NFT hack

Over $765K worth of NFTs stolen after SIM swap attack on GutterCatGang

The bad actors utilized a fake GutterCatGang airdrop scam to drain people’s wallets, with at least $700,000 worth of NFTs being stolen from a single address.

More than $765,000 worth of nonfungible tokens has been stolen as part of a reported SIM swap attack on the GutterCatGang NFT project.

The security breach was highlighted by several NFT community members at around 8 pm UTC on July 7, with GutterCatGang co-founder @GutterMitch tweeting out a warning that: “Our Twitter has been compromised please do not interact with any links.”

Alongside the official GutterCatGang account, co-founder @gutterric was also hacked.

The hacker or hackers used the accounts to share links to fake “limited edition” GutterCatGang NFT sneaker airdrops that essentially drained people’s hot wallets when they clicked on them.

In an effort to make the fictitious links look more legitimate, the tweets included recent GutterCatGang branding and imagery from the project's phygital sneaker drop in partnership with Puma and NBA/Charlotte Hornets star LaMelo Ball.

Responding to Gutter Mitch’s thread, prominent blockchain sleuth ZachXBT asserted that the team was hacked via a SIM swap attack, as he questioned the team’s cybersecurity practices.

“Your team better look at a compensation plan for victims as it is gross negligence to have used SMS 2FA on your socials after all of the recent SIM swaps,” ZachXBT said.

In a separate thread, ZachXBT highlighted two victims of the attack, with one losing a Bored Ape Yacht Club NFT worth $65,913 at current floor prices, and another losing a whopping $700,000 worth of NFTs from a host of blue chip collections.

Providing an update on the matter, GutterCatGang co-founder @gutterdan_ stated: “We are working with Twitter to regain access to the compromised Gutter-affiliated Twitter accounts.”

“We deeply sympathize with all those impacted and want to assure you that we are taking this matter very seriously and are working with law enforcement to investigate the hack and security breach,” he wrote.

At the time of writing, it appears that the accounts are still compromised.

GutterCatGang was launched in mid-2021 and consists of 3000 unique NFT cartoon cat avatars. The current floor price sits at 0.5 Ether (ETH), up almost 615% from the initial cost to mint, according to NFT Price Floor.

AkuDreams dev team locks up $33M due to smart contract bug

A highly anticipated NFT project has been hit with an exploit and a smart contract bug, causing a disruption to its auction and leaving the team with $33 million unable to be accessed.

The highly anticipated NFT project Akutars was marred by both an exploit and a bug on the weekend causing over 11,500 Ethereum (ETH) worth nearly $33 million to be locked forever within a smart contract, inaccessible even to the development team.

The exploit, however, was conducted by someone trying to show a vulnerability in the project, not to steal funds via a hack.

The project went live on Friday April 22 with a Dutch Auction, a type of auction where the price lowers until it receives a bid, with the first bid winning the sale as long as the price is above reserve.

The auction opened at 3.5 Ethereum with only 5,495 of the available 15,000 NFTs up for sale and the smart contract set to refund any bidders who were underbid. Holders of an “Aku Mint Pass” were also given a 0.5 Ethereum discount on each minted NFT.

The $33M Bug

In an April 23 Twitter thread explaining the whopping $33 million bug, 0xInuarashi, a developer of multiple NFT projects, explained that Akutars' smart contract was coded so that refunds to bidders had to be processed first before the team could withdraw any funds.

The contract had a caveat that a minimum number of bids had to be made before it would allow for the team to withdraw, but the minimum number of bids was set to equal the amount of NFTs available for auction.

Unfortunately, due to some buyers minting multiple NFTs within the same bid, the terms of the contract mean it will never unlock, sealing away the nearly $33 million in Ethereum forever.
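
The lock-up described above, as a small Python model (an added example, not the Akutars contract code; the class and function names, the per-bid limit and the five-NFT sale are assumptions made for illustration). It shows why a withdrawal gate that counts bids can never open once supply sells out in fewer bids, and a pre-deployment check for that condition.

```python
from dataclasses import dataclass, field


@dataclass
class DutchAuctionModel:
    nfts_for_sale: int          # supply offered in the auction
    min_bids_to_withdraw: int   # gate on the team's withdrawal
    max_per_bid: int = 3        # assumed per-bid mint limit (not from the article)
    bids: list = field(default_factory=list)  # quantity minted by each accepted bid

    @property
    def sold(self) -> int:
        return sum(self.bids)

    def bid(self, quantity: int) -> None:
        if not 1 <= quantity <= self.max_per_bid:
            raise ValueError("quantity outside per-bid limit")
        if self.sold + quantity > self.nfts_for_sale:
            raise ValueError("not enough supply left")
        self.bids.append(quantity)

    def can_withdraw(self) -> bool:
        # The gate counts bids, while supply is consumed in NFTs.
        return len(self.bids) >= self.min_bids_to_withdraw

    def permanently_locked(self) -> bool:
        # Once sold out, no further bid can ever raise the bid count.
        return self.sold == self.nfts_for_sale and not self.can_withdraw()


def gate_always_reachable(nfts_for_sale: int, min_bids: int, max_per_bid: int) -> bool:
    """Pre-deployment check: the gate must open even in the worst case,
    where every bidder mints the maximum and the bid count is smallest."""
    fewest_bids_at_sellout = -(-nfts_for_sale // max_per_bid)  # ceiling division
    return min_bids <= fewest_bids_at_sellout


def run_sale(quantities, nfts_for_sale, min_bids, max_per_bid=3):
    """Replay a constructed list of bid quantities against the model."""
    auction = DutchAuctionModel(nfts_for_sale, min_bids, max_per_bid)
    for q in quantities:
        auction.bid(q)
    return auction
```

With the gate set equal to supply, `run_sale([1, 2, 1, 1], 5, 5)` sells all five NFTs in four bids and ends permanently locked, while `gate_always_reachable(5, 5, 3)` flags the configuration before any bid is placed.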

Cointelegraph contacted the Akutars team for comment but did not immediately hear back.

The exploit

A now-deleted tweet posted by Akutars, which was shared by DeFi developer foobar, said that developers had reached out to the team warning that their contract could be exploited, but the team appeared to shrug them off completely, labelling the potential exploit a “feature”.

During the mint an unknown individual executed what’s known as a “griefing contract” which locked the ability of the Akutars contract to process refunds to those underbid. The individual even embedded a message on the blockchain to the Akutars team saying they would stop the contract:

“Well, this was fun, had no intention of actually exploiting this lol. Otherwise I wouldn’t have used Coinbase. Once you guys publicly acknowledge that the exploit exists, I will remove the block immediately.”

Akutars then promptly responded by taking responsibility for the code, suggesting that the exploit “was not done out of malice” and the person “intended to bring attention to best practices for highly visible projects.”

In a tweet on the same day, the project's founder and former pro-baseballer Micah Johnson offered an apology to the community, noting that after letting them down he will "continue to build brick by brick" and work tirelessly to avoid any similar issues moving forward. 

The team also said that it will be issuing 0.5 Ethereum refunds to pass holders as well as airdropping the NFT to successful bidders.

In an update posted on Sunday April 24, the team said it had rewritten its minting contract, which was then audited by several developers, and that it plans to mint on Monday April 25.

This article has been updated, with the headline changing from "$34M" to "$33M"

Attacker Hacks Arbitrum’s Treasure DAO for Over 100 NFTs by Leveraging Marketplace Exploit

A non-fungible token market platform built on top of Arbitrum called Treasure DAO was hacked on March 3 at 7:33 a.m. (EST), according to a post mortem analysis authored by the security-focused firm Certik. The company’s report notes that “over 100 NFTs were stolen in the attack,” as the attacker leveraged a vulnerability in the […]

$2.2M Worth of Bored Ape Yacht Club NFTs Stolen — Victim Says Incident Was ‘Arguably the Worst Night’ of His Life

According to reports, roughly $2.2 million worth of Bored Ape Yacht Club (BAYC) and Mutant Ape Yacht Club (MAYC) non-fungible tokens (NFTs) were stolen from a collector. The owner of the NFTs, Todd Kramer, said the incident was “arguably the worst night” of his life. Furthermore, there are claims that the NFT marketplace Opensea froze the […]
