An open letter to the NFT community regarding attacks on social media service providers and the accounts we use, a post mortem of what occurred yesterday, the idea of personal responsibility, and trying to change the precedent on compensation:
A little over 24 hours ago my Twitter account was compromised. A bad actor gained access to my account and tweeted a “stealth mint” with a link to a malicious website. The website looked convincing and was in the style of the official ZenAcademy website. It asked users to connect their wallet and sign a transaction (or transactions) which, if signed, allowed the perpetrator to transfer valuable assets from the user to their wallet.
I am not yet sure of how my account was compromised. I have two prevailing theories, both of which are, to my mind, highly unlikely. One is an insider at Twitter being involved; this was my immediate reaction, and while still possible, I don’t consider it an especially high likelihood. The other is a phishing attack on me where I gave access to an attacker to the extent that they could bypass my Google Authenticator 2FA. This also seems unlikely to me, but I am not arrogant enough to suggest this is impossible. Going forward I am tightening my security even more — ordering YubiKey hardware devices for 2FA for all social accounts for both myself as well as ZA/333. I recommend all other projects and individuals with any sort of reach follow suit.
The response to the attack by the community was remarkable. It was truly an “all hands on deck” situation. Within seconds of the tweet going out, my phone started blowing up. I was in a meeting at the time and while I generally try to stay focused in meetings, I received a WhatsApp call from a member of my team and that alerted me that something might be amiss. I quickly checked our internal Slack server and that’s when I saw what happened. There was already an announcement in both of our Discord servers telling the community what was happening.
This was minutes 0-2. The wider community was already kicking into gear and sharing alerts/safety announcements in their respective Discords, and the word was spreading on Twitter. “DO NOT MINT” was literally trending.
I realised that my best course of action was to try and get in contact with someone who worked at Twitter for as quick a response as possible. I spammed about a dozen Discord servers asking if anyone knew anyone who worked there. Within 10 minutes, I was speaking to 5 different employees, between email and Twitter DMs (I was using the ZenAcademy account). I was just about to reach out to Justin Sun but he had already heard the news and locked my account down.
In parallel to this, I’m aware of at least two community members who took swift action to have the domain taken down. 13 minutes after my account was compromised and the malicious tweet was sent, the website was taken down.
While all this was happening, within the ZenAcademy Discord, we had a lot of people who had unfortunately interacted with the website / contract and were in a state of panic. Our mods, and other community members, were on hand to help people revoke access to their wallets + help them ensure their remaining assets were safe.
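As an added illustration (not code from the original post) of what the “sign a transaction” step on the fake mint page and the later “revoke access” step amount to at the wallet level: a small pre-signing check over a constructed request. It assumes the drain relied on the standard ERC-721/1155 setApprovalForAll or ERC-20 approve calls, which the post does not specify; the contract and operator addresses are placeholders.

```javascript
// Added example (not from the original post): a pre-signing check a wallet or
// browser extension could run on the transaction request a "mint" page sends.
// Selectors are the standard ones; addresses and requests below are constructed.
const SELECTORS = {
  a22cb465: 'setApprovalForAll(address,bool)', // ERC-721 / ERC-1155 operator approval
  '095ea7b3': 'approve(address,uint256)',      // ERC-20 allowance / ERC-721 single token
};
const UNLIMITED = (1n << 256n) - 1n;            // "max uint256" allowance
const word = (data, i) => data.slice(8 + i * 64, 8 + (i + 1) * 64); // i-th ABI word after selector

// Decode {to, data, value} and report what signing it would actually authorise.
function inspectTransactionRequest(tx) {
  const data = (tx.data || '0x').replace(/^0x/, '').toLowerCase();
  if (data.length < 8) {
    return { kind: 'plain-transfer', risk: 'low', detail: 'no calldata, only value sent' };
  }
  const name = SELECTORS[data.slice(0, 8)];
  if (name === 'setApprovalForAll(address,bool)') {
    const operator = '0x' + word(data, 0).slice(24);       // address is right-aligned in the word
    const approved = BigInt('0x' + word(data, 1)) === 1n;  // bool true encodes as 1
    return {
      kind: 'setApprovalForAll', operator, approved, risk: approved ? 'high' : 'low',
      detail: approved ? `lets ${operator} move every token you hold in ${tx.to}` : 'revokes operator',
    };
  }
  if (name === 'approve(address,uint256)') {
    const spender = '0x' + word(data, 0).slice(24);
    const amount = BigInt('0x' + word(data, 1));
    return {
      kind: 'approve', spender, amount, risk: amount === UNLIMITED ? 'high' : 'medium',
      detail: `lets ${spender} spend ${amount === UNLIMITED ? 'an unlimited amount' : amount} from ${tx.to}`,
    };
  }
  return { kind: 'unknown', risk: 'unknown', detail: 'unrecognised function; do not sign blind' };
}

// Calldata for setApprovalForAll(operator, false): the revocation step the mods
// walked victims through, built by hand here for a known operator address.
function buildRevokeCalldata(operator) {
  const addr = operator.replace(/^0x/, '').toLowerCase().padStart(64, '0');
  return '0xa22cb465' + addr + '0'.repeat(64);
}

// Constructed sample: what a drainer site's "mint" button might actually submit.
const ATTACKER = '0x1111111111111111111111111111111111111111';     // placeholder operator
const NFT_CONTRACT = '0x2222222222222222222222222222222222222222'; // placeholder collection
const sampleDrainRequest = {
  to: NFT_CONTRACT, value: '0x0',
  data: '0xa22cb465' + ATTACKER.slice(2).padStart(64, '0') + '1'.padStart(64, '0'),
};
```

A plain mint sends value with little or no calldata; a request whose calldata decodes to an approval for an unknown operator is the signal the page describes users missing in the moment.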
Suffice to say, I was, and am, humbled and proud of the response to the attack not only from my incredible team and the wonderful community we have, but the absolutely remarkable wider community that is this space. Say what you want about NFT Twitter being toxic at times; when shit hits the fan, we have each other’s backs. I can’t thank you *all* enough for banding together to support and protect the rest of the community.
Sadly, however, 13 minutes of a malicious website being up with a tweet from an account with almost 300k followers and some FOMO-inducing language is going to trap some people. I’m incredibly sorry for everyone who lost assets in this attack. I know many of you blame yourselves, and are beating yourselves up. Please know that this can happen to anyone. While there are steps you can take to put in place best security practices, there is always the capacity for mistakes within us. Seeing a tweet right as you wake up before you’re thinking straight might lead you to make bad decisions. Perhaps you only got 3 hours’ sleep the previous 3 days total because you were up caring for a loved one. There are infinite scenarios that we can all find ourselves in where a series of events leads us to making a mistake.
Our job as individuals, and as a space, is to do better on two fronts. The first is education: it is clear that we have a lot of work to do in relation to teaching best security practices and wallet safety / hygiene when onboarding new participants to our space. We’re making progress in this area — but it’s tough because the subject matter is relatively technically sophisticated and the average user is going to find it difficult to understand the intricacies of how blockchains work.
This brings me to the second thing we need to do better at: infrastructure. There is a lot of room for improvement at the infrastructure level where we can build in protections to mitigate the scope and extent of damages that can occur when an attack like yesterday happens. There are a lot of people working on a lot of different solutions on this front, and that’s promising and optimistic to see. I’m confident that within the next 6 months there will be solutions in place that drastically reduce the efficacy of hacks like we’ve seen over the last year.
Ultimately, though, the buck and responsibility lies with each individual participant in this space. The ethos of web3, of blockchain technology, is the idea of self custody and full ownership over one’s assets. This unlocks tremendous potential and freedom; but it is, of course, not exactly common sense / second nature to many people. We’ve largely grown up in an era of CTRL + Z, of ‘Forgot Password’ buttons, and of calling our banks to put a halt on our credit cards and reverse transactions in a disaster event.
We’ve grown up with safety nets. There aren’t many of those in web3. It’s a mindset shift that needs to occur to truly understand the scope of what happens if you lose your seed phrase, what happens if you sign a malicious transaction. The consequences are usually dire and irreversible, with little to no realistic recourse.
Over the last year we’ve seen an astonishing number of hacks occur, largely via either a Discord or Twitter account being compromised. Somewhere along the way, projects decided that their response would be to take full responsibility and fully reimburse victims for their losses. I understand and empathise with this response. There are many reasons for wanting to do this — because you feel bad for the victims, because you feel guilty, because you want to help. On a more transactional and practical level — perhaps you want to mollify an unhappy crowd and feel that it will assist the reputation of your project and brand. Perhaps you’re doing it because you saw another project do it; and/or because the crowd is expecting it.
I’m not sure this is the best path forward. It’s largely unsustainable for projects to continue to reimburse losses that were, ultimately, the fault of the individuals that lost the assets. It’s also largely impractical to ensure that all victims are genuine — it opens up an additional and hard-to-identify attack vector, where the attackers will also masquerade as victims and effectively double dip on the damages. Punk4156 made a good thread on this the other day. The sad reality also is that if people get used to / expect compensation, it makes it less likely that people will truly learn the importance of personal security and wallet safety. There is also no guarantee that the compensated parties will hold on to the compensation and not fall prey to another attack vector some time in the future.
It is with all this in mind that I am making a tough, but I think fair, and firm, choice — to not significantly compensate those who lost assets due to the events that occurred from the attack yesterday. I’m genuinely, truly, very sorry for everyone impacted. It deeply pains and saddens me as I talk to and hear the stories of those affected.
Last night I personally responded to every single ticket created in our server to have a real conversation with everyone. I explained my side, relayed my sorrow and regrets, and tried to set expectations. Everyone’s situation is different but by and large the response was once again heartwarming and an absolute testament to the humans in this space; to the humans that were following me and saw and responded to the tweet coming from my hacked account.
Not *one* single person asked (let alone demanded) for me, or ZA, to make them whole. Most were beating themselves up. Many freaking apologised TO ME, and wanted to ask how I was doing. I’m basically tearing up as I write this because I love you all so much and this is the side of the community that makes me get out of bed every day and want to spend every waking minute working to help and add value to.
The empath in me wants to throw caution to the wind, liquidate some assets, and make everyone whole. The pragmatist knows that I shouldn’t do this, and it does pain me. I hope that by not compensating the victims, we begin to shift the narrative and responsibility back on to the individual. I hope the precedent begins to change. It’s an extremely tough pill to swallow and hard lesson to learn for some; but that’s what I really want everyone to focus on — learning, regrouping, and paving and finding a path forward that allows you to be better and stronger than ever.
I’ve offered my personal support to everyone impacted, and want to extend the support of the wonderful ZenAcademy community as well. The one piece of compensation that I will be giving back is to send a ZA Genesis Token to everyone impacted. This will give everyone access to our Discord community, as well as other benefits, and hopefully we will be able to provide emotional support + help, as well as educational help to better prevent a situation like this happening again. In addition, I will keep a record of the wallet addresses of everyone impacted for posterity’s sake — and because, due to the beauty of the blockchain, there might be avenues in the future to help those impacted. I can’t and don’t promise anything on this front — the expectation should be zero, but if and when a time comes to try and give some small things back to those impacted, it’ll be on my mind and within our ability to do so.
I have many more topics and ideas I could go on about (i.e. reporting stolen assets, but I don’t want to open that can of worms right now); this is beyond long enough as it is. If you made it to the end, thank you for reading. One final thought before I wrap up — I want to state for the record that I do not blame any project or person for compensating their respective communities in the event of an incident like this. Every situation is unique, and there are exceptions to every rule. I think the status quo should be to not compensate — sad and difficult as that is for some — and that the compensation scenarios should remain exceptions, not the standard response.
Some might not agree with me, and that’s okay. I am always open to changing my mind and thoughts — that is how we as a space grow. This is all really new to all of us and we’re figuring out best practices and ideas as we go along. Just 4 months ago The 333 Club server was hacked and I *did* compensate (not fully), and tried to find a middle ground for everyone impacted.
Actually one more thing (sorry) — it’s worth noting that there are legal issues at play that most people are entirely unaware of. These situations are messy and murky. None of what I have said constitutes legal advice.
To end on a brighter note (for those keeping count, this is my third time trying to end this thread) — let’s remember the remarkable response by the community in safeguarding and locking things down incredibly swiftly. Thank you all from the bottom of my heart.
Zeneca / Roy