NFT Red Weddings 🔴👰🏻
Issue 0x5… Trying To Avoid Hackers
It feels like every other day NFT collectors in some Discord are living through a red wedding, and those days are getting bloodier.
⌐◨-◨
In the nineties, and even beyond, the plot of most hacker movies pitted the rebel hackers against some sort of evil corporate overlords.
Today, hackers have mostly turned heel and are going after customer info to sell, as well as degens doing their best to make it in the world of digital assets.
Hopefully these hackers will return to their nineties-era roots and mostly target evil corporations, but until then we, the people behind the hexadecimal ETH address strings, will have to do our best to protect our own assets.
⌐◨-◨
It is important to note that hacks happen no matter where your data and assets are stored. Recently it was reported that Okta, a centralized identity and authentication provider used by thousands of organizations including Peloton, T-Mobile and the FCC, was breached.
Before Okta it was Microsoft, and long before that it was Equifax, so don't assume that staying in the cozy confines of centralized corporations keeps you safe. Nope.
That said, once you realize that on a public blockchain the hackers get to look inside the safe before attempting to break in (every wallet's holdings and every transaction are visible to anyone), you realize it is time to take personal digital asset security seriously.
⌐◨-◨
However, when you see pro-crypto investors like Arthur_0x getting hacked it is hard to think the rest of us even stand a chance.
Throw in the fact that every NFT community constantly asks you to connect your wallet in order to access token gated opportunities and it all starts to feel like we are days away from our own NFT red wedding day.
Eventually, better wallets and communication platforms with better built-in protections will hopefully be the norm, but until then: verify first, then trust.
⌐◨-◨
🔐 Safety First Approach
Ok, before we go into an example wallet setup, let's get this out of the way. The safest way to operate in Web 3 is:
1. Don’t Be First
2. Don’t Click Links
3. Don’t Trust Anyone, Verify First
4. Turn off DMs in Discord
5. Don’t Wallet From Mobile, PC only.
That said, most of us are looking for a way to experiment in Web 3, and most of us are starting out with seed phrase wallets. With that in mind…
The following is an example wallet setup. It is not meant to be the be-all, end-all, and it is definitely not OpSec advice, or any other type of advice.
Always do only what you are comfortable doing.
SET UP THREE WALLETS: Hot, Warm, and Cold
*Set up 3 different wallets on three different browsers (Chrome, Firefox, & Brave).
*Make sure each wallet is a brand new install.
*If you have multiple machines, spread out the wallet set ups across different machines as well.
*One will be your hot wallet for minting and trading, one will be your warm wallet for exchanges and DeFi, and the third will be your vault (ideally your vault is never connected to any site and never executes anything other than receiving and sending NFTs).
CREATE TWO HARDWARE WALLETS
*Buy two Ledgers, two Trezors, or one of each, and back two of the three wallets with hardware (your warm, or middle, wallet and your cold storage vault wallet).
*Attach one hardware wallet to your warm wallet, and one to your cold storage vault wallet.
*If you can, do this on two separate machines.
*Do this on two different browsers.
TRANSFER NFTS BETWEEN WALLETS
*Keep a Han Solo NFT: a low-value one you can test-send to your cold storage wallet and back, so you know that once you freeze your NFTs you can also unfreeze them by sending them back to the wallets that interact with exchanges and mint sites and sign transactions.
*Only once your test transfer has gone through in both directions should you move your prized NFTs from your hot wallet to your warm wallet and/or your cold storage wallet.
PLAY THE SHELL GAME
*Don't keep your NFTs all in one place. Keep some of them in the warm wallet and some in the vault, and move them around a bit once you get comfortable with it. Yes, this will be costly, so don't do it that often. Wallets, however, are free, so don't hesitate to create a new wallet if you are feeling particularly paranoid that day. That way, if you make a mistake and get hacked, hopefully you have shrunk the blast radius enough that the hacker doesn't get your entire collection.
⬆️ This is the face of a website we are supposed to "trust"? Can devs do something?
UTILITY STRUGGLES
There is a decent chance you are familiar with some form of the above wallet setup. Thing is, in order to get any utility out of your NFT you are currently going to be asked to prove ownership via token gating, which means connecting the wallet that holds the NFT and signing something with it.
This happens to enter "owners only" Discord channels, to enter mint raffles, to vote in a DAO, or for other reasons. Thing is, it shouldn't. Every time you connect and sign from a wallet, whatever is in that wallet is exposed to whatever the site actually puts in front of you, and a prompt that looks like an ownership check can just as easily carry a token approval or a marketplace listing. Would you trust a site with a .land domain that looks like this with access to thousands of dollars? Nope.
This is the most frustrating part of Web 3 right now.
The best way to protect yourself is simple: don't connect the wallet with your prized NFTs in it to anything that asks you to sign, not even Collab.Land. Thing is, even with a hardware wallet you are blind signing most of the time. The device shows you raw hex or a hash rather than what the call does, so even when you triple-check the URL and the contract address you cannot always tell a harmless ownership signature from a setApprovalForAll that hands your whole collection to someone else, and that can become a perilous situation.
Obviously, that isn't any fun, and it is impossible to get any utility out of your NFTs if you cold-vault them all. You have to look at every wallet signature and do a risk/reward assessment. Is it really worth any risk to vote on most proposals that come through an NFT project? Probably not. In our opinion, security is an area where blue chip NFT groups (whether CC0 or corporate controlled) could help us all out by changing their protocols (stop relying on wallet signatures) and funding quality applications that help us use our NFTs with protections. Until that time, we are all going to have to be constantly vigilant, and even then we could get unlucky or have a moment of weakness.
One thing that does help: have a trusted community to go to when a big NFT hack seems to be happening. Check in with that community, see how they are handling it, or just check in to get some moral support from your crew.
What we really need, according to Vitalik, is for social recovery wallets like Argent to become more popular. Now that OpenSea and other exchanges are beginning to support them, we might all be using these wallets in the not-so-distant future. However, today most common folk in Web 3 use seed phrase wallets.
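As an added example (not code from the newsletter, from Collab.Land, or from any wallet vendor), here is a small JavaScript triage helper for the three kinds of prompt a site can send a browser wallet: a transaction, a personal_sign message, and EIP-712 typed data. It decodes the calldata that a hardware wallet would otherwise show as bare hex and rates how much a signature could cost you, which is the check you would want before the risk/reward call above. The function selectors are the standard ERC-20/ERC-721 ones; the sample requests, the operator address and the Seaport-style typed data are constructed for this example and are hypothetical.

```javascript
// Added example, not from the newsletter: triage what a wallet sign request
// would actually let the other side do, before approving it.
// Selectors are the first 4 bytes of keccak256(canonical signature); these are
// the standard ERC-20 / ERC-721 values.
const SELECTORS = {
  "a22cb465": { name: "setApprovalForAll(address,bool)", params: ["address", "bool"] },
  "095ea7b3": { name: "approve(address,uint256)", params: ["address", "uint256"] },
  "23b872dd": { name: "transferFrom(address,address,uint256)", params: ["address", "address", "uint256"] },
  "42842e0e": { name: "safeTransferFrom(address,address,uint256)", params: ["address", "address", "uint256"] },
  "a9059cbb": { name: "transfer(address,uint256)", params: ["address", "uint256"] },
};

// Every static ABI argument occupies one 32-byte word (64 hex chars), left-padded.
function decodeWord(word, type) {
  if (type === "address") return "0x" + word.slice(24);
  if (type === "bool") return BigInt("0x" + word) !== 0n;
  return BigInt("0x" + word); // uint256
}

// eth_sendTransaction: the `data` field is what matters, not just `to`.
function triageCalldata(data) {
  const hex = (data || "0x").toLowerCase().replace(/^0x/, "");
  if (hex.length === 0) return { kind: "plain ETH transfer", risk: "LOW", args: [] };
  const selector = hex.slice(0, 8);
  const entry = SELECTORS[selector];
  if (!entry) return { kind: "unknown selector 0x" + selector, risk: "UNKNOWN", args: [] };
  const body = hex.slice(8);
  if (body.length !== entry.params.length * 64) return { kind: entry.name, risk: "MALFORMED", args: [] };
  const args = entry.params.map((t, i) => decodeWord(body.slice(i * 64, i * 64 + 64), t));
  let risk = "HIGH"; // anything that moves or approves a single token
  if (entry.name.startsWith("setApprovalForAll")) {
    // approved=true lets `operator` move EVERY token you hold in that
    // collection: the one-click "drain the wallet" primitive. false is a revoke.
    risk = args[1] ? "CRITICAL" : "LOW";
  }
  return { kind: entry.name, risk, args };
}

function hexToUtf8(hex) {
  const bytes = Uint8Array.from(hex.match(/../g) || [], (b) => parseInt(b, 16));
  return new TextDecoder().decode(bytes);
}

// personal_sign: the message is hex-encoded text. A signature over text cannot
// move assets by itself, so a nonce-style ownership proof is LOW risk.
function triagePersonalSign(hexMessage) {
  return { kind: "personal_sign", risk: "LOW", message: hexToUtf8(hexMessage.replace(/^0x/, "")) };
}

// eth_signTypedData_v4: EIP-712 structured data. A marketplace order or a token
// permit is "just a signature", but whoever holds it can redeem it on-chain.
function triageTypedData(typedData) {
  const td = typeof typedData === "string" ? JSON.parse(typedData) : typedData;
  const primary = td.primaryType || "";
  const spendable = /Order|Permit|Listing|Offer|Bulk/i.test(primary);
  return {
    kind: "eth_signTypedData_v4:" + primary,
    risk: spendable ? "HIGH" : "UNKNOWN",
    domain: (td.domain && td.domain.name) || "",
  };
}

// Dispatch on the JSON-RPC method the dapp called; param order follows MetaMask.
function triageSignRequest(method, params) {
  switch (method) {
    case "eth_sendTransaction": return triageCalldata(params[0].data);
    case "personal_sign": return triagePersonalSign(params[0]);
    case "eth_signTypedData_v4": return triageTypedData(params[1]);
    default: return { kind: method, risk: "UNKNOWN" };
  }
}

// Constructed sample requests, as a browser wallet would receive them. The
// operator address and the Seaport-style typed data are hypothetical.
const OPERATOR = "0x" + "ab".repeat(20);
const drainCalldata = "0xa22cb465" + "0".repeat(24) + OPERATOR.slice(2) + "0".repeat(63) + "1";
const proofText = Array.from(new TextEncoder().encode("Verify ownership. Nonce: 8f3a"),
  (b) => b.toString(16).padStart(2, "0")).join("");
const SAMPLES = [
  ["eth_sendTransaction", [{ to: "0x" + "cd".repeat(20), data: drainCalldata }]],
  ["personal_sign", ["0x" + proofText, OPERATOR]],
  ["eth_signTypedData_v4", [OPERATOR, JSON.stringify({ primaryType: "OrderComponents", domain: { name: "Seaport" } })]],
];
for (const [method, params] of SAMPLES) console.log(method, triageSignRequest(method, params));
```

A personal_sign over plain text rates LOW because text cannot move assets on its own; the prompts to worry about are the ones that look like "verification" but carry setApprovalForAll calldata or a typed-data order. A hardware wallet that renders only the hash gives you none of this context, which is exactly the blind-signing problem described above.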
Stay safe out there frens.
⏲ Back in the 90s…
The movie Hackers, which is a great homage to the nineties (underground roller blading, anyone?), introduced many of us to technology theft scenarios like salami slicing (later the movie Office Space also featured this technique), computer viruses that could topple oil tankers, and suits that used impossible-to-guess passwords like "love" and "password".
While there are some things these 90s tech movies didn't get right, like the prevalence and importance of payphones in the future, what they did get right was how basic social engineering techniques were going to be enough to let future ne'er-do-wells gain access to networks, accounts, and plenty of valuable digital assets.
🎵 Music To Set The Mood
Send us your GMs won’t ya?