P2P platform NFT Trader loses $3 million in assets due to an exploit
The tokens were purchased from an unknown user by Boring Security for 10% of the value
18.12.2023 - 10:00
472
3 min
0
What’s new? On December 16, unknown people exploited old smart contracts of the P2P platform for trading non-fungible tokens, NFT Trader, and withdrew assets worth $3 million. After that, an anonymous user, who denied involvement in the hack, offered to return the tokens for a reward of 10% of their value. The assets were bought by the decentralized autonomous organization (DAO) Boring Security, which promised to return NFTs to the owners for free.
What else is known? The NFT Trader team explained that malicious code was injected into two of the platform’s older smart contracts. It recommended that for security purposes, always use Revoke Cash or similar tools to revoke permissions for wallets to interact with smart contracts after making deals.
The developers assured that they have “implemented all necessary measures to prevent any such incidents in the future,” and the platform itself is secure. In addition, for more than a year, NFT Trader has been using OpenSea’s NFT marketplace protocol for exchanging ERC-721 and ERC-1155 standard tokens called Seaport, which enhances its security.
According to Revoke Cash experts, NFT Trader’s losses amounted to about $3 million, and the stolen assets belong to the collections authored by Yuga Labs: Bored Ape Yacht Club (BAYC) and Mutant Ape Yacht Club (MAYC). These are some of the most well-known and expensive collections in the crypto space, with the minimum price for the tokens as of December 18 being 26 ETH ($56 230) and 5,1 ETH ($11 000) for BAYC and MAYC, respectively, according to aggregator CoinGecko.
After the hack, an unknown user contacted NFT Trader and offered to return all tokens for 10% of their minimum value. At the time, it amounted to 30 ETH for BAYC and 6 ETH for MAYC. He also provided the hacker’s address and stated that he was not his accomplice.
The user was rewarded by DAO Boring Security, receiving 36 BAYC and 18 MAYC. At the exchange rate at the time, the ransom amount exceeded $268 000. Members of the organization urged those affected to leave requests for asset recovery in the project’s Discord channel and to “be patient.” The assets will be returned to the owners at no cost.
Useful material?
Telegram 
Twitter Incidents
Developers warned of potential risks to bridges across the ecosystem and asked exchanges for assistance.
Jun 22, 2026
Incidents
The defendant helped move funds stolen through investment scams and earned at least $4 million for his role in the operation.
Jun 10, 2026
Incidents
The company is linking the incident to a compromised private key on a service wallet, rather than a smart contract exploit
May 22, 2026
Incidents
Following the incident, the project temporarily halted trading operations and node activity.
May 15, 2026
Incidents
The user spent weeks unsuccessfully trying to guess the password until Claude helped find an old wallet backup file
May 14, 2026
Crypto regulations
Authorities are introducing mandatory registration for companies handling cross-border crypto transactions
May 8, 2026
Cryptocurrency rates
-
Bitcoin
$62 493
BTC
-2.95%
-
Ethereum
$2 551.16
ETH
+3.56%
-
BNB Smart Chain
$579.4
BSC
+1.23%
-
Ripple
$1.1
XRP
-2.95%
-
TRON
$0.160134
TRX
-1.59%
-
Dogecoin
$0.078868
DOGE
-5.02%
-
Zcash
$415.5
ZEC
-8.02%
-
Stellar XLM
$0.193232
XLM
-6.3%
-
Cardano
$0.150691
ADA
-5.11%
-
Polkadot
$3.32
DOT
+5.27%