On Saturday, December 16, the NFT Trader marketplace was breached by hackers. This resulted in the theft of dozens of ERC-721 tokens. Most notably, NFTs from the valuable Bored Ape Yacht Club (BAYC) collection were stolen.
By Monday morning, many kidnapped Apes had been released thanks to ransom payments worth hundreds of millions of dollars. But the incident threatens to serve as a major reputational blow to NFT Trader and the wider market.
The recent incident is among the most dramatic in the history of NFT heists.
In what appears to be the work of multiple parties with competing interests, hackers gained access to NFT Trader wallets belonging to users who had previously approved vulnerable contracts.
According to a series of on-chain messages, the BAYC burglar was not the initial contract exploiter. Identifying as a “scavenger” who “came here to pick up residual garbage” left by the vulnerability, they ended up stumbling upon some of the most valuable NFTs on the market.
The hacker made off with 36 Bored Apes and 18 NFTs from the Mutant Ape Yacht Club (MAYC). The exploiter said they would return the stolen NFTs for a ransom of 3 ETH per BAYC and 0.6 ETH per MAYC.
As the community reacted to the proposal, Yuga Labs co-founder Greg Solano offered to pay the 120 ETH bounty in full, joining forces with the non-profit DAO Boring Security to negotiate their release.
By Sunday morning, Boring Security confirmed that the stolen Apes were in its possession. The ApeCoin-funded DAO said it was working to return the NFTs to their original owners. The DAO asked victims of the hack to get in touch via Discord.
Having received her ransom payment, the NFT Trader exploiter offered a final warning to her victims. She said: “Don’t let me catch you next time.”
Such remarks are common among so-called “gray hat” hackers. Gray hats fall somewhere between “black hat” actors, who exploit for maximum profit, and “white hat” cybersecurity researchers engaged in official bug bounty programs. Moreover, the comments highlight how poor security poses a threat to an industry that is struggling to make a comeback.
NFT floor prices rallied in mid-October, triggered by a bullish turn in cryptocurrency markets. As a result, many collectors celebrated the end of an NFT winter that depressed trading for over a year. However, the recent hack threatens to derail that recovery.
Over the weekend, the floor price for the BAYC collection fell nearly 8% from over $61,000 to just $56,748 by Monday morning. With just 25 sales in the past 24 hours, trading volume has fallen to its lowest level since October.
The most lasting damage inflicted by the most recent hack might not be to BAYC floor prices but to NFT Trader’s reputation.
Despite reassurances that “our commitment to safeguarding your assets remains unwavering,” the platform has been broadly condemned for its response. Many users blame NFT Trader for the stolen Bored Apes. If it weren’t for the actions of Solano and Boring Security, collectors could have lost some of their most prized assets for good.