$3M Was Stolen, but the Real Steal Is These Kia Sedonas, Say Anonymous Developers

One of the most elegant hacks in recent history is also one of the strangest.

AccessTimeIconSep 17, 2021 at 8:19 p.m. UTC
Updated May 11, 2023 at 5:10 p.m. UTC

Just another day in crypto.

One of the most bizarre hacks in NFT history played out on Friday morning, a front-end exploit that led to a tense standoff featuring miso soup, Kia Sedonas and threats to call in the FBI.

In the end, however, a cult non-fungible token (NFT) project has prevailed, having not just retrieved the stolen funds but also firmly establishing itself in the limelight in a space that’s often short on mindshare.

On Thursday night, SushiSwap Chief Technology Officer Joseph Delong revealed that the 864.8 ETH ($2.93 million) proceeds from an NFT drop on the Miso auction platform had been stolen in an exploit.

The drop, “Jay Pegs Auto Mart,” distributed DONA tokens redeemable for Kia Sedona-styled NFTs. The drop has a cult following driven by the developers pretending to be used-car dealers – an elaborate performance laced with tongue-in-cheek, Midwestern flavor.

The funds were returned on Friday morning after negotiations with the exploiter, a developer who works under the pseudonym “Eratos.”

Although Eratos has since posted a puzzling tweet in which he appears to be distancing himself from the hack, sources close to the Jay Pegs team have confirmed that the team has determined that he is responsible.

The team behind the Jay Pegs project, NGMI.global (which a team member confusingly referred to as the “evil parent subsidiary” of Jay Pegs Auto Mart) told CoinDesk that the negotiations were equivalent to a “financial hostage situation” from a “disgruntled [Sushi] employee.”

Meanwhile, Sushi team representatives told CoinDesk in a statement that while a forthcoming incident report found that “Eratos had a first degree funding relation to the exploit address” and that “Eratos purportedly held a lead position over this separate actor,” there is no definitive proof that Eratos and the attacker were the same entity.

In an effort to make sense of the events, CoinDesk reached out to the NGMI team. (NGMI is a popular shorthand for “not gonna make it.”)

However, during a wide-ranging interview with self-described “middle management representative” BasedMoneyGod, Senior Vice President McGhoul, “Sales Guy #2” and an unnamed fourth team member who joined and left the interview at various points throughout but who identified himself as an Amazon Prime member, it was difficult to discern who was saying what.

Also unclear: Which answers were part of the used-car-salesman role-play and which reflected the actual feelings of the developers, who at times sounded borderline delirious after the events of the last 24 hours.

“This has been one of the most surreal moments of my life,” said one NGMI developer. “But it’s also just kind of like what it’s like working in this space.”

The long con

Sales Guy #2 noted that the attack was planned and implemented well before the launch of the sale and that NGMI “only realized we were f**ked” after the sale concluded.

Given that the exploit could have applied to any Miso sale, it is unclear why Eratos chose the DONA drop. Miso has hosted sales worth upward of $350 million.

“He thought that the sale was going to be so awesome, he thought it was going to be great, so he wanted to exploit that one specifically,” claimed BasedMoneyGod. “It was going to be ‘the greatest NFT drop in the history of NFTs’ – of course, he’s gonna want to steal it.”

The drop raised just over 850 ETH, a not-unusual sum in these times of NFT euphoria.

The team spoke of the exploiter with a mixture of admiration and disdain.

“He put the code in the UI (user interface), and it redirected the funds into his address. It was actually kind of clever,” said one developer. This reporter was not able to discern which.

The team continually expressed disappointment throughout the interview that the hack was not more successful, given the elegance of the attack vector. They also said it would have made more sense to siphon off a small amount from every Miso sale, referencing a scheme from the 1999 cult classic “Office Space.”

However, Eratos, whose GitHubhttps://github.com/eratos1122 profile is highly self-promotional and contains easily identifiable information, was “sloppy” with his operational security, and the team “doxxed” him in short order – terms referring to how individuals maintain their anonymity online and for uncovering the real-life information behind an online persona, respectively,

Soup tactics

After identifying the exploiter, the team reached out to establish communications. Knowing his address, they ordered food for their foe, a common psychological negotiation tactic used to establish a bond with an abductor.

In this instance, however, NGMI sought to intimidate Eratos. Here’s a transcript of the bizarre episode as told by the NGMI team:

“We learned his home address pretty quickly.”
“We learned who it was in five minutes! He was playing coy on Google Meets, like he didn’t do it, but we had his phone numbers.”
“We ordered him miso soup on Postmates.”
“We watched the Postmates car arrive in real time, and we called him right after.”
“And then he blocked our numbers.”
“Five minutes after our calls, his number started saying ‘this number is disconnected.’”

Legal action

Before the negotiations were cut short, the sales team brought on a high-powered attorney to weigh in on the possible legal consequences if the exploiter didn’t yield to the team’s demands.

Again, a transcript:

“This guy killed it. This old-ass white dude got on the call, and this dude was scary as fuck.”
“He was like my grandpa or something.”
“I was scared.”
“He started talking about federal laws, citing these laws, then the dude got scared and hung up.”
“It was sick, dude. My wife was like, ‘This lawyer guy is handsome...’”

Jay’s heart

The team noted that project founder “jaypegs” – a play on a derogatory term for NFTs referring to a popular image file name that has been lovingly reappropriated by the collector community – fell asleep during the negotiations, and that at the time of the interview he remained unaware that the attacker had returned the funds.

The delirious team told this reporter:

“He’s still sleeping at his sister’s house dude.”
“And the thing is, Jay has a shit heart.”
“He is not, NOT in good health!”
“He’s got to be like 70, 73 or something.”
“And his birthday is in five days.”

The team has been promoting the hashtag #PRAYFORJAY on social media, and late in the afternoon on Friday the Jay Pegs Twitter account posted an “official statement” from Jay acknowledging the hack.

Waiting game

After the first round of negotiations, the team was unsure of its next move.

“We talked to him, and then he hung up, and we really didn’t know what to do.”

They noted that if they moved to involve authorities, it would be possible that they would never recover the funds at all, as the agencies would seize ETH, not fiat.

“We thought the best way to move forward would just be to scare the guy, just get him to send the funds back.”

The Ethereum community rallied around the event, however. Blockchain data site Etherscan quickly labeled Eratos’ address as an exploiter, and SushiSwap representatives reached out to centralized exchanges Binance and FTX, both of which Eratos had interacted with, to have his funds frozen, though Delong reported their efforts on this front were “stonewalled.”

“These big companies won’t release, or do anything, before authorities are involved,” said one of the developers.

The NGMI team said witnessing both their stolen money move and the community rally was “surreal.”

“The cool thing is that everyone can watch the funds moving in real-time,” said one. “I’ve never seen anything like that.”

Added another: “People from the community were just chiming in, reporting things and finding things about the attacker. It was really interesting to see the community come together.”


At roughly 6 a.m. Eastern time on Friday, Eratos returned the funds. While NGMI can now pursue legal action without the risk of losing the funds to the justice system, they’re opting to work outside of the law.

“We settled it amongst ourselves, we’re not NARCs.”
“Crypto-anarchists don’t involve the FBI.”

In a show of cheek, a community member even sent Eratos’ address a DONA token, redeemable for a Kia Sedona NFT.

“We prefer to settle things on the dartboard,” said one developer.

Fumbled the bag

The team repeatedly expressed befuddlement that Eratos could mangle the hack so thoroughly, both losing the stolen funds and ending what was a promising development career.

Here’s the team’s telling:

“He just couldn’t pull it off.”
“He was building a serious reputation, but I don’t think he’s going to make it.”
“Hey, I just want to stress that that guy is a dweeby NARC, and he failed to execute.”
“The takeaway should be that this guy is a NARC dweeb. A dweeby NARC.”

The team recommended that other hackers learn from this and “keep their opsec clean.”

“All scriptkiddies in the space need to learn a lesson.”
“He should be ashamed and ostracized. And punished, but not by the FBI.”

Cultural value

In a space where the success of a project hinges in part on historical significance, DONA tokens and NFTs may now have a chance at lasting cultural impact in the wake of the bizarre events.

However, the team says the community, including some 1,500 Telegram followers, were supporters before the attack and believers in the core product.

“They understand the value of a Kia Sedona.”
“In your article, can you add a blurb about how the Kia Sedona is among the most reliable in its class?”
“I’m a J.D. Power guy, so I’m going to cite the statistics – it’s a verified 78 out of 100.”
“That’s a strong, high C.”
“You can get behind the wheel, and it will take you where you need to be. It’ll get your loved ones there safe.”
“It’s a four-door, obviously.”
“Six-seat adjustment.”
“A 16 in the city and a 23 on the highway.”
“I know the hack is the headline, but the real steal is a Kia Sedona.”

They pointed to the 1-689-JAY-PEGS hotline for further information, as well as their Pinterest account that they say reflects their “values.”

UPDATED (Sept. 18, 14:04 UTC): Updates to include statement from the Sushi team.


Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by Block.one; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk employees, including journalists, may receive options in the Bullish group as part of their compensation.

Andrew Thurman

Andrew Thurman was a tech reporter at CoinDesk with a focus on DeFi.

Read more about