This past weekend saw a dramatic heist and recovery involving valuable non-fungible tokens (NFTs) from top collections like the Bored Ape Yacht Club. On Saturday, December 16, 2023, an attacker exploited a security vulnerability in the NFT Trader platform to steal 36 Bored Ape and 18 Mutant Ape NFTs worth nearly $3 million.
The culprit publicly gloated about the theft online and demanded a sizable ransom, payable in Ether (ETH), to return the rare digital collectibles.
- 36 Bored Ape Yacht Club (BAYC) and 18 Mutant Ape Yacht Club (MAYC) NFTs were hacked and stolen from the NFT Trader platform on December 16.
- The hacker publicly announced the theft and demanded a ransom payment in crypto to return the NFTs.
- Yuga Labs co-founder Greg Solano and the group Boring Security coordinated paying the hacker a bounty of 120 Ether (around $260,000).
- After receiving the payment, the hacker returned all of the stolen NFTs as promised.
- The hack was made possible by a loophole introduced during a platform upgrade 11 days prior.
In coordination with Yuga Labs co-founder Greg Solano, the nonprofit group Boring Security took the lead on negotiating with the hacker. They ultimately agreed to pay a bounty worth around 10% of the value of the stolen NFTs, which amounted to 120 Ether or approximately $260,000.
The bounty was paid directly from Solano's own crypto wallet so that the negotiating side retained control of the funds and the timing. As promised, the hacker transferred all of the NFTs back to Boring Security shortly after receiving the payment.
All 36 BAYC and 18 MAYC that the exploiter had are now in our possession.
We sent her 10% of the floor price of the collections as bounty. We will be working with the affected victims getting them back to them free of charge.
Right after this coffee break…
— Boring Security (@BoringSecDAO) December 17, 2023
The successful recovery also highlights the vulnerabilities that persist across platforms dealing with high-value NFTs and crypto assets. According to reports, the breach resulted from changes introduced during a platform upgrade of NFT Trader 11 days prior to the incident. The upgraded contract appears to have exposed a transfer path that did not check who was calling it. Because users had previously granted the platform contract permission to move tokens on their behalf (the standard approval a marketplace needs in order to settle trades), that open path let the attacker pull NFTs straight out of owners' wallets without the owners signing anything.
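The following is an added, generic illustration of that failure class in Solidity; it is not NFT Trader's code and does not reproduce the actual exploited function. It assumes a hypothetical marketplace contract that users have made an operator via `setApprovalForAll`, and shows the unguarded settlement path beside the same path with the caller check it lacks. The `IERC721` interface below is a minimal subset written for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal subset of the ERC-721 interface needed for this example (assumed).
interface IERC721 {
    function ownerOf(uint256 tokenId) external view returns (address);
    function transferFrom(address from, address to, uint256 tokenId) external;
    function isApprovedForAll(address owner, address operator) external view returns (bool);
}

// Hypothetical marketplace after an upgrade. Users have earlier called
// nft.setApprovalForAll(address(this), true), so this contract is an operator
// for every token in their wallets. The settlement path trusts the
// caller-supplied `seller` without checking who is calling.
contract UnguardedSwap {
    function settle(IERC721 nft, address seller, address buyer, uint256 tokenId) external {
        // BUG (illustrative): no check that msg.sender is `seller` or holds an
        // order signed by `seller`. Anyone can name an approved wallet as
        // `seller` and themselves as `buyer`; the NFT then leaves the seller's
        // wallet on the strength of this contract's operator approval.
        nft.transferFrom(seller, buyer, tokenId);
    }
}

// Same entry point with the authorization the unguarded version lacks.
contract GuardedSwap {
    error NotAuthorized(address caller, address seller);
    error NotOwner(address seller, uint256 tokenId);

    function settle(IERC721 nft, address seller, address buyer, uint256 tokenId) external {
        // The party giving up the token must be the caller. A production
        // marketplace would instead verify an EIP-712 order signed by `seller`.
        if (msg.sender != seller) revert NotAuthorized(msg.sender, seller);
        // Defence in depth: `seller` must actually own the token right now.
        if (nft.ownerOf(tokenId) != seller) revert NotOwner(seller, tokenId);
        nft.transferFrom(seller, buyer, tokenId);
    }
}
```

The check a holder can run today is the read side of the same mechanism: `isApprovedForAll(yourWallet, marketplaceContract)` on the collection contract returns `true` for every operator that can still move your tokens, and `setApprovalForAll(marketplaceContract, false)` revokes it. With Foundry's `cast`, for example, `cast call <collection> "isApprovedForAll(address,address)(bool)" <wallet> <marketplace> --rpc-url <url>` answers the first question without spending gas.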
Beyond the technological lapses, the response also speaks to the power decentralized communities are gaining through Web3 models. Rather than relying solely on law enforcement or centralized authorities, Boring Security and Solano took matters into their own hands to negotiate a practical solution using the transparency of blockchain.
Of course, paying ransoms risks encouraging similar crimes down the line. Yet for collectors and creators losing access to rare digital art and collectibles, the priority lay first in recovering the lost NFTs by any means available.
The event shows why security hygiene should remain top of mind across Web3 ecosystems, including auditing contract upgrades before they ship and, on the holder side, revoking approvals granted to platforms that are no longer in use, especially as more mainstream assets transition to blockchain and crypto-based models. Fortunately, the instincts of digital communities are proving responsive even in crisis situations. But preventing breaches in the first place may save millions down the road.