A Bored Ape Yacht Club (BAYC) NFT holder has lost multiple NFTs, including a “bubble gum ape,” after being tricked into exchanging valuable pieces for worthless PNGs in a fake swap transaction.
BAYC #1584 is one of the 119 bubble gum apes (apes blowing bubble gum) and has a rarity score of 111.99 out of 10,000, according to Rarity Tools. That implies it is relatively uncommon.
The victim entered into a direct swap trade with the scammer via a third-party service called swapkiwi. Unlike regular marketplaces like OpenSea, platforms like swapkiwi allow direct NFT swaps between collectors, reducing transaction ("gas") fees.
Unknown to s27, the other participant in the trade put up knock-off NFTs in exchange for s27’s legitimate Bored Ape and Mutant Apes. The scammer used images of actual Bored Apes to create replicas and uploaded them to OpenSea.
According to 0xQuit, the attacker took advantage of the way swapkiwi displays verified NFTs. Since the checkmark appears within the image, scammers can spoof this verification by simply taking an image of a Bored Ape and editing a checkmark onto it.
0xQuit said that the checkmark should appear outside of the image itself to prevent copycat attacks. He added that if the collection were linked to the NFT’s contract address, it would be easier to check whether the NFT was real.
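The check 0xQuit describes can be sketched as follows. This is an added example, not code from swapkiwi, OpenSea or the article: the verified badge is derived only from the NFT's contract address, and an unlisted item that borrows a verified collection's name is flagged. The registry, addresses, function names and sample offer are all constructed placeholders.

```javascript
// Added illustration; every address, name and item here is a constructed placeholder.
// Platform-maintained registry: lowercased contract address -> collection name.
const VERIFIED_COLLECTIONS = new Map([
  ["0x1111111111111111111111111111111111111111", "Bored Ape Yacht Club"],
  ["0x2222222222222222222222222222222222222222", "Mutant Ape Yacht Club"],
]);

const isAddress = (v) => typeof v === "string" && /^0x[0-9a-fA-F]{40}$/.test(v);

// Compare names ignoring case, spacing and punctuation.
const normaliseName = (s) => String(s ?? "").toLowerCase().replace(/[^a-z0-9]/g, "");

// Classify one offered NFT. The image is never consulted: it is uploader-controlled,
// so a checkmark drawn into it carries no information.
function classifyItem(item) {
  if (!isAddress(item.contract)) {
    return { status: "invalid", badge: false, reason: "malformed contract address" };
  }
  const collection = VERIFIED_COLLECTIONS.get(item.contract.toLowerCase());
  if (collection) return { status: "verified", badge: true, collection };
  // Unlisted contract: the display name is only used to detect impersonation.
  const claimed = normaliseName(item.displayName);
  for (const name of VERIFIED_COLLECTIONS.values()) {
    if (claimed.includes(normaliseName(name))) {
      return { status: "impersonation", badge: false,
               reason: `named like "${name}" but comes from a different contract` };
    }
  }
  return { status: "unverified", badge: false, reason: "contract not in registry" };
}

// Review one side of a swap; `badge` is what the UI draws next to (not on) the image.
function reviewSwap(offeredItems) {
  const results = offeredItems.map((it) => ({ tokenId: it.tokenId, ...classifyItem(it) }));
  const blocked = results.some((r) => r.status === "impersonation" || r.status === "invalid");
  return { blocked, results };
}

// Constructed offer: one genuine item, one copy with a checkmark edited into its image.
const sampleOffer = [
  { contract: "0x2222222222222222222222222222222222222222", tokenId: "7",
    displayName: "Mutant Ape Yacht Club #7", image: "mutant-7.png" },
  { contract: "0x9999999999999999999999999999999999999999", tokenId: "1",
    displayName: "Bored Ape Yacht Club #1584", image: "ape-with-painted-checkmark.png" },
];
console.log(JSON.stringify(reviewSwap(sampleOffer), null, 2));
```

The name comparison is a plain substring match, so it catches exact-name copies like the ones in this incident but not lookalike spellings; the contract-address lookup is what decides the badge.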
Following the exchange, s27 received worthless pictures while the scammer made away with NFTs worth at least $570,000.
The rogue actor has since sold the bubble gum ape for 98 ETH ($337,000), which is significantly lower than the current BAYC floor price of 111 ETH ($382,000). Both Mutant Ape derivatives stolen in the fake swap transaction have also been sold off at prices lower than the floor price for the collection.
In response to the incident, swapkiwi has published a statement saying that it is working on improvements to its platform to prevent future occurrences.
The incident marks another case of a high-value NFT owner falling victim to social engineering hacks. While poor UI/UX on the part of NFT platforms is partly to blame, the situation is another reminder that web3 participants should be security conscious.
BAYC holders, along with other blue-chip NFT collectors, are likely to remain targets for rogue actors given the value of their possessions.
© 2022 The Block Crypto, Inc. All Rights Reserved.