OpenSea Freezes 16 NFTs Worth $2.2 Million Following Phishing Scam

A Bored Ape collector’s NFTs have been stolen in a phishing attack, prompting top NFT marketplace OpenSea to step in and freeze the assets on its site as some community members tried to get them back.

On December 30, an NFT collector was the victim of a successful phishing attack which led the hacker to a collection of Bored Ape Yacht Club (BAYC) and other NFTs worth an estimated US$2.2 million:

@NFTX_ these apes and mutants have been stolen and flagged on @opensea please remove from your liquidiry pool
Ape 2771
Ape 6416
Ape 1623
Ape 1708
Ape 8214
Ape 7528
Ape 9988
Ape 9410

Mutants 25057
Mutant 11177
Mutant 28752
Mutant 24718
Mutant 2436
Mutant 9278
Mutant 2434

— toddkramer.eth (@toddkramer1) December 30, 2021

Collector Todd Kramer, who runs the Ross+Kramer art gallery in New York and East Hampton, revealed in a series of tweets that he was hacked after clicking a malicious link fronting as a Dapp. The attack resulted in him losing 16 of his NFTs, with Kramer stating in a now deleted tweet: “I have been hacked. […] all my apes gone. [T]his just sold [referring to his profile picture] please help me”, further pleading with the OpenSea and NFT community to assist in any way.

BAYC has been one of the most successful NFT projects so far, with celebrities including talkshow host Jimmy Fallon and rapper Eminem also owning a few. So far, nearly US$1 billion has been spent on trading Bored Ape Yacht Club NFTs. 

Community Works to Return Stolen NFTs

Some buyers found the activity questionable as these NFTs were being sold for fractions of their value and had been flagged as suspicious by the marketplace:

Yo can somone tell me what happened. I put in lowball offers on around 30 different #BAYC apes yesterday, and tonight I woke up to someone selling to me for 82 WETH, but the transaction is flagged as suspicious activity. WTF??? https://t.co/fQobv4Kdql

— ElonBricks (@ElonBricks) December 30, 2021

After word got out, some community members approached Kramer to either sell back (albeit at a loss) or give back some of his NFTs.

Just wanted to say thank you to @j1mmyeth and @evankeast for your support in arguably the worst night of my life. I still believe #wagmi

— toddkramer.eth (@toddkramer1) December 30, 2021

The end result of the stolen BAYC and MAYC NFT fiasco has not been disclosed publicly, but it seems a few individuals helped ease Kramer’s worries and have assisted him in retrieving some of his stolen NFTs.

Freezing NFTs Brings Up Questions

After Kramer’s NFTs were stolen, OpenSea – the largest NFT marketplace – froze the assets, so they can’t be traded. In an earlier tweet, Kramer said: “All Apes are frozen […] Waiting for OpenSea team to get in”. This can be seen on OpenSea, where the items can no longer be bought or sold.

This comment attracted criticism from the community since a third party was getting involved, which goes against the idea of true decentralisation. One Twitter user commented: “Feels pretty anti-crypto to be asking third parties to do this and ideally they shouldn’t be able to.”

Even famed software engineer Grady Booch added his opinion about the lack of decentralisation in this case when he commented:

Silly me. And here I thought that the code is the law and that one of the very ideas of cryptocurrencies was the elimination of any possibility of centralised intervention. Hypocrites; every one of you.

Grady Booch

Lack of Operational Security Partly to Blame

In the end, one can be sure that if other owners were in Kramer’s shoes, they would be thankful. One other mistake on his part was not practising good operational security – Kramer’s stolen NFTs were stored on a hot wallet connected to the internet, rather than using a cold wallet that requires physical action on the part of the holder to verify transactions.

Phishing has been a growing problem in the crypto space, with cybersecurity company PhishLabs reporting a tenfold increase in such attacks on crypto exchanges in the first half of 2021, compared to the previous year.