DeFiance founder’s hot wallet hack is a wake-up call for investors
The hot wallet hack of DeFiance Capital Founder, Arthur Cheong, which resulted in the theft of more than US$1.6 million in non-fungible tokens (NFTs) and cryptocurrencies, is a wake-up call for every crypto investor.
According to blockchain security firm PeckShield, the NFT portfolio stolen from Cheong consisted of five CloneXs, 17 Azukis, 33 Second Selfs, two Hedgies, and two Tsubasa NFTs. PeckShield reported that approximately 59 NFTs were stolen in total.
Cheong tweeted that he believes the hacker targeted him with a social engineering phishing email containing a fake Google Doc link, which seemingly compromised his entire computer, as the hacker was able to access multiple hot wallets on his system with different seed phrases.
Cheong tweeted that he was “pretty careful, and stuck with only using a hardware wallet on PC until I started trading NFTs more regularly”, adding that he’ll no longer use a hot wallet.
A warning for all investors
The hack shows that even those who earn a living with crypto are not immune to security lapses and the exploits that can arise from them. If Cheong had been following best practices and storing his portfolio on his hardware wallet, this hack might not have happened, or it would at least have been a lot harder for the attackers to carry out.
The crypto community often warns that any crypto stored on the Internet in a hot wallet is at risk. This month alone, as well as long before it, phishing attempts on unsuspecting NFT investors have been successful, with millions stolen.
Unlike more traditional assets, investing in cryptocurrency places the security burden entirely on the user, who is wholly responsible for the safety of their assets. Furthermore, nobody can help if those are compromised. So what can investors do to secure their assets?
The simplest way to secure crypto investments is to store them on a hardware wallet, offline, and leave the physical device in a secure location, like a safe, locked drawer, or safe deposit box.
The seed phrase attached to that wallet – the 12 to 24 words that are shown when setting it up for the first time – is arguably more important to keep safe than the device itself, as access to that phrase means access to the crypto. There are many ways to secure a seed phrase. Some companies sell (expensive) titanium wallets designed specifically for this purpose, though a more affordable option would be the DIY “safu ninja”, which requires some washers, a nut, a bolt, and metal stamps. Alternatively, some choose to memorise all 24 words of their seed phrase.
Additionally, using a password manager with a strong password is mandatory for security. Password managers allow users to have a different password for every website or login needed, and almost all will randomly generate a password. For example, “4Dd@rv#i$aos2” is a much harder password to crack than your dog’s name and birth year. However, despite password managers being proven to be effective, it is not recommended to store the crypto wallet seed phrases themselves in one.
Finally, don’t click any links when you are unsure of their origin. Always check, then double-check, the URL to ensure its legitimacy, and never connect a hot wallet to a website until you have verified it.
The author of this article is not a security expert, and any recommendations are the opinion of the author; they should not be considered advice on how to handle the security of your own assets, digital or otherwise. Do your own research on any security measures mentioned in this article, and consider consulting a verified security professional.