The Lessons of the Bored Ape Heist


The Weird Saga of Seth Green’s Stolen NFT

Four Responses to the Case of the Bored, Abducted Ape

June 3, 2022
by Ken Gordon

Is your business going to wade into the world of NFTs? If so, don’t proceed casually. A stolen NFT can imperil your digital plans—just ask actor-writer-director-producer Seth Green. He recently had his NFT, Bored Ape #8398, phished away, halting White Horse Tavern, the series he’s been developing around the character also known as Fred Simian. Below, four of our colleagues consider The Green Affair—Ward De Kruiff, Senior Director, Business Consulting, Head of Web3 and Metaverse Practice for EMEA, EPAM Continuum; Érica Moreti, Head of Strategy & Innovation and Physical Experience for EMEA, EPAM Continuum; Sasha Pitkevitch, Blockchain Lead, EPAM; and Adam Bishop, Director of Information Security, EPAM—each with a specialized take on the case of Green’s erstwhile digital asset. We suspect you’ll find this quartet of Ape takes the opposite of boring.


Ward De Kruiff, Senior Director, Business Consulting, Head of Web3 and Metaverse Practice for EMEA, EPAM Continuum

One of the perks of owning a Bored Ape NFT (non-fungible token) is possessing full commercial rights to it. Web3 gives people property rights—the ability to own a piece of the internet. A growing number of NFT projects are granting owners the right to adapt their works commercially across digital, metaverse, and in real life (IRL). This introduces the term “phygital,” a blend seen as the future of retail.

This has been a useful strategy for unlocking whitespace opportunities, increasing brand visibility, growing brand equity, and transforming loyalty and community management. But it has also introduced a host of legal disputes, which is why NFT copyright law has begun to be tested in court. For buyers of stolen NFTs, the blockchain, which records a chain of ownership, could make it tricky to plead ignorance. Hackers follow the money, and Bored Ape Yacht Club is one of the best-in-class ecosystems in the NFT space, with high floor prices and tremendous market value.

Phishing attacks have been on the rise during Covid, due to remote working, as hackers still depend very much on human error by impersonating trusted senders (spear-phishing) or trusted businesses. You can prevent phishing attacks in several ways:

Regulatory: Trademark filings and the extension of regulatory authorities for virtual assets in an open technological expanse will help shape the future of technology and government.

NFT diversification: Use Soulbound Tokens (SBTs, a term popularized by the game World of Warcraft), which cannot be transferred after they are received. Once they enter your soul wallet, you cannot sell them or transfer them. They are bound to the owner, who holds them forever.

Technology: Use cloud email security solutions powered by ML and AI, website filtering, web and email isolation. The latter isolates a phishing page fully and puts it into a read-only mode, preventing further harm.

A ledger doesn’t automatically remove all risk from your assets. You put them at risk anytime you sign a transaction. The best thing to do is never sign anything with your cold wallet, unless you completely trust the source.

In the case of Seth Green, it’s great that he will work with @DarkWing84, the buyer of the BAYC NFT artwork. Together they will prosecute the thieves with the aim of making the space safer and creating legislation around NFTs. It is interesting to note that BAYC has selected tokenproof.xyz to prove ownership of NFTs, which gives access to ApeFest ’22. It’s a good step in fostering safety in the emerging space of Web3 and the metaverse.
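The warning above that you put assets at risk every time you sign a transaction is concrete enough to turn into a check. The following Python example is added here and is not code from the original article or from EPAM: it decodes the calldata of an ERC-721 transaction using the standard ERC-721 function selectors and classifies what signing it would allow the counterparty to do. The addresses and sample transactions are constructed for illustration, and the “free mint” framing in the comments is an assumption about how such prompts are commonly dressed up, not a description of how Green’s wallet was phished.

```python
"""Inspect an ERC-721 transaction's calldata before you sign it.

Added illustration; not code from the original article or from EPAM.
The four-byte selectors are the standard ERC-721 ones (the first four
bytes of keccak256 over the function signature). Addresses and the
sample transactions below are constructed for the example.
"""

# Standard ERC-721 selectors -> (function name, parameter names, ABI types).
SELECTORS = {
    "095ea7b3": ("approve", ("to", "tokenId"), ("address", "uint256")),
    "a22cb465": ("setApprovalForAll", ("operator", "approved"), ("address", "bool")),
    "23b872dd": ("transferFrom", ("from", "to", "tokenId"),
                 ("address", "address", "uint256")),
    "42842e0e": ("safeTransferFrom", ("from", "to", "tokenId"),
                 ("address", "address", "uint256")),
}


def _decode_word(word: bytes, abi_type: str):
    """Decode one 32-byte static ABI word; reject malformed padding."""
    value = int.from_bytes(word, "big")
    if abi_type == "address":
        if any(word[:12]):
            raise ValueError("address word has non-zero padding")
        return "0x" + word[12:].hex()
    if abi_type == "uint256":
        return value
    if abi_type == "bool":
        if value not in (0, 1):
            raise ValueError("bool word is not 0 or 1")
        return value == 1
    raise ValueError(f"unsupported ABI type {abi_type}")


def decode_calldata(calldata: str) -> dict:
    """Return {'selector', 'function', 'args'}; 'function' is None if unknown."""
    hexdata = calldata[2:] if calldata.startswith("0x") else calldata
    data = bytes.fromhex(hexdata)
    if len(data) < 4:
        raise ValueError("calldata shorter than a function selector")
    selector = data[:4].hex()
    if selector not in SELECTORS:
        return {"selector": "0x" + selector, "function": None, "args": {}}
    name, params, types = SELECTORS[selector]
    body = data[4:]
    if len(body) != 32 * len(types):
        raise ValueError(f"{name} expects {32 * len(types)} argument bytes, got {len(body)}")
    args = {p: _decode_word(body[32 * i:32 * i + 32], t)
            for i, (p, t) in enumerate(zip(params, types))}
    return {"selector": "0x" + selector, "function": name, "args": args}


def assess(decoded: dict, my_address: str, trusted_operators=()) -> tuple:
    """Classify what signing this transaction would let the counterparty do."""
    fn, a = decoded["function"], decoded["args"]
    trusted = {t.lower() for t in trusted_operators}
    if fn is None:
        return ("UNKNOWN", f"unrecognised selector {decoded['selector']}; do not sign blind")
    if fn == "setApprovalForAll":
        if a["approved"] and a["operator"].lower() not in trusted:
            return ("CRITICAL", f"{a['operator']} could move every token you hold in this collection")
        return ("LOW", "approval revoked or granted to a trusted operator")
    if fn == "approve":
        return ("HIGH", f"{a['to']} could transfer token #{a['tokenId']}")
    # transferFrom / safeTransferFrom: only safe if the token lands in your own wallet.
    if a["to"].lower() != my_address.lower():
        return ("CRITICAL", f"token #{a['tokenId']} leaves {a['from']} for {a['to']}")
    return ("LOW", f"token #{a['tokenId']} is transferred to your own address")


# Constructed sample inputs (made-up addresses, not real accounts).
MY_ADDRESS = "0x" + "11" * 20
OTHER = "0x" + "ab" * 20

# What a "free mint" prompt may really contain: setApprovalForAll(OTHER, true).
APPROVE_ALL_CALLDATA = "0xa22cb465" + "00" * 12 + OTHER[2:] + "00" * 31 + "01"
# A plain transferFrom of token 8398 from OTHER into MY_ADDRESS.
TRANSFER_IN_CALLDATA = ("0x23b872dd" + "00" * 12 + OTHER[2:]
                        + "00" * 12 + MY_ADDRESS[2:] + (8398).to_bytes(32, "big").hex())

if __name__ == "__main__":
    for label, calldata in (("approve-all", APPROVE_ALL_CALLDATA),
                            ("transfer-in", TRANSFER_IN_CALLDATA)):
        decoded = decode_calldata(calldata)
        severity, why = assess(decoded, MY_ADDRESS)
        print(f"{label}: {decoded['function']} -> {severity}: {why}")
```

The point of the classifier is that a wallet prompt showing only “Confirm” hides the difference between a transfer into your wallet and a blanket operator approval; decoding the selector and the first argument words is enough to tell them apart, and an unrecognised selector is treated as a reason not to sign rather than as harmless.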

Érica Moreti, Head of Strategy & Innovation and Physical Experience for EMEA, EPAM Continuum

Seth Green’s case raises a number of philosophical questions. It touches the old-as-humanity concept of ownership, of applied morals and ethics, but also intellectual property (IP) and copyright. It re-opens a discussion that has been around since ancient Greece.

Aristotle defined ownership as a moral right. It is about the individual’s right to control something. Similarly, IP rights talk about the ability and freedom to explore a creative property and receive the rights for any utilization of that.

The key question: Is the person who bought the stolen Ape required to give it back if that transaction was recorded on the blockchain and they are the new owner? Should this person pay the rights to Green? In terms of process, this person is the new owner. In terms of morality, this person is not.

The initial experimentation regarding the idea of digital ownership and crypto art started with Larva Labs and the CryptoPunks in 2017. The goal was to decentralize and investigate this concept: “Could a few lines of code translate to a feeling of meaningful ownership?”

The irony of this is that IP ownership and data security are the basis for a decentralized web.

However, this case shows the gaps, implications, and needs for new security standards and regulatory models that are created for the digital and virtual worlds, especially due to the ease of replicability and falsification of digital assets.

What would happen if your ID or passport number were stolen in a decentralized environment?

We’ve been seeing many examples of IRL behaviors, spaces, and experiences being replicated in the virtual world, where technically one would have the ability to decentralize, explore, share and re-invent what has been applied to the physical world.

The risk I envision in trying to regulate a decentralized environment lies in applying an “offline-like” regulatory process—and that takes us back to centralization.

We still have a long way to go towards virtual and tech ethics, and we do have the opportunity to re-think security and regulatory process in a different way.

Should we start designing and developing ethics-driven systems and environments even if virtual? Or should we explore instead Plato’s theory of reality and his model of joint ownership?

Adam Bishop, Director of Information Security, EPAM

There's a regulatory aspect to NFTs, which I think can either save or kill it. And I don't know which direction it will go. On one hand, if crypto is completely deregulated and incidents like the Seth Green case continue to happen, with zero ability from a central authority to fix it, it's never going to go mainstream. For NFTs to go mainstream, you need at least some level of regulation so people who are making policy can say, “OK, this looks and feels familiar, so we can have some level of control over it.” But of course, that flies in the face of true transactional autonomy, and all these things that blockchain and Web3 are pushing for.

So it's an interesting dynamic. I do know that it can't just stay the way it is. It's got to evolve somehow, and it's going to get there with time.

What’s the real lesson for organizations looking to get into NFTs? I think it's kind of like launching a satellite. Sure, there are companies doing this, but this is not one of those things you just do on your own: “We gotta do blockchain, so let's just figure out how to do it.” Companies need guidance on how to do this stuff. There's a right and wrong way to implement it, and I think that's the takeaway.

There are some fundamental practices that we've established as a security body. We know that there can be vulnerabilities in ways that you implement these blockchains and the associated transactions. They can be done in a secure manner. Nothing's 100% secure, of course, but if you look at the Seth Green incident, you know what was the root cause of the whole problem, right? It was a phishing attack. It was social engineering. So this goes back to the old fundamentals that we've known about for years.

It used to be that if you had the little green lock icon in your Internet Explorer address bar, that meant you could trust it. But nowadays, we know that every site on the internet, malicious or not, is signed with a certificate, right? So you can't just inherently trust that anymore. It really goes back to the whole idea of zero trust, you know. Don't worry about what you can trust; rather, go off the premise that you can’t trust anything.

We’re talking about the importance of security hygiene, the stuff that security practitioners have known for decades. Yes, this is a new spin on it, but if you don't have that foundation, you're never gonna build the new capabilities, the modern capabilities to secure the modernized environment.

This story is grabbing attention because of its high-profile, celebrity-focused headline, but it represents an asset of interest that caught the attention of the attacker community. They were able to execute on it using rather unsophisticated means. At the end of the day, social engineering is not a reversing of the encryption algorithm. It wasn't a breaking of the hashing and the blockchain. It was just, hey, let's trick this guy into giving us trusted access to his wallet, and then boom. Yes, it involved NFTs, but this is nothing new. This is the same stuff that was happening decades ago.

In short: NFT-buyer beware!

Sasha Pitkevitch, Blockchain Lead, EPAM

Seth Green bought a Bored Ape NFT named Fred, and he built a TV series, White Horse Tavern, around it. The trailer was screened at the NFT conference VeeCon and was generally well received. Then, just before the series premiere, Green lost his NFT in a phishing incident. A Twitter user named @DarkWing84 now owns Fred.

Go and look at the trailer. It’s an important artifact because it shows what the near future will look like. In it you’ll see NFT characters, like Fred, who are living in a world together with people and other NFTs. The series represents the metaverse!

Besides the quarrel about IP rights, the series itself is the next step in understanding what NFTs are. The trailer did much to bring the understanding of the topic to the next level.

From the legal point of view, the case is important for all of us. From a purely technical perspective, I'm on the side of the person who has the Ape right now, because that's how blockchain should work.

This was a phishing incident, which means that Seth Green went to a website where he left his credentials, which allowed the robber to steal the NFT. Very unwise behavior.

The case might actually make the public more aware of securing their devices. It suggests that we need to educate users, educate kids, because now there are a lot of kids, including my 12-year-old, who own NFTs.

We discussed the case at home and my son immediately said: “What a stupid guy.” My son was genuinely surprised that Green was a phishing victim. I thought: “Thank God my boy is well educated.”

We clearly need to do some educational initiatives, probably targeting teenagers. After all, White Horse Tavern was definitely targeting young people.

The reality is that many teens have NFTs, and we need to teach them how to behave so they can enjoy their ownership. We’re planning to start a podcast this summer to teach people how to use wallets. We’ll talk, for instance, about proper behaviors when you have crypto. The basic knowledge everybody needs to know.

Actually, maybe The Case of Seth Green suggests not the future of the metaverse… but the fact that we’re in the metaverse right now.

Photo by Dylan Calluy on Unsplash
