On April 1, Taiwanese pop star Jay Chou announced on Instagram that one of his Bored Ape Yacht Club NFTs had been stolen from his OpenSea account.
According to a report by the South China Morning Post (SCMP), Chou found out about the incident from a friend and initially thought it was an April Fool’s Day joke. He later confirmed that the NFT was “stolen by a phishing website”.
He reminded his followers to be careful and that NFT theft is no joke.
Chou received the Bored Ape Yacht Club NFT as a gift from friend Jeffrey Hwang, a member of hip hop group Machi. The stolen NFT was then listed on the LooksRare platform and sold for 130 Ether, equivalent to US$459,522 (RM1.9mil) as of press time.
Oded Vanunu, head of products vulnerability at Check Point Software Technologies, said in a statement that Chou may have been tricked into submitting a SetApprovalForAll request. The approval granted the attacker full access to Chou’s NFT, and the action can be seen on Ethereum analytics platform Etherscan.
Vanunu added that after Chou or the person handling his account submitted the request and granted the attacker access, the attacker transferred the NFT to another wallet and then listed it for sale on LooksRare.
He explained that NFT users should be aware that there are various wallet requests, with some of them used just to connect the wallet, whilst others may provide full access to their NFTs and crypto funds.
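The distinction between a connect-only request and an approval request can be checked from the request itself before anything is signed. The following is an added example, not code from the article or from Check Point: it triages a wallet JSON-RPC request and flags `setApprovalForAll` grants. The method names and function selectors are standard Ethereum; the risk labels, the `classify_request` and `encode_call` helpers and the sample addresses are assumptions constructed for illustration.

```python
# Added example: triage a wallet JSON-RPC request before signing it.
# Selectors are the first 4 bytes of keccak256(function signature).
SET_APPROVAL_FOR_ALL = "a22cb465"  # setApprovalForAll(address,bool), ERC-721/ERC-1155
APPROVE = "095ea7b3"               # approve(address,uint256), ERC-20/ERC-721
MAX_UINT256 = 2**256 - 1

def classify_request(request):
    """Return (risk, reason) for a request a site sends to the wallet."""
    method = request.get("method")
    if method == "eth_requestAccounts":
        return ("low", "connect only: the site learns the wallet address")
    if method != "eth_sendTransaction":
        return ("review", "method %s is not covered by this sketch" % method)
    tx = request["params"][0]
    data = tx.get("data", "0x").lower()
    if data.startswith("0x"):
        data = data[2:]
    selector, args = data[:8], data[8:]
    if selector not in (SET_APPROVAL_FOR_ALL, APPROVE):
        return ("review", "selector 0x%s is not an approval call" % selector)
    if len(args) < 128:
        return ("review", "approval call with truncated arguments")
    grantee = "0x" + args[24:64]          # address = low 20 bytes of word 1
    value = int(args[64:128], 16)         # bool, token id or amount in word 2
    if selector == SET_APPROVAL_FOR_ALL:
        if value:
            return ("high", "%s may transfer every token of collection %s"
                    % (grantee, tx.get("to")))
        return ("low", "revokes operator %s on %s" % (grantee, tx.get("to")))
    if value == MAX_UINT256:
        return ("high", "unlimited approve() to %s" % grantee)
    return ("medium", "approve() of token id or amount %d to %s" % (value, grantee))

def encode_call(selector, address, value):
    """Build constructed calldata: selector + two 32-byte ABI words."""
    return "0x" + selector + address[2:].rjust(64, "0") + "%064x" % value

# Constructed sample values, not addresses from the incident.
OPERATOR = "0x" + "ab" * 20
COLLECTION = "0x" + "cd" * 20
CONNECT = {"method": "eth_requestAccounts", "params": []}
GRANT_ALL = {"method": "eth_sendTransaction", "params": [
    {"to": COLLECTION, "data": encode_call(SET_APPROVAL_FOR_ALL, OPERATOR, 1)}]}
REVOKE = {"method": "eth_sendTransaction", "params": [
    {"to": COLLECTION, "data": encode_call(SET_APPROVAL_FOR_ALL, OPERATOR, 0)}]}

if __name__ == "__main__":
    for req in (CONNECT, GRANT_ALL, REVOKE):
        print(classify_request(req))
```

The `REVOKE` sample is the same call with the boolean set to false, which is how an owner withdraws an operator approval that was granted by mistake.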
SCMP reported that OpenSea has marked Chou's account on the platform as compromised. The address linked to the stolen NFT has also been marked with a warning sign on Etherscan informing users that there were reports that it has been used in a phishing scam. Users were reminded to exercise caution when interacting with the address.
Last month, Singaporean rapper Yung Raja took to Instagram to share that he was the victim of a phishing scam that resulted in his NFT collection being transferred out of his account. His collection was valued at 20 ETH, roughly US$70,500 (RM296,910).
He explained that he had clicked on a link without realising that it was not an official link. He said he had fallen for the scam as the hackers used compromised Twitter accounts with the verified checkmark. Users were tricked into clicking on various links on these profiles, thinking the links would lead them to mint a new NFT.
NFTs, or non-fungible tokens, are described as digital assets such as images, videos and even tweets, whose transaction records are kept on a blockchain.
The blockchain serves as a public ledger to verify the authenticity of the NFT and the owner.