It’s no secret that Yuga Labs’ Bored Ape Yacht Club (BAYC) non-fungible token (NFT) series is hot property. In the 12 months following the project’s launch, it’s hit over $2 billion in total sales, attracted more than 6,000 members, and collected A-list fans like Pokemon cards.
But there’s a flip side to this runaway success, namely that it’s not only legit traders wanting a piece of the action. As such, millions of dollars’ worth of Apes have been lost to scams.
It’s easy to see why. Similar to CryptoPunks, the 10,000 Apes were bestowed with random characteristics, including hats, button eyes, and cigarettes. Rarer combinations are obviously deemed more valuable and despite a launch price of 0.08 ETH ($190), a single one of the algorithmically generated characters can now fetch hundreds of thousands of dollars. The collection’s gold-furred Apes even sold for millions at the height of the hype.
But this level of hype is always going to bring risk. And thanks to a trend of owners flaunting their Apes on social media, it’s not been hard for hackers to seek out their next mark.
While many large-scale hacks have been widely reported, it’s likely that many more Apes have been lost to unreported scams thanks to red-faced former owners being too ashamed to own up to falling for a con.
Thing is, it’s not just the amount of money that’s been lost to Bored Ape scammers, it’s the sheer breadth of scams. If bad actors want to get their hands on your Ape, there’s not a lot they won’t do. Put simply, if you own an Ape, you’ve got to be on your guard 24/7.
BAYC NFTs sold to low-ball chancers
On April 23, 10,000 images of Apes sold out in just 12 hours. Those that bought into the NFT market’s latest gimmick now owned an image considered throughout the wider crypto community to be incredibly valuable. Understandably, many BAYC NFT holders choose to sell their Apes on, but when excitement around potentially massive profits sets in, essential details can be overlooked.
Consider this transaction from May 17, 2021. An NFT trader acquired Ape #6874 from its first owner for 0.42 ETH (at the time around $1,000). Three weeks later the same Ape was sold for 2.75 USDC ($2.75).
NFT blogger Metaverse Morgan suggested that the bargain sale was a result of the seller not spotting the denomination of the offer and mistaking the dollar-pegged proposed settlement as payment in ETH. On the same day, the teary-eyed bunny-eared Ape was transferred through two different OpenSea accounts, eventually selling for 1.97 ETH (then $4,300).
Bored Ape Bargain Club thanks to OpenSea “loophole”
In January this year, TBALLER.eth appeared to have fallen victim to a similar scam. Ape #9991 sold for 0.77 ETH, equivalent to just over $2,000 at the time and roughly one-hundredth of the NFT’s value. In this instance, the attacker is believed to have exploited a loophole on the NFT marketplace OpenSea.
This situation was less a low-ball sale and more an opportunistic understanding of how OpenSea really works. When an NFT is listed for sale, a transaction is added to the blockchain where it remains unless it’s canceled by the user.
However, as CoinDesk notes, OpenSea has a function that will adjust the NFT’s price without the need to pay the gas fee for a new listing. This does create a new listing but it doesn’t cancel the old one, leaving unfulfilled listings open for this type of sniping.
In TBALLER’s case, the Ape was transferred through several wallets where it was listed for various amounts. One of these — for 0.77 ETH — was fulfilled and the Ape was sold. Following TBALLER’s troubles, OpenSea notified users if they had unfulfilled listings which could make their NFTs vulnerable to sniping.
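The stale-listing condition described above can be audited from a seller’s own listing history. The following is an added example, not code from OpenSea or from this article; the `Listing` record, its field names and the sample data are constructed assumptions and do not reflect OpenSea’s API.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Listing:              # hypothetical record, not an OpenSea type
    listing_id: str
    token_id: int
    price_eth: float
    created_at: int             # Unix time the listing was created
    expires_at: Optional[int]   # None means the listing never expires
    cancelled: bool = False


def is_open(x: Listing, now: int) -> bool:
    """A listing can still be fulfilled if it was never cancelled and has not expired."""
    return not x.cancelled and (x.expires_at is None or x.expires_at > now)


def stale_listings(listings: List[Listing], now: int) -> List[Tuple[Listing, float]]:
    """Return open listings priced below the newest open listing of the same
    token, with the factor by which they undercut it, worst first."""
    by_token = {}
    for x in listings:
        if is_open(x, now):
            by_token.setdefault(x.token_id, []).append(x)
    findings = []
    for open_ls in by_token.values():
        newest = max(open_ls, key=lambda x: x.created_at)
        for x in open_ls:
            if x is not newest and x.price_eth < newest.price_eth:
                findings.append((x, newest.price_eth / x.price_eth))
    return sorted(findings, key=lambda f: f[1], reverse=True)


NOW = 1_000
SAMPLE = [  # constructed data: token 1 was relisted higher without cancelling
    Listing("old-low", 1, 0.75, 100, None),
    Listing("old-cancelled", 1, 0.5, 150, None, cancelled=True),
    Listing("old-expired", 1, 0.6, 160, 500),
    Listing("current", 1, 75.0, 200, None),
    Listing("only", 2, 3.0, 300, None),
]

if __name__ == "__main__":
    for listing, factor in stale_listings(SAMPLE, NOW):
        print(f"token {listing.token_id}: {listing.listing_id} still open at "
              f"{listing.price_eth} ETH ({factor:.0f}x below current price)")
```

Any listing the audit reports needs an explicit cancellation, since relisting at a higher price does not retire it.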
Phishing for Apes
Earlier this week, actor Seth Green told the world how he lost a Bored Ape worth $200,000 and a number of other valuable NFTs to a phishing scam. Green begged the internet not to buy his NFTs but left out specific details about the scam he fell for. Normally phishing scam victims are tricked into handing over access after a bad actor impersonates a trusted party. This is also known as social engineering.
Back in August, two BAYC NFT owners lost their Apes when scammers lurking on OpenSea’s Discord server posed as support staff. The scammers tricked the two unlucky collectors into handing over their MetaMask QR codes, which allowed access to their wallets and the soon-to-be stolen Apes stored inside.
More recently, a BAYC member lost their Bubble Gum Ape and two other mutant derivatives worth more than $500,000. The scammer lured the victim into handing over their NFT for a set of worthless images disguised as official BAYC NFTs.
The owner known online as s27 agreed to the proposed swap on NFT trading app Swap.Kiwi. While green verified ticks suggested that the three Apes on offer were legit, they weren’t. The scammer had simply right-click-saved three random Apes online and added a green tick to the worthless jpegs.
If it sounds too good to be true then it’s probably a scam
Other phishing scams are disguised as giveaways, and malicious links prey on Ape owners’ thirst for crypto rewards. Judging by the success rate of some of these scams, people are all too happy to let down their guard when promised something for nothing.
One of the most famous examples of this is the heavily memed “all my apes are gone” incident, now legendary in the NFT community. Art gallery owner Todd Kramer ran to crypto Twitter after he clicked a dodgy link that relieved him of his collection worth around $2 million.
Similarly, hackers used airdrops of BAYC’s token ApeCoin and virtual land in Yuga Labs’ metaverse to the same effect. They commandeered official BAYC and Yuga Labs channels as well as the accounts of crypto influencers, resulting in millions of dollars’ worth of NFTs being stolen.
This particular type of scam isn’t helped by the fact that previous legitimate benefits have come in the form of free mints and airdrops from Yuga Labs.
Bored Apes (sometimes) reunited with owners
What sticks out in many of the BAYC scams is the lack of sympathy for the owners. Unlucky victims are often taunted by both scammers and crypto Twitter with quips along the lines of, “boo hoo, expensive monkey picture gone?”
However, there is occasionally some evidence that Bored Ape NFTs find their way back to their rightful owners.
After a barrage of internet ridicule, it was a happy ending for Todd Kramer. Following his Twitter plea, OpenSea froze the Apes still up for sale and crypto Twitter worked together to return the rest to him.
In any case, the efforts of hackers trying to get their hands on other people’s Apes don’t seem to be slowing. In fact, they’re only likely to increase with celebrities like Eminem, Elon Musk, and Madonna joining the BAYC. Not to mention the BAYC band that Universal is developing.