Nearly 150 Bored Ape Yacht Club non-fungible tokens have been stolen since the blue-chip collection was launched in June 2021, according to a report released Tuesday by Web3 security firm Immunefi. The 143 NFTs, collectively worth $13,582,962, were stolen from owners through a variety of scams and hacks.
The majority of that value was stolen during two major hacks in 2022. In April, hackers posted a phishing link—a malicious link used to steal user data—to the BAYC official Instagram page. The link led to a copycat of the BAYC’s website, where users were offered previously undisclosed “perks.” Once users clicked the link, the hackers drained victims’ Ethereum wallets. In June, hackers posted a phishing link directly to Discord channels of BAYC and Otherside, an upcoming metaverse “game” developed by BAYC parent company Yuga Labs. The hackers posed as the channels’ moderator Boris Vagner, whose account had already been hacked.
Immunefi collected the data by scanning OpenSea for Bored Apes that had been flagged for suspicious activity as well as combing through social media for claims of theft that were then investigated using blockchain analyses. They looked for suspicious activity dating back to the founding of the collection until they finalized the report in early August 2022.
Though 143 represents but a fraction of the 10,000 available BAYC NFTs, the trouble is that once these goods are stolen, they are very unlikely to be retrieved, given the nature of decentralized assets.
Because Yuga Labs grants IP rights to the holder of a Bored Ape, the IP is essentially lost to the hackers and granted to whomever buys the stolen goods later—whether intentionally or not. In fact, in May, comedian Seth Green announced that several of his NFTs had been stolen in a phishing scam. Green had been developing a television show using his Bored Ape; the hack put the show’s future in question.
As BAYC IP becomes more valuable, as shown by Eminem and Snoop Dogg, who recently used their IP rights to film a music video featuring their Bored Apes and to sell BAYC-themed merch, the entire collection is undermined when hackers muddy the waters of IP ownership.
Of the stolen BAYC NFTs, only nine have been delisted for suspicious activity on NFT platform OpenSea, meaning that 134 Apes are still frozen and can no longer be traded on the platform.
“These days, the marketplaces are not in control,” Alejandro Muñoz-McDonald, a software engineer at Immunefi, told ARTnews. “People can still transfer [stolen assets] to another account and sell them on decentralized marketplaces where blacklisting features aren’t available.”
After a valuable NFT has been stolen, according to Muñoz-McDonald, hackers will first “wash trade” the item, transferring it to so many different accounts that a new, more innocent-looking provenance is established without readily identifiable links to the hacker’s suspicious, temporary Ethereum address.
According to the report, a Bored Ape reported for suspicious activity on OpenSea recently sold for 194 ETH, equivalent to $267,914 at the time of Immunefi’s reporting in early August.
A report released last week by blockchain analysis firm Elliptic estimated that more than $100m worth of NFTs were stolen between January and July of this year.