# NFT Theft Analysis

<figure><img src="/files/fxbvKYcvvSp62oK39iX0" alt=""><figcaption></figcaption></figure>

In this article I’d like to provide some data regarding the recent NFT thefts. The original data is provided by Decrypt. Analysis is provided by [Callisto Security Department](https://callisto.network/smart-contract-audit/).

{% embed url="<https://decrypt.co/105385/300-nfts-stolen-400k-in-ethereum-taken-in-premint-hack>" %}

{% embed url="<https://decrypt.co/93371/opensea-ceo-devin-finzer-responds-1-7-million-phishing-attack>" %}

{% embed url="<https://decrypt.co/98614/bored-ape-yacht-club-instagram-hacked-ethereum-nfts-stolen>" %}

{% embed url="<https://decrypt.co/102505/seth-green-pays-300k-to-recover-his-stolen-bored-ape-yacht-club-nft>" %}

## 1. Premint platform hack <a href="#id-3536" id="id-3536"></a>

### What happened? <a href="#ebe6" id="ebe6"></a>

On July 17, 2022 attackers compromised the Premint website and injected a malicious pop-up that was shown to Premint users. The pop-up, presented as a "security measure", tricked users into handing their funds over to the attackers' address.

As a result, 320 NFTs were stolen. At the time of writing the attackers had sold 302 of them and still held the other 18.

### What failed? <a href="#d47a" id="d47a"></a>

The backend security model of the Premint platform, which allowed the attackers to serve their own content to every visitor of the site.

### Possible causes <a href="#id-846b" id="id-846b"></a>

* Human factor / abuse of internal privileges. A Premint team member with sufficient privileges could have deployed the malicious code intentionally.
* Flaws in the backend security model.
* An error on the service provider's side. The same human-factor failure or security-model flaw could have occurred at a service provider that Premint depended on.

### Conclusions <a href="#e138" id="e138"></a>

* Users could have avoided losing their funds in this hack simply by not handing their sensitive data to the malicious pop-up. If a service behaves as if it wants to steal your funds, it may well be doing exactly that.

## 2. OpenSea phishing attack <a href="#a7d4" id="a7d4"></a>

### What happened? <a href="#a9ce" id="a9ce"></a>

On February 19, 2022 a number of addresses transferred their ETH and NFTs to [this address](https://etherscan.io/address/0x3e0defb880cd8e163bad68abe66437f99a7a8a74#tokentxnsErc721) (now labelled as phishing by Etherscan). According to the affected users, the transfers were unintentional.

It is assumed that someone created a phishing copy of the OpenSea marketplace that tricked users into sending Ether and NFTs to the attacker's address.

Exactly where the phishing page was hosted and how users reached it is not known.

### What failed? <a href="#id-429a" id="id-429a"></a>

This was a mistake on the users' side. Someone created and promoted a copy of the web page, and confused NFT owners then used it. The OpenSea team could not have prevented this.

### Conclusions <a href="#id-8c9a" id="id-8c9a"></a>

* Users could have avoided losing their funds by paying closer attention to (1) which services they use and (2) what those services are about to do with their funds.
* A transaction request should carry a description of the actions it will trigger, and users must be able to verify the exact destination of the transaction before signing it.

## 3. Bored Ape Instagram hack <a href="#id-0de5" id="id-0de5"></a>

### What happened? <a href="#fb47" id="fb47"></a>

On April 25, 2022 an attacker compromised the official Bored Ape Yacht Club Instagram account and posted a link to a malicious web page. The page promised an airdrop of virtual land in the upcoming metaverse, but what it actually asked users to sign was a transfer of their assets.

As a result, 91 NFTs valued at roughly $2,800,000 were drained from users.

### What failed? <a href="#id-4de0" id="id-4de0"></a>

The security model of the project's social media management.

### Possible causes <a href="#f0b8" id="f0b8"></a>

* Human factor / abuse of internal privileges. Anyone in charge of the official Instagram account could have shared a malicious link intentionally.
* Human failure. A person in charge of the official Instagram account could have compromised it unintentionally.
* Failure on Instagram's side. Human-factor errors apply to the Instagram platform itself as well.

### Conclusions <a href="#id-1988" id="id-1988"></a>

* As always, users could have avoided being scammed by not following the announcement and not handing their NFTs to the attackers.
* The transaction details should have been verified before signing.
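The check that the two conclusions above (and the OpenSea conclusions before them) call for, as an added example that is not part of the original analysis nor code from Callisto, OpenSea or Yuga Labs: a decoder for the calldata of the ERC-721 calls that move or delegate tokens (`approve`, `setApprovalForAll`, `transferFrom`, `safeTransferFrom`), which produces a plain description of what signing the request would authorise and flags any operator or recipient that is not on an allowlist the user maintains. The four-byte selectors are the standard ERC-721 ones; the wallet addresses, the allowlist and the calldata are constructed for the demonstration and stand in for what a wallet receives from a dapp. It covers only direct ERC-721 calls, not calls into marketplace contracts or off-chain (EIP-712) signatures, which a real wallet would also have to explain.

```python
"""Explain an ERC-721 transaction request before it is signed.

Added example (not Callisto's or the page's code). The selectors are the
standard ERC-721 ones; the addresses, allowlist and calldata are constructed
for the demo and stand in for values a wallet would receive from a dapp.
"""
from typing import Dict, List, Tuple

# First 4 bytes of keccak-256(signature) for the ERC-721 functions that move
# or delegate tokens.  Anything else is treated as "unknown, do not sign blind".
ERC721_SELECTORS: Dict[str, Tuple[str, Tuple[str, ...]]] = {
    "095ea7b3": ("approve", ("address", "uint256")),
    "a22cb465": ("setApprovalForAll", ("address", "bool")),
    "23b872dd": ("transferFrom", ("address", "address", "uint256")),
    "42842e0e": ("safeTransferFrom", ("address", "address", "uint256")),
    "b88d4fde": ("safeTransferFrom", ("address", "address", "uint256", "bytes")),
}


def _decode_static(kind: str, word: bytes):
    """Decode one 32-byte ABI word of a static type."""
    if kind == "address":
        return "0x" + word[12:].hex()          # address is the low 20 bytes
    if kind == "uint256":
        return int.from_bytes(word, "big")
    if kind == "bool":
        return int.from_bytes(word, "big") != 0
    raise ValueError(f"unsupported type {kind}")


def decode_erc721_call(calldata: str) -> dict:
    """Split calldata into selector + ABI-decoded arguments (ERC-721 subset)."""
    data = bytes.fromhex(calldata[2:] if calldata.startswith("0x") else calldata)
    selector = data[:4].hex()
    if selector not in ERC721_SELECTORS:
        return {"function": None, "selector": selector, "args": []}
    name, kinds = ERC721_SELECTORS[selector]
    area = data[4:]                              # argument words start after the selector
    args = []
    for i, kind in enumerate(kinds):
        word = area[32 * i: 32 * i + 32]
        if len(word) != 32:
            raise ValueError("calldata truncated")
        if kind == "bytes":                      # dynamic: the word is an offset into `area`
            offset = int.from_bytes(word, "big")
            length = int.from_bytes(area[offset:offset + 32], "big")
            args.append(area[offset + 32: offset + 32 + length])
        else:
            args.append(_decode_static(kind, word))
    return {"function": name, "selector": selector, "args": args}


def review_request(calldata: str, owner: str, trusted: List[str]) -> dict:
    """Describe what signing `calldata` from `owner` authorises and warn about
    any operator/recipient outside the user's own `trusted` allowlist."""
    call = decode_erc721_call(calldata)
    trusted_set = {a.lower() for a in trusted}
    fn, args, warnings = call["function"], call["args"], []
    if fn is None:
        call["summary"] = f"unknown selector 0x{call['selector']}"
        warnings.append("unrecognised function: the wallet cannot tell you what this does")
    else:
        call["summary"] = f"{fn}({', '.join(str(a) for a in args)})"
        if fn == "approve":
            to, token_id = args
            if to.lower() not in trusted_set:
                warnings.append(f"lets {to} take token {token_id} out of your wallet")
        elif fn == "setApprovalForAll":
            operator, approved = args
            if approved and operator.lower() not in trusted_set:
                warnings.append(f"lets {operator} move EVERY token of this collection "
                                "you own now or later, until you revoke it")
        else:  # transferFrom / safeTransferFrom
            src, to, token_id = args[0], args[1], args[2]
            if src.lower() != owner.lower():
                warnings.append(f"moves token {token_id} from {src}, not from the signing account")
            if to.lower() not in trusted_set:
                warnings.append(f"sends token {token_id} to untrusted address {to}")
    call["warnings"] = warnings
    call["safe_to_sign"] = not warnings
    return call


def _word(value: int) -> str:
    """ABI-encode an integer/address as one 32-byte hex word."""
    return value.to_bytes(32, "big").hex()


# Constructed sample scenario (not real addresses or captured traffic).
OWNER = "0x" + "11" * 20      # the user's wallet
MARKET = "0x" + "22" * 20     # marketplace operator the user chose to trust
ATTACKER = "0x" + "33" * 20   # address behind a fake "airdrop" page
LEGIT_LISTING = "0xa22cb465" + _word(int(MARKET, 16)) + _word(1)
FAKE_AIRDROP = "0xa22cb465" + _word(int(ATTACKER, 16)) + _word(1)
DRAIN_TRANSFER = ("0x42842e0e" + _word(int(OWNER, 16))
                  + _word(int(ATTACKER, 16)) + _word(1234))

if __name__ == "__main__":
    for label, cd in [("listing", LEGIT_LISTING), ("airdrop", FAKE_AIRDROP),
                      ("transfer", DRAIN_TRANSFER)]:
        r = review_request(cd, OWNER, [MARKET])
        print(f"{label:9} {r['summary']}")
        for w in r["warnings"]:
            print(f"          WARNING: {w}")
        print(f"          safe to sign: {r['safe_to_sign']}")
```

A wallet or browser extension would run a check like this on every request before showing the signing prompt. The allowlist is the part that matters for the cases in this article: a `setApprovalForAll` request reached through an "official" Instagram link still fails, because the operator it names is one the user never chose to trust, and the summary line shows the user what the page's "airdrop" button actually does.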

## 4. Bored Fred kidnapping <a href="#bdc0" id="bdc0"></a>

Actor and producer Seth Green purchased the *Bored Ape Yacht Club #8398* NFT, which granted him the rights to use the cartoonish character displayed on it. He named this character [Fred Simian](https://www.instagram.com/fred_simian/).

Unfortunately the Fred NFT was stolen from Seth Green, and with it the actor lost his intellectual property rights. The NFT [was then bought from the hacker](https://etherscan.io/tx/0x8e456f0b4b42e9bdbc9be050c547f0a748ade6046c9fbca2f07e98f21a4b419d) by a collector ([DarkWing84](https://opensea.io/DarkWing84)). To reclaim the rights to use Fred, Seth Green purchased the NFT again for $300,000.

Source: <https://www.buzzfeednews.com/article/sarahemerson/seth-green-bored-ape-stolen-tv-show>

### What happened? <a href="#bfca" id="bfca"></a>

Seth Green [lost control](https://twitter.com/SethGreen/status/1526588358859759617?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1526588358859759617%7Ctwgr%5E8e1a3b28056a181748c5e299dd176fe4c4b27ab1%7Ctwcon%5Es1_\&ref_url=https%3A%2F%2Fwww.buzzfeednews.com%2Farticle%2Fsarahemerson%2Fseth-green-bored-ape-stolen-tv-show) of 4 of his NFTs while trying to mint a new collection through a fake site.

### What failed? <a href="#id-2845" id="id-2845"></a>

* This was a mistake on the user's side.
* Ethereum account management mistake: Seth Green should have kept the "hot wallet" he used to pay for interactions separate from the "storage wallet" that held his most valuable assets, so that a single bad signature from the hot wallet could not reach them.

## General conclusions on NFT infrastructure security <a href="#a5cd" id="a5cd"></a>

* It is evident that in most cases NFT thefts do not involve any exploit of the NFT smart contracts themselves. Unlike ERC20, which can potentially harm users on its own, the ERC721 standard is a step forward security-wise.
* In most cases the security issue lies on the side of third-party services or user interfaces.
* It is incredibly important to understand that **nothing is perfectly secure**. Official accounts get hacked. Teams of people are prone to bribery, corruption and greed. Secure applications must be designed with this in mind, and communities must be informed that every interaction has to be verified.
* The main target for attackers is third-party service providers and infrastructure applications.

