As the NFT community continues to grow, so too does the number of bad-faith actors hoping for a piece of this multi-million-dollar pie. As a result, NFT thefts are getting more and more expensive. In some cases, people have lost millions.
If you’re looking to get started building an NFT collection of your own, the first thing you’ll need to be wary of is rug pulls and scams within the community. But once you navigate past the NFT scams and successfully secure digital items you are about, you’ll need to be even more diligent. Remember: In Web3, third parties won’t manage everything for you. You need to rely on yourself and your own research. So constant vigilance is a must, as theft can happen – even to the most diligent users.
With this in mind, let’s take a look at some of the most expensive NFT losses and thefts. These stories will help you better understand what went wrong and how you can protect yourself from an expensive NFT theft yourself.
Goodbye to an Ape
Chelsea art gallery owner Todd Kramer had an unpleasant end to his year, to say the least. Kramer owns Ross + Kramer Gallery, and right at the end of 2021, he had some problems with some of his personal art. On December 30, Kramer discovered that several NFTs from his personal collection on OpenSea, the world’s largest NFT marketplace, had been stolen.
He detailed what happened in tweets that have since been deleted. Most of the NFTs were Bored Apes and Mutant Apes, some of the most valuable NFTs on the market. Ultimately, Kramer faced an estimated $2.2 million in losses from the theft.
Kramer quickly called for intervention on OpenSea’s part, who promptly froze all transactions on the platform until Kramer could reclaim his lost apes. This drew the ire of many users in the community, who chided him for not storing such expensive NFTs on a hardware wallet. Hardware wallets (also known as “cold wallets”) are important tools when it comes to preventing expensive NFT thefts, as they aren’t connected to the internet unless they are plugged in. As such, they are harder to hack.
Unfortunately, Kramer was using a hot wallet, which is always connected to the internet. As a result, it’s more vulnerable.
Users also criticized OpenSea for their involvement, as some alleged that NFTs aren’t really decentralized if one company is able to freeze transactions in this way. OpenSea responded to the criticism with a statement. “OpenSea is a blockchain explorer, meaning our goal is to provide the most comprehensive view into NFTs across different blockchains. We do not have the power to freeze or delist NFTs that exist on these blockchains, however we do disable the ability to use OpenSea to buy or sell stolen items. Since this issue emerged, we’ve built security tools and processes to combat theft on OpenSea. We are actively expanding our efforts across customer support, trust and safety, and site integrity so we can move faster to protect and empower our users,” they said.
Thankfully, Kramer was eventually reunited with most of his stolen collection. Hopefully, he’ll keep them in a safer place this time around.
More trouble on OpenSea
Sadly, OpenSea witnessed another high-profile heist barely a month after Kramer’s apes were stolen. In February, users on the platform uncovered the trail of a million-dollar heist. The hacker responsible used one of the oldest tricks in the book to pull this off: a phishing attack.
This happened just a day after OpenSea upgraded its smart contract infrastructure to protect users from a bug that enabled attackers to purchase NFTs at far below their market values. This was possible because an error in the system allowed old contracts to stay on the blockchain without appearing in OpenSea. Many of the contracts were years old. By making offers against those contracts, attackers could take advantage of the excessively low, out-of-date prices.
As a result, all OpenSea users had to migrate their NFT listings to a new smart contract. The hacker used a phishing attack to take advantage of the migration.
With this successful attack, the hacker was able to lure 17 users into transferring some of their high-value NFTs into the hacker’s OpenSea account. Among the stolen NFTs were four Azukis, two Coolmans, two Doodles, two KaijuKings, and one Mutant Ape Yacht Club. They then quickly sold off these NFTs, running off with over $1.7 million in profits.
Nifty Gateway compromised
March saw yet another expensive NFT theft take place – but this time it was on a different platform. Several Nifty Gateway users went to social media to report that their accounts had been compromised.
Hackers used these stolen accounts to purchase and sell hundreds of thousands of dollars worth of NFTs. The worst part? Users whose accounts had been broken into were left holding the bag, as these fraudulent transactions were charged to the affected users’ credit cards. This is thanks to one of the specific ways Nifty Gateway’s platform operates: users are free to charge purchases to their credit cards, along with their crypto wallets.
Although Nifty Gateway formally acknowledged the attack, they placed the blame on the users themselves instead of any potential vulnerabilities on the platform. In a statement to Motherboard, a Nifty Gateway spokesperson reported that “none of the impacted users had 2FA (two-factor authentication) enabled.” This implies that hackers used simple phishing tools in order to commandeer these accounts, and were able to gain access just by figuring out the affected users’ passwords.
NFT theft puts the ax on a planned BAYC-themed project
After a long and storied career in the entertainment biz that includes appearances in Family Guy, Austin Powers, and Mass Effect, actor Seth Green announced his plans to head a project of his own featuring his Bored Ape. This new project — a series based on his Ape named Fred — would see Green put on the producer hat for the first time since working on Robot Chicken.
Yuga Labs, the company behind BAYC, gives NFT owners an unlimited worldwide license to use copy, and display their purchased art. This license allows the owners to create derivative works based upon the Bored Ape intellectual property — which is exactly what Green planned to do. All those plans came to a halt though, when the actor fell victim to a phishing scam in late May 2022. Among the stolen NFTs were his Ape, two Mutant Apes, and a Doodle.
Green was phished on a phony version of the Gutter Cats marketplace. While he could trace his stolen property to OpenSea user DarkWing84, his ape remains on the loose at the time of writing.
Hack saw BAYC itself targeted
Unfortunately, it isn’t just Bored Ape Yacht Club’s holders that hackers view as a prime target. Why not go straight to the source?
An April attack saw the BAYC Instagram and Discords compromised. This was done via a phishing scam: the hackers distributed links to unsuspecting members of the BAYC community, leading them to a fake Bored Ape Yacht Club website.
Once there, users were prompted to connect their MetaMask wallets to the scammers’ wallets, who then proceeded to transfer the high-value NFTs into their wallets. The theft saw over 54 NFTs parted from their original owners, totaling more than $13.7 million in cumulative losses.
29 Moonbirds stolen from their nest
When Moonbirds made its way into the top 10 highest-grossing collections of all time less than a week after its launch, some bad actors saw it as an opportunity for a quick buck. Yet another phishing scheme in late May saw 29 Moonbird NFTs stolen from their original owner.
At the time, NFTs from this collection had floor prices of roughly 24 ETH, or almost $48,000. The high-ticket pieces stolen in the attack meant that the original owner, reportedly a member of Proof Collective, lost almost $1.5 million.
Beeple gets hacked
Digital artist Mike Winkelmann, popularly known as Beeple, quickly made a name for himself in the NFT space with a series of multi-million dollar sales. This includes the highest-grossing NFT sale to date: “Everydays: The First 5000 Days,” which sold for over $69 million.
Since then, Beeple has become a fixture in the community, collaborating on and creating other successful projects since that fateful sale. One such collaboration was with legacy fashion brand Louis Vuitton. Hackers used this to their advantage, as they were able to break into the artist’s Twitter account in late May 2022.
The hackers subsequently posted links to a fake Louis Vuitton NFT raffle on the artist’s account, which understandably led some of his followers to get duped by the fishing scam. All in all, the scam netted the attacker roughly $438K in cryptocurrency and NFTs from their unsuspecting victims.
It’s not always possible to avoid NFT theft, but there are steps holders can take toward keeping themselves safe. First, only click links on websites you know and trust. Even if a link looks like it may have come from someone you know, don’t assume. Always verify before proceeding.
Next, be sure to enable multi-factor authentication on all your accounts and hardware. This only takes a few minutes and is key. It’s also important to create a strong password and never reuse it. If one account is compromised, you don’t want all your accounts to be compromised. Finally, keep your Secret Recovery Phrase (also known as a seed phrase or mnemonic) safe. Never give it to anyone.
Stay safe out there.