Hacker Targets Bored Ape NFT Holders in a Reported OpenSea Exploit, $750K Stolen

Someone has reportedly found a way to exploit the front-end of the most popular non-fungible token (NFT) marketplace – OpenSea. The perpetrator is supposedly going after members of the Bored Ape Yacht Club and their valuable apes.

The OpenSea Exploit

PekShieldAlert – the real-time alerts bot of the popular security firm PeckShield, alarmed of a front-end issue of OpenSea earlier today, revealing that the exploited had already gained 332 ETH worth roughly around $750K at the time of this writing.

It appears that @opensea has a front-end issue and the exploiter gained about 332 Etherhttps://t.co/35kCB1n7nv

— PeckShieldAlert (@PeckShieldAlert) January 24, 2022

Another user revealed that the bug makes it possible to buy listings at old prices. The perpetrator is supposedly going after holders of Bored Ape NFTs, targeting members of the Bored Ape Yacht Club.

Bored Apes Sniped for Less Than 25 ETH

Apparently, there’s been an earlier exploit with similar characteristics where the bug allowed for assets to be bought at severely discounted prices.

1/ Recently there’s been an @opensea exploit that has allowed for assets to be purchased at greatly discounted prices, including 3 freshdrops passes, a BAYC https://t.co/8pEgeXkOBo, multiple MAYCs, and more. I did some research this morning and here’s what’s happening -> a 🧵👇

— cap10bad.ΞTH | freshdrops.io (@cap10bad) December 31, 2021

The user explains that if someone using OpenSea listed an NFT for sale and later decided they didn’t want that listing to be active, the platform would charge for its delisting. This, however, can be costly, so users found a workaround where they would transfer the NFT to another wallet which effectively cancels the listing.

This is where things got messy.

The item may not show the listing on OS, but it is, in fact, still active through OS’s API. The quickest way to view these old listings is on Rarible, which uses OS’s API to display and fulfill OS listings.