For the ‘up only’ crypto crowd, 2022 has been a year to forget. Aside from depressed asset prices affecting virtually every corner of the ecosystem, NFTs included, it has also been a record year for hacks, with October the worst month on record. We had seen it all, or so we thought. In the latest saga, 14 Bored Ape NFTs have been stolen through what can only be described as magnificent social engineering, executed in the most devious way possible.
What makes this different to the other 3,044 hacks this year? The sheer attention to detail and degree of manipulation puts this one in a league of its own.
The tale of 14 Bored Ape NFTs and the long con
Recently, Twitter user and serial NFT collector @_sevenseason_ was relieved of his entire Bored Ape NFT collection worth over US$1 million.
Most scams happen in an instant, but not this one. This particular scammer spent months carefully curating an alluring offer designed to deprive the target of his prized apes – talk about a long con.
Twitter user @Serpent broke down how the con took place.
The scammer, @JasonBrubeck, contacted the victim asking to licence the intellectual property (IP) rights for Bored Ape Yacht Club (BAYC) #2060. “Jason” claimed to be a casting director at Forte Pictures, an LA-based, Emmy-award-winning company with offices at Sony Pictures Studio.
It turns out that “Jason Brubeck” does not exist, but Forte Pictures and Marcus Mizelle, both mentioned in the Twitter DMs, do. Interestingly, the real Forte Pictures did not own the domain forte.pictures; it operated under Mizelle’s own website, marcusmizelle.com.
This is where the foresight and planning kicked into overdrive. Recognising the opportunity to pose as Forte Pictures through a fake website, the scammer registered forte.pictures, a domain only 118 days old at the time Serpent looked into it. “Jason”, posing as the Emmy-award-winning company, claimed it was making an NFT-related film called ‘The Return of Time’ in collaboration with ‘Unemployd’.
According to Serpent, “Unemployd was an ‘AI powered social IP platform for NFTs’ which was also a scam. They spent many hours in calls, talked with victims for weeks, created fake pitches and partnerships, formed fake legal contracts, and hosted frequent Twitter Spaces.”
Furthermore, the scammers are also said to have created fake Twitter accounts posing as other Bored Ape holders, which pretended to be doing their own licensing deals with ‘Unemployd’.
Up a notch
Now this is when things cranked up a notch. After walking the victim through the contracts, the scammers sent what was claimed to be the final agreement and asked him to head over to Unemployd to sign it. Except it wasn’t a contract at all. The signature request was a marketplace sale order: by signing it, the victim offered all 14 Bored Ape NFTs to the scammer in a private sale for the paltry price of 0.00000001 ETH (we’re talking about a fraction of a penny here). No separate transaction was needed; the signature itself was the sale.
After completing the private sale, the scammer listed the NFTs and accepted the highest WETH offers on all of them. They then converted the proceeds, some 852.86 WETH, into US$1.07 million of the stablecoin DAI. At the time of writing, the funds remain dormant at a single address.
Lessons anyone?
As Serpent points out, there are a few critical takeaways from this particularly sly scam that relied on building trust over an extended period of time.
You could say that these ought to be viewed as common sense, particularly when dealing in the digital realm with characters whose online representations may be the complete opposite of their intentions. These include:
- Understand what you’re signing; don’t blindly approve random signature or transaction requests, and read the decoded payload, not the label the website puts on it.
- Don’t trust new or random platforms.
- Use multiple wallets (hot, cold, hardware), and keep high-value assets in one that never signs marketplace or dApp requests.
- Always confirm authenticity and identities through a channel the other party doesn’t control.
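The first lesson is easier to act on with a concrete check. The following is an added example, not code from this page, from Serpent’s thread, or from any wallet or marketplace: it inspects an EIP-712 typed-data request before it is signed and flags one that would hand over many NFTs for a near-zero payment. The order layout is modelled on a Seaport-style “OrderComponents” struct (offer and consideration arrays); that is an assumption, since the page does not say which marketplace contract or signature format the scammer used, nor whether 0.00000001 ETH was the total or the per-ape price (the check catches either). All addresses and all token ids other than #2060 are constructed placeholders.

```javascript
// Added example: pre-signature sanity check for an EIP-712 typed-data request.
// ASSUMPTION: the order mirrors a Seaport-style "OrderComponents" struct; the
// page does not say which marketplace contract or signing format was used.
// How a private listing restricts the counterparty is marketplace-specific
// and omitted here; any holder of the signed order could fulfil this one.

const WEI_PER_ETH = 10n ** 18n;
// Seaport ItemType codes: 0 NATIVE (ETH), 1 ERC20, 2 ERC721, 3 ERC1155.
const ItemType = { NATIVE: 0, ERC20: 1, ERC721: 2, ERC1155: 3 };

// Constructed placeholder addresses; not real wallets or contracts.
const VICTIM = "0x" + "11".repeat(20);
const APE_CONTRACT = "0x" + "33".repeat(20);
const MARKET_CONTRACT = "0x" + "44".repeat(20);

// Render a wei amount as a decimal ETH string without float rounding.
function formatEth(wei) {
  const whole = wei / WEI_PER_ETH;
  const frac = (wei % WEI_PER_ETH).toString().padStart(18, "0").replace(/0+$/, "");
  return frac ? `${whole}.${frac}` : `${whole}`;
}

// Build the typed data for "signer sells tokenIds for priceWei, paid to signer".
function buildSampleOrder(signer, tokenIds, priceWei) {
  return {
    domain: { name: "Seaport", version: "1.1", chainId: 1, verifyingContract: MARKET_CONTRACT },
    primaryType: "OrderComponents",
    message: {
      offerer: signer,
      offer: tokenIds.map((id) => ({
        itemType: ItemType.ERC721, token: APE_CONTRACT,
        identifierOrCriteria: String(id), startAmount: "1", endAmount: "1",
      })),
      consideration: [{
        itemType: ItemType.NATIVE, token: "0x" + "00".repeat(20), identifierOrCriteria: "0",
        startAmount: priceWei.toString(), endAmount: priceWei.toString(), recipient: signer,
      }],
    },
  };
}

// Work out what the signature would authorise and return a verdict with warnings.
// minWeiPerNft is the least the signer is willing to receive per NFT given away.
function checkBeforeSigning(typedData, signer, minWeiPerNft) {
  const warnings = [];
  const msg = typedData.message;
  const same = (a, b) => a.toLowerCase() === b.toLowerCase();
  if (typedData.primaryType !== "OrderComponents") {
    warnings.push(`unexpected primaryType ${typedData.primaryType}; this is not a sale order`);
  }
  if (msg.offerer && !same(msg.offerer, signer)) {
    warnings.push("offerer is not the signing wallet");
  }
  const nftsOffered = msg.offer.filter(
    (i) => i.itemType === ItemType.ERC721 || i.itemType === ItemType.ERC1155).length;
  // Only payment routed back to the signer counts; fees to other recipients do not.
  const valueToSignerWei = msg.consideration
    .filter((c) => (c.itemType === ItemType.NATIVE || c.itemType === ItemType.ERC20)
      && same(c.recipient, signer))
    .reduce((sum, c) => sum + BigInt(c.startAmount), 0n);
  if (nftsOffered === 0) warnings.push("no NFTs in offer; check what else is being given away");
  if (nftsOffered > 1) warnings.push(`signature transfers ${nftsOffered} NFTs in one order`);
  if (nftsOffered > 0 && valueToSignerWei < minWeiPerNft * BigInt(nftsOffered)) {
    warnings.push(`you receive only ${formatEth(valueToSignerWei)} ETH for ${nftsOffered} NFT(s)`);
  }
  return {
    nftsOffered, valueToSignerWei, valueToSignerEth: formatEth(valueToSignerWei),
    warnings, safe: warnings.length === 0,
  };
}

// The shape of the request described on the page: 14 apes for 0.00000001 ETH.
// #2060 is named on the page; the other 13 ids are constructed.
const SCAM_TOKEN_IDS = [2060, ...Array.from({ length: 13 }, (_, i) => 7001 + i)];
const SCAM_ORDER = buildSampleOrder(VICTIM, SCAM_TOKEN_IDS, 10n ** 10n); // 0.00000001 ETH in wei

const verdict = checkBeforeSigning(SCAM_ORDER, VICTIM, WEI_PER_ETH); // insist on >= 1 ETH per ape
console.log(verdict.safe ? "looks like a normal sale"
  : "DO NOT SIGN:\n  " + verdict.warnings.join("\n  "));
```

The point of the check is that the wallet prompt showed the victim a “contract” to sign, but the bytes being signed were a sale order. Reading the decoded `offer` and `consideration` fields, rather than the website’s description of them, is what would have exposed the swap: fourteen ERC721 items out, a single payment of 0.00000001 ETH in.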
While many cite the lack of intermediaries in the crypto world as a benefit, it of course comes at a cost – namely that when things go wrong, there is nobody there to save you. Naturally, this hasn’t stopped folks from whining about how platforms such as OpenSea should ‘do better’.
Logical consistency would require one to pick a lane. Then again, when these sorts of things happen, logic tends to be the first casualty.