The attack was carried out by exploiting a security vulnerability in the “old smart contract” of the peer-to-peer trading platform NFT Trader. This flaw allowed hackers to access NFT collections on the platform, including popular series like Bored Ape Yacht Club and Mutant Ape Yacht Club. It was determined that 13 Mutant Apes and 37 Bored Apes were stolen. Other significant collections such as VeeFriends and Art Blocks were also affected.
The incident was confirmed by NFT Trader through X. The company advised its users to revoke all permissions they had previously granted to smart contracts.
A user claimed that the attacks ceased after NFT Trader updated their smart contracts to fix the security vulnerability.
The Attacker’s Confusing Actions
Interestingly, the attacker demanded a ransom of 3 ETH for each Bored Ape and 0.6 ETH for each Mutant Ape, offering to return the NFTs to their owners after payment. The attacker also reportedly made some confusing moves, returning certain NFTs to their owners while keeping the ApeCoin rewards.
One of the victims of the attack reported that the attacker not only returned a stolen rare NFT but also sent 31 Ether (ETH), worth approximately $70,680. The victim reacted, saying, “And now the hacker has sent me 31 ETH? What’s happening in the world? Is this real life?”