I created a private drop for a group of 36 people for participating in a performance at the Queen’s Platinum Jubilee celebrations in London. The event ID is 46808. POAP Gallery I received 36 mint links, and I have not shared the list of links with anyone. I have only shared each individual link / 6 digit code with each of the 36 individual people in our group. The POAPs are meant specifically for the 36 people who participated in the performance, and we are planning to use the POAPs to provide them with additional benefits and special access to other events in the future. They are not meant to be given to anyone else.
I noticed that someone else had somehow managed to claim one of the POAPs even though they were not part of our group. (This is the collection address: 0x5f27df8de30ac770ffc21d9ec97a89a703bbadf0) I could tell it was not someone in our group because they have over 200 POAPs in their collection, whereas most of the people in our group are not very familiar with POAPs at all and for most of them this is their first time receiving one. A few days later I noticed that another person outside of our group had managed to claim one of the POAPs, and they also have over 200 in their collection. (This is the collection address: 0x19e69b4c0ccaa86b9c40151a9bb9ca85f3a3fc35)
I was able to figure out which links/6 digit codes they used by visiting each link myself and checking which ones said “Congratulations, this POAP was minted”.
It turns out that two people in our group had actually claimed their POAP as expected, but then later noticed that it was gone from their POAP app. Both of these people used their email address since they don’t have an Ethereum wallet address.
So it seems that some people have somehow figured out a way to steal POAPs from accounts that have used an email address instead of an Ethereum wallet address.
I’m concerned that this may happen to others in our group as well, since the majority of them don’t have Ethereum wallet addresses either.
I spoke to the customer support team and they advised me to share this information here to get it escalated and investigated further.