The Ethereum wallet tied to actor and comedian Bill Murray—which is being used to sell official NFTs inspired by his life—was attacked last night following the completion of a charity auction this week, Murray’s partners at The Chive and Project Venkman tell Decrypt.
Ultimately, nearly 110 Wrapped Ethereum (WETH) was stolen from the wallet, worth about $174,000 at the time of the attack. The funds were stolen from the wallet following the auction of an exclusive, single-edition NFT this week on Coinbase NFT, which raised 119.2 WETH, or about $185,000 at the time of sale. All funds were intended for charitable purposes.
Gavin Gillas of blockchain startup Project Venkman, which Murray co-owns, told Decrypt that he first noticed an unauthorized transaction removing 108.03 WETH (about $171,500) from the wallet last night, followed by another transaction for 1.73 WETH (about $2,750). Those were the only transactions in which WETH was stolen, Gillas confirmed.
The wallet also held the nearly 800 Ethereum NFTs from the Bill Murray 1,000 project that are set to be sold next week, along with other NFTs that Murray owns through his business partners—including CryptoPunks, VeeFriends, and Damien Hirst artwork.
None of the NFTs were stolen, and all remaining Bill Murray 1,000 NFTs—along with those from other projects—were moved into other wallets in the hours that followed.
Gillas and John Resig, CEO of comedy and entertainment website The Chive (which Murray backed), told Decrypt that they filed a police report following the attack and quickly engaged the services of blockchain forensics and security firm Chainalysis. They also communicated with Coinbase NFT regarding the theft.
“We engaged Chainalysis within 10 minutes of learning of the attack last night,” Gillas told Decrypt. “They’ll have a bigger report on that, and they're still investigating all of the threads.”
The Chainalysis investigation remains ongoing, but Gillas believes that the attackers gained unauthorized access through a wallet-draining exploit. Such attacks typically occur after the wallet holder inadvertently interacts with a link that is used to perpetrate scams.
In many cases, the wallet holder signs a transaction that they believe to be for a legitimate purpose—like minting an NFT or receiving tokens—but it actually provides broad access rights to the wallet’s tokens, and can be used to steal those assets. A wave of similar scams erupted over the spring and summer using hijacked Twitter accounts, among other means.
The attacker might have had a different entry point in this case, however. Gillas said that a Project Venkman employee had his wallet drained yesterday, as well, which Gillas theorized could tie the exploit to a hijacked work computer.
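The general signing pattern described above, where a request that looks routine actually grants a third party rights over the wallet's tokens, can be checked before signing by decoding the transaction calldata. The following is an added example, not code from Decrypt, Project Venkman or Chainalysis, and it does not describe how this particular wallet was compromised. The function name, the "unlimited" threshold and the sample grantee address are assumptions made for illustration; the amount reading assumes an ERC-20 token.

```javascript
// Added illustration: flags calldata that grants a third party spending rights.
// Selectors are the standard ERC-20 / ERC-721 / ERC-1155 approval functions.
const APPROVAL_SELECTORS = {
  "095ea7b3": "approve(address,uint256)",
  "39509351": "increaseAllowance(address,uint256)",
  "a22cb465": "setApprovalForAll(address,bool)",
};
// Assumption: any allowance at or above 2^255 is treated as "unlimited".
const UNLIMITED_THRESHOLD = 2n ** 255n;

function classifyCalldata(calldata) {
  const hex = calldata.toLowerCase().replace(/^0x/, "");
  if (!/^[0-9a-f]*$/.test(hex) || hex.length < 8) {
    return { risk: "unknown", reason: "not valid calldata" };
  }
  const fn = APPROVAL_SELECTORS[hex.slice(0, 8)];
  if (!fn) return { risk: "none", reason: "not an approval call" };
  const args = hex.slice(8);
  if (args.length < 128) {
    return { risk: "unknown", fn, reason: "truncated arguments" };
  }
  // Each ABI argument is a 32-byte word; an address is its low 20 bytes.
  const grantee = "0x" + args.slice(24, 64);
  const value = BigInt("0x" + args.slice(64, 128));
  if (fn.startsWith("setApprovalForAll")) {
    return value === 0n
      ? { risk: "none", fn, grantee, reason: "revokes operator rights" }
      : { risk: "high", fn, grantee, reason: "operator can move every token in the collection" };
  }
  // ERC-721 reuses approve() with a token ID; this reading assumes ERC-20.
  if (value === 0n) return { risk: "none", fn, grantee, reason: "revokes allowance" };
  if (value >= UNLIMITED_THRESHOLD) {
    return { risk: "high", fn, grantee, reason: "effectively unlimited allowance" };
  }
  return { risk: "review", fn, grantee, reason: `allowance of ${value} base units` };
}

// Constructed sample calldata (the grantee address is a made-up placeholder).
const word = (v) => v.toString(16).padStart(64, "0");
const GRANTEE = 0x1111111111111111111111111111111111111111n;
const samples = {
  unlimitedApprove: "0x095ea7b3" + word(GRANTEE) + "f".repeat(64),
  approveForAll: "0xa22cb465" + word(GRANTEE) + word(1n),
  plainTransfer: "0xa9059cbb" + word(GRANTEE) + word(1000n),
};
for (const [name, data] of Object.entries(samples)) {
  console.log(name, classifyCalldata(data));
}
```

A "high" result means the grantee could later move tokens without any further signature from the holder, so the grantee address is the thing to verify before approving.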
The Bill Murray NFT auction, completed on Wednesday, was created to raise funds for the Chive Charities initiative. The money was earmarked to support the care of a three-year-old girl named Evelyn, who Resig said is contending with the effects of a rare CLDN5 gene mutation, along with intractable epilepsy.
“Some bad actors stole money out of Bill Murray's wallet—money intended for a three-year-old with a life-threatening condition,” Resig told Decrypt.
While the ETH funds paid by auction winner Brant Boersma were stolen, someone has already stepped up to replace the donation. Resig said that the runner-up bidder, who goes by the pseudonym mishap72, donated 120 ETH to replace the funds intended for the child’s medical care. If the hacked funds are recovered, they will also be donated for Evelyn’s care.
And in the hopes of turning a bad situation into an even more positive situation than before, Resig said, The Chive has launched a GoFundMe page to crowdfund additional donations to help Evelyn, with an initial goal of $25,000.
“When you're faced with adversity, you can take [it] standing up or lying down,” Resig told Decrypt. “Given the nature of this theft, we decided not to sweep this under the rug. We need to be as transparent as possible about what happened.”
Editor's note: This article was updated after publication to include additional comments from Gavin Gillas and John Resig.