Bored Ape Yacht Club NFT theft shows the ease of hacking crypto

The blockchain puts power in the hands of individual crypto owners — which also makes them targets for criminals.


The story of an art gallery owner who had $2.2 million worth of Bored Ape Yacht Club and other NFTs stolen is just the latest example of crypto theft, illustrating the vulnerability of buyers as a broader set of consumers venture into the field.

With NFTs, the issue has grown in importance as the market has transformed from a niche hobby to an active market filled with speculators and investors.

Todd Kramer of New York’s Ross+Kramer gallery fell victim to a phishing scam in late December, according to a now-deleted tweet. He stored his NFTs using an internet-connected hot wallet — a less secure method — and a thief made off with 15 digital tokens worth $2.2 million.

Hot or cold

Phishing scams are common in the crypto world. While these are also common across the internet, targeting everything from work credentials to credit-card numbers, in crypto they are especially popular because once a user's crypto is stolen, transactions are nearly impossible to reverse.

OpenSea, the most popular NFT marketplace by far, doesn’t keep custody of tokens for users. Consumers are responsible for storing their own NFTs.

Many crypto developers and enthusiasts see self-custody as part of the technology’s ethos. A crypto buyer has total control of their assets. That also makes them easier to steal.

After a user clicks on a phishing link, how NFTs are stored becomes a critical question. If they’re kept in an internet-connected hot wallet, an option many prefer for its simplicity and the ease of trading assets kept online, the hacker can easily get access. Hot wallets can be standalone software applications, online accounts maintained by an exchange or even simple browser extensions like the popular MetaMask.

There are typically few ways to remedy a breach or insure against losses, though Lloyd’s offers a crypto wallet policy. Coinbase insures its accounts for up to $250,000, but it doesn’t cover a breach of users’ account credentials. OpenSea blocked the sale of the stolen NFTs, but acknowledged that it couldn’t prevent the NFTs from being transferred off of its marketplace.

Phishing the crypto sea

There are many variations on the phishing scam. One used Google Ads to get access to people’s crypto through MetaMask. In May, MetaMask warned of a phishing scam that looks like a Google Docs form from MetaMask support and asks for a user’s wallet recovery phrase, which can grant a hacker access.

Hardware wallets, also known as cold storage, are one way that crypto holders attempt to protect themselves from hackers. These involve a hardware device that holds the user’s private key offline so that it can’t be accessed even if a hacker gets access to a browser or other device.

But as the Kramer case shows, many users, even those with millions of dollars’ worth of NFTs, don’t bother with hardware wallets. They’re more complicated and can slow things down when trading.

Discord in the ranks

An emerging vector for crypto attacks is through the Discord app. Many crypto projects use Discord for discussion and organizing work, and some are designed to build community among owners of NFTs. These groups are often open for anyone to join.

Hackers often go into these Discord groups trying to get people to click links or give up private keys or other information. Justin Kan’s new project Fractal was the victim of this kind of attack, in which almost 400 people were scammed.

The growth in the NFT market seems to guarantee more incidents of theft and scams. A recent report from Chainalysis found $14 billion in criminal crypto transactions in 2021, up from $7.8 billion in 2020. That’s a very small slice of the overall market, which saw $15.8 trillion in crypto transactions last year, Chainalysis researchers pointed out, but it’s still a huge opportunity for hackers.

Besides better insurance policies and improved security, one market opportunity that’s emerging is hardware wallets. Ledger, a maker of hardware wallets, raised $380 million in June, valuing the company at $1.5 billion. And Block, Square’s parent company, has announced plans to make hardware wallets among its other crypto initiatives.

