Cyber Incident Victim: Taiwanese singer and actor Jay Chou

On April 14, 2022, Taiwanese singer and actor Jay Chou fell victim to a theft of a non-fungible token (NFT) valued at approximately $500,000 due to an exploitation of a design flaw in the Rarible NFT marketplace. Attackers leveraged the Ethereum Improvement Proposal 721 (EIP-721) standard’s **setApprovalForAll** function to deceive users into clicking malicious NFT links, granting full control over victims’ cryptocurrency accounts and digital assets. The attackers created a deceptive Scalable Vector Graphics (SVG) file containing embedded JavaScript payloads that executed automatically upon opening, bypassing user consent mechanisms. This method enabled unauthorized access to Chou’s NFT holdings, leading to the immediate transfer and sale of the stolen asset on secondary markets. The incident highlighted the technical vulnerability of NFT platforms to social engineering tactics combined with code-level exploits.

Check Point researchers identified and disclosed the flaw, prompting Rarible to implement a patch to prevent further exploitation. The cybersecurity firm publicly warned NFT users to scrutinize transaction approvals and avoid interacting with suspicious links. They recommended utilizing blockchain tools like token approval checkers to audit and revoke unnecessary permissions granted to third-party applications. The theft underscored systemic security risks in rapidly evolving NFT ecosystems, where platform design choices and user behavior gaps created exploitable attack surfaces. Financial losses were confined to the stolen asset’s market value, with no broader disruption to Rarible’s operations reported following the mitigation. Industry analysts cited the event as a cautionary example of security challenges inherent in nascent Web3 technologies.