Should victims of NFT hacks be compensated by creators?

by James · July 23, 2022

Table of Contents

In short

Social media accounts of NFT projects, creators and influencers are hacked and used to share scam links, which can lead to users’ NFTs and tokens being stolen.
Some notable creators disagree on whether to compensate affected users, citing Web3’s focus on self-preservation and personal responsibility.

Social media hacking is on the rise NFT community, and it’s rare lately to see a day or two go by without a significant project or creator account being compromised.

For collectors, the consequences can be significant: users engaging in scams shared by hacked accounts have collectively lost millions of dollars in NFT collectibles and other tokens, all because they linked their wallets to what they thought was a legitimate NFT coin – or token requirements. .

What is the recourse in these cases and what liability do NFT creators have to collectors when their accounts are hacked and used to commit fraud? In some cases, NFT project creators have compensated affected users, usually by refunding the market value of the collectibles in Ethereum.

However, there is growing sentiment among creators against refunding users who lose assets by engaging in social media scams. Some see these types of efforts as rewarding the reckless actions of users who don’t take precautions, which goes against the crypto industry’s principles of self-preservation, accountability, and conducting adequate research.

As social media hacks spread, here’s how the compensation debate is evolving and what well-known developers in the NFT space are saying about it.

Increasing attack

In the past few weeks alone, the social media accounts of several notable NFT projects, creators, and collectors have been hacked and used to spread scam links. When people engage with these links, connect to a wallet and approve the requested transaction, it opens them up to having their NFTs and other tokens stolen.

Recent examples of such attacks have included Ethereum NFT Project Nounwho had his Twitter account compromised on June 27. All told, NFTs were worth about 42 ETH ($64,000 today) stolen from 25 users which engaged with the link shared by attackers.

Pseudonymous NFT collector and trader Zeneca had his Twitter account compromised this week, too, although the extent of the damage to users is unclear. artist DeeKayHis Twitter account was also hacked recently, along with those of famous collectors Franklin and Keyboard Monkey.

Here is a running list of Twitter accounts that have all been compromised recently: Beeple, DeekayMotion, Zeneca, Substantive DAO, Keyboard Monkey, FranklinIsBored, British Army, Jenkins Valet, Duppies, DegenTown, pic.twitter.com/h7TjwVIZ4N

— ZachXBT (@zachxbt) 21 July 2022

artist Mike “Beeple” Winkelmannaccount was hacked in late May, with an estimated $438,000 worth of tokens and NFTs stolen from users, according to MetaMask security analyst Harry Denley. Beeple made no mention of planned compensation for affected users.

The Twitter account of Jenkins the Valeta Tally Labs project based on a Bored Ape Yacht Club NFT, was hacked and taken over in June. The creators said that users had lost Bored Apes, Mutant monkeysand other valuable NFTs via the exploitation, and that it would compensate the users based on floor price (or cheapest available NFT) for each project.

One of the most notable examples to date of a social media hack from a major NFT project is the Bored Ape Yacht Club, which had its Instagram account compromised with a fake coin link in April. Yuga Labs estimated the value of stolen NFTs at around $2.8 million and said it was working to contact affected users.

Decrypt asked Yuga representatives on Friday if it eventually compensated users, but they did not respond. Only this week, Yuga tweeted that it was aware of “a persistent threat group targeting the NFT community”, which it believed “may soon launch a coordinated attack targeting multiple communities via compromised social media accounts”.

There have been other examples in recent months, including when a project’s Discord server was compromised, with attackers using access to share links to fake NFT coins or token drops. The Bored Ape Yacht Club’s own Discord was hacked in Junefor example with a value of around 200 ETH ($359,000 at the time) NFTs stolen from users.

Solana NFT gaming marketplace Fractal faced such an attack last December and said it would compensate users to a value of $150,000 in SOL, while the Discord for NFT game Phantom Galaxies was hacked in November. Publisher Animoca Brands said it would refund users for $1.1 million in ETH in that example.

Just last weekend, Premint – a registration platform for NFT drops – had its website hacked with malicious JavaScript code. Users lost hundreds of NFTs by engaging with the scam link and Premint decided to reimburse them with more than 500,000 USD in ETH based on the minimum price of these NFTs, plus it bought back and returned two of the most valuable stolen NFTs.

“Not a Guarantee”

Interestingly, in some of the above situations, even creators who compensated users expressed doubts about doing so, at least in the long term, or said they wouldn’t do it again.

IN a postmortem account, pseudonymous nouns co-creator 4156 noted flaws in the security setup, such as a lack of two-factor authorization or a plan to deal with attacks. He described compensation as “a one-off act of goodwill” and “not a guarantee” that the Treasury would reimburse users in similar situations.

“While it’s sad to say that people shouldn’t get reimbursed for being scammed through your account, these users are engaging in zero-due-diligence activities in an effort to make a quick buck, and are ultimately the ones who signs messages authorizing [withdrawals] from the wallet”, wrote 4156 in a follow-up thread last week.

He added that most of the users seeking compensation were “extremely unsophisticated crypto users” and that many could not prove they had been affected. He came away from the experience “feeling that refunds were a short-term PR band-aid” for hacks, and that “normalizing refunds removes the incentive for personal responsibility.”

As for Premint, founder Brenden Mulligan specifically said the project would refund users because the attack happened on their website, rather than a social media channel. He pointed the same way OpenSea compensates users in January for a user interface issue in the marketplace, which resulted in owners inadvertently selling NFTs for below market value.

“For us, someone manipulated a file on Premint and was able to launch a user interface on our website. We must own that. We shouldn’t have let that happen, so we’re trying to compensate,” Mulligan said Decrypt. “There’s still an argument to be made that people should have been more careful, but in these cases I think compensation is an option to consider.”

However, Mulligan disagrees with the idea of compensating users who lose NFTs via links clicked on social media platforms. He believes that attacks via Zeneca and DeeKay’s Twitter accounts were not their respective faults, and tweeted that “paying sacrifices should not be made in most cases. It must be the individual’s responsibility.”

“Human beings need to be careful about their own safety,” Mulligan said Decrypt. “Ninety-nine percent of scams are because people don’t pay attention, and try to get into something without thinking.”

7/
This also encourages hackers to keep doing their thing since I’m the one covering the mess. Part of me says that refunds shouldn’t be a default way of responding, and another part of me says that I should still find a way to compensate and strike a balance. There is no right answer.

— DeeKay (@deekaymotion) 15 July 2022

NFT artist DeeKay tweeted last week that he had “started a process to try to compensate” users affected by the scam link shared from his hacked account, but similarly expressed discomfort with the idea.

“To be honest, I’m not sure if reimbursement is the way forward since [a] few pretend to be affected and look for opportunities,” he wrote. “This also encourages hackers to keep doing their thing, since I’m the one covering the mess.”

“Part of me says refunds shouldn’t be a default response, and another part of me says I should still find a way to compensate and find a balance,” DeeKay added. “There is no right answer.”

“The expectation should be zero”

Zeneca took a firmer stance in its own response to his compromised Twitter account. In a postmortem thread shared in tweets and collected in a blog post Titled “Evolving precedents,” Zeneca said it had two-factor authentication enabled on Twitter and was still figuring out how the hack happened — but that it didn’t plan to refund affected users.

“Somewhere along the way, projects decided that their response would be to take full responsibility and fully reimburse the victims for their losses,” he wrote. “I understand and sympathize with this response.”

But then he wrote that it was “unsustainable” for projects to continue to do so, and that it was “impractical” to sort through alleged victims. “The strength and responsibility lies with each individual participant in this area,” he added, noting that many people are used to “safety nets” in society, such as seeking help from centralized banks and financial services amid fraud.

Great thread by @Zeneca_33 here. I think his decision not to compensate is the right one.

PREMINT compensated bc it happened ON our website. We must own that.

But 💯 agree that in most cases paying victims should not be done. It must be the individual’s responsibility.

— BrendΞn Mulligan | PREMINT (@mulligan) 21 July 2022

“It is with all this in mind that I am making a tough, but I believe fair and firm, choice – not to compensate those who lost significant assets due to the events that occurred from the attack yesterday,” he wrote. “I am truly, truly, deeply sorry for everyone affected. It makes me deeply painful and sad when I talk to and hear the stories of those affected.”

Zeneca will provide a free NFT access pass to its private ZenAcademy Discord server to affected users, who are currently worth about 0.38 ETH ($580) currently, per OpenSea. He will also list the victims for potential future benefits or assistance, but noted that “the expectation should be zero” that they will receive anything more.

Reactions to Zeneca’s thread from other NFTs, creators and collectors have been largely – but not entirely – positive, with crypto die-hards celebrating the ethos of personal responsibility. It treats self-storage and DYOR (“do your own research”) as the standards in an area flooded with new users who may not fully understand the technology or see red flags.

It is still relatively early for large NFT markets. Education can help ease the impact of fraud and better prepare NFT traders to be vigilant, but so can technology and user interface improvements. Both Mulligan and Zeneca pointed to the need for improved infrastructure and mitigation measures to limit the impact of attacks.

“The user interface of the most popular wallets needs to be drastically improved to make it almost impossible for someone to connect to a wallet tapper,” Mulligan said Decrypt. “This is a solvable problem, but it’s crazy that it’s so easy to empty a wallet and there aren’t more warnings in place to protect people.”

Education, technical tweaks, and security upgrades can help close this gap, but in the meantime, FOMO (“fear of missing out”) and speculative frenzy are victimizing some NFT collectors. And creators seem increasingly unwilling to foot the bill.