08 Aug 2022 7 min read

Bored Ape Yacht Club Report

Bored Ape Yacht Club Report

Introduction

In April 2021, Yuga Labs launched The Bored Apes project. BAYC is considered the most valuable NFT project launched in 2021 in terms of its community and market size. As of 2022, sales of the Bored Ape Yacht Club NFTs have totaled over US $1 billion.

In 2012, Meny Rosenfield released an article introducing the concept of "Colored Coins" for the Bitcoin blockchain. The idea behind Colored Coins was to describe a class of methods for representing and managing real assets on the blockchain in order to prove ownership of those assets. The term was created by eToro CEO, Yoni Assia, along with Vitalik Buterin in a whitepaper called Colored Coins. They proposed an idea of "coloring" a set of Bitcoins to distinguish them from the rest. In that sense, these assets would be non-fungible, so NFT emerged directly from colored coins.

The first known NFT was minted in 2014 by Kevin McCoy and Anil Dash, who put a short video depicting McCoy's wife onto the blockchain. McCoy later sold it to Dash for $4. In October 2015, the first Ethereum NFT project, Etheria, was launched.

In 2017, Larva Labs launched CryptoPunks, an NFT collection that seemingly started the NFT craze of 2021. But right after, the most attention went to another collection, CryptoKitties. Dapper Labs launched it as a blockchain game on Ethereum to allow players to purchase, collect, breed, and sell virtual cats. Each of these cats was represented by an NFT. The game's popularity in December 2017 led to dramatic congestion of the Ethereum network and reached an all-time high in the number of transactions.

Fast forward to 2021, the year of the NFT, and there has been a huge explosion and surge in NFT supply and demand. One of the main factors behind the 2021 boom was the huge changes that took place in the art market and in the industry in general, when prestigious auction houses Christie's and Sotheby's not only moved their auctions to the online world, but also began selling NFT art. This led to a record sale of Beeple's Everydays: the First 5,000 days at Christie's for $69 million. Such a large sale from such a prestigious auction house greatly strengthened the NFT market.

Yuga Labs

Founded in February 2021, Yuga Labs emerged as one of the most dominant and financially successful projects in the NFT ecosystem, and is currently valued at $4 billion. The company is most known for creating the Bored Ape Yacht Club (BAYC), a collection of 10,000 unique Bored Ape NFTs. In light of this success, in June 2021, Yuga Labs launched a spinoff collection for Bored Ape holders called Bored Ape Kennel Club (BAKC), and later in August 2021, the company launched the Mutant Ape Yacht Club (MAYC). The BAKC and MAYC NFTs followed the steps of the BAYC, with both collections quickly starting to sell for tens of thousands of dollars.

After a strong 2021 that brought the company $127 million in net revenue, Yuga started 2022 with a bold move: by acquiring both the popular projects CryptoPunks and Meebits in March.

While Yuga Labs has experienced tremendous growth in the NFT market, the company expanded to the Metaverse and in March, Yuga Labs announced the Otherside, a gamified metaverse in which users can turn their NFTs into playable characters.

Bored Apes Yacht Club

The Bored Ape Yacht Club (BAYC) is an Ethereum-based NFT collection of 10,000 unique Bored Apes. Launched in April 2021 by Yuga Labs, each Bored Ape has been generated by an algorithm combining unique features such as expression, clothing, accessories, and more. It is currently the most expensive NFT collection in the NFT marketplace OpenSea, with a floor price of 82.07 ETH, approximately $133,000.

The BAYC has become a prime example of tapping into a community feeling to drive the success of a project. Bored Apes double as a Yacht Club membership card and grant access to members-only benefits, such as access to an exclusive Discord server and to THE BATHROOM, a collaborative graffiti board, merch drops, and bonus NFTs, private events, and more.

The BAYC has not only captured mainstream attention, but has also been drawing interest from the world's most reputable auction houses. In September 2021, Sotheby's auctioned 101 BAYC NFTs for a staggering $24.4 million. In the same month, Christie's also sold four apes, along with NFTs by CryptoPunks, and Meebits, for a combined total of $12 million.

Along with the most reputable auction houses tapping into the BAYC universe, the list of Bored Ape celebrity owners now runs long. For example, Stephan Curry bought a Bored Ape back in August 2021 for $180,000, which he occasionally uses as his Twitter avatar; Jimmy Fallon purchased the Bored Ape #599 for about $224,000 in early November 2021; Eminem purchased his Bored Ape in December 2021 for about $452,000; Madonna bought her Bored Ape for about $466,000 back in March 2022.

Hacks

In its short history, the BAYC collection has been marked by tremendous success, bringing in considerable amounts of investment. But this success has also drawn negative attention from blackhat hackers and scammers, resulting in millions of dollars of stolen Bored Apes.

The most notorious cases include the compromise of the official Instagram account for the Bored Ape Yacht Club in April 2022, resulting in millions of dollars of stolen NFTs. A hacker posted a phishing link that transferred tokens out of users' crypto wallets. In June 2022, hackers breached the Discord account of BAYC's community manager and posted phishing links in both the official BAYC's and its metaverse project Otherside's Discord channels.

Our Research

The team at Immunefi, the leading bug bounty and security services platform for Web3, which protects over $100 billion in users' funds, has assessed the volume of BAYC NFTs stolen and reported suspicious activity on OpenSea.

Overview

We have collected reports of stolen BAYC NFTs and IDs reported for suspicious activity on OpenSea. We have collected a total of 143 BAYC IDs totaling $13,582,962.08 of which 134 are still Reported for suspicious activity on OpenSea, representing a total of $12,638,406.97.

The most valuable Bored Ape currently reported for suspicious activity was last sold for 194 ETH, equivalent to $267,914.

The banner Reported for suspicious activity on OpenSea represents an item that has been locked, meaning the NFT cannot be bought, sold, or transferred using OpenSea. However, OpenSea doesn't have custody of the NFTs on the platform, which provides sellers the opportunity to use other platforms to transfer or sell stolen NFTs, or sell them directly to users.

In 2021 a Twitter user posted a story on how he exchanged Bored Ape 753 with Ape 9988 using the NFTX liquidity pool. Ape 9988 was stolen earlier and therefore listed as "reported for suspicious activity" on OpenSea, making it impossible for the hackers to sell it there. The user paid 6.13 ETH for the swap in addition to the price of his own NFT, last listed at 63 ETH. Ape 9988 is no longer locked down on OpenSea and is currently listed at 269.69 ETH.

NFT Security Q&A

Recurring hacks, scams, and the possibility of getting your hands on a stolen Bored Ape without realizing it are just some of the reasons it is increasingly important to understand the significance of NFT security. Immunefi's team clarified some of the most important security concerns that users should be aware of.

How do I securely store my NFTs?

The best way to store NFTs is in a hardware wallet or cold wallet. You can also use a smart contract-enabled wallet like Argent.

Storing crypto assets in hot wallets like Metamask, TrustWallet, or other browser-based wallets makes you more vulnerable to phishing attacks, clipper viruses, or other types of malware designed to compromise your system and steal your private keys. Once a hacker has your private keys, it's over. They not only have access to your NFTs, but also any other crypto assets in your wallet.

What are the attack vectors hackers use to steal NFTs?

Phishing, malicious links, malware, viruses, and users being tricked into approving malicious transactions.

What should I look for and do in order to avoid falling victim to phishing attempts?

Be careful of opening files or clicking links from messages that people send you on Discord, Telegram, Twitter DMs, and even LinkedIn. If something looks too good to be true, that's usually a sign of a trap. Don't click on any suspicious links from unknown sources, and be careful which Discord channels you are joining because although they may look legitimate, they may actually be full of scammers.

In some cases, clicking a malicious link is enough for sophisticated hackers to own your machine and transfer out NFTs from a browser wallet. In other cases, they may require you to accept a signed message on MetaMask, which will pop up after you click on a link.

Sometimes project-owned Discord, Telegram, or Twitter accounts can be hacked and send out malicious links or offers. For important announcements, projects usually notify users via all of their social media accounts, or at least more than one. Make sure to check the project's other social media accounts and feel free to ask around via other channels. Also, be aware of messages that have an urgent call to action. Those types of messages are specifically designed to make users put aside all their critical thinking abilities in the hopes of getting a valuable NFT or other assets before time runs out.

How do blackhats profit off of stolen NFTs?

There are several ways. First, blackhats do what's called 'wash trading' – they make so many trades of the stolen NFT through different accounts they control that it's difficult to tell that the NFT was stolen in the first place. This process also has the effect of making it look like there's a lot of demand for the NFT, which drives the price up.

Blackhats can also transfer the NFT out of OpenSea and sell it via a decentralized NFT exchange, such as NFTX, or try to sell it directly to other buyers – this is usually referred to as an OTC (over-the-counter) trade.

What are the key security issues centralized vs decentralized NFT marketplaces face?

If it's a centralized NFT marketplace, then it's possible that if they get hacked, you get hacked. As the saying goes, not your keys, not your crypto. An attack could also come from rogue employees or employees who have been compromised by hackers.

With decentralized marketplaces, individual NFT holders are targeted much more via phishing and malware.

Can I still protect my NFTs if the NFT Marketplace security has been compromised? What steps can I take if I suspect my account has been compromised?

Revoke any access from the NFT itself and move the NFT to a secure wallet like a hardware wallet. If you believe that your machine has been compromised, wipe it and restore it to a previous state. You can never be too careful.

Price Distribution

Download the full report here. Researchers, journalists, and others interested in the underlying data can access the complete dataset here. For questions about this study or Immunefi itself, reach out at press@immunefi.com

About Immunefi

Immunefi is the leading security platform for crypto, protecting more than $180 billion in user funds, and securing protocols across the full development lifecycle, from pre-deployment through production.

Research

You might also like

Hacker Ecosystem Survey Report 2022

Hacker Ecosystem Survey Report 2022

2 min read
Hacker Ecosystem Survey 2024

Hacker Ecosystem Survey 2024

9 min read
Hacks and Token Prices Report 2022

Hacks and Token Prices Report 2022

6 min read