“I have been hacked. All my apes gone. This just sold please help me,” wrote gallery owner Todd Kramer, of New York’s Ross + Kramer Gallery, in a since-deleted tweet posted on December 30.
A phishing scam had drained his Ethereum wallet of 15 NFTs valued at a total of $2.2 million, including four apes from the “Bored Ape Yacht Club” collection. The thief seemed to have sold off many of the pieces in Kramer’s collection, and Twitter users jeered at Kramer’s bad luck, pointing out that he had bet on an unregulated, decentralized system that would be unable to help him.
“Man If only there had been some kind of Regulating authority in place that could like Insure your investments against theft and fraud,” wrote one user with the handle @anarchy_shark.
But in the end, an authority did come through. With the help of the buyers and the NFT platform OpenSea, Kramer was able to get back several of his NFTs. Five hours after his original post, he wrote, in a tweet that has also since been deleted, “Update.. All Apes are frozen,,. Waiting for opensea team to get in,,,lessons learned. Use a hard wallet…”
OpenSea’s involvement sparked major controversy, with some alleging that NFTs could not truly be decentralized if it had “frozen” some, rendering them unsellable on the platform. Others pointed out that OpenSea had only frozen user’s ability to interact with the NFT through that one site alone—they could still be bought and sold elsewhere.
Kramer did not respond to requests for comment.
Phishing scams have become more frequent as NFTs have increased in value. However, most savvy users can protect themselves by using hard wallet, also known as a cold wallet, which is physical and only connects to the internet when plugged in and engaged. Kramer had been using a so-called hot wallet, which is continuously connected to the internet and thus more vulnerable.
More common than phishing scams, however, is theft of a different kind. Some people have begun making NFTs of art that they did not create, an issue for which no easy fix has yet been developed.
Update, 1/6/22, 10:40 a.m.: This article has been updated to include a statement from OpenSea.