Image: BAYC

A widely-reported phishing attack on OpenSea that reportedly cost users of the marketplace millions of dollars in stolen non-fungible tokens (“NFTs”) has led to a $1 million-plus lawsuit, which was filed by the former owner of a Bored Ape NFT that was allegedly stolen in the headline-making hack. According to the complaint that he filed in a federal court in Texas on February 18, Timothy McKimmy claims that his Bored Ape Yacht Club NFT – Bored Ape #3475 – was stolen when OpenSea was hacked this month, and then listed on the NFT marketplace and sold to another party for 0.01 ETH ($2.66), “a literal fraction” of what it was worth. 

In the complaint, as first reported by TFL, McKimmy sets out claims of negligence and breach of fiduciary duty, trust, contract and implied contract, and asserts that on or about February 7, 2022, his Bored Ape NFT was stolen due to a “security vulnerability” on OpenSea that enabled “an outside party to illegally enter through OpenSea’s code and access [his] NFT wallet,” in order to list and swiftly sell the coveted ape NFT. Essentially, McKimmy claims that “OpenSea’s vulnerabilities allowed others to enter through its code and force the listing of an NFT,” and that this was “through no fault of the [NFT] owner.”  

(In terms of fault on the part of the hacked OpenSea users, it has been reported that the hacker(s) tricked victims into signing a partial digital contract for the NFT trade by way of a phishing email, which gave the attacker general authorization to make the trades before completing the contract and transferring the victims’ NFTs to an address controlled by the hacker. Markets Insider likened the transaction to getting the victims to “sign a blank check.”)

The alleged vulnerability that led to the “phishing attack” was not unknown to OpenSea, McKimmy claims, arguing that OpenSea “was aware of security vulnerabilities in its platform,” and that despite having “full knowledge of these security issues, [the popular platform] did not properly inform its users and did not timely put adequate safety measures in place.” Instead of shutting down its platform “to address and rectify these security issues,” McKimmy alleges that OpenSea “continued to operate.” In doing so, OpenSea – which maintains the title of the biggest marketplace for NFTs with its $13 billion valuation and roster of more than 80 million NFTs, per BlockWorks – “risked the security of its users’ NFTs and digital vaults [in order] to continue collecting 2.5 percent of every transaction uninterrupted.” 

OpenSea Lawsuit

In doing so, and in ultimately serving as the target of the alleged hack, McKimmy contends that OpenSea breached the fiduciary duty it owed to him “by failing to implement policies and procedures to prevent, identify, detect, respond to, mitigate, contain, and/or correct security violations.” Beyond that, OpenSea allegedly “failed to protect the integrity of its systems and to timely notify and/or warn [McKimmy] and other” users of its platform of “the extent and severity of vulnerabilities in its code,” even though such users “expected [OpenSea’s] security practices to comply with laws and regulations” and also expected OpenSea to “reasonably protect wallets which were connected to its platform.” 

McKimmy claims that OpenSea – which has handled “over $11 billion in sales to date, including the sale of a Bored Ape Yacht Club NFT for $3 million” – has also run afoul of the law by engaging in negligence because it “owed a duty of reasonable care of [him],” which it breached by failing to “take proper measures to protect users,” “use reasonable security systems and networks,” and “implement processes by which they could timely detect, address and/or remediate security breaches,” among other things. 

Having unsuccessfully attempted to “resolve the issue numerous times with [OpenSea],” which has “failed to reverse the transaction, return the Bored Ape, and/or provide any adequate remedy,” McKimmy filed the lawsuit, seeking monetary damages from OpenSea to the tune of “the valuation of the Bored Ape, and/or monetary damages over $1,000,000.” (McKimmy claims that he also tried to regain possession of the NFT from the individual who currently possesses it, but that individual allegedly refused to return it.)

As for what the value of the stolen ape NFT might be, the complaint states that it “unquestionably” has “significant value,” noting that Justin Bieber purchased Bored Ape #3001 for 500 ETH, or $1.3 million at the time of the transaction. “Bieber’s Bored Ape has a rarity score of only 53.66 and a rarity rank of #9777.” Distinct from Bieber’s ape, McKimmy claims that his ape NFT is actually “significantly rarer than Bieber’s,” putting its value “in the millions of dollars and growing as each day passes.” 

The Bored Ape #3475 NFT is currently priced at 225 ETH ($598,297.50) on the OpenSea platform.

In addition to monetary damages, McKimmy says that he has filed the lawsuit against OpenSea in order to “protect the interests of NFT owners, who reside in countries worldwide and use [OpenSea’s] platform,” and to force OpenSea “to enact sufficient security measures and address the known susceptibilities in its interface.” 

As for how the case will play out, lawyer and intellectual property researcher Mike Dunford stated on Monday that he suspects it will likely end up in arbitration, and “when it does, the claim may turn on how much you can get away with disclaiming under New York contract law,” which is the state that OpenSea lists in the choice of law provision in its terms of service. (Among other things, OpenSea’s terms state, “You agree that any dispute, controversy, or claim relating in any way to your access or use of the Service, to any products sold or distributed through the Service, or to any aspect of your relationship with OpenSea, will be resolved by binding arbitration, rather than in court, including threshold questions of the arbitrability of such dispute, controversy, or claim.”)

A rep for OpenSea was not immediately available for comment in connection with the lawsuit. 

In a statement on February 21, OpenSea revealed that its team “has been working around the clock to investigate the specific details of [the] phishing attack,” and stated that while it had “not yet determined the exact source,” it had “narrowed down the list of impacted individuals to 17, rather than the previously mentioned 32.” It is still unclear where the hack originated, but OpenSea founder and CEO Devin Finzer stated over the weekend that the attack “did not originate on” its listing system or stem from emails sent by the company.

Reflecting on the OpenSea hack and other “high profile” attacks, such as the attack by way of the Wormhole bridge that resulted in the theft of $320 million worth of ETH, Markets Insider’s Adam Morgan McCarthy states that this type of crime is “becoming more common,” which is further backed up by a recent Chainalysis report that revealed that bad actors stole $14 billion worth of crypto in 2021, an 80 percent year-over-year increase.

The case is Timothy McKimmy v. OpenSea, 4:22-cv-00545 (S.D. Tex.).