Hi! My name is Jules Blanc, and I’m an artist and designer from Brazil. As some of you know, I was planning on publishing an article about web3 and my point of view as an artist, but given the recent unfortunate events, that article will be delayed because this one is more urgent.
If you don't know, my wallet has been hacked and… forever compromised.
Well, I need to be honest with all of you, I'm still not okay, but I know I will eventually be. The support I received on DMs and comments was huge and and it makes me believe in my future in this community. I appreciate all of you. Given my mental and physical health condition at the moment I couldn’t reply to everyone, but please know I read all of them and I cried my eyes out (in a good way, this time). Thank you.
Every day I receive at least 1 scam/spam email, and every week I get friend requests and DMs from people who are certainly going to try to scam me as well. It's exhausting. Every day I have to go through these and check if they're really scam or not, because as an artist you also receive actual job propositions/exhibition invitations via email or DMs, and if you don’t check it you might miss it. So it's an absolute pain. It’s unfortunate but it’s during tiring times that the scammers get us, and this week I’ve been very busy and working on too many stuff at the same time. So, yeah, you know.
I wish I could write this text in the most sophisticated way, but… I think it will be most helpful if delivered as soon as possible. Also, it’s a bit personal. So let’s just get started.
Also yeah sorry for my bad english and swearing.
So, how did it happen?
It all started when I received an email, supposedly from Mintable (an NFT marketplace) saying they were going to launch a new feature: auctions! And they were selecting some artists for the launch which would be a private auction with invited collectors, etc.
I went to check on Mintable, and I saw it was a real platform, alright, and I tried finding their official emails on the website which wasn’t possible, as they haven’t informed it on the contact page – and shame on them, because they were totally aware this scam was happening but didn’t bother to address it on social media nor put their official emails on the website to avoid having artists fall for it. An irresponsible position, in my opinion. I’m in too many discord servers so I was unable to join theirs, but I thought, well okay, let’s reply and see how this thing works. The email was pretty polite and well written.
Next, they sent me the official mintable website link (mintable.app) and another link, supposedly of a “private section” in which artists had to register (auction.mintable.app). Thing is, the second link didn’t work, Chrome simply couldn’t access it. When I told them, they replied asking me to uninstall and re-install Metamask and also saying they could schedule a google meet session with a specialist if that didn’t work, so this specialist could try checking what the problem was.
Next day, I went on their google meet link at the scheduled time. I wish I never did. The “specialist” first got me to share my screen and test my internet connection and see how high the ping was, everything was obviously normal, but these silly tests took a great amount of time, so it just felt like a genuine website support experience to me (lmao). I believe one of the reasons I was eager to see this page's problem solved was that I had the very same issue with Premint (yes, the website for whitelist giveaways) on my devices for the longest time, it had been fixed but still I wanted to know how to solve this if it came to happen again with other websites.
The fact that it was a live chat (and not an email, which I have a lot of time to respond and so it gives me the opportunity to google things and check with my friends) i got caught off-guard with their next step to “solve the problem”. Basically, they gave me a link with a big block of code and told me to open google chrome’s console on the web page that wasn’t working, paste the block of code and press enter. (I’m not going to provide the code itself in this article to prevent people from using it for evil. Please understand.) After that, I was told to do the same on the Metamask extension page. I did it. Because of my social anxiety and the fact it was a live chat, I didn’t even hesitate. Then they told me to wait a bit as they were going to check with the main specialist to “confirm what the problem was”. At this moment, when I had a break, I felt a shiver down my spine. What the fuck. Whatever I had just done, it was very…very suspicious…maybe? I instantly opened my Metamask and transferred most of my ETH to my Binance account. Not all of it because I really wanted to purchase a specific NFT soon and I also needed some to mint my future works, maybe this was all some silly paranoia… (well, too bad). I quickly uninstalled Chrome and Metamask and re-installed them. I left a random discord server and joined Mintable's, after a few minutes searching, I found someone asking if an email about the auction events was real or not, and the answer said it was a scam.
It was confirmed it was a scam now. But I wasn’t sure this was the step in which they got access to my wallet. I hadn’t accepted anything on Metamask, I hadn’t downloaded anything, I hadn’t given anyone my private key or seed phrase… These were all the scams I had read about. And it had already been some time, but my wallet remained untouched. I kept the scammers still, told them I was leaving to work and would try again when I got to my work computer.
So then, I decided to ask Kiwi (uwulabs developer) for advice. Kiwi told me it was potentially compromised but he wasn't completely sure, and that he'd send it to a friend who could most likely help. He said it seemed there was a Telegram API in the code, and something was being sent to this Telegram chat, possibly some important info from my Metamask wallet. By now, the scammers had emailed me back saying there was “another issue” preventing my registration to the auction, which was… I didn’t have 3 ETH on my wallet, oh no! (if I weren’t crying I would have laughed at how stupid and bold this was). I told them, oh alright, I’ll get some ETH from my other wallet later when I get home! Of course! This actually kept them waiting for a long time and gave me more room to do research, even though I was already panicking.
However, the hypothesis that the code was sending info from my Metamask to a Telegram chat was later confirmed by Kiwi’s friend, but it seems this friend ended up running the code multiple times (apparently, I’m unsure) which caused a spam towards the scammer’s end, so, as soon as I received this confirmation from Kiwi, the scammer immediately took all my ETH – because they noticed someone was messing with the code, so they hurried up.
My entire body felt completely cold and I couldn’t breathe properly. I didn't have enough to transfer my NFTs to prevent them from selling them, and I was really scared of putting some ETH there and having them take it too before I could use it to make my transactions.
That's when the scammer started listing my NFTs for sale, they sold my Bird Site (from rwx quest) and I just panicked and couldn’t stop crying. With the few ETH the scammer had put in the wallet to list the NFTs, I started transferring what I could to my partner’s (Poena's) wallet, and I could also privately list some stuff for him to buy for 0 ETH. That's when Kiwi and his friend started helping me transfer stuff to a new wallet. Without Kiwi’s, his friend’s and Poena’s help I probably would have lost all my sell-able NFTs.
As I tried to sleep that day it occurred to me that maybe my new wallet could be compromised as well – I didn’t want to risk it and live in fear until maybe one day my wallet got drained. Not again. After all, once I uninstalled and re-installed Chrome, it still had my favorites bar, my extensions and all. Turns out it wasn’t fully reset. So yeah, I had to make a new wallet, again, and use another browser to be sure.
It was all absolutely horrible and I don’t think I'd be overreacting if I said traumatizing.
How much did I lose?
Writing this part really makes me feel very sick so let’s get this over with. I lost 0.22 ETH, $1,925.00 USDC in Arbitrum (L2) (which I had received as a payment for 40 hours of work, kill me), apparently some Polygon ETH from my charity project (I can’t find the hash properly, I might be stupid), the NFT from rwx (for which he gave me a replacement, and I am forever grateful ;_;) and I’ve wasted a big amount of ETH transferring everything my new safe wallet as well.
But it’s not just that. What also hurts really bad is that Foundation doesn’t allow transferring accounts from one wallet to another when the artists get hacked, which seems okay considering it’s web3 but also is just…sad. I feel none of this is user-friendly or about authenticity. Most artists aren’t that experienced in crypto, I believe they should allow the change if proof is provided. But it might just be my opinion. However. The fact that my entire NFT art portfolio is just there, lost forever, makes me feel sick to the stomach.
I’m also really scared that if I ever get a secondary sale on those artworks, the scammer might immediately take the ETH.
I believe I’ll offer my collectors the option to burn the FND artworks they bought from me so I can re-mint on the my account and transfer to them if they’re willing to pay for gas. I’m thinking of giving all collectors who decide to do it a stamp that works as a ticket for a cool giveaway. Not set yet, though. Would like to know you guys’ opinion on this, by the way, and if you can think of a better solution.
I’m currently contacting OpenSea to check the possibility of transferring ownership of my collections to my new wallet. They said it’ll be done and my new wallet will be set as the owner of my collections. About Foundation, I got them to take down my latest (unsold) work to prevent people from buying it, and it’s been done as well.
About feelings and mental health
It’s the third day since this happened and I still find it very difficult to eat. I feel nauseated the entire day, and I can barely sleep. Sometimes I catch myself crying or shaking even when I'm just trying to distract myself from this. Seems impossible. And it’s not like it's over anyway. I've been searching and asking around whether my new wallet could also be compromised somehow, and now I’ve created another one and I'm trying to transfer everything to it. This is all so exhausting. I can’t wait for it to end.
I can’t explain how much I felt like shit when I saw my mom’s face as she walked into my room, bringing a snack, probably about to invite me to watch a movie with her in the living room. I was crying, sobbing even, but trying to smile to her and pretend everything was okay as I told her “not now” multiple times, while rushing to transfer my stuff before the scammer took them. She looked so worried. Even after I explained her everything, she still couldn’t understand it all, and I just wish I could make her proud and proud only. I had never felt so stupid and worthless in my life. After a while sulking over it, I realized I have to be grateful – I live in one of the most dangerous cities of the world, but I wasn’t victim to any physical violence, I could simply go back to my family, hug them and explain what happened. It could have been way worse.
I’m trying to get better as soon as I can, but I also understand it's important to give yourself time. My mom told me not to blame myself, because I’m just a victim, and I want to bring this advice to everyone who’s reading this, because sometimes it’s so hard to realize that. If you fell for a scam or if you fall for one some day:
Do not blame yourself. You are the victim.
And these things unfortunately happen.
To me, it is incredibly fucked up that most of the scammers are targeting artists. Might be because we probably understand less about how these things works or because we’re very vulnerable as we have to check DMs/emails since our jobs mostly depend on it. It's really sad, because we artists are just trying to get our work recognized and finally make a living out of it. Every penny we get is from our hard work. And we're being targeted like crazy. These people have no hearts.
So please, stay strong and stay vigilant. Read about the new scams, and if you were scammed, try explaining what happened to others so they don’t have to go through it. It is not a good moment for me but I believe we are all in this together. We all can help each other.
Conclusion and a few pieces of advice?
I don't know exactly what kind of brand new advice to give, except:
- Don’t keep too much money on your Metamask if you use it regularly;
- Don’t type or paste anything on Google Chrome's console (nor your computer’s terminal, obviously) when someone asks you to.
As usual, some good old tips:
- Don’t give anyone your private key nor seed phrase. Don’t type it in any website. In fact, keep your seed phrase somewhere only YOU have access;
- Don’t download files from strangers. Watch out for .rar, .zip, but especially .word files, as apparently they can execute scripts even if you don’t open them;
- Don’t open file sharing websites (Dropbox, Mega, OneDrive, etc) secured by password that were sent by strangers;
- Don’t start work before receiving any payment unless the company/person hiring you is absolutely trustworthy;
- Don’t send anyone ETH “for gas” if they’re saying they’re gonna bid high amounts of ETH on your work. If they have that much ETH they can certainly afford gas;
- Use Multi-factor authentication / 2FA on websites like Binance;
- Try having different passwords for different websites, so if you’re hacked in one of them, you won’t compromise the others;
- And finally, if you’re too new to crypto and these kinds of things, try reading the official security guides from the services you’re using (Metamask, Binance, etc) to learn how to stay safe.
This is all I could think of, but I'm no specialist. If you're a degenerate, sorry, I mean, an investor, or if you want to mint/trade NFTs, these tips are certainly not enough to protect you. I'd recommend looking for actual guides and entering alpha chats from the projects you're in, and before you do anything, you can ask their opinion because they might be able to help you a lot. Don't trust DMs from strangers though, try to talk in public spaces to make sure what they’re saying is true. Oh yeah also do check KaijuKing779’s firewall which blocks sussy shit on your Metamask.
Kiwi (yes, the uwulabs dev) is currently working on a guide on cyber security and avoiding scams, I recommend you all to keep an eye on him and uwucrew so you can read it when released, because I’m 100% sure it will be helpful for us all.
If you found this article to be helpful for you or a friend, just share around. I had never heard of this sort of scam before, and I’m sure if I had seen anything about it, I wouldn’t have fallen for it.
One more thing
If you want to support me, feel free to purchase a copy of the article, and/or the animated OpenSea NFT. These will kinda work as fundraisers for me to start recovering what they stole from me, and if somehow I raise more money than what I lost, I will use the extra money to help my dear web3 friends Popo – super sweet art collector and supporter – and Ruri – amazing artist and animator – who, unfortunately, also fell for scams some time ago.
Editions of the animated version of “Vulnerability” can be purchased for 0.02 ETH here!
And thank you, once again, for reading this.
Love you all.