The Heist

On Saturday, September 9th, the Gotham Gal and I arrived at JFK airport after an eight-hour flight from Paris. While waiting for our luggage, I got pushed a notification in my web3 wallet that there was an NFT drop underway that I could participate in. So I clicked on the link, signed the transaction, and nothing happened (or so I thought). So I tried again. Again nothing happened. Frustrated, I turned my attention to the luggage, retrieved it, got in a car, and headed home. On the way home, I tried again a few times to no avail.

It turns out that each of my failed attempts to mint an NFT was a scam that allowed a thief to eventually take 46 of my most valuable NFTs out of my wallet. I did not realize any of this until I woke the next morning to a text from a friend saying:

did your wallet get compromised? your NFTs from fredwilson.eth were transferred out and sold

That’s when I realized that all of the failed minting activities from the night before were actually me getting scammed.

For much of August, I along with a lot of NFT enthusiasts had been participating in something called “Onchain Summer” which was a rollout of the new Base layer two blockchain from Coinbase. Part of Onchain Summer was a daily NFT drop. You simply clicked on the link in the message in your web3 inbox and went and minted. It was fun and I collected some great NFTs that way.

The message I was scammed with looked exactly like those Onchain Summer messages but was not from the same sender. I should have noticed that but did not. Mistake number one.

The fact that I signed a transaction and nothing happened should have been a sign that something was wrong. Normally when you sign a minting transaction, a new NFT shows up in your wallet. When it did not, I should have sensed something was wrong. I did not. Mistake number two.

The fact that I was signing transactions in the same wallet where I keep my NFTs is also bad practice and I knew it. The best practice is to hold NFTs in a “vault” wallet where you never sign transactions and to have a separate “mint” wallet where you hold nothing but do all of your signing. Mistake number three.

What I was doing by signing those scam transactions was giving the thief access to a number of smart contracts that secured multiple NFTs that I owned. So even though I did not sign 46 scam transactions, the thief was able to take 46 NFTs.

Signing transactions is risky business and needs to be done carefully. I knew that but did not take the required care on the evening of September 9th.
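An added illustration, not part of the original post: a check a wallet or browser extension could run on a transaction's calldata before it is signed. It assumes the scam transactions were ERC-721 `setApprovalForAll` grants, which the post does not state. The operator address, the allowlist and the sample calldata are all constructed.

```javascript
// Added example: pre-sign review of NFT approval calldata (not code from the post).
// The two selectors are the standard ERC-721 / ERC-20 ones; sample values are constructed.
const APPROVAL_SELECTORS = {
  "a22cb465": "setApprovalForAll(address,bool)", // operator may move every token in the collection
  "095ea7b3": "approve(address,uint256)",        // one token id (ERC-721) or an amount (ERC-20)
};

// Split ABI calldata into the 4-byte selector and its 32-byte argument words.
function splitCalldata(data) {
  const hex = String(data ?? "").toLowerCase().replace(/^0x/, "");
  if (!/^[0-9a-f]{8,}$/.test(hex) || (hex.length - 8) % 64 !== 0) return null;
  const words = [];
  for (let i = 8; i < hex.length; i += 64) words.push(hex.slice(i, i + 64));
  return { selector: hex.slice(0, 8), words };
}

// Say what a signature would grant. trustedOperators is a hypothetical
// user-maintained allowlist of lowercase addresses (e.g. a marketplace in use).
function reviewTransaction(tx, trustedOperators = new Set()) {
  const parsed = splitCalldata(tx.data);
  if (!parsed) return { verdict: "warn", reason: "no decodable calldata" };
  const signature = APPROVAL_SELECTORS[parsed.selector];
  if (!signature) return { verdict: "unknown", reason: "not an approval call" };
  const [addrWord, valueWord] = parsed.words;
  if (parsed.words.length !== 2 || !/^0{24}/.test(addrWord)) {
    return { verdict: "warn", reason: "malformed " + signature };
  }
  const operator = "0x" + addrWord.slice(24);
  const trusted = trustedOperators.has(operator);
  if (parsed.selector === "a22cb465") {
    // Any non-zero word is treated as "true" so a non-canonical bool cannot slip through.
    if (BigInt("0x" + valueWord) === 0n) {
      return { verdict: "allow", reason: "revokes an operator", operator };
    }
    return trusted
      ? { verdict: "confirm", reason: "collection-wide grant to allowlisted operator", operator }
      : { verdict: "block", reason: "collection-wide grant to unknown operator", operator };
  }
  return { verdict: trusted ? "confirm" : "warn", reason: "single approval", operator };
}

// Constructed samples: grant and revoke for a made-up operator 0x1111...1111.
const SAMPLE_OPERATOR = "0x" + "11".repeat(20);
const OPERATOR_WORD = "0".repeat(24) + "11".repeat(20);
const SAMPLE_GRANT = "0xa22cb465" + OPERATOR_WORD + "0".repeat(63) + "1";
const SAMPLE_REVOKE = "0xa22cb465" + OPERATOR_WORD + "0".repeat(64);
```

A "mint" link whose transaction decodes to a collection-wide grant is the mismatch to catch: minting a new token does not require handing an operator control of tokens already held.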

This story has a happy ending. With the help of my USV colleague Nikhil, I have recovered 38 of the 46 NFTs that the thief took from me for a fairly modest sum. As I put it to a friend, it cost me between weeks and months of my personal ETH staking rewards. It was enough to sting and that’s good. It was a lesson that I learned the hard way and it was worth every ETH that it cost me to get them back.

There are a few NFTs that I am not going to try and get back, but I am still trying to buy back these two NFTs that the thief sold to others who are likely unaware that they are holding stolen goods:

Anticyclone #212 currently held by this wallet

WoW #8105 currently held by this wallet

If you recognize those wallets and know who holds those NFTs, I would appreciate an introduction so I can offer to buy them back at their cost.

I do want to thank everyone who sold me back my NFTs (including the thief who we bought quite a few from). Many people sold them back to me at their cost when they heard they were taken from me. I really appreciate that.
