Just another day in crypto.
$3M Was Stolen, but the Real Steal Is These Kia Sedonas, Say Anonymous Developers. On Friday morning, one of the most unusual hacks in NFT history occurred, a front-end vulnerability that resulted in a tense standoff involving miso soup, Kia Sedonas, and threats to bring in the FBI.
However, in the end, a cult non-fungible token (NFT) initiative triumphed, not only recovering the stolen cash but also firmly putting itself in the limelight in a field where mindshare is frequently scarce.
SushiSwap Chief Technology Officer, Joseph Delong, stated on Thursday night that an exploit had stolen 864.8 ETH ($2.93 million) from an NFT drop on the Miso auction platform.
The “Jay Pegs Auto Mart” drop gave out DONA tokens that could be redeemed for Kia Sedona-styled NFTs. The creators’ impersonation of used-car salespeople – an elaborate performance filled with tongue-in-cheek Midwestern flavour – has cultivated a cult following for the drop.
Negotiations with the exploiter, a developer who goes by the moniker “Eratos,” resulted in the cash refund on Friday morning.
Despite Eratos’ odd statement distancing himself from the breach, sources have established that he was the perpetrator.
The discussions were akin to a “financial hostage scenario” from a “disgruntled [Sushi] employee”, according to the team behind the Jay Pegs initiative, NGMI.global (which a team member confusingly referred to as the “evil parent-subsidiary” of Jay Pegs Auto Mart).
CoinDesk contacted the NGMI team in an attempt to make sense of the situation. (NGMI is a popular abbreviation for “not going to make it”).
It was impossible to tell who was saying what during a wide-ranging discussion with BasedMoneyGod, Senior Vice President McGhoul, “Sales Guy #2,” and an unknown fourth team member who arrived and departed the conversation at various times but identified himself as an Amazon Prime subscriber.
Also unclear: whose responses were part of the used-car salesman role-play and which represented the developers’ true sentiments, who sounded incoherent at times following the events of the previous 24 hours.
One NGMI developer remarked, “This has been one of the most bizarre events of my life.” “But it’s also akin to what it’s like to work in this environment”.
The long con
The assault was planned and executed long before the sale began, according to Sales Guy #2, and NGMI “just knew we were f**ked” after the transaction was completed.
Given that the exploit could have been used on any Miso sale, Eratos’ choice of the DONA drop is puzzling. Miso has hosted more than $350 million in sales. The assault was planned and executed long before the sale began, according to Sales Guy #2, and NGMI “just knew we were f**ked” after the transaction was completed.
BasedMoneyGod stated, “He felt the sale would be so fantastic, he thought it would be great, therefore he wanted to exploit that one especially”. “It was likely to be the biggest NFT drop in history, of course, he’ll want to take it”.
In these days of NFT enthusiasm, a decrease of a little over 850 ETH is not unheard of. On the other hand, the exploiter regarded with a combination of respect and contempt by the crew.
“He entered the code into the UI (user interface), and the money transferred to his account. One coder said, “It was actually rather brilliant”.
Given the sophistication of the attack vector, the team voiced regret throughout the interview that the hack was not more effective. They also suggested that syphoning off a little portion of every Miso sale would have made more sense, using a plot from the 1999 cult film “Office Space”.
Following the discovery of the exploiter, the team made contact to establish a dialogue. They ordered meals for their enemy since they knew his address, which is a classic psychological negotiating strategy used to build a relationship with a kidnapper.
NGMI, on the other hand, was attempting to intimidate Eratos in this case. Here’s what the NGMI team had to say about the strange episode:
“We learned his home address pretty quickly.”
“We learned who it was in five minutes! He was playing coy on Google Meets, like he didn’t do it, but we had his phone numbers.”
“We ordered him miso soup on Postmates.”
“We watched the Postmates car arrive in real-time, and we called him right after.”
“And then he blocked our numbers.”
“Five minutes after our calls, his number started saying ‘this number is disconnected.”
Before the talks were cut short, the sales team hired a high-powered attorney to advise them on the legal ramifications if the exploiter refused to comply with the team’s requests.
Again, a transcript:
“This guy killed it. This old-ass white dude got on the call, and this dude was scary as fuck.”
“He was like my grandpa or something.”
“I was scared.”
“He started talking about federal laws, citing these laws, then the dude got scared and hung up.”
“It was sick, dude. My wife was like, ‘This lawyer guy is handsome…”
The team noted that project founder “jaypegs” – a play on a derogatory term for NFTs that refers to a popular image file name that has been lovingly appropriated by the collector community – fell asleep during the negotiations and was unaware of the attacker’s return of the funds at the time of the interview.
This is what the delirious team said to this reporter:
“He’s still sleeping at his sister’s house dude.”
“And the thing is, Jay has a shit heart.”
“He is not, NOT in good health!”
“He’s got to be like 70, 73 or something.”
“And his birthday is in five days.”
The team has been using the hashtag #PRAYFORJAY on social media, and Jay Pegs’ Twitter account released an “official message” from Jay confirming the hack late Friday afternoon.
The team was hesitant about its next step after the first round of talks.
“We talked to him, and then he hung up, and we really didn’t know what to do”.
They warned that if they went to the authorities, they would not be able to retrieve the cash at all, because the agencies would take ETH rather than fiat.
“We decided that the best approach to move ahead would be to frighten the person into sending the money back”.
The Ethereum community, on the other hand, coalesced behind the event. SushiSwap officials went out to centralised exchanges Binance and FTX, both of which Eratos had engaged with. To get his assets blocked, but Delong stated that their attempts on this front were “stonewalled”.
One of the developers stated, “These huge businesses won’t reveal anything or do anything unless the authorities step in”.
Witnessing both their stolen money move and the community rally, according to the NGMI team, was “freakish”.
One stated, “The wonderful thing is that everyone can watch the cash move in real-time”. “That’s the first time I’ve ever seen anything like it”.
Eratos refunded the cash at 6 a.m. Eastern time on Friday. NGMI can now take legal action without fear of losing funding to the court system, but they choose to work outside the law.
A community member even emailed Eratos a usable DONA token for a Kia Sedona NFT as a joke.
Fumbled the bag
The team showed perplexity that Eratos was able to completely mutilate the hack, resulting in the loss of the stolen cash as well as the termination of a promising development career.
Here’s the team’s saying:
“He just couldn’t pull it off.”
“He was building a serious reputation, but I don’t think he’s going to make it.”
“Hey, I just want to stress that that guy is a dweeby NARC, and he failed to execute.”
“The takeaway should be that this guy is a NARC dweeb. A dweeby NARC.”
Other hackers should take note and “keep their opsec clean,” according to the team.
“All script-kiddies in the space need to learn a lesson.”
“He should be ashamed and ostracized. And punished, but not by the FBI.”
DONA tokens and NFTs may now have a shot of enduring cultural influence in the aftermath of the strange occurrences, in a sector where project success is based in part on historical importance.
However, the team claims that the community, which includes about 1,500 Telegram users, were supporters and believers in the main product prior to the attack.
“They understand the value of a Kia Sedona.”
“In your article, can you add a blurb about how the Kia Sedona is among the most reliable in its class?”
“I’m a J.D. Power guy, so I’m going to cite the statistics – it’s a verified 78 out of 100.”
“That’s a strong, high C.”
“You can get behind the wheel, and it will take you where you need to be. It’ll get your loved ones there safe.”
“It’s a four-door, obviously.”
“A 16 in the city and a 23 on the highway.”
“I know the hack is the headline, but the real steal is a Kia Sedona.”