The NFT marketplace OpenSea is now facing at least three lawsuits over stolen cartoon apes after lawyers for a New York man filed a lawsuit in New York State Supreme Court claiming that his Bored Ape Yacht Club NFT was taken from him due to what he characterized as “security vulnerabilities” of the OpenSea platform.
Lawyers unaffiliated with the cases told Motherboard that, whatever the merits of the individual suits, the situation has the potential to cause trouble for the $13 billion Web3 startup, often referred to as the “eBay of NFTs,” as they could potentially reveal its inner workings and invite a torrent of other suits that the company will be forced to defend against.
“I think they're sitting on a ticking bomb,” said Max Dilendorf, a lawyer specializing in digital assets, cryptocurrency, and asset tokenization who is not involved in any of the Bored Ape lawsuits. (Dilendorf spoke to Motherboard before the third lawsuit was filed.)
Over email, an OpenSea spokesperson told Motherboard the company does not comment on active litigation.
The newest $1 million lawsuit, filed on behalf of Michael Vasile, is similar to another lawsuit filed in February by the same lawyers on behalf of an aggrieved Texas man. In both cases, the men say they lost their apes because of alleged bugs in OpenSea’s code that the company knew about but did not take appropriate steps to fix.
A third ape-related lawsuit, filed in the U.S. District Court for the District of Nevada and also naming the NFT marketplace LooksRare and Yuga Labs, the company behind the Bored Ape Yacht Club, claimed OpenSea did not “implement common sense and reasonable security measures” against fraud and instead put “all the onus” on users.
Altogether, the cases against OpenSea and other platforms could prove to be an arena where the courts figure out if the platform or the individual should be to blame when people lose thousands of dollars in a matter of seconds to illicit and irreversible blockchain scams.
One of Vasile’s lawyers, Ash Tadghighi, said a hacker took advantage of a “glitch” in OpenSea’s code that allowed earlier listings to be activated and fulfilled by a scammer. In late January, after one of Vasile’s listings for 135 ETH expired—and before he re-listed it at a higher price—he alleges that a scammer, via what the suit calls a "forced listing," bought the Ape at 24.89 ETH, or $80,000 as of today, and then flipped the Bored Ape for 92.9 ETH, or almost $300,000, according to the complaint.
"Essentially, OpenSea's vulnerabilities allowed others to enter through its code and force the sale of an NFT," the suit states. "This is through no fault of the owner."
Vasile submitted “numerous tickets” to OpenSea and reached out through the company’s Discord channel but OpenSea “ignored” him, the complaint states. OpenSea has itself admitted that the startup's customer support is not as fast as it would like it to be; “we’re working on it,” the company stated in an October blog post listing ways for users to avoid scams.
Vasile’s particular Bored Ape (#8858) was “highly desirable” because of certain characteristics it possesses, including “the Captain’s hat, colors, fur, etc.,” the complaint argues.
The other cases share similarities with Vasile’s but are not identical. Timothy McKimmy, the Texas man suing OpenSea, claims that he never listed his Bored Ape for sale at any price. “He never even wanted to sell it. He had no intent to sell it. He didn't want to because he wanted to hold it for the utility that it had,” said Tadghighi, who is also representing McKimmy. According to Tadghighi, a "hacker" nevertheless accessed his account through OpenSea, listed the ape for 0.1 ETH, sold it to himself or herself, then resold it for 99 ETH, turning a huge profit in moments.
The third person to sue OpenSea, a Nevada man named Robert Armijo, allegedly fell victim to an elaborate phishing attack in February after attempting to trade his Mutant Ape NFT for three Cool Cat NFTs in a Discord channel. When he clicked a link, Armijo allowed the scammer access to his digital wallet and lost one Bored Ape NFT and two Mutant Ape NFTs, according to his own complaint.
The issue of stolen apes extends beyond the three people who have filed formal complaints. Days before Vasile lost his own ape, researchers at the blockchain analytics firm Elliptic reported on a “loophole” in OpenSea’s system that allowed at least five thieves to purchase Bored Apes and other valuable NFTs at well below their market value.
The issue in that case was that some users had listed and then never properly delisted their NFTs—a process that initiates a fee on Ethereum—only to watch in horror as the orders were fulfilled on another NFT marketplace at the earlier listing price. (OpenSea advises users to delist regardless of the fee or risk accidentally selling their NFTs.)
Last week, the official Discord channels for the Bored Apes and other prominent NFT collections were hacked, leading to at least one Mutant Ape Yacht Club NFT being stolen and flipped.
The subsequent losses are significant. As of Wednesday, the price floor of a Bored Ape stood at 111 ETH, or $357,000, according to OpenSea’s own data.
At times, OpenSea has taken a proactive approach to compensate for bad actors. It has said it gives “generous reimbursements” to some users whose NFTs were stolen, though the amounts have seemed to vary. In past instances, OpenSea also has frozen trading on NFTs that were stolen or involved in money-laundering cases.
But Andrew Dao, who is Tadghighi’s co-counsel, claims neither of his clients was offered a refund and that OpenSea should compensate the victims.
“This is an opportunity for OpenSea essentially to show the public how it's going to treat users of the platform that have suffered significant losses,” Dao told Motherboard. “Is OpenSea going to step up and try to maintain that public trust and say we're going to make this right?”
David Hoppe, a lawyer specializing in emerging legal issues in technology sectors including blockchain and digital assets who is also unaffiliated with the suits, said before the third suit that the ape-related lawsuits struck him as “fairly opportunistic” and unlikely to succeed.
OpenSea’s terms of service expressly state that the company will not be held liable for third-party scams and require disputes to be settled through arbitration rather than in the courts, and Hoppe said such terms of service agreements have been considered carefully in past cases. He did not see OpenSea’s conduct as “egregious” enough for them to be disregarded.
Since the early days of the internet, the U.S. Congress has taken a “hands off” approach to issues of counterfeit goods sold on platforms like Amazon, according to Hoppe.
“Once they are informed of that, and they take reasonable steps to take it down and perhaps to ban repeat offenders, then they can't be held liable for copyright infringements,” he said. “The question is going to be, did the platform take reasonable steps to identify and to protect users of the platform from bad actors?”
The plaintiffs in the three cases believe the company did not. Lawyers for Armijo, for example, argued in their February complaint that “unlike eBay or Amazon, OpenSea has failed to adequately scale its customer support services or create a dedicated fraud department.” Vasile and McKimmy’s lawyers claim OpenSea was well aware of its platform’s vulnerabilities and chose not to suspend operations until it instituted appropriate safety measures. Doing so put “users at risk” but allowed the company to continue financially benefiting through the 2.5 percent fee it charges for every transaction that takes place on the site, according to the complaint.
Regardless of the suits’ merits, the unaffiliated lawyers said the OpenSea suits could place the popular NFT marketplace in a difficult position, as anything less than an all-out victory could invite a spate of similar lawsuits. Dilendorf added that OpenSea had reason to consider settling the case in order to avoid offering up the company’s internal emails and documents during the discovery process.
“I would not want to open up a Pandora's Box,” Dilendorf said. “Because looking at how OpenSea operates the platform from a 10,000-foot view, it's very, very questionable.”
Regulatory agencies have been encircling the NFT sector with questions about its legality. The SEC is reportedly in the process of investigating whether NFTs are being used similarly to carefully regulated securities offerings. The Treasury Department, for its part, said in a February report that the digital art market was “vulnerable” to money laundering and that OpenSea and other NFT platforms like Dapper Labs and SuperRare could one day fall under regulation by FinCEN, the financial crimes bureau that requires many U.S. financial institutions to file reports about potential suspicious activity.
As of now, OpenSea is not required to perform know-your-customer and anti-money laundering checks.
In the meantime, some of the affiliated companies are expanding dramatically whatever the questions. OpenSea has surpassed $20 billion in sales volume, and Yuga Labs, the company behind the Bored Ape Yacht Club, has expanded its empire, raising $450 million at a $4 billion valuation, acquiring the NFT collection CryptoPunks, and announcing metaverse plans.
Dao, the lawyer representing two of the men, said the “ripple effects” of situations like the ones his clients faced could harm the company’s reputation. He hopes OpenSea’s team will shore up trust in the platform by improving how it handles customer issues moving forward.
For now, Dao believes the lawsuits will put pressure on OpenSea to improve how it treats individuals who have lost hundreds of thousands of dollars in seconds.
"It's an opportunity for them to make things right,” he said. “But if they continue to let people feel like they can't trust this company, it's going to be more damaging to them in the long run.”