User sues OpenSea for $1M+ after losing his Bored Ape NFT in phishing attack
The plaintiff has accused the NFT marketplace of "negligence" and "breach of fiduciary duty."
Texas resident Timothy McKimmy has officially filed a lawsuit for at least $1 million against non-fungible token (NFT) marketplace OpenSea. In the complaint, he accused the platform of “negligence” that resulted in him losing an “unquestionably” valuable Bored Ape Yacht Club NFT.
According to the lawsuit filed on February 18 in the Southern District of Texas, McKimmy was allegedly one of the victims of the recent series of phishing attacks. As CryptoSlate reported, some OpenSea users have recently lost millions of dollars' worth of NFTs to unknown malicious actor(s).
Specifically, the attacker deployed a smart contract on Ethereum more than a month before the actual theft and then emailed several users, urging them to move their NFTs from an old OpenSea smart contract to a new one. This fake new contract, in turn, initiated the signing of open sell orders, which the attacker collected.
According to the complaint, McKimmy lost his Bored Ape #3475 NFT as a victim of this scheme. The token is currently being auctioned off for at least 225 Ethereum (roughly $568,000) by an unknown owner.
Phishing in OpenSea
In his complaint, McKimmy alleged that OpenSea has breached the fiduciary duty it owed to him “by failing to implement policies and procedures to prevent, identify, detect, respond to, mitigate, contain, and/or correct security violations.”
Because of this, the plaintiff claimed that on or around February 7 his Bored Ape NFT was stolen due to a “security vulnerability” on OpenSea, allowing “an outside party to illegally enter through OpenSea’s code and access [McKimmy’s] NFT wallet” to list and sell the token.
Ultimately, “OpenSea’s vulnerabilities allowed others to enter through its code and force the listing of an NFT” and that was “through no fault of the [NFT] owner,” McKimmy claimed.
He added that attempts to “resolve the issue numerous times with” OpenSea remained unsuccessful as the platform “failed to reverse the transaction, return the Bored Ape, and/or provide any adequate remedy,” which led to him filing the lawsuit.
Now, the plaintiff wants OpenSea to reimburse him “the valuation of the Bored Ape, and/or monetary damages over $1,000,000,” the complaint stated.
“Plaintiff’s Bored Ape has significant value; this is unquestionable. For example, Justin Bieber purchased Bored Ape #3001 for 500 ETH, or $1.3 million at the time of the transaction. Bieber’s Bored Ape has a rarity score of only 53.66 and a rarity rank of #9777,” according to the complaint.
Meanwhile, “Plaintiff’s Bored Ape has a rarity score of 138.52 and a rarity rank of #1392. It is in the top 14% rarity, and it is significantly rarer than Bieber’s. Thus, Plaintiff’s Bored Ape’s value is arguably in the millions of dollars and growing as each day passes,” the document claimed.
The attack no longer seems to be active, but we are continuing to monitor. We have not seen activity from the attacker’s wallet in >36 hours. We’re continuing to investigate.
— OpenSea (@opensea) February 22, 2022
For its part, OpenSea today reported that “the attack no longer seems to be active” but that the platform is still “continuing to monitor” and “it is safe to migrate your listings” now.