They appear to have authorized a malicious DApp to transfer their tokens, leading the assets to be drained immediately.
Nonfungible token (NFT) influencer CryptoNovo announced on Jan. 4 that he fell victim to a cyberattack and lost two CryptoPunks. He wrote on Twitter, “I just got hacked!!! Are you kidding me!?!” and included a screenshot from OpenSea showing two CryptoPunks being transferred to another address.
I just got hacked!!!
— CryptoNovo (@CryptoNovo311) January 4, 2023
Are you kidding me!?! pic.twitter.com/r1xS0mhD6P
The two CryptoPunks were immediately sold by the attacker, one for 70 Ether (ETH) (worth $88,434 at the time of publication) and the other for 199 ETH (worth $251,404). This implies that CryptoNovo lost over $300,000 worth of CryptoPunks in the attack.
Numerous other nonfungible tokens were apparently also taken from the influencer, including Meebits, CloneX, Mutant Ape Yacht Club and Bored Ape Yacht Club NFTs.
CryptoNovo’s iconic green-beanie-wearing Punk, #3706, appears to have been saved from the attack, although the owner also appears to have sold the item. While the previously mentioned NFTs went to a known phishing address, CryptoPunk #3706 was sent to a completely different address and sold for 75 ETH (worth $94,751). This address has also received items from Thenovoverse.eth, an ENS domain that has itself received items from CryptoNovo’s official wallet address in the past. These facts may imply that the sale of this particular item was done by the owner rather than an attacker.
CryptoNovo has over 18,000 Twitter followers and is known for wearing masks that make him look like the green-beanie-wearing CryptoPunk he first purchased in 2020.
Although CryptoNovo claimed the attack was a “hack,” Twitter user Proper pointed out that the more likely cause was phishing. Just after the green-beanie CryptoPunk was transferred to a safe address, CryptoNovo made several token authorizations to an unknown smart contract. It is this contract that subsequently used the “transferFrom” function on various NFTs to move them from the influencer’s wallet. This implies that someone may have tricked him into authorizing a malicious DApp to move his tokens.
Really sorry this happened and I hope you're able to get the pieces back. If it's any help, it looks like you may have a signed a txn granting an allowance to https://t.co/8Lpr10A3sz pic.twitter.com/pNMt5xrN0F
— proper (@__proper) January 4, 2023
Related: Magic Eden NFT service hacked, shows porn instead of correct images
Someone also appears to be impersonating CryptoNovo on Discord. Nine hours after the attack occurred, he posted an image of a Discord account that claims to be him, but which he says is a fake account.
I have not asked anyone for anything. DO NOT send anything to anyone using my name and account number! The discord you see below is a fake account. A couple other CryptoPunks owners have scammers acting as them as well. pic.twitter.com/9YWcTLYAJd
— CryptoNovo (@CryptoNovo311) January 4, 2023
CryptoPunks was one of the first “generative digital art” NFT collections, or collections of art objects generated by an algorithm. It was released in June 2017, and its individual units were given away to anyone who could pay the gas fees to mint them. Today, CryptoPunks sell for an average price of over $100,000.
The collection has inspired thousands of other generative NFT collections, including Bored Ape Yacht Club, Mutant Ape Yacht Club, Meebits and others.