Hackers tricked a man who was selling three NFT images of apes into giving them up for free on Saturday, according to the man, who claimed that the stolen NFTs were worth "over a million dollars."
NFTs, or non-fungible tokens, are receipts of ownership over digital items like a JPEG that are posted to a blockchain. Investor Calvin Becerra wrote on Twitter that his NFTs linked to three images from the luxe-tier Bored Ape Yacht Club (BAYC) collection “were hacked” on that day. The floor price for a BAYC NFT on OpenSea is currently 34 ETH, or around $136,000.
Becerra said that the alleged hackers posed as interested buyers in a Discord channel and pretended to help him fix a problem with his cryptocurrency wallet, and then deceived him into choosing “an option and took everything.”
In other words, it appears that the hackers tricked Becerra into giving them ownership of the ape NFTs with a typical social engineering scheme. In response to the theft, Becerra was asking people not to buy the NFTs from the hackers and requesting that NFT marketplaces delist the stolen NFTs on their platforms.
“It sucks to not have apes anymore, but I’ve got my family and Gods for my back,” he wrote in a series of tweets. Becerra did not immediately respond to a request for comment via email and through Discord.
It's difficult to verify the specifics of the hack beyond Becerra's word, but records on peer-to-peer marketplace OpenSea show the NFTs being transferred away from Becerra's account on Saturday, and they've been marked as suspicious on the platform. In any case, news of the hack went viral on social media as NFT haters got their dunks in, while others expressed sympathy for Becerra.
Becerra is a self-described “business builder” and “motivational speaker” and he is also a collector and creator of NFTs. He's also a member of the so-called Bored Ape Yacht Club (BAYC), an NFT collection whose founder called it “a collaborative art experiment for the cryptosphere” in an interview with Rolling Stone. The magazine described the group’s apes as “edgy, haphazardly constructed art pieces that also act as membership cards to a decentralized community of madcaps.” They are also JPEGs that people really love to use as profile pictures, basically.
The Bored Ape Yacht Club did not immediately respond to a request for comment.
Ever since the hackers stole the NFTs, Becerra has been trying to tell everyone on the internet not to buy them from the hackers. “Help me get my pfp [profile picture] ape back! Don’t let them win! Please don’t bid or pay for these stolen apes,” he wrote on Twitter. “They took over a million dollars in apes and #NFTS from me.”
Becerra said on Twitter that his complaints convinced OpenSea, as well as Rarible and NFT Trader, to “do the RIGHT THING” and unlist the three stolen apes from their platforms. The NFT listings are greyed out on Rarible, with a note saying "item has been temporarily blocked from public access," but they are still viewable on OpenSea with a warning that they have been flagged as suspicious. One of the stolen apes currently exists in a staked vault of other Bored Apes on the NFTX platform, which lets people turn their NFTs into liquid tokens backed by the NFTs that can be used for other purposes. Blockchain records show that Becerra paid 70 ETH for it in September, or roughly $245,000 at the time.
“We take matters like this seriously and have no tolerance for theft on the platform. Immediately upon learning about what happened, we halted buying and selling of the NFTs in question and banned the account associated with the suspicious activity,” an OpenSea spokesperson told Motherboard in an email. “We take these actions to deter harmful behavior on OpenSea and limit its upside.”
Rarible did not immediately respond to a request for comment.
NFT Trader is a peer-to-peer marketplace that integrates the Bored Ape Yacht Club smart contract, according to a spokesperson, and didn't take any action on the NFTs. “We did not ban any NFTs from our platform, not that we didn't want to support [Becerra],” the spokesperson told Motherboard in an email.
“First, from a technical standpoint to implement banning or removal of NFTs from our trading system right now is not feasible, but we did share and warn our community about Calvin's dilemma and those BAYC NFTs. Secondly, we ourselves want to be as neutral a bystander as possible,” the spokesperson added. “Because this space is so nascent there are still many things that need to be established for the space to be fully decentralized and we feel it is not our prerogative to get deeply involved but support where we can.”
“From what we know nothing happened to his NFTs on our platform,” the spokesperson said.
In a tweet, Becerra made the argument that instead of buying the NFTs from the hackers—supposedly worth more than a million dollars—people could just download the images from his tweet.
“Don’t buy stolen jpegs. They are free right here. You can right click away,” he wrote.
The theft of these NFTs is certainly not a sophisticated hack. But it shows that hackers and scammers are increasingly targeting NFT creators and owners, trying to take advantage of the fact that some of these images are now worth millions of dollars in what is a largely unregulated market filled with speculators.
Last month, the anonymous developer of a much-hyped project that combined NFT pictures of “evolved apes” and a fighting game that never materialized disappeared after siphoning off 798 ether (at the time worth around $2.7 million). In September, a hacker took advantage of a bug in Banksy’s website to trick one of the artist’s fans into buying a fake Banksy NFT.
On Tuesday, Becerra posted in the public BAYC Discord that he was able to get one of the three NFT apes back.
“I got my baby back. HE IS THE MOST FAMOUS APE IN THE WORKD [sic] NOW,” he wrote. “I’m not sellin’ shits worth 1500 eth.”
It’s unclear how he got one of the stolen NFTs back. But the listing for the NFT ape on OpenSea shows it was transferred twice on Tuesday, the last time to an anonymous account that joined in October.