The world has evolved quite a lot since Home Alone came out in 1990, but one thing that hasn't changed is that Christmas remains a prime season for theft. While houses continue to be the most common criminal targets, digital assets are increasingly becoming an extra source of illicit holiday revenue.
Over the past weekend, hackers targeted the non-fungible token (NFT) market, stealing $3 million of assets from the platform NFT Trader and $1.5 to $1.6 million from Flooring Protocol.
Both attacks started out similarly, by exploiting vulnerabilities in smart contracts, but they ended quite differently. The first had a classic seasonal happy ending; the second did not.
NFT Trader attack
The first theft of the weekend happened when attackers exploited a vulnerability in some of the NFT Trader platform’s old smart contracts. The flaw allowed unrevoked trading permissions to be used to transfer digital assets from their legitimate users into the hackers’ wallets. The stolen assets included 36 Bored Apes (BAYC), 18 Mutant Apes (MAYC), and World of Women and VeeFriends NFTs, along with tokens from these projects’ ecosystems.
A few hours after the attack, one of the attackers claimed in an Etherscan message that she ("a good, kind kid and a beautiful girl") was not the mastermind. However, she said she would return the NFTs that were illicitly collected if the original owners paid a ransom for their prized possessions.
“if you want the monkey nft back, then you need to pay me a bounty, which is what I deserve. 1 BAYC = 30 ETH 1 MAYC = 6 ETH you need to pay me %10 ETH for my work if you have a BAYC with me then you need to pay me 3 ETH if it's a BAYC and a MAYC then 3.6 ETH.”
ApeCoin-funded Web3 non-profit security project BoringSecurityDAO and Yuga Labs partnered up to negotiate with the hacker and sent her 120 ETH, approximately $267,000, for the monkeys and mutants to be returned to the wallets where they belonged.
Boring Security was also working with World of Women to retrieve the collection’s stolen NFTs, and some VeeFriends were also reportedly returned by the exploiter free of charge.
“I'd like to wish you all an early Merry Christmas, so, so, so, so, so, so, so, so, so don't let me catch you next time, okay?” - NFT Trader Exploiter
Flooring Protocol attack
Flooring Protocol launched in October with a new solution for NFT fragmentation that turned the tokens into tradeable derivatives. It garnered a lot of attention and quickly became the largest holder of Azuki Elementals, Pudgy Penguins, and y00ts collections.
With the NFT market recovering from a tough year, reaching almost $1 billion in trading volume last month, the newcomer apparently seemed like low-hanging fruit. Hackers found a vulnerability in the protocol's peripheral or multi-call smart contract and got away with 36 Pudgy Penguins and 14 Bored Apes.
Within two hours, the project’s developers fixed the issue and safeguarded the remaining assets. Unfortunately, nothing could be done to recover the stolen goods and make the owners whole. Allowing no time for a change of heart, the exploiters dumped the NFTs on Blur immediately after exploiting the protocol.
In a message to the victims of the assaults, Boring Security told its users that “it turns out being your own bank is complicated.” However, it believes that with future developments in technology, security will become simpler to manage and guarantee. For now, Web3 will have to be prepared during the festive theft season like any other industry.