哥被偷了! (Brother got robbed!) — Jay Chou’s Ape, not the only one?

Sentinel Protocol Team, published in Sentinel Protocol · Apr 7, 2022 · 9 min read

A full insight into the NFT phishing campaign that stole King of Mandopop Jay’s BAYC #3738

On 1st April 2022, King of Mandopop Jay Chou posted on his Instagram account, sharing with his 7.1M followers that his Bored Ape Yacht Club (BAYC) NFT, Ape #3738 has been stolen. He emphasized that it was not an April Fool’s joke and let on that it was stolen through a fake mint phishing site — reminding his followers that NFT theft is real and to stay vigilant in the NFT space.

Jay Chou’s Instagram Post (www.instagram.com/p/Cby6ZKxPuI9/)

Based on Jay’s revelation that a phishing site was involved, it was likely that his friend (Jay mentioned that a friend had been helping with the mint) was duped by the phishing site into signing a transaction which allowed the bad actor’s wallet address to manage the BAYC NFT tokens in Jay’s wallet.

0x71de, which is apparently Jay’s wallet, had interacted with the BAYC token contract (0xBC4CA), invoking the setApprovalForAll function with the operator set to the bad actor’s wallet (0xe34F00) and approved set to ‘true’, which in turn emitted the ApprovalForAll event seen below.

ApprovalForAll event (Tx Hash: 0xb8a5c47dad2637b98b09e4cf97d2b7ff2ee08e344af70ae4cf2ba0e725651bb0)

This setApprovalForAll function grants (or revokes) the specified operator the right to call the transferFrom and safeTransferFrom functions for any BAYC token owned by the address invoking the function — essentially meaning that the bad actor wallet is now granted permission to transfer any BAYC token from Jay’s wallet to itself, on behalf of Jay’s wallet.

Documentation of the setApprovalForAll function in the BAYC Token Contract (https://etherscan.io/address/0xbc4ca0eda7647a8ab7c2061c2e118a18a936f13d#code)
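The approval state described above can be reconstructed from a wallet’s ApprovalForAll logs, which is the check an owner (or a monitoring service) would run to see which operators currently hold blanket control over their tokens. The following Python is an added example, not code from the original post or from Uppsala Security: it decodes eth_getLogs-style entries, replays grants and revokes in order, and lists the approvals still in force to operators outside an allowlist. The BAYC contract and NT #1 addresses come from this write-up; the victim, marketplace and revoked-operator addresses, and the log entries themselves, are constructed placeholders.

```python
# keccak256("ApprovalForAll(address,address,bool)"): topic0 of the standard ERC-721 event
APPROVAL_FOR_ALL_TOPIC = "0x17307eab39ab6107e8899845ad3d59bd9653f200f220920489ca2b5937696c31"

# Addresses from the write-up (BAYC contract, NT #1) plus constructed stand-ins for the rest
BAYC = "0xbc4ca0eda7647a8ab7c2061c2e118a18a936f13d"
THIEF = "0xe34F004BDef6F069b92dc299587D6c8A731072Da"
VICTIM = "0x1111111111111111111111111111111111111111"  # constructed: the phished owner
MARKET = "0x2222222222222222222222222222222222222222"  # constructed: legitimate marketplace operator
OTHER = "0x3333333333333333333333333333333333333333"   # constructed: granted, then revoked

def address_to_topic(addr: str) -> str:
    """Indexed address parameters are left-padded to a 32-byte topic word."""
    return "0x" + addr[2:].lower().rjust(64, "0")

def topic_to_address(topic: str) -> str:
    return "0x" + topic[-40:].lower()  # inverse: keep the low 20 bytes

def decode_approval_for_all(log: dict):
    """Decode one eth_getLogs-style entry; return None if it is some other event."""
    topics = log["topics"]
    if len(topics) != 3 or topics[0].lower() != APPROVAL_FOR_ALL_TOPIC:
        return None
    # `approved` is not indexed, so it is ABI-encoded as a 32-byte bool in `data`
    return {"contract": log["address"].lower(), "owner": topic_to_address(topics[1]),
            "operator": topic_to_address(topics[2]), "approved": int(log["data"], 16) != 0}

def outstanding_approvals(logs: list, allowlist: set) -> list:
    """Replay logs in order (a later revoke cancels an earlier grant); return live grants to non-allowlisted operators."""
    state = {}
    for ev in filter(None, map(decode_approval_for_all, logs)):
        key = (ev["contract"], ev["owner"], ev["operator"])
        if ev["approved"]:
            state[key] = ev
        else:
            state.pop(key, None)
    allow = {a.lower() for a in allowlist}
    return [ev for ev in state.values() if ev["operator"] not in allow]

def make_log(contract: str, owner: str, operator: str, approved: bool) -> dict:
    """Build a constructed log entry in the shape eth_getLogs returns."""
    return {"address": contract, "data": "0x" + ("1" if approved else "0").rjust(64, "0"),
            "topics": [APPROVAL_FOR_ALL_TOPIC, address_to_topic(owner), address_to_topic(operator)]}

# Constructed sample: a marketplace approval, a grant later revoked, then the phishing approval
SAMPLE_LOGS = [make_log(BAYC, VICTIM, MARKET, True), make_log(BAYC, VICTIM, OTHER, True),
               make_log(BAYC, VICTIM, OTHER, False), make_log(BAYC, VICTIM, THIEF, True)]

if __name__ == "__main__":
    for ev in outstanding_approvals(SAMPLE_LOGS, {MARKET}):
        print(f"{ev['owner']} granted {ev['operator']} control of every token in {ev['contract']}")
```

Against real data the same function runs over the logs returned by an eth_getLogs query filtered on topic0 and the owner address in topics[1]; any surviving entry is an operator that can still move every token in that collection.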

Once granted approval, the bad actor wallet then interacted with the BAYC token contract, executing the transfer of BAYC #3738 from Jay’s purported wallet to itself, thus stealing it.

Transfer of BAYC #3738 from Jay’s purported wallet to the bad actor wallet
Bad actor wallet’s interaction with the BAYC token contract to transfer (steal) the NFT

Not the only stolen Ape?

Investigating this incident, our team has found on-chain evidence indicating that the wallet that stole Jay’s Ape is likely part of a much larger NFT theft campaign.

Our investigation found a total of 17 suspicious wallets linked to this campaign.

These wallets have been split into 3 different categories for ease of explanation:

1. NFT Theft Wallets (NT) — Wallets which stole NFTs from victims.

2. Storage/Laundering Wallets (SL) — Wallets which received funds from the campaign and are either storing these illicit funds and/or laundering them through Tornado Cash.

3. Miscellaneous (M) — Other wallets used by the campaign for various purposes including relaying of funds.

List of 17 suspicious wallets:

1st Category: NFT Theft Wallets (NT)

NT #1: 0xe34F004BDef6F069b92dc299587D6c8A731072Da
NT #2: 0x91B9487704b3CF97DE4d0784914CfF50f5Ca117d
NT #3: 0xC64642946240251239d49dfCEE00fC8D47B7083F
NT #4: 0x87A9DCF2BA62880d3125A992D4900878f2d688cF
NT #5: 0x334a8Bb398C6Dd05A2CFFf01aBD6b887e6e4d92b
NT #6: 0x5ece881098b12ca6c1f5722Dc9D465EcBb9D9A1d

2nd Category: Storage/Laundering Wallets (SL)

SL #1: 0x6E85C36e75dc03A80F2fA393055935C7f3185b15
SL #2: 0x638268f39a15Ba073d0e186b65b959aC0a8fD7A6
SL #3: 0x9630c04Ce3C60aEE0E7dEeD1699112c8cAEe1344
SL #4: 0x931831b102412823716501787a03f3EfE4878c72
SL #5: 0xD22a2083863f29795db40cb35D7Bef38D27f6808
SL #6: 0x53023b2e60c625DCB6D48b3A912842448b8B5846
SL #7: 0xEd0b0aad87046E35091dF0343F4A61e90FbF631F

3rd Category: Miscellaneous (M)

M #1: 0xc3c18a43A0EFd761f645bc2e69E02fF7637f768F
M #2: 0x92317DF37f776419E2a164C7C1e77d96E17780cA
M #3: 0xf7441f425A8Ff8ED19cf470a03a3190083cBF89E
M #4: 0x1669A5A10512A247AadfC5e3eBa32Ff8aDb1E3f2

A total of 16 NFTs were also identified to have likely been stolen through this campaign. These NFTs were from the following projects: Bored Ape Yacht Club (BAYC), Mutant Ape Yacht Club (MAYC), Azuki, Doodles, CloneX and Bored Ape Kennel Club.

Bored Ape Yacht Club (BAYC) NFTs stolen: #1100, #3738, #5778, #8237, #9481, #9672

Mutant Ape Yacht Club (MAYC) NFTs stolen: #564, #6132, #7657, #7767, #16500

Azuki (AZUKI) NFTs stolen: #2421

Doodles (DOODLE) NFTs stolen: #725, #768

CloneX NFTs stolen: #6297

Bored Ape Kennel Club NFTs stolen: #6834

These are projects with high-value NFTs, and are likely to have been specifically targeted by the bad actors running the phishing campaign.

NFT Theft Wallets

It has been established that NFT Theft wallet #1, which stole Jay’s Ape, is a malicious wallet involved in NFT theft. Through logical deduction and the information obtained, our team is also able to ascertain with confidence that the other 5 NFT Theft wallets identified are also linked to stolen NFTs.

Taking a close look at each of these 6 identified NFT Theft wallets, including the one that stole Jay’s NFT, we observe the following commonalities across them:

1. Transfers of high-value NFTs into wallet

2. Immediate sale of NFT

3. Proceeds from NFT sale mostly moved into a storage wallet

A logical explanation for the transfer and immediate sale of these high-value NFTs is that the NFTs were stolen and the bad actor was trying to offload them as soon as possible, before word got out to the community that these were stolen assets. As NFTs are comparatively illiquid because of their non-fungible nature (each token is unique), it is no surprise that the bad actor would sell them for fungible crypto assets, which are far easier to launder.

Besides these commonalities, our team was also able to obtain information confirming that some of the NFTs identified were indeed stolen via phishing sites.

Twitter account likely linked to victim 0xcB9282 (a.k.a baxmachina[.]eth)

Based on on-chain information, MAYC #7767 and #7657 were transferred from 0xcB92828352227755009D444f606a339d0937bF95 to NT #2. This wallet 0xcB928 owns the Ethereum Name Service (ENS) domain baxmachina[.]eth — and a quick search returned the above Twitter profile.

The profile claimed ownership of the same 2 MAYCs that had been identified, and stated that they had been stolen via a phishing campaign. This confirms that NT #2, and very likely the other identified wallets that share the same behavior, are also involved in NFT thefts.

This is further supported by the links established between these wallets through analysis of the flow of funds, which is covered next.

Links between these NFT Theft Wallets — Funding each other

By backtracking and following the money flow into the wallet (NT #1) that stole Jay’s Ape, we can confirm that these NFT Theft wallets are all linked, and thus part of the same campaign.

Firstly, we observe that NT #1, the Jay Chou NFT Thief, had received 0.9 Ether across 2 transactions from NT #2. This NT #2 wallet was observed to have also received transfers of 5 NFTs stolen from 4 victims.

Flow of 0.9 Ether from NT #2 to NT #1 (Jay Chou NFT Thief)

Besides transferring 0.9 Ether to NT #1, NT #2 had also sent small amounts of Ether to NT #3 and #4.

Ether from NT #2 also flows to NT #3 and #4

It is likely that these small transfers of Ether were meant to fund the NFT Theft Wallets (NTs) so that they could list and sell the stolen NFTs on NFT marketplaces such as OpenSea and LooksRare, which require fees. The Ether that NT #2 used to fund the other wallets (NT #1, #3, #4) came from the proceeds it received from selling the NFTs it stole. NT #2 itself was funded through a 0.1 Ether withdrawal from Tornado Cash, a mixing service.

Besides receiving 0.9 Ether from NT #2, NT #1 had also received 1 Ether of funding from M #1. This 1 Ether originated from yet another NFT Theft wallet, NT #5, and likewise came from the proceeds the latter received from selling 2 of the 3 NFTs it stole.

NT #6 funds NT #5, which subsequently funds NT #1

As expected, NT #5’s funding was from the sale proceeds of BAYC #8237 which NT #6 stole and sold. NT #6 looks to be the first NFT Theft wallet used in the campaign and was interestingly first funded by Ether bridged from Gnosis Chain via OmniBridge.

Storage and Laundering of Stolen NFT Sale Proceeds

Besides funding new NFT Theft (NT) wallets used in the campaign, the majority of the stolen NFT sale proceeds were moved by the bad actor from each NT wallet to individual Storage/Laundering (SL) wallets.

There are a total of 7 of these wallets, shown as blue nodes in the entire overview shown below. Some of these wallets have started to pass funds through Tornado Cash, while others are simply holding the funds.

Overview of entire NFT Theft/Phishing campaign

From this, we can see that the bad actor’s modus operandi is clear. The bad actor steals NFTs, immediately sells them for Ether, and either funds new NFT Theft wallets with the proceeds, and/or transfers the proceeds to SL wallets for storage or laundering through Tornado Cash.

Using NFT Theft Sale Proceeds to flip NFTs?

Interestingly, our team observed that the bad actor had even used the sale proceeds from stolen NFTs to purchase and ‘flip’ an NFT for profit. As seen below, the bad actor had purchased AZUKI #9180 with sale proceeds transferred to Storage/Laundering wallet (SL #6) 0x53023b, and subsequently sold it a few days later for a profit of around 16 Ether.

NFT sale proceeds from stolen BAYC #8237 flows to SL #6 (0x53023b), which flipped Azuki #9180
SL #6 (0x53023b) bought Azuki #9180 for ~15.58 Ether
SL #6 (0x53023b) flipping Azuki #9180 for ~17.19 Ether a few days later

Possible Binance Withdrawal made by a bad actor?

It was also noted that wallet M #4 had received a small amount of Ether originating from NT #6, passing through M #3. This wallet was observed to have received a small withdrawal of 0.072672 Ether from Binance Exchange. Due to the flow of funds originating from NT #6, it could be possible that M #4 belongs to the campaign too, and that the Binance withdrawal might have been carried out by the bad actor.

Flow of funds from NT #6 to M #4, which received a withdrawal from Binance Exchange

Staying Safe in the Crypto/NFT Space

With the growing public interest in NFTs, it is inevitable that bad actors will be attracted to this booming market. This has been apparent in the spike in the number of phishing sites related to fake NFT projects that have surfaced recently.

Participants in the Crypto/NFT space should stay vigilant when making transactions and steer clear of websites which they might have doubts about. At Uppsala Security, we believe that protecting the crypto space should be a collective and community wide effort. If you come across any suspicious or phishing sites, please do not hesitate to report them to our team. We will carry out the necessary investigations and help prevent other members of the community from falling to these scams.

Reporting can be done through UPPward, our browser extension which aims to create a safer browsing experience for users, as they traverse the web and crypto space. Through UPPward, users can also check if a certain domain or crypto address has been identified by our team to be malicious. To find out more about UPPward, please visit: https://uppward.sentinelprotocol.io/

Victims requiring digital asset tracking services and investigations can also engage the Digital Asset Tracking Service offered by our team. More on this service can be found at https://uppsalasecurity.com/trackingsvc.

About Uppsala Security

Uppsala Security built Sentinel Protocol, the first crowdsourced Threat Intelligence Platform powered by artificial intelligence, blockchain technology, and machine learning. Supporting the framework is a team of experienced cyber security professionals who have developed an award-winning suite of advanced tools and services for Crypto AML/CFT, Transaction Risk Management (KYC/KYT), Transaction Tracking, Regulatory Compliance, and Cybersecurity enabling organizations of every type and size to protect their crypto assets from malicious attacks and scams while meeting stringent regulatory compliance standards. Today Uppsala Security has over two thousand (2K+) users including government agencies, financial institutions and leading enterprises providing crypto exchanges, payment services, wallets, custodial services, gaming, and fintech solutions.

Uppsala Security is headquartered in Singapore, and has branch offices in Seoul, South Korea and Tokyo, Japan. You can follow Uppsala Security on Telegram, LinkedIn, Twitter, Facebook and Medium.
