Bored Ape Yacht Club says its Instagram was hacked to funnel users to NFT phishing sites
Popular NFT company Bored Ape Yacht Club (BAYC) said Monday that cybercriminals hacked its Instagram account and used the access to share fraudulent phishing sites that allowed the theft of dozens of NFTs worth millions of dollars.
BAYC said it was unsure of how the hackers gained access to the Instagram account but is working with the platform to investigate the incident.
Yuga Labs, the company behind BAYC and other NFTs, told The Record in a statement that the hackers "posted a fraudulent link to a copycat of the Bored Ape Yacht Club website, where a safeTransferFrom attack asked users to connect their MetaMask to the scammer’s wallet in order to participate in a fake Airdrop."
“This transferred their assets to the scammer's wallet. At 9:53am ET, we alerted our community, removed all links to Instagram from our platforms and attempted to recover the hacked Instagram account,” the company explained.
"Two-factor authentication was enabled and the security practices surrounding the IG account were tight. Yuga Labs and Instagram are currently investigating how the hacker was able to gain access to the account. We’re still investigating. Rough estimated losses due to the scam are 4 Bored Apes, 6 Mutant Apes, and 3 BAKC, as well as assorted other NFTs estimated at a total value of ~$3m. We are actively working to establish contact with affected users."
There is no mint going on today. It looks like BAYC Instagram was hacked. Do not mint anything, click links, or link your wallet to anything.
Bored Ape Yacht Club (@BoredApeYC), April 25, 2022
The hackers' Ethereum address shows they may have stolen at least 135 NFTs. A BAYC co-founder who goes by the alias Garga said on Twitter that Bored Ape, Mutant Ape, and Kennel Club NFTs were stolen alongside a range of other NFTs, including Toxic Skull Club, EightBit, CloneX and Alien Fren.
Blockchain security firm Peckshield said 765.3 ETH and about 91 NFTs were stolen in the BAYC Instagram attack. According to that data, the hackers have already sold 23 of the NFTs, including four Bored Apes, six Mutant Apes and two CloneX NFTs, for about $2.4 million.
The intruders allegedly donated 1.6 ETH to Ukraine Crypto Donation, according to Peckshield.
Estimates vary for the value of the stolen NFTs. Vice reported the value of the NFTs was about $2.7 million, while CoinDesk estimated that the floor price of the 24 Bored Apes and 30 Mutant Apes stolen was $13.7 million.
The attackers knew more than just the password to the Instagram account, BAYC added, noting that the company has since regained control of the account.
The company urged anyone affected to contact it, noting that it will not be contacting customers directly about the issue.
If you were affected by the hack or have information that might be helpful, reach out to [email protected]. You need to contact us first - anybody contacting you first is not us. We will NOT reach out to anyone over email first, and we will NEVER ask for your seed phrase.
Bored Ape Yacht Club (@BoredApeYC), April 25, 2022
BAYC reiterated that no NFT minting news will ever be shared on Instagram and will only come through its official Twitter and Discord accounts.
Blockchain security researcher zachxbt tracked the stolen funds, noting on Twitter that most of them were sent to crypto exchanges KuCoin and Binance.
On April 1, hackers were able to compromise BAYC’s Discord as well, running a similar kind of phishing scam that would have given them access to victims’ wallets. One Mutant Ape NFT was stolen in the attack.
In recent weeks, Peckshield has tracked dozens of NFT-related phishing scams by hackers attempting to trick users into giving over access to their wallets holding NFTs and cryptocurrency.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.