On Monday night, Arthur Cheong—the founder of DeFinance Capital, a crypto-centric VC fund—had about $1.7 million worth of NFTs stolen from his wallet in what appears to have been a social engineering attack.
“Well not sure what happened, need to take time to figure it out. Didn’t expect this to happen to me as well,” Cheong tweeted. “Guess no more hot wallet usage then,” he said, referring to crypto wallets that are connected to the internet.
“Found out the likely root cause for the exploit, it’s a targeted social engineering attack,” he tweeted on Tuesday morning. “Received a spear-phishing email that really seems to be sent by one of our portco [portfolio companies] with content that seems like general industry-relevant content.”
A spear phishing attack is a relatively simple one: To gain access to a system, an attacker sends fake messages that appear legitimate, tailored to a specific target—usually with domain names or other familiar identifiers so that the target opens a malicious link or file. In this case, the attacker posed as a company that DeFinance Capital had invested in, sharing a document titled “A Huge Risk of Stablecoin (Protected),” Cheong tweeted. After Cheong downloaded the malicious files, they gained access to Cheong’s wallet and began stealing tokens and flipping NFTs, according to blockchain security company PeckShield. Right now, the hacker’s wallet holds some 589 ETH worth about $1.77 million.
Key to all this was Cheong using a “hot” wallet instead of a “cold” one, meaning a wallet that’s connected to the internet as opposed to a hardware one that can keep your seed phrase safe offline. Cheong shared later that the hacker had access to at least two separate hot wallets but it wasn’t exactly clear how.
Later on Tuesday morning, Cheong said that he would contact people who bought his stolen NFTs after some time. “If you bought my stolen NFT (mainly Azuki and CloneX), appreciate if you can hold it first. I will contact you all when I get my stuff sorted,” he tweeted.
One Twitter user named “Cirrus” claimed to have bought two of the stolen NFTs and said they would return them to Cheong at cost.
Cheong did not respond to Motherboard’s request for comment.
This isn’t the first attack targeting a crypto-asset investment firms and it likely won’t be the last. In January, North Korean hackers made headlines after impersonating VCs and workers at major crypto firms like Digital Currency Group in order to steal large amounts of crypto from various startups.
Admittedly, it can be difficult to secure one’s crypto even if proper steps are taken. Ultimately, all it takes is one mistake to let in a hacker who can drain your wallet permanently, since transactions are irreversible.