- A hacker has returned 54 Bored and Mutant Apes he had stolen from the NFT Trader marketplace
- Together, the stolen NFTs were worth close to $3 million
- He agreed to return the collectibles after receiving 120 ETH as a bounty from Yuga Labs’ Greg Solano
A malicious actor has returned 54 NFTs worth nearly $3 million that he had siphoned from the NFT Trader marketplace. The hacker agreed to return the collectibles after Yuga Labs co-founder Greg Solano agreed to pay him 120 ETH, worth roughly $267,000 at the time of writing. According to the malicious actor, he managed to steal the collectibles after another attacker compromised the security of the NFT exchange, raising questions about whether the original exploit was discovered and how many hackers capitalized on the flaw.
Picking Up Residual Garbage
NFT Trader's security was breached on December 16, leading to the loss of 36 Bored Apes, 18 Mutant Apes and other NFTs. The platform disclosed that the hacker targeted recently upgraded old smart contracts.
All 36 BAYC and 18 MAYC that the exploiter had are now in our possession.
We sent her 10% of the floor price of the collections as bounty. We will be working with the affected victims getting them back to them free of charge.
Right after this coffee break…
Victims please…
— Boring Security (@BoringSecDAO) December 17, 2023
In a blockchain message, the hacker said that he was picking “up residual garbage,” adding that he initially wanted to steal tokens associated with the collectibles but later learnt that he “could also get NFT[s].”
Web3 platform Boring Security helped recover and distribute the collectibles after the hacker’s demands were met. Solano said that he paid the bounty on behalf of the affected collectors and does not expect any refund from them.
As we finish up getting these apes back to their rightful owners, I just want to give a huge shoutout to the team for working overtime this weekend to come together on this. The DAO is comprised of dozens of individuals, and are all here to further the mission of web3 security…
— Boring Security (@BoringSecDAO) December 18, 2023
Likely to be Compromised Again
Some individuals in the web3 community have noted that the P2P NFT exchange is bound to be compromised again if traders fail to revoke permissions they had granted using the old smart contracts.
Although the hacker’s actions correspond to a trend where malicious actors exploit web3 platforms and then request a 10% bounty, it’s not a common occurrence in the NFT space.
Because more than one hacker has likely exploited NFT Trader, the actual number of stolen NFTs is likely higher.