Beeple Twitter Account Hack

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
Beeple Mint Scam Website

Beeple was an NFT artist, who achieved a high degree of fame after one of his NFTs, a collection of 5,000 pieces of artwork he had created, sold for $69.3m USD in an auction. On May 22nd, 2022, his Twitter account was compromised and the attackers used their access to launch two separate phishing attacks on his followers. They tricked users into sending or approving access to Ethereum and NFTs with a total value estimated at $438k USD. It does not appear that any of the funds have been recovered.

About Beeple

Beeple (also known as Mike Winkelmann[1]) was a well known artist and NFT creator[2] from South Carolina[3] who has been working on digital art since May 1st, 2007[4], with his first debut into the NFT space in February 2021[4]. He has created three of the top ten most expensive NFTs sold to date[2]. One of those, his "first 5,000 days", where he created a new NFT photo for 5,000 days straight[3], sold for over $69 million[5][3][2], the most expensive NFT ever sold to a sole owner[2].

“I almost look at it now like I’m a political cartoonist,” Beeple explains. “Except instead of doing sketches, I’m using the most advanced 3D tools to make comments on current events, almost in real-time.”

Beeple has a strong following of 1.8 million followers and had previously done collaborations with Louis Vuitton, Nike, Katy Perry, and Childish Gambino[3]. Earlier in May, Beeple had started collaborating with Louis Vuitton. Beeple designed 30 NFTs for Louis Vuitton’s "Louis The Game" mobile game, which were embedded within the game as player rewards[2]. Early in the morning of May 22nd, 2022, the official account of Beeple posted about an exciting new raffle[5]. Beeple's profile had also been updated to feature the same link[5].

"Been working on this with [Louis Vuitton] for a long time behind the scenes. 1000 total unique pieces.

BEEPLE x VUITTON COLLECTION_!: BEEPLES

Official Raffle Below. 1 ETH = 1 Raffle Entry. All non-winning entries are refunded post raffle.

Good luck :)"

This was followed by another promotion a couple of hours later - this time promising a free mint[2][6]!

"Had felt the need to release more NFTs from my collection behind the scenes. 200 total unique pieces.

BEEPLE - SPRING/SUMMER COLLECTION 2021

Official Minting Link Below.

FREE mint! 200 UNIQUE pieces for everyone!

Good luck :)"

The Reality

Beeple's Twitter account had been hacked[2] and the raffle was not real. As explained by Harry Denley (@sniko_), the website was malicious and users who participated in the attacks simply forfeited their ETH[5][7]. The registered IP addresses used in the attacks had previously been involved in numerous malicious websites and scam operations[8][5]. In the first attack, it appears that the smart contract accepted the 1 ETH and did not perform any mint as promised by the function name[5]. Harry Denley described the first attack[5]:

"Once you've connected your wallet, [the malicious website] will initiate a mint() contract call which will send 1ETH to the contract." "As of typing the website is not weaponised to "drain" wallets by filling the wallet tx queue (like we've seen before)" "The contract you are sending a transaction to is in fact a 721 contract, with mint() function defined as: The owner of the contract can withdraw the funds at any moment"

The second attack was described by Harry Denley as being "a little more sophisticated than the first" because it had "a Discord C2". He noted it might be targeting "NFTs with setApprovalForAll()"[6].

Bad actors continue have access to Beeples Twitter account and they have now tweeted another phishing domain. This one seems a little more sophisticated than the first, having a Discord C2 - still investigating. Potentially targets NFTs with setApprovalForAll().

What Happened

Beeple had his Twitter account hacked as part of a phishing scam[1] which posted a fake Louis Vuitton NFT raffle[5] and a free minting scam. Both links would actually drain funds from users' wallets[2][5]. The phishing links lasted roughly 5 hours[2] before Beeple finally woke up[9].

Key Event Timeline - Beeple Twitter Account Hack
| Date | Event | Description |
| --- | --- | --- |
| March 11th, 2022 8:02:00 AM | Record NFT Sale | The auction price of Beeple's NFT "EVERYDAYS: THE FIRST 5000 DAYS" exceeds $60m[10]. Sources are mixed between a price tag of $69m[10], $69.3m[2], and $69.4m[4]. |
| May 22nd, 2022 3:20:00 AM | First Exploit | The very first minting transaction happens, stealing ethereum from an account named "legalguy.eth"[7][11]. |
| May 22nd, 2022 4:24:00 AM | Twitter Report | The first phishing attack is reported on Twitter by Harry Denley (@sniko_)[2][5]. At the time of that tweet, losses were reported as 25 ETH/$50k[5]. |
| May 22nd, 2022 5:21:00 AM | Second Tweet | The second compromised tweet is posted on Twitter by @beeple's account. It results in transfers almost immediately[6][12][13]. |
| May 22nd, 2022 5:41:00 AM | Twitter Report | The second hack is reported on Twitter by Harry Denley (@sniko_)[2]. "Bad actors continue have access to Beeples Twitter account and they have now tweeted another phishing domain. This one seems a little more sophisticated than the first, having a Discord C2 - still investigating. Potentially targets NFTs with setApprovalForAll()"[6]. |
| May 22nd, 2022 6:19:00 AM | Final Exploit | The final "setApprovalForAll" transaction is done as part of the first phishing attack[7][14]. |
| May 22nd, 2022 8:02:00 AM | Final Exploit | The final "setApprovalForAll" transaction is done as part of the second phishing attack[13][15]. |
| May 22nd, 2022 8:21:00 AM | Twitter Report | Beeple regains control of their account and posts a tweet[2] "Twitter was hacked but we have control now."[9] |
| May 23rd, 2022 8:27:26 AM MDT | ArtNet News Article | ArtNet News publishes an article on the situation, outlining the different exploits[16]. |
| May 23rd, 2022 9:54:33 AM MDT | Vice Article Published | Vice publishes an article on the situation[17]. |
| May 23rd, 2022 12:25:00 PM MDT | Fortune Article Published | Fortune Magazine publishes an article on the Beeple Twitter account being exploited[18]. |

Technical Details

Beeple's Twitter account was compromised at some point prior to May 22nd, 2022. A malicious actor posted two tweets to the community with the intent to trick others into paying them and giving them wallet permissions.

Breach of Twitter Account

The attack reportedly lasted only 5 hours[19], however it is unclear whether Beeple's account may have been breached prior to the first tweet being posted[19]. It is unclear how Beeple's Twitter account was breached. Specific details of the breach method do not appear to have been provided.

First Malicious Tweet

The first malicious Tweet claimed to be promoting a raffle for a collaboration with Louis Vuitton, which had specific credibility given Beeple's past work with the brand in 2019[16].

"Been working on this with [Louis Vuitton] for a long time behind the scenes. 1000 total unique pieces.

BEEPLE x VUITTON COLLECTION_!: BEEPLES

Official Raffle Below. 1 ETH = 1 Raffle Entry. All non-winning entries are refunded post raffle.

Good luck :)"

If users clicked through to the minting page, they would be given the ability to call a "mint" function, which requested 1 ETH from their wallet. However, instead of minting any NFT for them, this function simply allowed the attacker to withdraw the funds from the smart contract. There was no capacity to drain funds from wallets in this attack[5].

"Once you've connected your wallet, [the malicious website] will initiate a mint() contract call which will send 1ETH to the contract." "As of typing the website is not weaponised to "drain" wallets by filling the wallet tx queue (like we've seen before)"

"The contract you are sending a transaction to is in fact a 721 contract, with mint() function defined as: The owner of the contract can withdraw the funds at any moment"

In total, this tweet was reported to net the attacker 36 ETH, valued at either $72k[19] or $73k[2].

Second Malicious Tweet

The second Tweet promised users their chance at minting one of 200 unique NFTs which Beeple had spontaneously decided to release[16].

"Had felt the need to release more NFTs from my collection behind the scenes. 200 total unique pieces.

BEEPLE - SPRING/SUMMER COLLECTION 2021

Official Minting Link Below.

FREE mint! 200 UNIQUE pieces for everyone!

Good luck :)"

If users were to click through to the "Official Minting Link", they would be given a request to "setApprovalForAll", which would give the attacker access to withdraw other NFTs in their wallet[6].

"the second, much more profitable, attack, saw around $365,000 in NFTs and crypto exchange hands."

Total Amount Lost

There were multiple phishing links posted through the Beeple account. The first netted roughly $73,000[2][7]. The second netted $365,000 worth of ethereum and several high-profile NFTs "from high-value collections such as the Mutant Ape Yacht Club, VeeFriends and Otherdeeds", with the grand total being roughly $438,000[2].

Security researcher Harry Denley (@sniko_) also provided a total of $438k USD, which he broke down in a tweet[19].

"Scam #1

36ETH (~$72k)

0xf305 is yet to withdraw

Scam #2

62.35ETH (~$125k)

37.59WETH (~$75k)

45 NFTs (est ~$166k)

Total = $438k (active for ~5hours)"

CoinTelegraph also reports that the scam earned the attacker $438K in cryptocurrency and NFTs from the compromised Beeple account[1][2].

The total amount lost has been estimated at $438,000 USD.

Immediate Reactions

Multiple posts were shared by MetaMask Security Analyst Harry Denley (@sniko_) on Twitter to warn other users[2][5].

Beeple's Twitter account has been compromised (ATO) to post a phishing website to steal funds.

Many victims shared their stories on Twitter. Examples of victims were Twitter users @Helisegundo[20] and @nfactes[21].

"Dumbly I have clicked on the link and connected my wallet and been scammed. Damn I've check again and they also stole 2 of my nfts"

"with all due respect but lost 1 eth believing it was a real account. What I should do now?"

Ultimate Outcome

Beeple regained control of his account and posted to announce the fraud[9], calling it "too good to be true" and saying that there would never be a surprise mint "mention[ed] one time in one place starting at 6am Sunday morning"[2][9]. There is no indication that he made any effort to assist victims.

ugh we’ll that was fun way to wake up.

Twitter was hacked but we have control now. Huge thanks to @garyvee ‘a team for quick help!!!!

Stay safe out there, anything too good to be true IS A [DEFINITE] SCAM.

And as side note, there will never be a SURPRISE MINT I mention one time in one place starting at 6am Sunday morning.

On-chain data shows that the scammer sold their NFTs on OpenSea and put the stolen ethereum into a cryptocurrency mixing service[2].

Total Amount Recovered

It does not appear that any recovery has been obtained for any users affected. Quoting @super1said[22]:

"They don[']t [c]are bro. We are nobody[. T]he [g]uy had more then 156 [NFT]s stolen and [already] sold more then 80 of them[. M]y trust in [NFTs] is getting smaller by the day."

There do not appear to have been any funds recovered in this case.

Ongoing Developments

There doesn't appear to be any ongoing investigation or effort underway to recover the funds in this case.

Individual Prevention Policies

There are many policies which are applicable in this case. Users should exercise care whenever interacting with any smart contract or making any payment. The user must ensure that they fully understand the transaction prior to sending any funds or approvals.

Vigilance Against Unrealistic Giveaways

There were a large number of warning signs including the unrealistic nature of the giveaway, the lack of a prior mention of any giveaway, the timing being early on Sunday morning, and the multiple warnings available online.

Any time that you are promised any profit or benefit in exchange for an initial payment, smart contract approval, or deposit, take special care to assess whether the entity making that offer is trustworthy, is actually who they say they are, and has the means to fulfill what they're promising. There are no magic algorithms providing guaranteed returns from trading or mining. Trading on average will lose money. Mining is expensive and complex. No one is going to immediately send back more than you sent them. NFT projects will rarely announce a surprise mint in only a single location. Are you fully prepared for the event that your money is kept and nothing is delivered in return?

Be Careful What You Approve

When interacting with a smart contract, take the time to look at what you are interacting with and signing. While the first attack required a detailed understanding of the smart contract, the second could have easily been avoided by simply noting the setApprovalForAll request within the transaction.

Every approval on Web3 is an opportunity to lose all of the funds present in your wallet. Take the time to review the transaction in full. Fully check over the balance, permissions, and entire address which you are interacting with. Do not trust that your clipboard or any website front-end is guaranteed to provide an accurate address or transaction status. Always perform a test transaction prior to the first high-value transaction in any session.
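
The two requests described under "First Malicious Tweet" and "Second Malicious Tweet" can both be recognised from the raw transaction fields before anything is signed. The following is an added example, not code from the original article or from any wallet; the function names, finding codes, addresses and sample transactions are all constructed for illustration.

```javascript
// Added example: review raw transaction fields before signing.
// Every address and transaction here is a constructed sample.

// Function selectors: first 4 bytes of keccak256(signature).
const SELECTORS = {
  "0xa22cb465": "setApprovalForAll(address,bool)", // ERC-721 / ERC-1155
  "0x1249c58b": "mint()",
};

// Return the i-th 32-byte ABI argument word as 64 hex characters.
function argWord(data, i) {
  const word = data.slice(10 + 64 * i, 10 + 64 * (i + 1));
  if (word.length !== 64) throw new Error("calldata too short for arguments");
  return word;
}

// tx: { to, value (wei, BigInt), data (0x-prefixed hex string) }
// trusted: lowercase addresses the user has verified out of band.
function reviewTransaction(tx, trusted = new Set()) {
  const data = (tx.data || "0x").toLowerCase();
  if (!/^0x([0-9a-f]{2})*$/.test(data)) throw new Error("data is not hex");
  const selector = data.length >= 10 ? data.slice(0, 10) : null;
  const call = selector ? SELECTORS[selector] || `unknown ${selector}` : "transfer";
  const findings = [];

  if (selector === "0xa22cb465") {
    const operator = "0x" + argWord(data, 0).slice(24); // low 20 bytes
    const approved = BigInt("0x" + argWord(data, 1)) !== 0n;
    // approved=false is a revocation and is not flagged.
    if (approved && !trusted.has(operator)) {
      findings.push({ code: "APPROVAL_FOR_ALL", severity: "high",
        detail: `${operator} could move every token in collection ${tx.to}` });
    }
  }
  // Ether attached to a contract call: nothing in the transaction itself
  // guarantees that anything is returned (the fake raffle kept the 1 ETH).
  if (selector && tx.value > 0n && !trusted.has(tx.to.toLowerCase())) {
    findings.push({ code: "PAYABLE_CALL_UNVERIFIED", severity: "medium",
      detail: `${Number(tx.value) / 1e18} ETH sent with ${call} to ${tx.to}` });
  }
  return { call, findings };
}

// Constructed samples shaped like the two requests described on this page.
const COLLECTION = "0x" + "aa".repeat(20);
const OPERATOR = "0x" + "bb".repeat(20);
const RAFFLE = "0x" + "cc".repeat(20);
const pad32 = (hex) => hex.replace(/^0x/, "").padStart(64, "0");

const freeMintTx = { to: COLLECTION, value: 0n,
  data: "0xa22cb465" + pad32(OPERATOR) + pad32("1") };
const raffleTx = { to: RAFFLE, value: 10n ** 18n, data: "0x1249c58b" };
const revokeTx = { to: COLLECTION, value: 0n,
  data: "0xa22cb465" + pad32(OPERATOR) + pad32("0") };

for (const tx of [freeMintTx, raffleTx, revokeTx]) {
  console.log(JSON.stringify(reviewTransaction(tx)));
}
```

A "free mint" that decodes to setApprovalForAll with approved set to true is the mismatch to look for: the operator address receives transfer rights over the whole collection, and no token is minted by that call.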

Avoiding Unaudited Smart Contracts

The scam depended on users giving away funds or permissions to unaudited smart contracts. This is never a good idea.

Avoid the use of smart contracts unless necessary. Minimize the level of exposure by removing or withdrawing assets whenever possible. Aim to choose smart contracts which have obtained third party security audits, preferably having been audited by at least three separate reputable firms. Pay attention to the audit reports, which smart contracts are covered, and whether the smart contract has been upgraded or modified since the report. Ensure that any administrative functions with the ability to remove funds from the smart contract are under the authority of a multi-signature wallet which is controlled by at least three separate and reputable entities.

Storing Most Funds Offline

In this case, the only funds lost were those in the user's active wallet. Particularly, in the second attack, additional NFTs and ethereum beyond any reasonable cost of mint were vulnerable. These losses could have been eliminated by keeping most NFTs in a cold storage wallet which is not used for smart contract interaction.

Store the majority of funds offline. Offline means that the private key and/or seed phrase is exclusively held by you and not connected to any networked device. Examples of offline storage include paper wallets (seed phrase or key written down and deleted from all electronic media), hardware wallets, steel wallet devices, etc.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

The primary prevention method would be better user education. While recovery of the Ethereum sent to a mixer could be challenging, an industry insurance fund could have funds available to assist affected users and help organize the retrieval of the stolen NFTs.

Never take for granted the limited knowledge of users of your service and their tendency to skip past provided information. It is recommended to design a simple tutorial and quiz for new users which explains the basics of seed phrases, strong password generation, secure two-factor authentication, common fraud schemes, how ponzi schemes work, as well as other risks which are unique to the cryptocurrency space. This tutorial and quiz should ensure their understanding and be a standard part of the sign-up or download process which is difficult or impossible to skip.

Work with other industry platforms to set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

This can primarily be prevented through better user education, both for Beeple in Twitter account security, and for his followers. As a fallback when education fails, an insurance fund can help to minimize the impact on victims. The fund can provide some compensation to help minimize the fallout from the loss and can also be an instrumental resource in organizing the recovery of the NFTs.

Create a standard tutorial and quiz for all new cryptocurrency participants, which is required to be completed once per participant. This tutorial and quiz should cover the basics of proper seed phrase protection, strong password generation, secure two-factor authentication, common fraud schemes, how to detect and guard against phishing attacks, how ponzi schemes work, as well as other risks which are unique to the cryptocurrency space.

Set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services within the country, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References

  1. NFT owners reminded to be vigilant after 29 Moonbirds were stolen by clicking a bad link - CoinTelegraph (Aug 23, 2022)
  2. Targeted phishing scam nets $438K in crypto and NFTs from hacked Beeple account - CoinTelegraph (Feb 4, 2023)
  3. Beeple (b. 1981), EVERYDAYS: THE FIRST 5000 DAYS | Christie’s (Feb 4, 2023)
  4. Mike Winkelmann - Wikipedia (Feb 15, 2023)
  5. Harry Denley (@sniko_) Initial Warning - Twitter (Feb 4, 2023)
  6. sniko_ - "Bad actors continue have access to Beeples Twitter account" - Twitter (Feb 4, 2023)
  7. First Smart Contract "Fake_Phishing5739" - Etherscan (Feb 4, 2023)
  8. dubstard - "IP 44.227.238.106 is such an innocent piece of infra, cleaner than melted glacier water" - Twitter (Feb 4, 2023)
  9. beeple - "ugh we’ll that was fun way to wake up" - Twitter (Feb 4, 2023)
  10. sniko_ - "Bidding on @beeple "EVERYDAYS: THE FIRST 5000 DAYS" has reached $60 MILLION" - Twitter (Feb 4, 2023)
  11. Ethereum Transaction Hash - First Phishing Mint legalguy.eth - Etherscan (Feb 4, 2023)
  12. Ethereum Transaction Hash - First Transfer From Second Phish - Etherscan (Feb 4, 2023)
  13. Second Exploit Address "Fake_Phishing5741" - Etherscan (Feb 4, 2023)
  14. Ethereum Transaction Hash - Final Approval From First Phish - Etherscan (Feb 4, 2023)
  15. Ethereum Transaction Hash - Final Phishing Transaction - Etherscan (Feb 4, 2023)
  16. Hackers Took Over Beeple’s Twitter Account and Stole More Than $400,000 in NFTs and Crypto From the Artist’s Followers - ArtNet News (Jun 9, 2023)
  17. Hackers Took Control of Famous NFT Artist Beeple’s Twitter Account - Vice News (Jun 9, 2023)
  18. NFT artist Beeple’s Twitter account was hacked with a phishing scam, and people lost thousands of dollars - Fortune (Jun 9, 2023)
  19. Harry Denley (sniko_) Reporting Loss Total - Twitter (Feb 15, 2023)
  20. Hellsegundo - "Dumbly I have clicked on the link and connected my wallet and been scammed" - Twitter (Feb 4, 2023)
  21. nfactes - "lost 1 eth believing it was a real account" - Twitter (Feb 4, 2023)
  22. super1said - "They dont Care bro. We are nobody" - Twitter (Feb 4, 2023)