Hackers tricked a collector of JPEGs depicting apes and mutants (also known as NFTs) to give them control of their digital art, and sold them for more than half a million dollars.
On Monday, a Twitter user who goes by larrylawliet (with the handle @iloveponzi) said he lost all his digital art and called for help. According to a cybersecurity researcher who specializes in cryptocurrency, it appears the hackers or scammers tricked larrylawliet into approving his wallet to interact with the hackers’ wallet. This kind of scam or hack is becoming increasingly common in the crypto world, especially now that NFTs are worth hundreds of thousands, or even millions, of dollars.
“Probably this somehow is some rogue dAPP [decentralized application] presenting this approve transaction to the user wallet,” Tal Be’ery, the CTO of the crypto wallet app ZenGo, told Motherboard in an online chat.
Be’ery explained that, based on an analysis of the blockchain transactions, it appears larrylawliet gave access to his NFTs to what he likely thought was a dApp, or decentralized app, perhaps to help him trade the images. The problem is that it wasn’t actually a dApp, but an individual’s wallet, which proceeded to drain larrylawliet’s wallet of all his NFTs.
“The problem of course is when you give the permission (=’approve’) to a rogue address,” he said.
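The mechanism Be’ery describes is the standard ERC-721 approval model: once an owner grants an address operator rights (the "approve" step), that address can call the transfer function for every token the owner holds, whether it is a legitimate marketplace contract or an individual's wallet. The following is an added illustration, not code from the article or from any real wallet, marketplace or NFT contract; it is a small in-memory model of the ERC-721 rules with constructed addresses and token ids, showing why one approval is enough to empty a wallet and how a holder can audit and revoke operators from the ApprovalForAll event log.

```python
"""Toy model of ERC-721 approval semantics (added example; addresses such as
"0xVICTIM" and the token ids are constructed sample values, not real ones)."""
from collections import defaultdict


class Erc721Model:
    """Minimal in-memory model of ERC-721 ownership, approvals and transfers."""

    def __init__(self, owners):
        self.owner_of = dict(owners)              # token_id -> owner address
        self.operator_for_all = defaultdict(set)  # owner -> set of operators
        self.approved_for_token = {}              # token_id -> single approved address
        self.events = []                          # emitted events, in order

    def set_approval_for_all(self, owner, operator, approved):
        """The 'approve' step a dApp asks the user to sign."""
        if approved:
            self.operator_for_all[owner].add(operator)
        else:
            self.operator_for_all[owner].discard(operator)
        self.events.append(("ApprovalForAll", owner, operator, approved))

    def _is_authorized(self, caller, token_id):
        owner = self.owner_of[token_id]
        return (caller == owner
                or caller in self.operator_for_all[owner]
                or self.approved_for_token.get(token_id) == caller)

    def transfer_from(self, caller, frm, to, token_id):
        """Moves a token if the caller is its owner, its approved address, or an operator of the owner."""
        if self.owner_of[token_id] != frm:
            raise PermissionError("from is not the current owner")
        if not self._is_authorized(caller, token_id):
            raise PermissionError(f"{caller} is not authorized for token {token_id}")
        self.owner_of[token_id] = to
        self.approved_for_token.pop(token_id, None)  # per-token approval clears on transfer
        self.events.append(("Transfer", frm, to, token_id))

    def tokens_of(self, addr):
        return sorted(t for t, o in self.owner_of.items() if o == addr)


def drain_scenario():
    """Victim approves a rogue externally owned address as operator; that address
    can then call transfer_from for every token the victim holds."""
    victim, rogue = "0xVICTIM", "0xROGUE"
    nft = Erc721Model({1: victim, 2: victim, 3: victim})
    nft.set_approval_for_all(victim, rogue, True)  # the single signature that matters
    for token_id in nft.tokens_of(victim):
        nft.transfer_from(rogue, victim, rogue, token_id)  # rogue is operator, not owner
    return nft


def audit_operators(model, owner, known_contracts):
    """Defender check: replay ApprovalForAll events and report operators that are
    still active and not on an allowlist of marketplace/dApp contracts you trust."""
    active = set()
    for ev in model.events:
        if ev[0] == "ApprovalForAll" and ev[1] == owner:
            _, _, operator, approved = ev
            (active.add if approved else active.discard)(operator)
    return sorted(op for op in active if op not in known_contracts)


def revoke_all(model, owner):
    """Remediation: revoke every active operator; returns the remaining operator set."""
    for operator in list(model.operator_for_all[owner]):
        model.set_approval_for_all(owner, operator, False)
    return sorted(model.operator_for_all[owner])


def revoked_operator_cannot_transfer():
    """After revocation, the former operator's transfer attempt is rejected."""
    victim, rogue = "0xVICTIM", "0xROGUE"
    nft = Erc721Model({7: victim})
    nft.set_approval_for_all(victim, rogue, True)
    revoke_all(nft, victim)
    try:
        nft.transfer_from(rogue, victim, rogue, 7)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    drained = drain_scenario()
    print("victim now holds:", drained.tokens_of("0xVICTIM"))
    print("suspicious operators:", audit_operators(drained, "0xVICTIM", {"0xKNOWN_MARKETPLACE"}))
    print("revoked operator blocked:", revoked_operator_cannot_transfer())
```

The audit function works only from the event log, which is what an on-chain explorer or wallet-hygiene tool has access to; in practice the allowlist would contain the verified marketplace contract addresses, and anything else holding operator rights over your tokens deserves a second look and, usually, a revocation.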
Larrylawliet told Motherboard that his hack was part of the fallout of a hack on the Moshi Mochi NFT project. "Earlier today, our discord was compromised," the Moshi Mochi Twitter account tweeted on Monday. The project explained that hackers were able to commandeer its official Discord channel, and send users to a fake website. According to Moshi Mochi, project members lost 35 ETH.
But it was worse for larrylawliet, who said in an online chat that he got tricked because the hackers sent a fake link through an official announcement, telling users they could mint the final round of NFTs. That is the link he clicked, which led to him being hacked once he gave the attacker permissions.
The hacker stole seven NFTs from larrylawliet, according to blockchain records: one from the Bored Ape Yacht Club, five from the Mutant Ape Yacht Club, and one Doodle. Other victims lost four Doodle NFTs. The hacker then sold the NFTs for just under $700,000 total (larrylawliet's Bored Ape sold for 100 ETH, or $275,000). Larrylawliet claimed that the hacker undersold the stolen NFTs, which according to him could have been sold for 1,000 ETH, or $2.7 million. “The hacker wants to sell it asap because they don't want to [get] locked by OpenSea,” he said.
Indeed, the NFTs are now listed as "frozen" on OpenSea.
According to blockchain records, and confirmed by Be’ery, the attacker's wallet has moved 600 ETH worth roughly $1.5 million through the Tornado Cash tumbling and mixing service.
This is just the latest in a seemingly endless—and likely never-ending—series of NFT heists. Last year, hackers took over several accounts on the NFT marketplace Nifty Gateway and stole thousands of dollars worth of digital art. Images from the luxe-tier Bored Ape Yacht Club (BAYC) collection have been especially appetizing, given their inflated value. In November, hackers tricked a seller into giving up his Ape JPEGs—worth hundreds of thousands of dollars—for free. And that was a small haul. Earlier this year, scammers stole around $2.3 million worth of Bored and Mutant Apes from the owner of the Manhattan: Chelsea art gallery.
Over and over, we see that NFTs and the ecosystem around them have unique vulnerabilities that arise due to centralized systems interacting with decentralized assets, and the vigilance required from users.