Yuga Labs is holding 60+ rescued Ethereum NFTs after a reported exploit

Yuga Labs, the creator behind Bored Ape Yacht Club, says it has rescued dozens of Ethereum NFTs from an exploit. The company now holds more than 60 of those NFTs while it works to return them to their rightful owners.

That sentence is the only confirmed piece of detail in the Decrypt report. It confirms custody and the basic outcome of the incident. It does not spell out how the exploit worked, which collections were targeted beyond “Bored Ape Yacht Club” being the best-known umbrella, or what the attacker’s path looked like.

Custody shifts, not just headlines

In NFT security incidents, “rescued” usually means someone moves assets away from the compromised wallet flow and into a controlled address or custody arrangement. Decrypt’s report frames Yuga Labs as taking that role, with “more than 60 rescued NFTs” in its custody.

For affected owners, that matters more than the attacker narrative. Custody is what enables recovery. It also reduces the odds that the same tokens move again while the case is still being pieced together.

What is still missing

Decrypt does not provide a timeline, the affected smart contracts, or an account-level explanation for the exploit. It also does not list token IDs, the block range, or whether any losses were permanent.

That leaves the practical questions unresolved:

• Which wallets were compromised.
• Whether the exploit targeted NFTs directly, approvals, or a marketplace pathway.
• Whether stolen NFTs were later located and gathered back, or if “rescued” reflects a preventive custody action.

Without those specifics, readers should treat the event as an incident in progress, not a completed recovery with a fully documented root cause.

Why “60+” is the key number

The report’s only concrete figure is the custody count: “more than 60 rescued NFTs.” That suggests the incident hit enough assets to trigger a dedicated recovery workflow.

In security terms, larger counts usually mean one of two things. Either the attacker had enough reach to affect many owners, or the recovery required repeated sweeps to aggregate NFTs scattered across addresses. Decrypt’s report does not say which.

Either way, the more assets in custody, the more carefully Yuga Labs will need to match them to “rightful owners.” That implies a manual or semi-manual verification step, particularly if token metadata or ownership history must be reconstructed from on-chain records.

The mitigation angle

Decrypt does not detail what mitigations Yuga Labs used during the response. Still, the act of holding rescued NFTs points to a basic operational requirement for NFT recovery work:

• identify the compromised assets and stop further movement.
• isolate tokens in custody.
• coordinate with owners on return.

Even when the underlying exploit remains opaque in the report, the recovery workflow itself is the most actionable part for victims. Custody plus a return plan is the bridge between “it happened” and “you can get your assets back.”

What to watch next

This story is likely to get clearer once Yuga Labs and any relevant investigators share more incident specifics. Until then, Decrypt’s update gives the only firm milestone available: Yuga Labs currently holds more than 60 rescued Ethereum NFTs and is working on owner returns.

If you are an owner with exposure to the affected period, the next meaningful signals will be owner-specific communications from Yuga Labs and any public incident summary that names the exploited vector.

For now, this looks less like a marketing win and more like a careful recovery operation where the critical data is still locked in internal verification and incident response timelines.