them. NFT projects will rarely announce a surprise mint in only a single location. Are you fully prepared for the event that your money is kept and nothing is delivered in return?
Be Careful What You Approve
When interacting with your primary wallet, do not rush. Take the time to look at what you are interacting with and signing.
Every approval on Web3 is an opportunity to lose all of the funds present in your wallet. Take the time to review the transaction in full. Fully check over the balance, permissions, and entire address which you are interacting with. Do not trust that your clipboard or any website front-end is guaranteed to provide an accurate address or transaction status. Always perform a test transaction prior to the first high-value transaction in any session.
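As an added illustration of reviewing a request before signing (this is not code from the original page or from the researchers it cites), the sketch below decodes raw calldata and flags the two request types reported in this case: a mint() call with ETH attached and a setApprovalForAll() that grants an operator. It also covers approve(address,uint256), which goes beyond what the page describes; all addresses and sample calldata are constructed placeholders.

```python
# Function selectors are the first 4 bytes of keccak256(function signature).
SELECTORS = {
    "1249c58b": "mint()",
    "a22cb465": "setApprovalForAll(address,bool)",
    "095ea7b3": "approve(address,uint256)",
}
WEI_PER_ETH = 10**18


def _word(data: bytes, index: int) -> bytes:
    """Return the index-th 32-byte ABI argument word after the selector."""
    start = 4 + 32 * index
    word = data[start:start + 32]
    if len(word) != 32:
        raise ValueError("calldata is shorter than the function's arguments")
    return word


def review_transaction(to: str, value_wei: int, calldata_hex: str) -> list:
    """Return plain-language warnings for a transaction a site asks you to sign."""
    hexstr = calldata_hex[2:] if calldata_hex.startswith("0x") else calldata_hex
    data = bytes.fromhex(hexstr)
    warnings = []
    if value_wei > 0:
        warnings.append(f"sends {value_wei / WEI_PER_ETH:g} ETH to {to}")
    if len(data) < 4:
        return warnings  # plain transfer, no function call
    selector = data[:4].hex()
    name = SELECTORS.get(selector)
    if name is None:
        warnings.append(f"unknown function 0x{selector}: cannot tell what it does")
    elif name == "mint()" and value_wei > 0:
        warnings.append("calls mint() with ETH attached; any refund depends on the contract")
    elif name == "setApprovalForAll(address,bool)":
        operator = "0x" + _word(data, 0)[12:].hex()  # address = low 20 bytes
        approved = int.from_bytes(_word(data, 1), "big") != 0
        if approved:
            warnings.append(f"lets {operator} transfer EVERY token you hold in collection {to}")
    elif name == "approve(address,uint256)":
        spender = "0x" + _word(data, 0)[12:].hex()
        amount = int.from_bytes(_word(data, 1), "big")
        if amount:
            warnings.append(f"approves {spender} for token id or amount {amount} on {to}")
    return warnings


# Constructed sample requests (placeholder addresses, not taken from the incident).
FAKE_CONTRACT = "0x" + "11" * 20
FAKE_OPERATOR = "0x" + "22" * 20
NFT_COLLECTION = "0x" + "33" * 20
MINT_REQUEST = review_transaction(FAKE_CONTRACT, 1 * WEI_PER_ETH, "0x1249c58b")
APPROVAL_CALLDATA = "0xa22cb465" + "00" * 12 + "22" * 20 + "00" * 31 + "01"
APPROVAL_REQUEST = review_transaction(NFT_COLLECTION, 0, APPROVAL_CALLDATA)
```

An empty list means none of these patterns matched; it does not mean the transaction is safe.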
Avoiding Unaudited Smart Contracts
The scam depended on users giving away funds or permissions to unaudited smart contracts. This is never a good idea.
Avoid the use of smart contracts unless necessary. Minimize the level of exposure by removing or withdrawing assets whenever possible. Aim to choose smart contracts which have obtained third party security audits, preferably having been audited by at least three separate reputable firms. Pay attention to the audit reports, which smart contracts are covered, and whether the smart contract has been upgraded or modified since the report. Ensure that any administrative functions with the ability to remove funds from the smart contract are under the authority of a multi-signature wallet which is controlled by at least three separate and reputable entities.
Storing Most Funds Offline
In this case, the only funds lost were those in the user's active wallet. One strategy to reduce or eliminate loss would be to keep most NFTs in a cold storage wallet which is not used for active interaction.
Store the majority of funds offline. Offline means that the private key and/or seed phrase is held exclusively by you and is not connected to any networked device. Examples of offline storage include paper wallets (seed phrase or key written down and deleted from all electronic media), hardware wallets, steel wallet devices, etc.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
This primarily can be prevented by better user education.
Never take for granted the limited knowledge of users of your service and their tendency to skip past provided information. It is recommended to design a simple tutorial and quiz for new users which explains the basics of seed phrases, strong password generation, secure two-factor authentication, common fraud schemes, how ponzi schemes work, as well as other risks which are unique to the cryptocurrency space. This tutorial and quiz should ensure their understanding and be a standard part of the sign-up or download process which is difficult or impossible to skip.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
This primarily can be prevented by better user education.
Create a standard tutorial and quiz for all new cryptocurrency participants, which is required to be completed once per participant. This tutorial and quiz should cover the basics of proper seed phrase protection, strong password generation, secure two-factor authentication, common fraud schemes, how to detect and guard against phishing attacks, how ponzi schemes work, as well as other risks which are unique to the cryptocurrency space.
As a fallback, it's likely useful to have an insurance fund which can help minimize the impact on victims. The fund can provide some compensation to help minimize the fallout from the loss and can also be an instrumental resource in hunting down the assets for recovery.
Set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services within the country, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
- [1] NFT owners reminded to be vigilant after 29 Moonbirds were stolen by clicking a bad link - CoinTelegraph (Aug 23, 2022)
- [2] Targeted phishing scam nets $438K in crypto and NFTs from hacked Beeple account - CoinTelegraph (Feb 4, 2023)
- [3] Beeple (b. 1981), EVERYDAYS: THE FIRST 5000 DAYS | Christie’s (Feb 4, 2023)
- [4] Mike Winkelmann - Wikipedia (Feb 15, 2023)
- [5] Harry Denley (@sniko_) Initial Warning - Twitter (Feb 4, 2023)
- [6] sniko_ - "Bad actors continue have access to Beeples Twitter account" - Twitter (Feb 4, 2023)
- [7] First Smart Contract "Fake_Phishing5739" - Etherscan (Feb 4, 2023)
- [8] dubstard - "IP 44.227.238.106 is such an innocent piece of infra, cleaner than melted glacier water" - Twitter (Feb 4, 2023)
- [9] beeple - "ugh we’ll that was fun way to wake up" - Twitter (Feb 4, 2023)
- [10] sniko_ - "Bidding on @beeple "EVERYDAYS: THE FIRST 5000 DAYS" has reached $60 MILLION" - Twitter (Feb 4, 2023)
- [11] Ethereum Transaction Hash - First Phishing Mint legalguy.eth - Etherscan (Feb 4, 2023)
- [12] Ethereum Transaction Hash - First Transfer From Second Phish - Etherscan (Feb 4, 2023)
- [13] Second Exploit Address "Fake_Phishing5741" - Etherscan (Feb 4, 2023)
- [14] Ethereum Transaction Hash - Final Approval From First Phish - Etherscan (Feb 4, 2023)
- [15] Ethereum Transaction Hash - Final Phishing Transaction - Etherscan (Feb 4, 2023)
- [16] Hackers Took Over Beeple’s Twitter Account and Stole More Than $400,000 in NFTs and Crypto From the Artist’s Followers - ArtNet News (Jun 9, 2023)
- [17] Hackers Took Control of Famous NFT Artist Beeple’s Twitter Account - Vice News (Jun 9, 2023)
- [18] NFT artist Beeple’s Twitter account was hacked with a phishing scam, and people lost thousands of dollars - Fortune (Jun 9, 2023)
- [19] Harry Denley (sniko_) Reporting Loss Total - Twitter (Feb 15, 2023)
- [20] Hellsegundo - "Dumbly I have clicked on the link and connected my wallet and been scammed" - Twitter (Feb 4, 2023)
- [21] nfactes - "lost 1 eth believing it was a real account" - Twitter (Feb 4, 2023)
- [22] super1said - "They dont Care bro. We are nobody" - Twitter (Feb 4, 2023)