By Luke Whyte, Editorial Director
On the morning of June 11th, NFT artist Natasha Smith – whose name we changed due to fear of retaliation – came across an email from a Danish company seeking to purchase her work.
At first glance, it seemed legitimate. There was a company logo, examples of their previous work, and even a blurb about donating 10% of proceeds to a charity.
“I get a bunch of these emails so I wasn’t really thinking about it,” Smith said. “It didn’t trigger any, ‘Oh, this is sketchy’ feelings so I clicked it and it brought me to a Google Slides [presentation] that was attached to the email.”
Inside the presentation was a link: “Click here to view the terms”. This led to a .RAR file, which unzipped to what looked like a Microsoft Word file. Except, it wasn’t a Word file. It was a screensaver file (.SCR) that had been compromised by a hacker.
“I clicked on it and nothing happened,” Smith said. “Immediately, the alarms went off in my head: ‘Oh shit, this is a Trojan’. I Googled it and, sure enough.”
Her first thought was, ‘transfer everything out of Metamask’. What she didn’t realize, however, was that the virus had loaded a keylogger onto her computer. Now hackers could see everything she typed, including her Metamask password. A Supermarket Sweeps-style race ensued inside her wallet with hackers stealing one of her artworks and a few hundred dollars worth of ETH before she cleared the rest out.
3,000 miles away on the same day, artist Fvckrender opened a similar file following a similar request.
“For many years, I’ve been working with people sending me files and mockups for their projects,” he said. “And that’s exactly what happened.”
The hackers wiped out his Metamask completely, every token, and swiped 40,000 AXS (worth over $200,000 at the time and roughly a million today).
Three days prior in Indonesia, artist Suryanto Sur fell victim to a similar scam and, a month before him, artist Liquido Densidad was conned by a social engineering campaign attacking hundreds.
The wolves are circling
It seems that as the NFT market for artists and collectors has grown, the market for hacking their wallets has grown with it. Bolster Inc, a company that detects phishing sites, reported a nearly 300% increase in suspicious-looking domain registrations with names of NFT stores in March alone. In June, ZDNet reported that Russian underground forums were launching competitions for NFT hacks and, though it’s impossible to measure the exact number of compromised wallets, today Twitter is alive with artists and collectors discussing attacks.
“I don’t have a great handle on how widespread the scamming is,” said Caff, an NFT art enthusiast who’s been watching the trend carefully and raising awareness on Twitter. “I think there are a number of small organized scammer groups and then a number of individuals that seem to be more opportunistic.”
“Definitely over 100” wallets have been hacked, he said, but “probably under 1,000.”
As is always the case, these scammers hide behind the internet’s anonymity and, publicly, none have been identified. Or, at least, none had been identified until, on June 3rd, one engaged with Nathan Beer, SuperRare’s Head of Content. This scammer’s technique was to impersonate a collector and use social engineering, not the .SCR virus, to steal from artists through an egregious breach of trust.
“I was on my flight to Bitcoin Miami,” Beer said. “He tried to threaten me (via Twitter) for calling him out and I was like, ‘Fuck this guy, I’m going to find out who he is’. And so I spent a couple hours and I found him.”
Beer scrolled to the bottom of the scammer’s Twitter account where he found a link to a YouTube video featuring his real name, Mike Pinto Okebe. This led to an Instagram account and, within the hour, Beer slid into Okebe’s DMs.
The two began a dialogue that, though at first antagonistic, soon became inquisitive and, over the next 15 days, dozens of messages were exchanged. Finally, on June 18th, Beer convinced him to sit down for a video chat and over the course of an hour, the full story of Okebe and his motivations began to take shape.
Confessions of a crypto scammer
Born in Kenya in September of 1997, 23-year-old Okebe lives in the port city of Kismu on the edge of Lake Victoria near the borders with Uganda and Tanzania, and across the lake from Rwanda.
He claims to have watched both of his parents die – his father when he was a child and his mother quite recently – but we cannot prove this claim. What we can prove is that in October of 2019, he opened a Twitter account named YellowStorm and immediately took an interest in NFT art.
A year later on October 28th, 2020, his girlfriend gave birth to their first child, but the boy was jaundiced, according to medical records shown to SuperRare. Expenses quickly began adding up.
“So why don’t you get a legitimate job?” Beer asked.
“(In Kismu), either you know someone that knows someone or you have the best degree,” Okebe replied, “but even then it is a 50:50 percent chance for you to get a job.”
Okebe, who says he never graduated high school, instead asked the NFT community for donations on Twitter. Small amounts trickled in but, according to him, it was far from enough to cover basic needs and medical bills for him and his child. In March, he began minting his own work on OpenSea, but no one seemed interested, at least not fast enough.
“When I started my artist account nothing was ever selling,” Okebe said. “So I thought that impersonating a collector would be… uhhh… would be easier.”
Okebe began opening (or purchasing) Twitter accounts. The primary two being @MohammadBorhann, an alleged NFT collector from the United Arab Emirates, and @BullishBape, an account he’s since closed. Through these accounts, he orchestrated a manipulative social engineering scam to steal ETH from the hands of artists.
“He approaches artists through Twitter and tells them he’s a crypto trader and he has a Binance account,” Beer said. Okebe then points to a piece of their art, often something that’s been sitting unsold for some time and then tells the artist, “I’ve got this open position on Binance. It’s where all my money is,” Beer said.
Okebe tells the artist, ‘if you can give me a little money to cover the gas (transaction) fees, I can close this open position and then buy your art.’
“So he uses social engineering to get artists to send him 0.1 to 0.3 ETH ($200-$600 at time of publication),” Beer said,” but then he never bids on their work.”
According to SuperRare’s analysis of Etherscan data and the estimates of Caff and Beer, Okebe reached out to over a hundred artists between March and early July, leading to anywhere from 15 to 40 successful scams and resulting in the theft of over $13,000 in Ethereum.
In a place like Kismu, where the average cost of rent and utilities for a family of four is $295/month, this is no small amount of money. And, despite claims that the money would be used to help his family and pay medical bills, dozens of photos and videos posted to Instagram at the time appear to show Okebe posing with cash, expensive bottles of alcohol, and new sneakers.
And, when NFT artist community members started highlighting his tactics, Okebe retaliated by threatening them and justifying his actions by claiming those artists he hacked didn’t appreciate what life had given them and were undeserving of the sales they’d made.
“I am your karma,” Okebe said. That was, of course, until Beer caught him.
“I just had a couple of issues, that’s why I’m doing this shit,” he apologetically told Beer during their video call. “I’m not even proud of it. I was trying to impress a lot of friends. I just ended up blowing all the cash and there was nothing useful coming from it.”
During the call, Okebe can be seen sitting on the floor of a room he rented in a Kismu apartment using money he confessed was stolen from artists. It is not a glamorous living situation, just a mattress on the floor, clothes strewn around it’s base. His tone is desperate and Beer, wanting to remedy the situation, extends an olive branch.
“I said, look, if you can get yourself a camera, I will help you sell photos you take of your life in Kenya. Let’s make a story. You can pay back the community,” Beer said he told Okebe. “But he just kept asking for ETH.”
So I told him I’d send him a camera,” Beer said, “and he said, just send ETH.”
Within two days, Okebe was pawning jewelry for cash and, within a week, he’d started a new Twitter account, @PerpetualColli, which he was using to again con artists with his social engineering scheme.
In the month since, Okebe has continued to scam artists but, thanks to the collaborative efforts of the NFT community on Twitter, he’s become well recognized as an untrustworthy actor, culminating in the release of an awareness video partially inspired by his actions:
Through all this, the conversation with Beer has continued.
“I don’t believe for one second that you want to change,” Beer wrote to Okebe at the beginning of July. “I have given you multiple opportunities to stop stealing from people and yet you continue to steal, lie, and cheat.”
“Because I have to,” Okebe replied. “I’m not proud, I swear, and everything I have been telling you is not a lie: I have to pay rent. I have to send money to my baby mama. I have to pay for a business and I don’t have a job nor do I have a high school certificate… I’m fucking desperate.”
Finally, on July 14th, at Beer’s request Okebe confessed to everything publically on Twitter.
“I’m really sorry to everyone I hurt,” he wrote, “They literally gave me their trust and I let them down. I can’t even sleep at night.”
Okebe explained that he has a plan to turn things around. He just needs a few donations to get started.
Caution: Falling rocks
Early in 2018, journalists Bob Sullivan and Alia Tavakolian released the first season of a podcast titled, ‘Breach’, which sought to investigate history’s most notorious data security breaches. At the series’ heart was a message about the perils of data management in a Web2 world – a world where a small group of tech companies control an exorbitant amount of our personal data: Companies are going to be hacked, our data is going to be stolen and, as it stands, there is nothing we can do about it.
“Okay so you’re on the highway going 65 miles an hour on the Pennsylvania Turnpike, and you see a sign that says ‘caution falling rocks.’ What are you supposed to do?” Sullivan asks in the podcast’s first episode. “Do you hit the brakes? Do you get off on an exit? It’s literally the worst advice you can give and yet almost every single piece of advice we give people in (the data security) realm is essentially ‘caution falling rocks.’”
Part of the promise of Web3 and decentralized blockchain networks is a step away from this problem. No longer, advocates say, do we need centralized banks, art galleries or social networks to hold and manage our data, we can do it ourselves. We can give power back to the people and give all parties a seat at the table.
Yet such liberty is always equal parts freedom and risk. Correspondingly, in a world of sovereign individuals, everyone must assume the risk and reward of becoming their own bank, their own advocate, and their own security.
So, as the Web3 ecosystem grows, how do we manage this reality? Do we slowly give into risk aversion and recreate (or renegotiate with) the centralized systems we’ve aimed to abate? Or can sovereign individuals come together to foster a system of collaboration similar to that for which a scholar like Noam Chomsky might advocate?
And how, in this system would we manage actors like Okebe? Do they also get a seat at the table? Do we curtail their freedoms, their sovereignty? And if so, where do we draw that line?
“I believe in his life story,” said Caff when I asked about Okebe’s motivations, “but I also don’t believe for a moment that he is actually going to stop scamming.”
I mentioned Caff’s sentiment to Beer and said that I tend to agree.
“Yeah, but he blew up his own account so I don’t know,” Beer said. “I mean, if nothing changes for him of course he’s going to keep scamming. He’s not going to starve and watch his kid die.”