The Heist

On Saturday, September 9th, the Gotham Gal and I arrived at JFK airport after an eight-hour flight from Paris. While waiting for our luggage, I got pushed a notification in my web3 wallet that there was an NFT drop underway that I could participate in. So I clicked on the link, signed the transaction, and nothing happened (or so I thought). So I tried again. Again nothing happened. Frustrated, I turned my attention to the luggage, retrieved it, got in a car, and headed home. On the way home, I tried again a few times to no avail.

It turns out that each of my failed attempts to mint an NFT was a scam that allowed a thief to eventually take 46 of my most valuable NFTs out of my wallet. I did not realize any of this until I woke the next morning to a text from a friend saying:

did your wallet get compromised? your NFTs from fredwilson.eth were transferred out and sold

That’s when I realized that all of the failed minting activities from the night before were actually me getting scammed.

For much of August, I along with a lot of NFT enthusiasts had been participating in something called “Onchain Summer” which was a rollout of the new Base layer two blockchain from Coinbase. Part of Onchain Summer was a daily NFT drop. You simply clicked on the link in the message in your web3 inbox and went and minted. It was fun and I collected some great NFTs that way.

The message I was scammed with looked exactly like those Onchain Summer messages but was not from the same sender. I should have noticed that but did not. Mistake number one.

The fact that I signed a transaction and nothing happened should have been a sign that something was wrong. Normally when you sign a minting transaction, a new NFT shows up in your wallet. When it did not, I should have sensed something was wrong. I did not. Mistake number two.

The fact that I was signing transactions in the same wallet where I keep my NFTs is also bad practice and I knew it. The best practice is to hold NFTs in a “vault” wallet where you never sign transactions and to have a separate “mint” wallet where you hold nothing but do all of your signing. Mistake number three.

What I was doing by signing those scam transactions was giving the thief access to a number of smart contracts that secured multiple NFTs that I owned. So even though I did not sign 46 scam transactions, the thief was able to take 46 NFTs.

Signing transactions is risky business and needs to be done carefully. I knew that but did not take the required care on the evening of September 9th.
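A pre-signing check of the kind this passage argues for, as an added example that is not from the original post. It assumes the scam transactions were ERC-721/ERC-1155 `setApprovalForAll` calls, which the post does not state; the function names, operator address and calldata below are constructed for illustration.

```python
# Added example: flag approval-granting calldata before a wallet signs it.
SET_APPROVAL_FOR_ALL = "a22cb465"  # setApprovalForAll(address,bool), ERC-721/1155
APPROVE = "095ea7b3"               # approve(address,uint256), ERC-20/721

def _word(data: bytes, i: int) -> bytes:
    """Return the i-th 32-byte ABI argument after the 4-byte selector."""
    w = data[4 + 32 * i : 4 + 32 * (i + 1)]
    if len(w) != 32:
        raise ValueError("calldata truncated")
    return w

def classify_calldata(calldata_hex: str) -> dict:
    """Classify what a pending transaction's calldata would authorize."""
    h = calldata_hex.lower()
    data = bytes.fromhex(h[2:] if h.startswith("0x") else h)
    if len(data) < 4:
        return {"risk": "none", "reason": "no contract function is called"}
    selector = data[:4].hex()
    if selector == SET_APPROVAL_FOR_ALL:
        # An address is the low 20 bytes of its 32-byte ABI word.
        operator = "0x" + _word(data, 0)[12:].hex()
        if int.from_bytes(_word(data, 1), "big") != 0:
            return {"risk": "high", "operator": operator,
                    "reason": "operator may transfer every token you hold in this collection"}
        return {"risk": "none", "operator": operator,
                "reason": "revokes a collection-wide approval"}
    if selector == APPROVE:
        spender = "0x" + _word(data, 0)[12:].hex()
        return {"risk": "review", "operator": spender,
                "reason": "approves one token id (ERC-721) or an amount (ERC-20)"}
    return {"risk": "unknown", "reason": "selector 0x" + selector + " not decoded here"}

# Constructed sample: a "mint" prompt whose calldata is really an approval.
SAMPLE_OPERATOR = "11" * 20  # constructed address, not from the post
SAMPLE_CALLDATA = "0xa22cb465" + "00" * 12 + SAMPLE_OPERATOR + "00" * 31 + "01"

if __name__ == "__main__":
    print(classify_calldata(SAMPLE_CALLDATA))
```

A "high" result on a link advertised as a mint is the mismatch to stop on: one such signature covers every NFT held in that collection, which matches how a handful of signatures exposed 46 tokens.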

This story has a happy ending. With the help of my USV colleague Nikhil, I have recovered 38 of the 46 NFTs that the thief took from me for a fairly modest sum. As I put it to a friend, it cost me between weeks and months of my personal ETH staking rewards. It was enough to sting and that’s good. It was a lesson that I learned the hard way and it was worth every ETH that it cost me to get them back.

There are a few NFTs that I am not going to try and get back, but I am still trying to buy back these two NFTs that the thief sold to others who are likely unaware that they are holding stolen goods:

Anticyclone #212 currently held by this wallet

WoW #8105 currently held by this wallet

If you recognize those wallets and know who holds those NFTs, I would appreciate an introduction so I can offer to buy them back at their cost.

I do want to thank everyone who sold me back my NFTs (including the thief who we bought quite a few from). Many people sold them back to me at their cost when they heard they were taken from me. I really appreciate that.
