They appear to have authorized a malicious DApp to transfer their tokens, resulting in the assets being immediately drained.
CryptoNovo, a nonfungible token (NFT) influencer, announced on January 4 that he was the victim of a cyberattack and lost two CryptoPunks. “I just got hacked!!!” he tweeted. “Are you kidding me?!?” he exclaimed, along with a screenshot from OpenSea of two CryptoPunks being transferred to another address.
The attacker immediately sold the two CryptoPunks, one for 70 Ether (worth $88,434 at the time of publication) and the other for 199 Ether (worth $251,404). This means that CryptoNovo lost over $300,000 in CryptoPunks during the attack.
Several other nonfungible tokens, including Meebits, CloneX, Mutant Ape Yacht Club, and Bored Ape Yacht Club NFTs, were allegedly taken from the influencer.
#3706, CryptoNovo’s iconic green-beanie-wearing Punk, appears to have escaped the attack, though the owner appears to have sold the item. Unlike the previously mentioned NFTs, CryptoPunk #3706 was sent to a completely different address and sold for 75 ETH (worth $94,751). This address has previously received items from Thenovoverse.eth, an ENS domain that has previously received items from CryptoNovo’s official wallet address. These facts may indicate that the item was sold by the owner rather than an attacker.
CryptoNovo has over 18,000 Twitter followers and is known for wearing masks that make him appear to be the green-beanie-wearing CryptoPunk he first bought in 2020.
Although CryptoNovo claimed the attack was a “hack,” Twitter user Proper pointed out that phishing was more likely. CryptoNovo made several token authorizations to an unknown smart contract shortly after the green-beanie CryptoPunk was transferred to a safe address. This contract then used the “transferFrom” function on various NFTs to remove them from the influencer’s wallet. This suggests that he was duped into authorizing a malicious DApp to move his tokens.