Phishing for Green Apes

On May 17, 2022, actor Seth Green announced to the world that he got “phished and had 4NFT stolen”. Apparently, he clicked on a link that led him to a website that requested and obtained access to his wallet – a wallet containing four high-profile collectible NFTs. After he provided the necessary consent, a scammer promptly emptied his wallet of these four expensive collectible NFTs.

Green purportedly knows how to navigate Web 3.0 but does a really bad job of justifying his lack of security hygiene:  “Scam GutterCats clone site. I’m crazy careful with separate wallets and security but still got got. Luckily it’s art not crypto so they can be traced. For anyone that bought them, we can work something out.”

Disregarding whether what was lost was actually “art” in the sense of fine art – they are likely more properly described as innovative collectible NFTs with significant speculative value based on community growth, utility, endorphins, and numerous other intangible measures, Green’s loss presents a valuable security lesson for all NFT collectors and raises issues that will not go away anytime soon. All of this is now ripe for discussion.

Green asked OpenSea not to allow trades in his four missing collectibles.  It is doubtful any marketplace will affirmatively identify, tag, and refuse to trade in Green’s four NFTs. As it stands, there are huge numbers of fake collectible NFTs sold on marketplaces – especially on OpenSea. Despite recent OpenSea changes aimed at addressing “copymints” – fake listings using copies of actual collectibles, the collectible fraud problem will not subside any time soon given this sort of fakery does not require much effort and can be very lucrative for scammers – as well as the marketplaces that thrive on trading fees.  More to the point, even the upgraded OpenSea controls do little to address the core issue of compliance.

To its credit, there are no current OpenSea listings tied to Green’s collectible NFTs but that might change at any time given at least one marketplace has them listed.  As of May 19, 2022, Rarible has MAYC # 19182 listed by public wallet address # 0xae7f30d77b367afe64f04dfd94e95f71f8e4ae66.

And, Rarible apparently also has BAYC # 8398 listed by public wallet address # 0xaf20e2e1dca5dffd0efa1a8055099a947beec8be.

These are not Green’s collectible NFTs simply because they reference the correct collections, point to the right image files, describe the correct collectible rarity properties, and use the right numbering scheme.  On the other hand, both have sold – perhaps in wash trades or maybe not, for significant amounts – 106.5 ETH on May 8, 2022 or $268,912 for BAYC # 8398 right around the time it was purportedly removed from Green’s wallet and 31.5 ETH on March 17, 2022 or $87,129 for MAYC # 19182.  Without a way to provide a universal and easily accepted means of verifying the authenticity of these collectibles, collectors will need to be part detective and part forensic investigator and use ETH explorers to track the relevant wallet addresses. 

Assuming someone did the legwork to confirm these are the actual pilfered collectibles, Mr. Green has several options.  He can continue pressuring marketplaces to refrain from listing them.  That would not get them back, but it might prevent further monetization and may cause the current owners to cut a deal with Green for their return given this lack of monetization.

As with many film actors, Seth Green lives in California where knowingly receiving actual stolen property is a criminal offense punishable for up to a year in prison.  See Cal. Penal Code § 496(a) (“Every person who buys or receives any property that has been stolen or that has been obtained in any manner constituting theft or extortion, knowing the property to be so stolen or obtained, or who conceals, sells, withholds, or aids in concealing, selling, or withholding any property from the owner, knowing the property to be so stolen or obtained, shall be punished by imprisonment in a county jail for not more than one year, or imprisonment pursuant to subdivision (h) of Section 1170.”).  Almost all NFT marketplaces are non-custodial – which means this statute would not really apply to them under any reading of the law.

Given this lack of custody, a marketplace would also not likely be liable for conversion. “The tort of conversion is established when one who owns and has the right to possession of personal property proves that the property is in the unauthorized possession of another who has acted to exclude the rights of the owner.” Angiolillo v. Christie’s, Inc., 103 N.Y.S.3d 244, 260-61 (N.Y. Sup. Ct. 2019).  Similarly, a cause of action of replevin requires that the defendant actually possess the property in question before its return can be obtained in court.  All of this assumes ownership of the constituent parts of an NFT, namely private keys, smart contract software code, IPFS content, etc., constitutes personal property in the first place.

Green’s likely best avenue for redress would be going after current holders of his lost NFTs who might be considered bona fide purchasers or good faith purchasers for value not having knowledge of the tainted title. Mr. Green lives in California and the “stolen” property could be in wallets belonging to persons anywhere in the world.  Assuming he knows the public wallet addresses of the current owners, Green would still not know the country of origin let alone name and address.  If the purchaser is identified, however, negotiating a deal or filing suit will be viable options.

Knowing the applicable law for a claim is significant given in some jurisdictions such as New York the law favors rightful owners seeking their stolen personal property.  See e.g., Solomon R. Guggenheim Found. v. Lubell, 77 N.Y.2d 311, 320, 567 N.Y.S.2d 623 (1991) (“To place the burden of locating stolen artwork on the true owner and to foreclose the rights of that owner to recover its property if the burden is not met would, we believe, encourage illicit trafficking in stolen art.”); Barnard v Campbell, 55 N.Y. 456, 461 (1874) (“The general rule of law is undoubted that no one can transfer a better title than he himself possesses.”); DeWeerth v Baldinger, 38 F3d 1266, 1278 (2d Cir. 1994) (“New York case law has long protected the right of the owner whose property has been stolen to recover that property, even if it is in the possession of a good-faith purchaser for value.”).

In some states and countries, however, it is quite different.  For example, under Swiss law, a bona fide purchaser becomes the owner even if the chattel was stolen or otherwise transferred without the authorization of its owner.

On the other hand, even New York law distinguishes between fraud and theft because the owner who is defrauded acted affirmatively and could have protected herself by due diligence, “whereas the owner from whom property is stolen has not acted affirmatively, and, in many instances, could not have protected herself. The [bona fide purchaser] may be equally innocent in both cases, but the original owner from whom property is obtained by fraud is more blameworthy than the original owner from whom property is stolen, and the former is entitled to less legal protection than the latter.”  Shubert Org., Inc. v. Partridge, 2020 NY Slip Op 32748 (N.Y. Sup. Ct. 2020).

This legal distinction raises an interesting point regarding Green’s “stolen” NFTs.  After all, Mr. Green was led to a website by way of a fraudulent email in the hope of minting himself some Gutter Cat Gang NFTs but instead connected his wallet to an imposter website.  All the while, he would have consented to everything done, including his wallet connection and any subsequent activity.  In other words, he was defrauded.  No one went to his home or computer, stole his private key, went into his wallet, and transferred his collectibles to another wallet.  If Green could bring to court a bona fide purchaser of his quartet of valuable NFT collectibles such a buyer could certainly raise all of this as a defense.

Beyond the security hygiene lessons and potential difficulties in retrieving lost collectibles, Green’s mishap also shines a light on the need for due diligence when using a marketplace.  In sharp contrast to collectible NFTs such as BAYC NFTs, purchasing fine art NFTs from a reliable source such as an established art gallery provides justifiable trading confidence.

UPDATE: June 7, 2022

On May 30, 2022, Seth Green announced he had struck a deal with the buyer of his Bored Ape #8398.

He also mentioned he was “working together to prosecute the original thieves” so presumably law enforcement is involved. The following day, Green made a somewhat cryptic statement: “Had to track the NFT to the current holders & make a deal between us to get them back- although we get to prove the friendship & community we all are building around these artists & collections. Plus now we work together to prosecute the original thief who scammed us both”.

In other words, Green was able to convince the buyer to send Green’s Ape back home for an unknown price. For all we know, it may be what the buyer paid or even a premium on that price. What will be of most interest to the ending of this story is what sort of prosecution takes place against Green’s scammers.