- Essays by Ben Roy
Let’s Talk About Scams, Baby
Last week I lost $50,000 USD, which was fun.
I signed two malicious transactions on Ethereum and one of my wallets got drained, which felt like the digital equivalent of getting mugged… except instead of losing a phone and credit cards, you lose an average American’s entire yearly salary. Not great.
I want to talk about what happened for a couple reasons.
First, I hope that this reminds people to brush up on their security practices (don’t worry we won’t be talking about that in depth because it’s boring, but just a general nudge).
Second, I hope that as I share the story, people who have lost money in one way or another will feel less alone. Loads of folks I know have been phished, socially engineered, or have signed transactions without thinking (that last one is me), and there can be a lot of shame in that… so if this is you, know that you’re in good company.
Ok let’s get to it. What happened?
To start, it’s tax season, and I needed to sell some coins so that I could cash out and pay the government. I went to do this late at night, which was my first mistake because I was tired.
I moved some funds off a blockchain I don’t often use, into a wallet I don’t typically use, on a browser I don’t normally use… this only matters because I didn’t have an anti-scam browser extension (Wallet Guard) set up there, which would have been a life saver.
After swapping my coins to USDC, I paused before sending that money to an exchange and taking it out. Why? Well, markets were dumping, and I saw a token that was undervalued given what I know about the team, so I wanted to use some of this money to buy a small position in that token.
To do this, I needed to bridge to another blockchain (Base), then use a decentralized exchange on that network called Aerodrome, but for some reason my wallet wasn’t connecting to the site. This happens all the time, crypto is a nascent industry, but this is where I started getting sloppy.
To connect to an application on a blockchain you need to make sure your wallet is using the right “RPC.” In normal-person speak, the RPC is the network endpoint your wallet talks to, and each chain has its own, so you need to “point” your wallet at the correct network. Often, when you’re unable to connect to an app, it’s because your wallet is pointed at a different network than the app expects. After tinkering in settings, I confirmed that I was connected to Base, but Aerodrome still wasn’t working, so I went to try one final thing.
A trick to make sure your wallet is connected to the right network is to go to a different application on that network and sign in (this prompts you to switch to the relevant network if you’re not already using the right one). So, since Aerodrome wasn’t working, I went to Fren Pet, which is this Tamagotchi-ish game on Base… but my mistake was googling to find the site instead of going to it via their verified Twitter.
The top result when searching for Fren Pet on Google is a “sponsored” link, which seems to present a credible URL but instead serves you a scam site that is a mirror of the Fren Pet app. In short, because the URL and site looked legit at first glance, I signed two transactions there, which my tired brain thought was me signing into the app, but this gave the scam contract permission to drain my USDC on Ethereum.
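The two “sign in” transactions are the whole attack, so it is worth seeing what a wallet could have shown before the click. The following is an added example, not code from this post or from Fren Pet, Wallet Guard or Aerodrome. It assumes the drain worked the way the post describes, a token approval granted to the scammer’s contract, and models it as an ERC-20 `approve` on USDC; the exact call the scam site used is not stated in the post. The function selectors are the real ones for `approve`, `increaseAllowance` and `setApprovalForAll`, the USDC address is the real Ethereum mainnet contract, and the “drainer” and “trusted router” addresses are constructed placeholders, not real contracts. It decodes pending calldata, flags any approval (a genuine sign-in is a free off-chain signature and never needs one), and builds the calldata that revokes the allowance afterwards.

```javascript
// Added example (not code from the post or from Fren Pet / Wallet Guard):
// decode the calldata a wallet is about to sign, flag token approvals, and
// build the calldata that revokes them. Zero dependencies; runs in Node.
// Selectors are the first 4 bytes of keccak256(signature) for these ERC-20/ERC-721 functions.
const SELECTORS = {
  "0x095ea7b3": "approve(address,uint256)",
  "0x39509351": "increaseAllowance(address,uint256)",
  "0xa22cb465": "setApprovalForAll(address,bool)",
};
const MAX_UINT256 = (1n << 256n) - 1n;

// USDC on Ethereum mainnet (the token drained in the post). The other two
// addresses are constructed placeholders for this example, not real contracts.
const USDC_MAINNET = "0xa0b86991c6218b36c1d19d4a2e9eb0ce3606eb48";
const DRAINER = "0x00000000000000000000000000000000deadbeef";
const TRUSTED_ROUTER = "0x1111111111111111111111111111111111111111";

// ABI-encode an address as a left-padded 32-byte word (hex, no 0x).
function encodeAddress(addr) {
  return addr.toLowerCase().replace(/^0x/, "").padStart(64, "0");
}

// Return the i-th 32-byte argument word of calldata (hex without 0x).
function word(body, i) {
  const start = 8 + i * 64; // skip the 4-byte selector
  const w = body.slice(start, start + 64);
  if (w.length !== 64) throw new Error(`calldata too short for argument ${i}`);
  return w;
}

// If the transaction is a token approval, decode who gets the allowance and how much.
function decodeApproval(tx) {
  const data = (tx.data || "0x").toLowerCase();
  const sig = SELECTORS[data.slice(0, 10)];
  if (!sig) return null; // not an approval we recognise (plain transfer, swap, etc.)
  const body = data.slice(2);
  const spender = "0x" + word(body, 0).slice(24); // address occupies the low 20 bytes
  const second = BigInt("0x" + word(body, 1));
  if (sig.startsWith("setApprovalForAll")) {
    return { sig, token: tx.to.toLowerCase(), spender, approved: second === 1n };
  }
  return { sig, token: tx.to.toLowerCase(), spender, amount: second };
}

// Classify a pending transaction. Any approval is at least "warn": signing in to a
// site is an off-chain signature and never needs one. An approval to an unknown
// spender, an unlimited allowance, or an operator approval is "block".
function assessTransaction(tx, trustedSpenders) {
  const approval = decodeApproval(tx);
  if (!approval) return { risk: "none", reasons: [], approval: null };
  const trusted = new Set(trustedSpenders.map((a) => a.toLowerCase()));
  const reasons = [];
  if (!trusted.has(approval.spender)) reasons.push(`approval to unrecognised spender ${approval.spender}`);
  if (approval.amount === MAX_UINT256) reasons.push("unlimited allowance (2^256-1)");
  if (approval.approved === true) reasons.push("operator approval over every token in the collection");
  return { risk: reasons.length ? "block" : "warn", reasons, approval };
}

// Calldata that revokes the approval: approve(spender, 0) or setApprovalForAll(operator, false).
function buildRevokeCalldata(sig, spender) {
  const selector = sig.startsWith("setApprovalForAll") ? "0xa22cb465" : "0x095ea7b3";
  return selector + encodeAddress(spender) + "0".repeat(64);
}

// Constructed sample: what a "sign in" on a mirror site can actually be, an
// unlimited USDC approval to the scammer's contract.
const PHISHING_TX = {
  to: USDC_MAINNET,
  value: "0x0",
  data: "0x095ea7b3" + encodeAddress(DRAINER) + MAX_UINT256.toString(16),
};

const verdict = assessTransaction(PHISHING_TX, [TRUSTED_ROUTER]);
console.log(verdict.risk, verdict.reasons);
if (verdict.approval) {
  console.log("revoke with:", { to: verdict.approval.token, data: buildRevokeCalldata(verdict.approval.sig, DRAINER) });
}
```

The revoke calldata is sent to the token contract itself (`to: USDC_MAINNET`), not to the scammer, and it only helps for funds that have not already been moved; once the drainer has called `transferFrom`, the allowance check is closed after the fact. Note also that the transaction’s `to` is the token, so a wallet showing only “interacting with USDC” tells you nothing about who the spender is; decoding the second word is what surfaces the scammer’s address.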
I figured out what happened quickly. That second transaction seemed fishy, wait… oh shit, ok I’m cooked. I checked a block explorer and saw the draining transactions, then had all the stages of grief in the span of about 2 hours.
Denial. Did I really lose, like, $50,000 in two clicks just now? No chance that actually happened, let me check my wallet again.
Anger. Nah, fuck that. You have got to be kidding me. Pacing around the kitchen.
Bargaining. What if I had just gone to sleep instead? What if I was using a different browser? etc.
Depression. I’ve put so much time and work into earning this money. I’ll never make it back. Also no one cares. This was my fault. I should probably sell everything and quit the industry.
Acceptance. Actually whatever, fuck the North Koreans. Live and learn, charge it to the game. Crypto is like minesweeper and I just hit a mine. I’ll rally, play again, and make it all back.
After reflecting on this experience for a few days, my lessons from it are fairly straightforward: don’t do transactions after 8pm, always have an anti-scam browser extension installed, double check URLs, and find websites via a project’s verified Twitter and never via Google (so you know they’re official).
That said, no matter what your security hygiene is, the real challenge here is that the meat computer in our heads is just flawed sometimes: we miss things and/or we move too quickly. So, stay safe out there. When in doubt, move slow. If you’ve lost money, have some grace with yourself. And if you’re rekt and need to talk to someone, please feel free to reach out.
Thank you to all the people who have messaged me and offered encouragement over the past few days, all love.