It appears that NBA player Cole Anthony has joined the many victims whose wallets were compromised and items stolen. There is a running joke on Twitter that the only thing Bored Ape owners love more than talking about themselves is giving away their seed phrases, criticism earned by how often Bored Apes are stolen in these NFT scams. While this is a terrible situation, there is a certain humor in the fact that one of the last purchases Cole’s account made was a Mutant Ape, which very well may have been why his account was targeted. (While this post was sitting in my drafts, the scammers hit Waka too. This is a bridge too far. Nobody hits the mastermind behind No Hands and gets away with it.)
So what do you do now? While the unfortunate reality is that your stolen crypto and NFTs are likely gone forever, there are steps you should be taking to protect yourself legally and to potentially recover some of those funds or NFTs later. If your stuff hasn’t been stolen, please come back to this article later, and follow the steps laid out by Punk 6529 in his Twitter thread on wallet security. If you have something of high value (like a Mutant Ape), put it on a cold storage device. Don’t keep anything in a hot wallet that you cannot financially recover from losing.
Obviously, if you notice the theft in real time, do what you can to transfer any remaining assets to a secondary or friend’s wallet for safe keeping. As soon as the initial damage control is done, while you are likely reeling from your losses, you need to document everything you can.
Sometimes, it’s obvious where the breach was. If you gave your seed phrase to somebody claiming to be MetaMask support on Twitter or in your Discord DMs, that almost certainly was the culprit. Sometimes, it is less obvious and happened through a maliciously airdropped token that you unknowingly authorized to access your wallet when you sold it, or some malicious link which downloaded spyware on your computer. The key is to document everything, in real time, before your memory fades and/or internet history data is lost.
If you can, hire a digital forensic investigator to copy any devices’ hard drives from which you accessed the breached wallet (phone, laptop, desktop, etc.). If you are tech savvy, you can do this yourself, but hiring a third-party expert is useful to prevent later allegations of data fabrication. Retrace your steps: Where was your wallet information stored at the time of the theft? Who had access to it? What were you doing online before the theft? Were there similar thefts at the same time? Who were those other victims? It may be years before cyber crime departments, or law firms, have the necessary blockchain investigators to actually catch the person that stole your stuff, so preserve as much as you can for if/when that day comes.
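One way to make the "document everything" step hold up against a later fabrication claim, shown as an added example that is not part of the original post: hash every file you preserved (screenshots, browser history exports, transaction exports) into a manifest where each entry commits to the one before it, so a changed file or an edited manifest is detectable. The folder layout and field names are assumptions for illustration; keep the manifest and its `head` value somewhere outside the evidence folder.

```python
import hashlib
import json
import os
from datetime import datetime, timezone

GENESIS = "0" * 64  # chain anchor for the first manifest entry

def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def _entry_hash(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def build_manifest(evidence_dir):
    """Hash every file under evidence_dir; each entry commits to the previous one."""
    entries, prev = [], GENESIS
    for root, _dirs, files in sorted(os.walk(evidence_dir)):
        for name in sorted(files):
            path = os.path.join(root, name)
            body = {"path": os.path.relpath(path, evidence_dir),
                    "size": os.path.getsize(path),
                    "sha256": sha256_file(path),
                    "recorded_utc": datetime.now(timezone.utc).isoformat(),
                    "prev": prev}
            prev = _entry_hash(body)
            entries.append({**body, "entry_hash": prev})
    return {"entries": entries, "head": prev}

def verify_manifest(evidence_dir, manifest):
    """Return (problem, path) tuples; an empty list means nothing changed."""
    problems, prev = [], GENESIS
    for e in manifest["entries"]:
        body = {k: v for k, v in e.items() if k != "entry_hash"}
        if body["prev"] != prev or _entry_hash(body) != e["entry_hash"]:
            problems.append(("manifest-altered", e["path"]))
        prev = e["entry_hash"]
        path = os.path.join(evidence_dir, e["path"])
        if not os.path.isfile(path):
            problems.append(("missing", e["path"]))
        elif sha256_file(path) != e["sha256"]:
            problems.append(("content-changed", e["path"]))
    if prev != manifest["head"]:
        problems.append(("head-mismatch", ""))
    return problems
```
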
The Computer Fraud and Abuse Act of 1986 (“CFAA”) makes it a crime to access a computer or database without permission, or to exceed any permission given. While these scams often involve people signing over permission from their wallet, any malicious use of that permission would almost certainly fall under the CFAA. The act provides both criminal and civil remedies, meaning that if you are a victim of scamming you can bring an independent civil complaint against the scammer to recover your stolen property or its monetary equivalent.
The problem is, your scammer is most likely located outside of the United States (which makes prosecuting them near impossible) or is diligent in using anonymous exchanges in converting his/her crypto to fiat. Or both. However, more and more jurisdictions are requiring cryptocurrency exchanges to collect Know Your Customer (“KYC”) information in the same way that other financial institutions collect that information. An account which is anonymous today may well be linked to an individual tomorrow. Or there may be enough evidence to lead back to somebody after five scams that would not have been possible with just one.
Do not hesitate to work with an attorney, and contact your local and federal cyber crimes departments. While the chances of catching the person in the near future are slim, your cooperation with law enforcement may prevent some other person from being victimized by the same scammer 3 years down the road. The beauty of the blockchain is the information will be there forever. It will just be a matter of finding people who understand blockchain forensics enough to trace that information back to the perpetrator(s).
Buyers of Stolen Goods
Unfortunately, one of the most common moves of a scammer is accepting lowball offers on the NFTs in the wallet and immediately transferring the crypto from those sales to a separate account. When a person unknowingly purchases stolen property in a jurisdiction where equity principles apply, that innocent purchaser is often allowed to retain legal title to that property. The thought is, as much as we don’t like to victim blame, the person who unknowingly purchased the property is probably less at fault than the person who allowed the property to be stolen in the first place. In other jurisdictions, the buyer may be required to return the property to its rightful owner and seek restitution of the purchase price from the thief. This leaves the victim of the theft made whole, but the buyer SOL. You should immediately contact an attorney to assist you with this determination.
But what about the knowing purchase of stolen property? Most states have laws which make it a crime to purchase, obtain, receive, or possess any property which is known to be (or should be known to be) stolen. Exactly when somebody knows (or should know) an item is stolen is a separate matter. Again, you should work with an attorney, but immediately contacting marketplaces (like OpenSea or Rarible) to let them know your account was compromised is a good first step. Your second step should be letting any buyer know the item is stolen, to put that buyer on notice. If you can find that buyer’s information on their OpenSea or other marketplace account, you should reach out as soon as possible (in a polite way). If you cannot find that buyer’s information, you may consider airdropping a notice to their account.
Note that everything you say and do could be in front of a judge or jury some day. I know tensions are high, but be respectful, choose your words carefully, and work with an attorney when possible. These buyers are most likely victims just like you are. Karma is real in the NFT space, so try to work out a solution which is as fair as possible under the circumstances.
If you are the purchaser of items which you later learn may have been stolen, contact an attorney to determine your next steps. If you believe an account may have been compromised, do not buy items from that account. And if you buy things (or set up a bot to buy things) at prices too good to be true, know you are at risk of having that item returned to its rightful owner, leaving you stuck seeking restitution from the (likely impossible to locate) scammer.
Getting scammed or hacked sucks. Sadly, if you are in this space long enough, you will likely be the victim of a scam or personally know somebody who is. There is nothing you can do to go back in time to prevent the scam, but your next steps could be the difference between getting at least some of your items returned/the scammer being someday caught, and walking away empty handed with no justice against the thief. If you have been scammed and need help navigating your local law, please do not hesitate to contact me. I would be happy to assist or refer you to somebody in your jurisdiction that can help.
If you have any questions, or would like me to cover anything in particular, reach out to me on either of my Twitter pages. As always, I am an attorney, I am not your attorney. For legal advice, you should always consult (and pay for) an attorney.