Cybersecurity attacks are one of the persistent problems in the crypto space today. Hacks, exploits, and security breaches have resulted in millions to even billions of dollars in losses. Blockchain innovations like decentralized finance (DeFi) and NFTs have been plagued by serious exploits that have led to huge losses.
As the crypto market thrives with the creation of new investments, bad actors look for ways to turn it into a cash cow by launching hacking attacks. As the technology advances, stricter security measures have been implemented to prevent these attacks, but perpetrators find ways to exploit even the slightest vulnerability in these projects.
One of the beauties and strengths of blockchain, the technology that fuels the entire crypto industry, is decentralization, which eliminates intermediaries. This makes transactions seamless, cheap, and fast. But decentralization has also become one of blockchain’s ugly sides, as exploiters have taken advantage of it. In this article, we feature the biggest NFT hacking incidents in the crypto space today. Let’s begin our round-up of the largest NFT hacks to date.
Axie Infinity’s Ronin Network $622 million
This incident has been dubbed the biggest hack in the NFT space and in the entire crypto space, surpassing Poly Network’s $611 million supposed conspiracy exploit. Rising to fame amid consecutive crypto market crashes, Axie Infinity became the leading blockchain-powered NFT gaming platform, with a large following mostly from poverty-stricken countries like the Philippines and Venezuela. Before the end of 2021, active users of the platform surged to 2 million. But after this huge success, Ronin, the platform’s network, experienced the largest exploit in the history of crypto.
On Mar. 23, hackers emptied the Ronin network’s coffers after exploiting a security flaw. The exploiters compromised private keys used to validate transactions on the network. These keys were then used to forge fake withdrawals from users’ funds. Binance, the largest crypto exchange, acted swiftly by suspending withdrawals and deposits on the Ronin network on its platform following the incident. There were allegations that the heist was carried out by a North Korean hacking group. According to a report by Chainalysis, North Korean hackers are notorious and were responsible for 7 other hacking incidents in crypto in 2021, resulting in $400 million in losses. Fortunately, all lost funds will be reimbursed, thanks to Binance bailing out the NFT game company. The largest trading platform has also invested $150 million in the NFT gaming platform. According to a report by Bloomberg, Binance was also able to recover $5.8 million of the exploited funds.
Bored Ape Yacht Club Instagram and Discord $13.7 million
Hackers have now found their way into the official social media accounts of leading NFT projects like Bored Ape Yacht Club in order to exploit users. A phishing attack was launched on the Instagram account and the Discord channel of the NFT primate collection by sending an unofficial “mint” link. As a result of the attack, 54 BAYC NFTs were stolen, valued at $13.7 million based on the NFT collection’s floor price at that time. According to reports, 24 Bored Apes and 30 Mutant Apes were stolen, but the real number remains unconfirmed.
On April 25, BAYC revealed the hacking on its official Twitter account.
🚨There is no mint going on today. It looks like BAYC Instagram was hacked. Do not mint anything, click links, or link your wallet to anything.
— Bored Ape Yacht Club (@BoredApeYC) April 25, 2022
A BAYC spokesperson commented on the matter in an email statement carried by CoinDesk:
“The hacker posted a fraudulent link to a copycat of the Bored Ape Yacht Club website, where a safeTransferFrom attack asked users to connect their MetaMask to the scammer’s wallet in order to participate in a fake Airdrop.”
The spokesperson further added:
“At 9:53am ET, we alerted our community, removed all links to Instagram from our platforms and attempted to recover the hacked Instagram account.”
Most owners of the BAYC and MAYC collections are rich and famous, which has contributed greatly to the collections’ price surge. The NFT collection is now one of the most expensive in the crypto market today. The BAYC floor price is now up to 137 ETH, or more than $268,383, and the MAYC price has increased to 32 ETH, or $62,688, with the current price of ETH (Ethereum) at $1,959.
This is the second time that the Discord channel of BAYC has fallen victim to hacking. On Apr. 1, another hacking incident occurred in which the culprit stole a MAYC NFT worth $69.5k.
BAYC Discord hacked pic.twitter.com/xSQh7YtC8N
— 0xGav.eth (@0xGav) April 1, 2022
According to a report by Yahoo, @SerpentAU revealed in a tweet that the Ticket Tool was the real source of the hack.
I have received inside information from one of the hackers.
🚨 THE OFFICIAL CAPTCHA BOT IS HACKED, REMOVE IT FROM YOUR SERVER 🚨
BAYC & Doodles have already been hacked within the last 30 minutes but MANY MORE SERVERS WILL BE HACKED.
BAYC and the NFT collection Doodles were attacked on the same day.
Art Collector Todd Kramer $2.2 million
In January, gallery owner Todd Kramer of New York’s Ross + Kramer Gallery revealed in a tweet that he had fallen victim to an NFT theft.
“I have been hacked. All my apes gone. This just sold please help me.”
The art collector fell victim to a phishing scam that drained all 15 of his NFTs from his Ethereum wallet, including four BAYC NFTs valued at $2.2 million. Fortunately, he was able to retrieve several of his NFTs after getting help from NFT buyers and the OpenSea platform. In another tweet, the art dealer later stated:
“Update.. All Apes are frozen,,. Waiting for opensea team to get in,,,lessons learned. Use a hard wallet…”
Kramer later deleted his tweets regarding the supposed exploit of the NFTs stored in his hot wallet.
DeFiance Capital’s founder Arthur Cheong $1.7 million
Arthur Cheong, the founder of DeFiance Capital, took to Twitter about the hacking of the wallet holding his NFTs. The attack took place on March 22, as stated in this tweet.
Well not sure what happened, need to take time to figure it out. Didn't expect this to happen to me as well.
Guess no more hot wallet usage then.
— Arthur (@Arthur_0x) March 22, 2022
The stolen NFTs were from expensive collections, including 17 Azuki, 5 CloneX, 2 Hedgies, and 33 Second Self, and were immediately sold on OpenSea, according to a report by PeckShield. A total of 59 expensive NFTs were stolen in a single attack.
#PeckShieldAlert @Arthur_0x ’s hot wallet appears to be compromised. ~59 #NFTs was transferred to https://t.co/MZXIWN4ING , including ~5 #CloneX, ~17 $Azuki @AzukiZen, ~2 @TabinekoKIKI, ~2 @HedgiesOfficial, ~33 @SecondSelfNFT
~19 stolen NFTs wiped for ~233 $ETH (~$690k). pic.twitter.com/oqM08ex1Yg
— PeckShieldAlert (@PeckShieldAlert) March 22, 2022
The attacker then transferred the digital assets to a wallet in their control. Cheong stated that the “likely root cause” for the exploit is a “spear-phishing email” he received recently.
Found out the likely root cause for the exploit, it's a targeted social engineering attack. Received a spear-phishing email that really seems to be sent by one of our portco with content that seems like general industry-relevant content.
They are likely targeting all crypto peep pic.twitter.com/SegYBcoLX2
— Arthur (@Arthur_0x) March 22, 2022
The email was reportedly from one of DeFiance Capital’s portfolio companies, which caught him off guard. Once he accessed the email, the attacker was able to get hold of his seed phrase, or password, and breach his crypto wallet.
Cheong stated that although hacking incidents are nothing new to him, he didn’t expect that it could happen to him.
OpenSea NFT Marketplace $1.7 million
In February, the largest NFT marketplace suffered a hacking attack resulting in a $1.7 million loss. The exploit occurred while the NFT platform was undergoing an update to its contract system, but OpenSea was quick to deny that the exploit came from the new contracts. Devin Finzer, Chairman and CEO of OpenSea, reiterated that it was not a hack but rather a phishing attack.
“This is a phishing attack. We don’t believe it’s connected to the OpenSea website.”
Initially, 32 users were reported as affected, but this was later reduced to only 15 since only 17 of these had lost their NFT assets, according to OpenSea. According to reports, the attacker exploited a vulnerability in the Wyvern Protocol, the open-source standard utilized by the NFT platform. CEO Devin Finzer revealed that the targets had signed a blank check prior to the attack. The attacker then filled in the rest to steal their NFTs. This was confirmed by Twitter user Neso.
“I checked every transaction. They all have valid signatures from the people who lost NFTs so anyone claiming they didn’t get phished but lost NFTs is sadly wrong.”
There were approximately 254 stolen NFTs, according to PeckShield. OpenSea has reimbursed affected users for the value of their lost assets. Robert Garcia, one of the affected users, who lost his Mutant Ape NFT, used the refund to purchase a new Mutant NFT.
NFTs are definitely the newest trend in the crypto market, and with their prices skyrocketing, they may turn into a honeypot for bad actors lurking in the crypto space. In a now-deleted tweet, Cheong stated:
“Well, this hit me hard but if I got exploited as a fairly sophisticated 5 years crypto user (DeFi user, password manager, mostly hardware wallet), I’m not sure how I can persuade most normal people to put a substantial part of their net worth on chain anymore.”
Are there ways to protect your NFT assets? Using the safest storage could be the key. Most of the affected users stored their NFTs in hot wallets, making them vulnerable to attacks. Cold wallets are highly recommended for this purpose since they are not connected to the internet, which makes hacking next to impossible.