Timmy McKimmy of Texas and Michael Valise of New York claim to have lost Bored Apes in a hack that exploited a known security vulnerability in OpenSea’s code. Robert Armijo, of Nevada, said he lost his Apes in a social engineering attack which he claims OpenSea’s negligence failed to ameliorate.
OpenSea did not immediately respond to a request for comment.
McKimmy and Valise lost their Apes in similar hacks, though it isn’t known if the hacker was the same person or not.
“Een through McKimmy didn’t have his NFT listed for sale, OpenSea requires you to connect a wallet, and so people can see what NFTs are in that wallet and can make offers on unlisted NFTs,” Ash Tadghighi, McKimmy’s lawyer, explained. “Exploiting a security vulnerability, the hacker made an offer, hacked the code, and accepted the offer on behalf of Mr. McKimmy. So he basically sold it to himself and within the hour sold it to another user.”
According to publicly available transaction data, the hacker sold the NFT to themself for .01 ETH and sold it to the user for 99 ETH, after which the wallet used to make these transactions disappeared. The hack occurred sometime around February 7.
In court documents, McKimmy said he got in contact with OpenSea numerous times, hoping to get his asset back or be compensated for his lost asset. So far, he said, he hasn’t recieved any kind of offer, though OpenSea allegedly told him that it was “actively investigating” the issue.
Tadghighi, who started to become familiar with the crypto and NFT space after helping some creators with copyrights, said the case is “the first of its kind. There’s no precedent.”
Once this case become public knowledge, Tadghighi and his colleague Andrew Dao were inundated with requests for legal help concerning lost assets.
In the end, Tadghighi and Dao decided to represent Michael Valise, who lost Bored Ape #8858 in a hack that the lawyers also claim was conducted by exploiting a security vulnerability. This time, on January 26 (before the McKimmy hack), the hacker sold Valise’s NFT to themself for 24.89 ETH and then immediately resold it for 92.9 ETH.
Both Valise and McKimmy are suing for negligence that they say led them not only lose to valuable NFTs but also prevented them from cashing in on the benefits of owning Bored Apes.
Recently, BAYC announced that it was were releasing their own currency, ApeCoin. Holders were eligible to claim coins first, but McKimmy and Valise were unable to do so because their assets had been stolen. Tadghighi and Dao are making the argument that OpenSea kept operating despite being aware of security violations that were harming users who had acted exactly as OpenSea had told them to act.
‘OpenSea Has Prioritized Growth’
Robert Armijo’s case is quite different. Armijo lost Bored Ape #4329 and two Mutant Bored Apes, #1819 and #7713, in a social engineering hack.
On or around Febuary 1, Armijo went on the Cool Cats Discord server, a chat room, to discuss trading one of his Mutant Bored Apes for a few Cool Cat NFTs. A user responded and they began chatting about how to trade their assets.
According to the court documents, Armijo suggested a certain website and the user sent him a link to it, claiming that they had already uploaded their NFTs. All Aramijo had to do was upload his. Aramijo clicked the link, which ended up being fraudulent. His wallet containing his two Mutant Apes and his Bored Ape, along with some crypto currency, was drained.
“Although the theft did not occur on OpenSea’s platform, Mr. Armijo suspected that the thief would list the stolen NFTs on OpenSea to try and sell them as quickly as possible,” court documents read. As such, Armijo attempted to contact OpenSea so that when his assets were uploaded to OpenSea they would be frozen and unavailable to sell. But he encountered numerous roadblocks.
“Mr. Armijo tried to find a phone number to contact OpenSea customer service, but no such number exists,” read the court documents. “Mr. Armijo created multiple help tickets, desperately pleading with OpenSea to not allow any sales of his stolen NFTs. He did not receive any responses to his requests. Mr. Armijo next went to OpenSea’s Discord server.”
After posting several messages on Discord, Armijo didn’t receive any responses. Instead, what he saw was messages from other OpenSea users who were complaining that they had filed tickets days and even weeks previously without receiving any feedback or help. As this critical window of time closed, Armijo watched as his Bored Ape was listed on OpenSea and sold off two hours after the hack. Four hours after the hack, OpenSea responded to Armijo’s help tickets and froze his Mutant Apes. The hacker then listed the Mutant Apes on LooksRare, where they were almost immediately sold. Armijo is also suing LooksRare.
“OpenSea has prioritized growth over consumer safety and the security of consumer’s digital assets,” the complaint reads.
The complaint gives the example of an approval process that OpenSea used to have, which required that NFTs be verified as uploaded by their proper owner before being listed to the site. The process was discontinued in March 2021, when the NFT market exploded.
Since removing this screening process, theft has run rampant on the site. In a statement, OpenSea acknowledged that “over 80% of the items created with this tool were plagiarized works, fake collections, and spam.”