On Tuesday, I had my @fredwilson account taken over.
I haven't used that account for almost eighteen months, but it has almost 700,000 followers and has the potential to do a lot of harm in the wrong hands.
I am writing this to explain what happened so that others might learn from my mistakes.
On Tuesday at 3:35pm eastern, while I was in a taxi on my way from a doctor appointment to my home office, I saw this email come into my inbox.
That got my attention. A "login to my account" from an iPhone in Greece was certainly not me.
I should have looked more closely at the sender email address. That would have told me this was a scam. But I was on a call on my phone, in a taxi, so I clicked on the "Secure your X account now here" link and logged in to change my password. In doing so, I provided my password and two factor code to the hacker.
There are a host of mistakes in that last paragraph. All of them are things I know better than to do. But I did all of them.
First, I should have inspected the sender email address more closely. I did not.
Second, I should have inspected the URL of the webpage that the "secure your account now here" link took me to. I did not.
Third, I should have just ignored the email because I have a strong 2 factor system using Yubikeys on that account. I also have a very strong password on it. A login from an iPhone in Greece would be almost impossible.
But I did none of those things. I was multi-tasking, in transit, and jet lagged. And I screwed up.
I knew it almost instantly. And then, for three hours I tried escalating the situation to Twitter/X support to get them to shut the account down. I knew what was coming. Anyone who has access to that account can run a scam at almost 700k followers.
I was unable to get to anyone who could escalate to Twitter. I filed several account takeover support requests and texted a bunch of people I thought could get to someone at Twitter. But none of that worked.
It was like watching a train wreck in slow motion. I knew what was coming and could not stop it.
Around 6:15pm eastern, this scam was posted to my account.
Almost immediately my phone filled up with messages from all sorts of people letting me know my account had been hacked. A few of them offered to escalate to Twitter/X. I encouraged all of them to do that.
In particular, Sriram Krishnan came to the rescue. Not only did he escalate to the right people at Twitter/X, but he also helped me in the following days to get control of my account back. I am extremely grateful for all that he did for me this week.
I am not clear what kind of scam was run on claim-fred dot com. It could have simply been a way to get minting fees. But I fear it was a more sophisticated attack aimed at sweeping wallets of funds and NFTs. I feel terrible about that. It would not have happened but for my mistakes.
I'd also love any suggestions for getting claim-fred dot com taken down. Coinbase Wallet has a warning on it already which is great.
But I'd like to see it come down entirely if there is a way to make that happen.
I am frequently targeted with hacks. There have been three now that I have written about on AVC. Two of them have come in the last few months. I understand I am a target. I also understand that I have a responsibility to exercise great caution because of that.
I failed to do that this week and I am very sorry about that.
Thirteen years ago, USV invested in Kik, the company behind the popular messaging app of the same name, and I joined the Board. That set me off on a journey that went from mobile messaging (Kik), to crypto (Kin), to payments (Code).
One of the things about me, and my partners at USV, is we tend to stick with companies and their founders for the long haul. One can argue the merits of that approach, but it is what we do, and this particular journey is an excellent example.
When the Kik messenger app lost out in the race to become the dominant mobile messenger, the team, led by Kik's founder Ted Livingston, pivoted to building a native cryptocurrency, Kin, that would work inside the Kin messenger. That was a novel idea at the time and we are only now starting to see how powerful messaging and money are together in a single app.
That led to the idea of building a developer ecosystem around Kin, which led to the Kin Rewards Engine, another novel idea of giving developers an economic incentive to build on a crypto asset. That idea has very much come of age now.
After giving Kin to the ecosystem, and selling the Kik messenger, Ted and the team behind Kik and Kin started a non-profit to build the killer app for Kin, called Code.
After two and a half years of iterating and building, they have formed a new for-profit company called Code to bring to market a global payments app, also called Code. And they have raised a round of financing to support the go-to-market effort.
You can see Code in action by scrolling down here and you can download it here.
We are very bullish on payment applications being built on web3 rails. The Code team has a novel and different approach to the market that we are excited about.
And, of course, we are always eager to support a team that we have worked with over a long period of time and built strong and deep relationships with.
About a year ago, the USV partnership kicked off a process to articulate an overarching thesis for how we invest across all of the sectors we are active in. Over the years, we have broadened the aperture of where we invest but have approached each sector with a similar angle. We wanted to find the words to articulate that angle and put them on the home page of our website and front and center in our minds.
That process culminated in a blog post that Nick wrote and posted yesterday. You should go read that entire post. It is excellent. But to summarize, we chose these words to describe what we invest in at USV:
USV invests at the edge of large markets being transformed by technological and societal pressures
Each word in that sentence was chosen for a reason but two of them are worth calling out:
Edge - we want to be investing at the edge of markets. We have found that attacking the status quo with a full frontal assault is difficult. Making an end run around it is a lot easier.
Societal - most people think VCs invest in technological changes. We have found that our greatest returns come from societal changes.
A single sentence can say a lot and we think this one does. If you want the detail and context behind it, go read Nick's post.