Beeple’s latest everyday tweet includes a cryptic message and if you dig a little deeper you find a story involving Sotheby’s, Beeple, TheArtchitech and stolen art!
Follow my on-chain investigation into how the art was stolen, how it was washed on it’s way to Sotheby’s wallet and where it is now!
https://x.com/beeple/status/1796232883084083705
I take a keen interest in all things Beeple and I’ve been lucky enough to win a number of prizes solving his puzzles. So when I saw a Beeple 1/1 and 2 x 1/3s leave a single wallet and get sold into bids I followed the trail that ultimately ended at Sotheby.
https://x.com/RadicalnotionsE/status/1603136825685864449
The three Beeples stolen were 30K #1/1, DEAD #3/3 and [ALIVE #3/3](https://ALIVE #3/3), the same three pieces that feature in Beeple’s everyday above. They were stolen after a re-entrancy vulnerability was discovered in NFTTrader. This vulnerability allowed anyone to steal assets that were approved for NFTTrader. The TheArtchitech was exploited for his three Beeples in this transaction.
For a deeper dive of the exploit itself check out @cygaar’s detailed writeup.
https://x.com/0xCygaar/status/1736056050816876626
Unfortunately, almost a year before the exploit, TheArtchitech had approved NFTTrader to transfer any of their Beeple assets via setApprovalForAll() (see this transaction). With this approval and the re-entrancy exploit the attacker was able to transfer all three of the Beeples from TheArtchitech to their own attack contract.
Approvals are a normal part of buying, selling and trading NFTs however it’s important to always revoke permissions if you don’t intend to sell the assets as approvals don’t expire. They are reset when assets are transferred between wallets and this is why a lot of collectors have multiple wallets or a vault to transfer assets to, resetting their approvals.
After exploits like this the valuable NFTs are generally sold into WETH bids and I always found it strange (or lucky) that these three high value Beeples were all sold to the same account Doge_Doge. All three pieces were sold for approximately 9 WETH or 27.21 WETH in total. See the sale transaction.
Looking at the sale transaction the attacker 0x0000000000000F25a072EFA232D8EFc0b5CE2436 bundled 3 bids from Doge_Doge and submitted them to Seaport’s fulfillAvailableAdvancedOrders().
Diving deeper into the offers and considerations you can see that Doge_Doge was very specific with their offers. They made offers for the BEEPLE - SPRING/SUMMER COLLECTION 2021 contract 0xdd012153e008346591153fff28b0dd6724f0c256 and tokens 100110003 ALIVE #3/3, 100100001 30K #1/1 and 100120003 DEAD #3/3.

It’s also interesting to look at the time windows these three offers were available to be fulfilled by the attacker;
1702755279 to 1702757078 for token 100100001
Sat Dec 16 2023 19:34:39 to Sat Dec 16 2023 20:04:38 ~ 30 mins
1702755404 to 1703014603 for token 100110003
Sat Dec 16 2023 19:36:44 to Tue Dec 19 2023 19:36:43 ~ 3 days
1702755381 to 1703014579 for 100120003
Sat Dec 16 2023 19:36:21 to Tue Dec 19 2023 19:36:19 ~ 3 days
It’s same to assume that Doge_Doge made the three offers for ~9 WETH between 19:34 and 19:36 on Sat Dec 16. The exploit occurred approximately 3 hours earlier that day at 16:26. The timeline leading up to the sale is interesting;
The hack of TheArtchitech happens at 16:26 UTC December 16th in this transaction. After the hack the Beeples reside in the attacker’s smart contract 0x000000000000c35e4364deffa9059dbadaefd4f8.
At 14:29 December 16th in this transaction the Beeples are moved from the attacker’s smart contract to another smart contract presumably owned by the attacker 0x0000000000000f25a072efa232d8efc0b5ce2436.
At 17:38 December 16th Doge_Doge swaps 10ETH for WETH in this transaction. They will ultimately need around 27 WETH to bid 9 WETH on each of the Beeples.
At 19:27 December 16th Doge_Doge removes 17.95 ETH from Blur Pool in this transaction.
At 19:31 December 16th Doge_Doge wraps 18 ETH to 18 WETH in this transaction.
From 19:34 to 19:46 December 16th Doge_Doge makes 3 offers all at ~9WETH for the three Beeples.
At 19:40 the attacker bundles all three offers and sells the Beeples to Doge_Doge for 27.21 WETH in this transaction.
As I alluded to earlier Doge_Doge was lucky to be in the right spot at the right time with the right WETH, receiving all three Beeples for 27.21 WETH. Their actions after the sale suggest they knew the Beeples were stolen and they should attempt to hide the part they played in moving the goods to their final sale. This sale was likely to be at none other then a Sotheby’s auction.

After the sale from the attacker to Doge_Doge there are some strange zero value swaps on X2Y2 and asset transfers that move the stolen assets between a series of wallets, some of these wallets are linked via direct ETH transfers;
08:05 December 17 the Beeples are transferred from Doge_Doge address 0x2e95e1cd077f29733c65d885ce7afe278d0726a6 to 0x59b15a752c0176f60b8c3ccea68de9f0c0930879 in this transaction. This is a zero value swap on X2Y2. Note that there’s no value transferred to Doge_Doge. All assets are transferred to 0x59b15a752c0176f60b8c3ccea68de9f0c0930879 and Doge_Doge receives no value in return (see the graph below).

In three separate transactions on January 6th 2024 the Beeples are moved from 0x59b15a752c0176f60b8c3ccea68de9f0c0930879 to 0x3e4a162dc103d4357c0204b37ccc5168dfca0d97, at 08:07, 08:08 and 08:09.
At 08:23 the same day another zero value swap occurs on X2Y2 transferring the assets from 0x3e4a162dc103d4357c0204b37ccc5168dfca0d97 to 0x1fd10b2f9f58702fbe6845131efe67ff3e28f5ff in this transaction. Note similar to the swap above 0x3e4a162dc103d4357c0204b37ccc5168dfca0d97 receives no value in return.

At 08:24 in a separate transaction 0x3e4a162dc103d4357c0204b37ccc5168dfca0d97 sends 0x1fd10b2f9f58702fbe6845131efe67ff3e28f5ff 0.0332 ETH in this transaction. This is presumably for gas and links these two wallets beyond just the swapping of assets for zero value.
At 10:48 on January 6th (same day) the Beeples move between wallets again via another zero value swap on X2Y2. The assets move from 0x1fd10b2f9f58702fbe6845131efe67ff3e28f5ff to 0xeafdb3519a43578c08f17583cb862739c3deab27 in this transaction.

Around 10 days later on January 16th 2024 at 16:22 the wallet that is currently holding the stolen Beeples 0xeafdb3519a43578c08f17583cb862739c3deab27 transfers 2.1 ETH to Doge_Doge. This links 0xeafdb3519a43578c08f17583cb862739c3deab27 to the Doge_Doge wallet 0x2e95e1cd077f29733c65d885ce7afe278d0726a6. It may be coincidence or it may be that all of these transfers and wallets were controlled by Doge_Doge. See the wallet graph below;

Finally on the 21st Feb 2024 the Beeples are transferred from 0xeafdb3519a43578c08f17583cb862739c3deab27 to Sothebys-Auction wallet 0x55eca4d1c9ea7021509a7cd88c68c279dabdd37d in this transaction.
In the graph above you can see a ring of wallets that transfer the Beeples via zero-value X2Y2 swaps or direct NFT transfers. Multiple wallets are also directly linked via ETH transfers (of 2.1 and 0.03 ETH). It’s a closed loop from the Beeples being purchased by Doge_Doge moving through a series of wallets that are linked to each other via direct transfers and ultimately arriving in Sotheby’s wallet.
The recovery of the assets I can’t comment on as it happens off-chain. However TheArtchitech was likely fortunate the stolen Beeples ended up in Sotheby’s auction wallet rather than being sold.
https://x.com/beeple/status/1796234140708192641
When you look at the people the TheArtchitech thanked there’s some clues to what might have happened off-chain.
https://x.com/ARTMAN141/status/1796238278598754462
On May 29th 2024 (5 months after the attack) all three of the stolen Beeples were transferred from the Sotheby’s auction wallet 0x55eca4d1c9ea7021509a7cd88c68c279dabdd37d to TheArtchitech’s new wallet 0x0c260590C474D8D7A9b1D911454E30BFeAFb4eA7 in this transaction.
I suppose whatever happens off-chain stays off-chain….

