NFT Trader is suspected to have been breached after several blue-chip non-fungible tokens (NFTs) were wrongfully transferred.
According to an X post by Chinese crypto news reporter Colin Wu, the NFTs were transferred to the address 0x909F2159780e64143CF08f32dBBF56Ed19478fda.
🚨🚨🚨🚨 RED ALERT
If you’ve ever used NFT Trader in the past, revoke approval to their contract ASAP (0x13d8faF4A690f5AE52E2D2C52938d1167057B9af)
So far already 37 BAYC and 13 MAYC have already been drained to this address https://t.co/KBdpkb8woX
— dingaling (@dingalingts) December 16, 2023
Wu gave an update about the address holder’s on-chain message, denying they hacked the P2P trading platform, and claiming they rescued the NFTs to return them.
The holder, who identified themselves as a female “scavenger,” revealed the real hacker’s address as 0x3dc115307c7b79e9ff0afe4c1a0796c22e366a47b47ed2d82194bcd59bb4bd46
0x90…8fda sent a message on the chain to deny that he was a hacker. He said that he had rescued these NFT assets and would return them, but required the original holders to pay him a 10% bounty; and the real hacker was 0x3dc. ..bd46. https://t.co/3cXW7ibmcA
— Wu Blockchain (@WuBlockchain) December 16, 2023
NFT Trader also announced it has suffered an attack on old smart contracts on X (formerly Twitter), asking users to remove delegations via Revoke.cash to the following addresses:
- 0xc310e760778ecbca4c65b6c559874757a4c4ece0
- 0x13d8faF4A690f5AE52E2D2C52938d1167057B9af
The P2P trading platform is fairly unknown by most NFT traders. its website shows its CEO is John Pak, working together with co-founders Mattia Migliore and an individual who goes by the pseudonym “Bruckzr.”
🚨🚨We’ve suffered an attack on old smart contracts, please remove the delegation using https://t.co/zEMgkS96nP to the following addresses:
-0xc310e760778ecbca4c65b6c559874757a4c4ece0
-0x13d8faF4A690f5AE52E2D2C52938d1167057B9af— NFT Trader (@NftTrader) December 16, 2023
On X, an NFT collector (@dingalingts) urged traders to “revoke approval to their contract ASAP” if they’ve used NFT Trader before. They identified all the stolen digital assets, which amounted to more than $2 million, including 37 BAYC, 13 MAYC, 4 World of Women, and 6 VeeFriends.
You might also like: US court sides with Yuga Labs, agrees RC BAYC are copycats
For the hacker to return the NFTs, they sent some demands through their on-chain message, insisting owners need to pay them a bounty because “it is what they deserve,” asking for 10% of the NFTs’ values for their “work.”
Don’t ‘blindly send ETH‘
The crypto community is skeptical about the demands. Market analysts like ZachXBT are warning traders not to “blindly send their ETH.”
ZachXBT exchanged some words with the exploiter, questioning the integrity of their word to return the assets.
The analyst reckoned that if they were up to giving back the stolen assets, they should consider listing the Apes to the original wallet address or using a middleman for the process.
Amazing things are happening for the monkey nft people
NFT Trader exploiter and ZachXBT exchange words pic.twitter.com/FAL0GgnvAt
— davis 🐺🦊 (@basedkarbon) December 16, 2023
Esports platform Kungama founder Michael Padilla, famously known as TFG, was among the victims of the NFT Trade exploit.
TFG took to X to announce he has lost two of his most valued BAYC NFTs, revealing he used NFT trade about 1 and a half years ago and didn’t think he was at risk because he “removed it as a connected site.”
TFG acknowledged he didn’t take the necessary steps to shield his assets from the exploit, including revoking permissions on Etherscan.
Just got drained for my two favorite NFTs @BoredApeYC
Was drained cause I used NFTtrader as a trading platform 1.5 years ago.
I assumed I wasn’t at risk because I removed it as a connected site, but that isn’t the full steps. Needed to revoke on etherscan
GG😣 pic.twitter.com/6MbK7Kwgp3
— TFG (@TFGmykL) December 16, 2023
According to Eden Block VC founder, who goes by the handle Lior.Eth on X, this is not the first time NFT Trader has been hacked, although there haven’t been any other incidents reported by the platform prior to today’s hack.
An X user dubbed bytes032.xyz, who describes themselves as a white glove smart contract security service provider, described the hack as “peak degeneracy.”
They shared a javascript report of NFTTrader’s exploited smart contract, which showcased how everyone was helpless in pausing the contract because the platform’s team didn’t expose the _pause function with public visibility.
– NFTTrader getting hacked
– contract is pausable so they can pause if getting hacked
– team cannot pause the contract because they forgot to expose the _pause function with a public visibilitythis is peak degeneracy pic.twitter.com/Q2SvTXcSEJ
— @bytes032.xyz (@bytes032) December 16, 2023
The _pause function is used in a smart contract to halt all activity if something goes wrong. If the _pause function is not public, then only the original creator can stop the contract and prevent further loss of funds.
However, if the original creator is unaware of the problem or not available at the time, the hacker could potentially drain all the funds before anyone can stop them.
Nonetheless, there could be a light among the dark clouds seen by the victims of the NFT Trader hack, as BAYC’s founder Greg Solano has offered to pay 10% of the bounty the exploiter has asked for to see the NFTs have been returned to their rightful owners.
And if the info below is real, I will gladly put up the ETH to see these 50 apes back to their rightful owners. https://t.co/7jBwQHQRCj
— Garga.eth (Greg Solano) (@CryptoGarga) December 16, 2023
Hacker returns one NFT without bounty
In a remarkable twist, the exploiter has willingly given back a World of Women (WOW) NFT without charge, per Etherscan data. After returning the stolen WOW NFT, the hacker also returned a BAYC and a VFT to its rightful owners, without any further demand for payment.
Two more apes sent home to from the @NftTrader exploiter. pic.twitter.com/M5GdhEoHUl
— Xeer (@Xeer) December 16, 2023
This unexpected twist has added a sense of unpredictability to the ongoing saga, leaving the community both astonished and uncertain about the hacker’s motives.
Read more: BAYC NFT floor price drops 90% from $600,000 in 18 months