The total value of transactions involving these assets since then exceeds $140 million, according to Hoptrail data and information available on Dune Analytics.
We dig into the data to assess the nexus of accounts apparently central in trading stolen or suspicious items. Lets first look at the collection details:
Mutant Ape Yacht Club: 706 (ETH 16,611)
Azuki: 525 (ETH 8,666)
Doodles: 250 (ETH 3,088)
OpenSea has been marking NFTs as suspicious or stolen since mid-2022. These flags are based on reports filed by previous owners. Buying and selling of those assets is then halted on the platform.
More importantly, sales of marked assets continue to occur on other platforms, most notably LooksRare. LooksRare, the world’s second largest NFT marketplace, does not have a red flag mechanism like OpenSea or its rival X2Y2, which does flag and embargo assets when listed by OpenSea.
Big Whales
For this analysis, we have removed accounts which are tied to exchanges and other marketplaces. In some isolated cases we see prominent collectors or creators in the list. For instance, Pranksy, a well-known NFT investor, appears 18 times as a seller of suspicious/stolen goods, most likely due to the volume and breadth of their activity.
Top sellers of NFTs listed as stolen/suspicious by OpenSea
The top account in the list goes by the moniker ‘CheaperOnX2Y2’ on OpenSea. Or at least it used to. It’s OpenSea account has now been deleted or removed, last trading a marked NFT almost six months ago.
Its biggest seller, BAYC #8166, was offloaded (flipped for a sizeable profit) in April 2022, around the time when the asset was flagged by OpenSea.
A third, BAYC #5171, followed a similar pattern. A sudden transfer from the original owner to a new address is the first indicator of unusual activity. Then followed a series of additional transfers and sales on OpenSea and LooksRare.
While it is possible that CheaperOnX2Y2 unwittingly handled stolen NFTs, the patterns raise alarms. We also know it has links to other - more concerning - addresses in the list.
The second address in the list is more popularly known as the Arthur0x Hacker. In March 2022, the wallet of crypto personality Arthur0x was hacked, resulting in the theft of Clonex and Azuki NFTs. These assets were immediately sold, resulting in a windfall of ETH 200 for the hacker.
Lets take Azuki #6637 as an example. That asset was stolen by the Arthur0x Hacker on 22 March 2022. It was then sold to the intermediary - at below floor prices - and then transferred immediately to CheaperOnX2Y2, which sold the asset for a profit. All on the same day.
The same goes for #8659, #7322, #4759, and #7569, as well as Clonex 9233. The same addresses, the same pattern, the same prices. The same outcome.
Moonbirds Hacker
Major destinations of funds from volvo_cars_lover are Tornado Cash or Tornado Cash depositors. Funds to the mixer total over ETH 300, more than covering the ETH 252 revenues from the stolen assets. These addresses are likely controlled by the same person.
Red flag tags on the Moonbirds Hacker
0xfb9 (alias Common Ground Liquidity), which is third in our list. It also comes fourth in our top buyers list of stolen assets, with 17.
0xfb9 has, on at least three occasions, received or sold MAYCs below the floor price. The pattern could simply be that of an unwitting opportunist - picking up stolen assets at lower prices as part of a fire sale.
BAYC Instagram Hack Connections
So, links are evident among prolific sellers in the NFT space. Many have ties (direct or indirect) to phishing scams and hacks, whilst others appear to serve as intermediaries or unwitting buyers of stolen goods.
For now, several outlets remain for hackers even if assets have been frozen on OpenSea.