Kevin Rose, the CEO and founder of Proof, fell victim to an apparent phishing attack, with his hacked wallet estimated to have held rare NFTs worth millions.

After the theft, Rose worked with OpenSea to ensure the stolen NFTs can’t be sold on its marketplace, but they can still be sold on another platform.

His wallet is said to have lost 40 NFTs on Wednesday, with data on NFT marketplace OpenSea showing the assets were transferred to the attacker’s wallet.

Rose confirmed the hack in a late Thursday tweet, saying he would share details soon as a cautionary heads-up. He may have lost assets upwards of $1.4 million including NFTs from collections like Autoglyph, QQL Pass, Cool Cats, Damien Hirst’s The Currency, Admit One and OnChainMonkey, according to nft now.

Kevin Rose was just lost $2m+ in assets by signing an off-chain signature that created a listing for all of his OpenSea approved assets in one go.

While seaport is a powerful tool, it can also be dangerous if you're not aware of how it works.

A bit of context 1/🧵 — quit (@0xQuit) January 25, 2023

In a Twitter thread, Proof’s VP of Engineering Arran Schlosberg broke down what exactly went down. He said Rose was tricked into signing a malicious signature that allowed the hacker to gain access to high-value tokens.

Schlosberg didn’t mention what Rose thought he was signing, but the single misstep appears to have given the hacker his wallet credentials.

“This was a classic piece of social engineering, tricking KRO into a false sense of security. The technical aspect of the hack was limited to crafting signatures accepted by OpenSea’s marketplace contract,” Schlosberg wrote.

This was the one (and only) signature that Kevin Rose signed that cost him ~$2 million. pic.twitter.com/fHbPb7vc6y — 6457.eth (@JKrantz) January 25, 2023

He added that Proof’s assets, which mostly need multiple approvals for access, were not impacted.

OpenSea didn’t return Blockworks’ request for comment by press time.

The NFT phishing problem

Blockchain sleuth ZachXBT claimed that the same hacker who took control of Rose’s NFTs stole 75 ETH ($121,000) from another victim on the same day. The hacker then allegedly used crypto exchange FixedFloat to convert the stolen funds to bitcoin, before transferring them to a bitcoin mixing service to conceal the origin of funds.

Another crypto enthusiast who goes by the name ‘foobar’ on Twitter suggested how such a hack could have been prevented. They recommended a technique known as “wallet siloing,” which involves segregating different wallets for different purposes, and keeping valuable NFTs away from any active hot wallets. This would block the assets from being listed on NFT marketplaces without separate selling approval — a loss of convenience, but a defense against the sort of trap Rose fell into.

Want alpha sent directly to your inbox? Get degen trade ideas, governance updates, token performance, can’t-miss tweets and more from Blockworks Research’s Daily Debrief.