Following multiple hacks and scams on the OpenSea NFT platform over the past year, the company has faced three lawsuits from people who lost access to their NFTs from the Bored Ape Yacht Club (BAYC) collection.
Timmy McKimmy of Texas and Michael Valis of New York claim to have lost Bored Ape NFTs in a hack that exploited a well-known security vulnerability in the OpenSea code. Another victim, Robert Armijo of Nevada, said he lost his Bored Ape tokens as a result of a social engineering attack that he says was made possible by OpenSea’s neglect of user protection.
Timmy McKimmy and Michael Valis lost their tokens in similar hacks. Whether the same hacker was behind the theft of their NFTs is unknown.
“Even though McKimmy did not list his NFT for sale, OpenSea requires the user to connect a wallet so that people can see what NFTs are on that wallet and can make offers for NFTs that are not for sale,” explained Ash Tadghigi, attorney for Mr. McKimmy.
Using a security vulnerability, a hacker placed a bid, cracked the code, and accepted the offer on McKimmy’s behalf. That is, he actually sold the NFT to himself and resold it to another user within an hour.
According to publicly available transaction data, the hacker sold NFTs to himself for 0.01 ETH and then sold to another user for 99 ETH, after which the wallet used to make these transactions disappeared. The break-in took place around February 7th.
In court filings, McKimmy indicated that he repeatedly contacted OpenSea, hoping to return his asset or receive compensation for it. So far, he says, he has not received any offers, although OpenSea allegedly told him that it was “actively investigating” the incident.
Tadghigi, who was introduced to crypto and the NFT space after helping some content creators deal with copyright, said the case is “the first of its kind. There has never been such a precedent.”
As soon as the case became public, Tadghigi and his colleague Andrew Dao were bombarded with requests for legal assistance regarding the lost assets.
Eventually, Tadghigi and Dao decided to represent Michael Valis, who had lost Bored Ape NFT #8858 in a hack that the lawyers claim was carried out by exploiting a security vulnerability. On January 26 (before the McKimmy hack), the hacker sold Valis's NFT to himself for 24.89 ETH, and then immediately resold the token for 92.9 ETH.
Both Valis and McKimmy sued for negligence, which they say not only resulted in the loss of valuable NFTs, but also prevented them from capitalizing on the privileges of Bored Ape NFT ownership.
Recently, the BAYC project announced the release of its own currency, ApeCoin. The owners had the right to claim the coins first, but McKimmy and Valis were unable to do so because their assets were stolen. Tadghigi and Dao's argument is that OpenSea kept running despite being aware of security breaches that harmed users acting on OpenSea’s own instructions.
Robert Armijo’s case is quite different: he lost Bored Ape NFT #4329 and two Mutant Bored Ape NFTs, #1819 and #7713, in a social engineering hack.
Around February 1st, Armijo logged into the Cool Cats Discord chat room to discuss trading one of his Mutant Bored Ape NFTs for some Cool Cat NFTs. A user responded to his request, and they began a correspondence on the topic of selling their assets.
According to court documents, Armijo suggested a certain website, and the user sent him a link to it, claiming that he had already uploaded his NFTs there. All Armijo had to do was upload his tokens there. Armijo followed the link, but it turned out to be a scam. His wallet containing two Mutant Bored Ape NFTs and one Bored Ape NFT, as well as some cryptocurrency, was emptied.
Even though the theft did not take place on the OpenSea platform, Armijo suspected that the thief would list the stolen NFTs on OpenSea in order to try and sell them as quickly as possible, according to court filings. In this regard, Armijo tried to contact OpenSea to ask to freeze his assets when they were uploaded to the platform, but he faced numerous obstacles.
After posting multiple messages on Discord, Armijo had not received a single response. What’s more, he saw messages from other OpenSea users who complained that they had submitted applications days or even weeks ago without receiving any feedback or assistance in that time.
As this critical time period drew to a close, Armijo saw that his Bored Ape NFT had been listed on OpenSea and sold, which happened two hours after the hack. Four hours after the hack, OpenSea responded to Armijo’s requests and froze his other tokens, the Mutant Ape NFTs. The hacker then listed these NFTs on the LooksRare platform, where they were sold almost immediately. As a result, Armijo is also suing LooksRare.
The complaint cites an example of an approval process previously used on OpenSea, in which the platform verified that uploaded NFTs were uploaded directly by the owners. Only then were they registered on the site. The process was terminated in March 2021, when the NFT market was overwhelmed by a wave of popularity.
After the elimination of verification, cases of theft on the platform increased dramatically.