Detailed analysis of how a hacker stole 14 BAYC NFTs worth over 852 ETH

A Web3 security analyst, Serpent, presented a detailed analysis of how a hacker stole 14 BAYC NFTs worth over 852 ETH, or about $1.07m, through a month-long social engineering campaign.

The scammer contacted the victim and asked to license IP rights for BAYC #2060. The scammer claimed he was a casting director working for "Forte Pictures," an LA-based Emmy award-winning company with offices at Sony Pictures Studio.

The scammer's alias, "Jason Brubeck," is fake and the person does not exist. Forte Pictures and Marcus Mizelle (the alleged CEO of the company), however, are both real and legitimate. The real Forte Pictures did not own the domain forte.рictures; it operated under Mizelle's website, marcusmizelle.сom.

The scammer registered the forte.рictures domain, posed as the Emmy award-winning company, and pretended to be creating an NFT-related film called "The Return of Time" in collaboration with "Unemployd," an "AI-powered social IP platform for NFTs," which was also a scam.

As a part of the "Unemployd" project scam, they spent many hours on calls, talked with victims for weeks, created fake pitches and partnerships, formed fake legal contracts, and hosted frequent Twitter spaces.

The scammers also created fake BAYC/MAYC Twitter accounts that tweeted and interacted with people daily and pretended to have signed licensing deals for their NFTs with Unemployd.

After going through contracts and discussing the terms, they emailed the victim, stating they "sent a bid" through Unemployd. The scammer told him to visit Unemployd to "sign the contract."

The scam website displayed a gas-less Seaport signature, which they claimed he needed to sign for the license. However, the signature created a private bundle listing of all of the victim's BAYCs to the scammer for 0.00000001 ETH.

The scammer's wallet ran the matchOrders function to complete the private sale, and then he accepted the highest WETH offers on all of the NFTs, which allowed him to convert 852.86 WETH to 1.07m DAI.

The scammer then sent the funds to a new wallet, where the funds are currently sitting dormant.
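
The signature request described above can be inspected before it is signed. The following is an added example, not code from Serpent's analysis or from any wallet: it reviews an EIP-712 Seaport OrderComponents payload and flags a bundle of NFTs sold privately for dust. It assumes the private-listing layout in which the offered NFTs reappear as consideration items addressed to the buyer; reviewSeaportOrder, minWeiPerNft and the sample addresses and token ids are hypothetical.

```javascript
// Seaport ItemType enum: 0 = native ETH, 1 = ERC20, 2..5 = ERC721/ERC1155 variants.
const isNft = (item) => Number(item.itemType) >= 2;
const isCurrency = (item) => Number(item.itemType) <= 1;
const sameAddr = (a, b) => String(a).toLowerCase() === String(b).toLowerCase();

// minWeiPerNft is an assumed policy threshold (0.01 ETH), not a Seaport parameter.
function reviewSeaportOrder(typedData, minWeiPerNft = 10n ** 16n) {
  const d = typedData.domain || {};
  if (d.name !== 'Seaport' || typedData.primaryType !== 'OrderComponents') {
    return { isSeaportOrder: false, warnings: [] };
  }
  const m = typedData.message;
  const nftsOffered = m.offer.filter(isNft);
  // Payment that actually reaches the signer (fees to other recipients excluded).
  const paidToSigner = m.consideration
    .filter((c) => isCurrency(c) && sameAddr(c.recipient, m.offerer))
    .reduce((sum, c) => sum + BigInt(c.endAmount), 0n);
  // Assumed private-listing layout: the NFTs reappear as consideration for a fixed buyer.
  const privateBuyers = [...new Set(m.consideration
    .filter((c) => isNft(c) && !sameAddr(c.recipient, m.offerer))
    .map((c) => c.recipient.toLowerCase()))];
  const warnings = [];
  if (nftsOffered.length > 1) warnings.push(`bundle of ${nftsOffered.length} NFTs`);
  if (privateBuyers.length) warnings.push(`private sale to ${privateBuyers.join(', ')}`);
  if (nftsOffered.length && paidToSigner < minWeiPerNft * BigInt(nftsOffered.length)) {
    warnings.push(`signer receives only ${paidToSigner} wei`);
  }
  return { isSeaportOrder: true, nftsOffered: nftsOffered.length, paidToSigner, warnings };
}

// Constructed sample (placeholder addresses and token ids, not data from the incident).
const VICTIM = '0x' + '11'.repeat(20), BUYER = '0x' + '22'.repeat(20), NFT = '0x' + '33'.repeat(20);
const nft = (id, recipient) => ({ itemType: 2, token: NFT, identifierOrCriteria: id,
  startAmount: '1', endAmount: '1', ...(recipient ? { recipient } : {}) });
const sampleRequest = {
  domain: { name: 'Seaport' },
  primaryType: 'OrderComponents',
  message: {
    offerer: VICTIM,
    offer: [nft('101'), nft('102')],
    consideration: [
      { itemType: 0, token: '0x' + '00'.repeat(20), identifierOrCriteria: '0', // 0.00000001 ETH
        startAmount: '10000000000', endAmount: '10000000000', recipient: VICTIM },
      nft('101', BUYER), nft('102', BUYER),
    ],
  },
};
console.log(reviewSeaportOrder(sampleRequest).warnings);
```

A wallet or signing proxy would run such a check on every eth_signTypedData_v4 request and show the warnings in place of the site's own description of what is being signed.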