The Fvckrender hack - Post Mortem
The Fvckrender hack - Post Mortem
What happened, and how to protect your crypto assets and identity
On June 11th, Fvckrender received an innocuous message though Twitter asking him to open a file for a potential project. This file ended up being a Trojan virus that then targeted his computer and compromised his crypto wallet.
When the hackers began to drain Fvckrender’s wallets, it became a race to secure his assets and minimize the damage.
We hope others can learn from this experience and wish to share what can happen if you don’t take the proper precautions to secure your wallet and seed phrase.
https://twitter.com/fvckrender/status/1403471996017541120
How it happened
Fvckrender opened a file from an unknown person, resulting in a trojan (a virus) being installed on his computer. This virus first attacked his Chrome browser cache, sending all the data to the attacker, it then started to go through his computer and sent other contents and information to the attacker.
Unfortunately for Fvckrender, he did not properly secure his crypto wallets, meaning the attacker was able to transfer all his crypto assets at their discretion.
How we tried to minimize damage
After an attacker compromises a wallet, it’s a race against time. We immediately provided a temporary secure address for Fvckrender so he could secure his most important assets. In order of priority, they were:
ETH balance
High value ERC20 tokens
ENS domains
Contract ownership of his minting contract
High value NFT’s
Locking down profiles on OpenSea, Foundation, Makersplace, Rarible, Superrare (thanks to all the teams there!)
Unfortunately, the attackers were still able to steal a small amount of ETH, ERC20’s and all AXS (which were on an Ethereum side chain with no hardware wallet support).
Lessons learned
Aside from opening a suspicious file containing a virus, the primary reason why Fvckrender’s wallet was compromised was because he did not properly secure his wallet. The following bad practices were used:
Did not use a hardware wallet
His primary wallet was a metamask generated wallet, which stores the seed phrase on his computer and browser. If an attacker compromises his computer, they get access to his wallet and can do transactions from his wallet. A hardware wallet prevents this.
Stored his seed phrase on his computer in plain text
Your seed phrase should never be stored on a computer or anything connected to the internet (or in any digital form). If someone gets access to your seed phrase, they can rebuild your wallet and do transactions from your wallet, even if it’s a hardware wallet!
On the positive side, he had 2FA enabled across all his social media accounts and financial institutions, meaning they were unable to compromise those accounts.
Best practices
Expect to get targeted. Expect that someone is going to try and hack you. The best way to secure your accounts is to have proper security setups.
Step 1: Manage your passwords properly
Never store your password on your browser. DO NOT USE CHROME PASSWORD STORAGE! DISABLE THIS!
https://support.1password.com/disable-browser-password-manager/Recommended: Use a password manager like 1password.
If using password managers, DO NOT STORE THE RECOVERY DATA ON YOUR COMPUTER. Print it out (multiple copies) and place them in one or more bank safes.
Step 2: Enable 2FA across all your accounts
Make sure you have 2FA (two factor authentication) across all your accounts.
We recommend using a 2FA authentication app. If you use this, ensure that your recovery phrase is stored in one or more secure locations (like two different banks). Storing multiple copies is important to ensure that you can recover if one location gets destroyed.
Recommendations: Google Authenticator or Authy
Do not use SMS authentication if possible. Sophisticated attackers can compromise phone numbers easily.
Step 3: Setting up a secure hardware wallet
Buy one (or multiple) hardware wallets. Suggestion: Ledger Nano (https://www.ledger.com/)
Warning: Do NOT buy from Amazon or secondary vendors. There are known supply chain attacks, where hackers return compromised hardware wallets to Amazon, waiting for them to get resold to unsuspecting customers. Buy directly from the website.
Average Security: Migrate your metamask wallet to a hardware wallet
ONLY consider this if you already have existing crypto profiles that are hard to migrate. Otherwise, skip to “BEST SECURITY”!
Only do this IF:
You have never stored your metamask seed phrase on your computer
You are very certain you are not currently compromised
Ensure that your seed phrase is stored in multiple secure locations (e.g. two bank vaults). The reason for multiple locations is to ensure that if one location gets destroyed, you can still restore your wallet.
1. Configure your hardware wallet
Set up your hardware wallet and choose the option to restore it from your seed phrase.
Ledger: https://support.ledger.com/hc/en-us/articles/360005434914-Restore-from-recovery-phrase
Trezor:
https://wiki.trezor.io/User_manual:Recovery
2. Verify your hardware wallet matches your metamask wallet
Make sure the wallet address that shows up on your hardware wallet matches your metamask wallet.
Ledger:
https://support.ledger.com/hc/en-us/articles/360006444193-Receive-crypto-assets
Trezor:
https://wiki.trezor.io/User_manual:Receiving_payments
3. Remove metamask from all devices
This will remove all traces of the seed phrase from every device. Make sure you uninstall metamask
4. Reinstall metamask, and connect to the hardware wallet
When you install metamask, set up a new wallet address. Metamask will generate a new set of addresses. You will not be using these. After it generates a new set of addresses, connect to your hardware wallet.
Your old wallet should now show up in metamask, and every future transaction will require your hardware wallet to sign each transaction. This means that even if someone compromises your computer, they cannot send transactions because they don’t have access to your hardware wallet.
Best Security: Set up a completely new wallet
1. Configuring your hardware wallet and writing down your seed phrase
Set up your hardware wallet and write down your seed phrase. DO NOT store this digitally.
Once set up, get your wallet address and write it down.
Ledger:
https://support.ledger.com/hc/en-us/articles/360009576554-Ethereum-ETH-
https://support.ledger.com/hc/en-us/articles/360006410253/
https://support.ledger.com/hc/en-us/articles/360006444193-Receive-crypto-assets
Trezor:
https://wiki.trezor.io/User_manual:Setting_up_the_Trezor_device
2. Confirming you wrote down your seed phrase properly
Then reset your device and try to restore it using your seed phrase.
Ledger Reset:
https://support.ledger.com/hc/en-us/articles/360017582434-Reset-to-factory-settings
Ledger Restore: https://support.ledger.com/hc/en-us/articles/360005434914-Restore-from-recovery-phrase
Trezor Reset:
https://wiki.trezor.io/User_manual:Wiping_the_Trezor_device
Trezor Restore:
https://wiki.trezor.io/User_manual:Recovery
You should get the same wallet address back. This is an important step to ensure that you wrote your seed phrase down properly. If you don’t get the same wallet back, go back to step 1.
3. Connect metamask to the hardware wallet
Connect to your hardware wallet.
You should use this new hardware wallet address for most of your transactions and transfer your assets here. Expect that your existing metamask wallet can be compromised.
4. Migrate any existing crypto identities
You will need to reach out to Foundation, OpenSea, Nifty Gateway, Makersplace, Superrare, Rarible to migrate your profiles to this new wallet.
Step 4: Secure your seed phrase
Write down your 12 or 24 word seed phrase on a piece of paper. Make sure it is never stored on a computer where hackers can access it. The seed phrase is the key to your kingdom.
Once again, since this is important: DO NOT EVER, EVER, EVER, STORE YOUR SEED PHRASE ON YOUR COMPUTER WHERE HACKERS CAN ACCESS IT.
You can also store your seed phrase using something more resilient than paper (like a cryptotag): https://cryptotag.io/
Once you’ve written it down, ensure you have multiple copies stored in various secured locations (e.g. safety deposit box at two separate banks). This is to ensure that if one location gets destroyed, you can still recover your wallet.
If you want to be even more secure, split your seed phrase in half, and store two copies (4 halves) across 4 bank vaults. This ensures that even if a bank vault gets robbed, they will not be able to access your wallet.
You should also do this for your 2FA authentication codes in case you lose access to your 2FA apps.
It’s not recommended that you keep a copy of the seed phrase with you - your own residence is also vulnerable to robbery.
Listen to Batman. NEVER TYPE IN YOUR SEED PHRASE!
Step 5: Create secure funds wallet (Optional)
The setup described above, while secure, does not remove all attack vectors. Since you need to transact with your hardware wallet you will always need to keep it nearby. However, this presents risk - someone could physically attack you and force you to transact from your hardware wallet. This is known as the $5 wrench attack.
It’s a good idea to create another wallet to secure your funds. This is a hardware wallet that will only be used to receive transfers. The main differentiation between this hardware wallet and the prior one is that this one is difficult to physically access for a potential attacker. This hardware wallet would also be kept in a safe.
To do this, simply repeat step 3 and 4 to create a completely new hardware wallet. Use this new hardware wallet to receive funds, and lock up your hardware wallet somewhere secure but hard to access.
This was a very expensive learning experience and we hope others can learn from this incident. Please take the time and effort to properly protect your wallet from attacks and security threats.