$3M Was Stolen, but the Real Steal Is These Kia Sedonas, Say Anonymous Developers
One of the most elegant hacks in recent history is also one of the strangest.
Just another day in crypto.
One of the most bizarre hacks in NFT history played out on Friday morning, a front-end exploit that led to a tense standoff featuring miso soup, Kia Sedonas and threats to call in the FBI.
In the end, however, a cult non-fungible token (NFT) project has prevailed, having not just retrieved the stolen funds but also firmly established itself in the limelight in a space that’s often short on mindshare.
On Thursday night, SushiSwap Chief Technology Officer Joseph Delong revealed that the 864.8 ETH ($2.93 million) proceeds from an NFT drop on the Miso auction platform had been stolen in an exploit.
The drop, “Jay Pegs Auto Mart,” distributed DONA tokens redeemable for Kia Sedona-styled NFTs. The drop has a cult following driven by the developers pretending to be used-car dealers – an elaborate performance laced with tongue-in-cheek, Midwestern flavor.
The funds were returned on Friday morning after negotiations with the exploiter, a developer who works under the pseudonym “Eratos.”
Although Eratos has since posted a puzzling tweet in which he appears to be distancing himself from the hack, sources close to the Jay Pegs team have confirmed that the team has determined that he is responsible.
The team behind the Jay Pegs project, NGMI.global (which a team member confusingly referred to as the “evil parent subsidiary” of Jay Pegs Auto Mart) told CoinDesk that the negotiations were equivalent to a “financial hostage situation” from a “disgruntled [Sushi] employee.”
Meanwhile, Sushi team representatives told CoinDesk in a statement that while a forthcoming incident report found that “Eratos had a first degree funding relation to the exploit address” and that “Eratos purportedly held a lead position over this separate actor,” there is no definitive proof that Eratos and the attacker were the same entity.
In an effort to make sense of the events, CoinDesk reached out to the NGMI team. (NGMI is a popular shorthand for “not gonna make it.”)
However, during a wide-ranging interview with self-described “middle management representative” BasedMoneyGod, Senior Vice President McGhoul, “Sales Guy #2” and an unnamed fourth team member who joined and left the interview at various points throughout but who identified himself as an Amazon Prime member, it was difficult to discern who was saying what.
Also unclear: Which answers were part of the used-car-salesman role-play and which reflected the actual feelings of the developers, who at times sounded borderline delirious after the events of the last 24 hours.
“This has been one of the most surreal moments of my life,” said one NGMI developer. “But it’s also just kind of like what it’s like working in this space.”
The long con
Sales Guy #2 noted that the attack was planned and implemented well before the launch of the sale and that NGMI “only realized we were f**ked” after the sale concluded.
Given that the exploit could have applied to any Miso sale, it is unclear why Eratos chose the DONA drop. Miso has hosted sales worth upward of $350 million.
“He thought that the sale was going to be so awesome, he thought it was going to be great, so he wanted to exploit that one specifically,” claimed BasedMoneyGod. “It was going to be ‘the greatest NFT drop in the history of NFTs’ – of course, he’s gonna want to steal it.”
The drop raised just over 850 ETH, a not-unusual sum in these times of NFT euphoria.
The team spoke of the exploiter with a mixture of admiration and disdain.
“He put the code in the UI (user interface), and it redirected the funds into his address. It was actually kind of clever,” said one developer. This reporter was not able to discern which.
Throughout the interview, the team repeatedly expressed disappointment that the hack was not more successful, given the elegance of the attack vector. They also said it would have made more sense to siphon off a small amount from every Miso sale, referencing a scheme from the 1999 cult classic “Office Space.”
After identifying the exploiter, the team reached out to establish communications. Knowing his address, they ordered food for their foe, a common psychological negotiation tactic used to establish a bond with an abductor.
In this instance, however, NGMI sought to intimidate Eratos. Here’s a transcript of the bizarre episode as told by the NGMI team:
Before the negotiations were cut short, the sales team brought on a high-powered attorney to weigh in on the possible legal consequences if the exploiter didn’t yield to the team’s demands.
Again, a transcript:
The team noted that project founder “jaypegs” – a play on a derogatory term for NFTs referring to a popular image file name that has been lovingly reappropriated by the collector community – fell asleep during the negotiations, and that at the time of the interview he remained unaware that the attacker had returned the funds.
The delirious team told this reporter:
The team has been promoting the hashtag #PRAYFORJAY on social media, and late in the afternoon on Friday the Jay Pegs Twitter account posted an “official statement” from Jay acknowledging the hack.
After the first round of negotiations, the team was unsure of its next move.
“We talked to him, and then he hung up, and we really didn’t know what to do.”
They noted that if they moved to involve authorities, it would be possible that they would never recover the funds at all, as the agencies would seize ETH, not fiat.
“We thought the best way to move forward would just be to scare the guy, just get him to send the funds back.”
The Ethereum community rallied around the event, however. Blockchain data site Etherscan quickly labeled Eratos’ address as an exploiter, and SushiSwap representatives reached out to centralized exchanges Binance and FTX, both of which Eratos had interacted with, to have his funds frozen, though Delong reported their efforts on this front were “stonewalled.”
“These big companies won’t release, or do anything, before authorities are involved,” said one of the developers.
The NGMI team said witnessing both their stolen money move and the community rally was “surreal.”
“The cool thing is that everyone can watch the funds moving in real-time,” said one. “I’ve never seen anything like that.”
Added another: “People from the community were just chiming in, reporting things and finding things about the attacker. It was really interesting to see the community come together.”
At roughly 6 a.m. Eastern time on Friday, Eratos returned the funds. While NGMI can now pursue legal action without the risk of losing the funds to the justice system, they’re opting to work outside of the law.
In a show of cheek, a community member even sent Eratos’ address a DONA token, redeemable for a Kia Sedona NFT.
“We prefer to settle things on the dartboard,” said one developer.
Fumbled the bag
The team repeatedly expressed befuddlement that Eratos could mangle the hack so thoroughly, both losing the stolen funds and ending what was a promising development career.
Here’s the team’s telling:
The team recommended that other hackers learn from this and “keep their opsec clean.”
In a space where the success of a project hinges in part on historical significance, DONA tokens and NFTs may now have a chance at lasting cultural impact in the wake of the bizarre events.
However, the team says the community, including some 1,500 Telegram followers, were supporters before the attack and believers in the core product.
They pointed to the 1-689-JAY-PEGS hotline for further information, as well as their Pinterest account that they say reflects their “values.”
UPDATED (Sept. 18, 14:04 UTC): Updates to include statement from the Sushi team.