According to CryptoPotato, all Bored Ape Yacht Club (BAYC) and Mutant Ape Yacht Club (MAYC) nonfungible tokens (NFTs) stolen on the peer-to-peer trading platform NFT Trader have been recovered following a bounty payment. A security firm operating in the Web3 space reported the successful retrieval of 36 BAYC and 18 MAYC NFTs through a well-coordinated effort by its team, which worked extra hours over the weekend. The hack, which occurred on December 16, led to the loss of nearly $3 million worth of NFTs.
The attacker communicated through public messages in which they falsely implicated another user in the initial exploit and demanded ransom payments for the NFTs, writing, “I came here to pick up residual garbage.” The attacker then proposed to return tokens to victims in exchange for a ransom of 3 ETH per Bored Ape and 0.6 ETH per Mutant Ape. However, in a bizarre turn of events, they returned a Bored Ape along with 31 ETH to one user, and returned staked Bored Apes to their owners while retaining the ApeCoin rewards. Within a day, a community effort led by Boring Security, a non-profit Web3 security project funded by ApeCoin, successfully recovered assets valued at around $267,000.
The recovery was facilitated by the payment of a 120 Ether bounty by Greg Solano, the co-founder of Yuga Labs, the creator of both the BAYC and MAYC NFT collections. According to Foobar, the pseudonymous founder of Delegate, the vulnerability, which allowed multicalling to external contracts, surfaced after a “bad upgrade” earlier this month. It enabled unauthorized transfers of NFTs away from their owners by abusing trading permissions the owners had previously granted. Foobar mentioned that unless the permissions were revoked, there was a risk of the NFTs being stolen once more. In addition to the NFT Trader hack, reports surfaced of additional breaches that resulted in the loss of Cool Cats and Squiggles from user wallets.
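
Foobar's point about revoking permissions can be checked from event logs. The following added example (not from the article or from NFT Trader) replays standard ERC-721 `ApprovalForAll` logs to list the operator approvals an owner still has in force; every address and log entry is a constructed placeholder, and blanket operator approval is an assumption, since the article does not say which permission type was involved.

```python
# Added example: replay ERC-721 ApprovalForAll logs to find approvals still in force.
# keccak256("ApprovalForAll(address,address,bool)"), the standard event topic.
APPROVAL_FOR_ALL = "0x17307eab39ab6107e8899845ad3d59bd9653f200f220920489ca2b5937696c31"

def _addr(topic):
    """Indexed address topics are 32 bytes, left-padded; keep the last 20 bytes."""
    return "0x" + topic[-40:].lower()

def outstanding_approvals(logs, owner):
    """Return {(collection, operator)} still approved for owner, replaying logs in chain order."""
    owner, state = owner.lower(), {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        topics = log["topics"]
        if len(topics) != 3 or topics[0].lower() != APPROVAL_FOR_ALL:
            continue  # a different event, or a non-standard emitter
        if _addr(topics[1]) != owner:
            continue
        # The latest event per (collection, operator) wins: a later 'false' is a revocation.
        state[(log["address"].lower(), _addr(topics[2]))] = int(log["data"], 16) != 0
    return {key for key, approved in state.items() if approved}

def revocations_needed(logs, owner, risky_operators):
    """Approvals the owner should revoke because the operator contract is considered unsafe."""
    risky = {o.lower() for o in risky_operators}
    return sorted(k for k in outstanding_approvals(logs, owner) if k[1] in risky)

# --- Constructed sample data (placeholder addresses, not real contracts) ---
OWNER, OTHER_OWNER = "0x" + "aa" * 20, "0x" + "bb" * 20
COLLECTION_A, COLLECTION_B = "0x" + "c1" * 20, "0x" + "c2" * 20
SWAP_CONTRACT, OTHER_MARKET = "0x" + "5a" * 20, "0x" + "0b" * 20  # hypothetical operators

def _log(block, idx, collection, owner, operator, approved):
    pad = lambda a: "0x" + "0" * 24 + a[2:]
    return {"blockNumber": block, "logIndex": idx, "address": collection,
            "topics": [APPROVAL_FOR_ALL, pad(owner), pad(operator)],
            "data": "0x" + "0" * 63 + ("1" if approved else "0")}

SAMPLE_LOGS = [  # deliberately out of order to exercise the sort
    _log(110, 0, COLLECTION_B, OWNER, SWAP_CONTRACT, False),   # revoked later
    _log(100, 0, COLLECTION_A, OWNER, SWAP_CONTRACT, True),    # never revoked
    _log(101, 2, COLLECTION_B, OWNER, SWAP_CONTRACT, True),
    _log(105, 1, COLLECTION_A, OWNER, OTHER_MARKET, True),
    _log(111, 0, COLLECTION_A, OTHER_OWNER, SWAP_CONTRACT, True),
]

if __name__ == "__main__":
    for collection, operator in revocations_needed(SAMPLE_LOGS, OWNER, [SWAP_CONTRACT]):
        print(f"revoke: collection {collection} still approves operator {operator}")
```

Per-token `approve` grants are not covered here; they emit the separate ERC-721 `Approval` event and would need the same replay.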