Today, a significant security breach at the peer-to-peer NFT trading platform, NFT Trader, resulted in the theft of NFTs valued at millions of dollars. The stolen assets include coveted items from collections such as Bored Ape and Mutant Ape Yacht Club, World of Women, VeeFriends, Art Blocks, among others.
NFT Trader acknowledged the incident in a recent statement, highlighting that the exploit targeted “outdated smart contracts.” The company has advised its users to immediately revoke any previously granted permissions to these contracts. According to user foobar, the attacks ceased following NFT Trader’s update of its smart contracts to address a reentrancy weakness.
In a surprising turn of events, the primary individual behind the hack broadcasted a message on the blockchain. This message implicated another user in the creation of the exploit and justified the attack as an effort to “clear up lingering remnants.” The hacker has proposed to return the stolen tokens in exchange for a ransom, demanding 3 Ethereum for each Bored Ape and 0.6 Ethereum for each Mutant Ape token.
Furthermore, the attacker’s subsequent actions have been erratic. They returned one Bored Ape and 31 Ethereum to a specific user, restored some staked Bored Apes to their original owners, but retained the associated ApeCoin rewards. This complex situation continues to unfold, leaving many in the NFT community in a state of uncertainty and concern.
And now the hacker just sent me 31 eth? What in the world is going on. Is this real life?
— Ricky Sanders (@RSandersDFS) December 16, 2023
In addition to the primary cyber attack, there are emerging reports of secondary hacking incidents leading to the loss of various tokens like Cool Cats and Squiggles from individual wallets. As of now, NFT Trader has not provided a response to The Block’s inquiry for a statement.