Hackers have made off with NFTs worth millions of dollars from the Bored Ape Yacht Club collection. They also compromised BAYC’s Instagram account and Discord server. It is the latest in a string of hacks targeting NFT projects.
Hackers Hit the Apes
On Monday morning, April 25th, a fraudulent “mint” link was posted on the Bored Ape Yacht Club’s official Instagram account, and several unsuspecting followers were all too eager to check it out. Many of the BAYC collectible owners who clicked the link were duped and lost some of their assets.
The Bored Ape Yacht Club announced the news of the breach on Monday afternoon via its Twitter account. It disclosed that the hacker had posted a phoney link from the breached Instagram account. The link led anyone who clicked it to a cloned version of the BAYC website, where they were prompted to conduct a ‘safeTransferFrom’ transaction. The transaction effectively transferred the tokens from the holders’ accounts into the scammer’s wallet. The users were lured into the scam with promises that they’d be able to mint “land” in the upcoming OthersideMeta project.
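The cloned site presented the request as a mint, but the calldata behind it was an ERC-721 transfer. As an added example (not code from BAYC, Yuga Labs or any wallet vendor), the JavaScript below decodes a pending transaction's calldata and flags a transfer out of the signer's wallet; the function name `inspectTransaction`, the verdict labels and the sample addresses are assumptions constructed for illustration. It goes beyond the `safeTransferFrom` case by also recognising the other standard ERC-721 transfer selectors.

```javascript
// Added example: pre-signature check for ERC-721 transfer calldata.
// Keys are the standard ERC-721 function selectors (first 4 bytes of calldata).
const TRANSFER_SELECTORS = {
  "23b872dd": "transferFrom(address,address,uint256)",
  "42842e0e": "safeTransferFrom(address,address,uint256)",
  "b88d4fde": "safeTransferFrom(address,address,uint256,bytes)",
};

// Read the i-th 32-byte ABI word from the hex argument string.
const word = (args, i) => args.slice(i * 64, (i + 1) * 64);
// An ABI-encoded address is the low 20 bytes of a 32-byte word.
const toAddress = (w) => "0x" + w.slice(24).toLowerCase();

// Hypothetical helper: classify calldata before the wallet owner signs it.
function inspectTransaction(calldata, walletAddress) {
  const hex = calldata.replace(/^0x/i, "").toLowerCase();
  if (!/^[0-9a-f]*$/.test(hex) || hex.length < 8) {
    return { verdict: "unknown", reason: "calldata is not a function call" };
  }
  const signature = TRANSFER_SELECTORS[hex.slice(0, 8)];
  if (!signature) return { verdict: "unknown", reason: "not an ERC-721 transfer" };
  const args = hex.slice(8);
  if (args.length < 3 * 64) {
    return { verdict: "block", reason: "truncated transfer arguments" };
  }
  const from = toAddress(word(args, 0));
  const to = toAddress(word(args, 1));
  const tokenId = BigInt("0x" + word(args, 2)).toString();
  const wallet = walletAddress.toLowerCase();
  // A mint creates a token; it never moves one out of the signer's wallet.
  const outgoing = from === wallet && to !== wallet;
  return {
    verdict: outgoing ? "block" : "review",
    signature, from, to, tokenId,
    reason: outgoing ? "moves a token you own to another address"
                     : "transfer that does not originate from this wallet",
  };
}

// Constructed sample: placeholder addresses, not values from the incident.
const WALLET = "0x" + "11".repeat(20);
const OTHER = "0x" + "22".repeat(20);
const pad = (h) => h.replace(/^0x/, "").padStart(64, "0");
const SAMPLE = "0x42842e0e" + pad(WALLET) + pad(OTHER) + pad((1234).toString(16));
console.log(inspectTransaction(SAMPLE, WALLET));
```

A wallet or browser extension applying a check like this would show the decoded recipient and token ID in the confirmation prompt, so a "mint" that is really a transfer is visible before signing.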
Popular crypto sleuth ZachXBT investigated the phishing website and the addresses that interacted with it and estimated that the hackers stole around 91 NFTs worth about $3 million. He tweeted that the “hacker stole 4 BAYCs, 3 BAKCs, 1 Clone & more.” As he explained, most of the stolen assets were rare BAYC and Mutant Ape NFTs.
However, a different estimate, based on the recent volume of transfers on the OpenSea marketplace, suggested that close to 54 Bored and Mutant Apes worth $13.7 million were stolen. The bulk of those transfers, though, may have been holders moving their assets for better security.
Bored Apes’ Response to The Situation
Yuga Labs dismissed the speculation that the assets lost in the heist were worth up to $13.7 million. It stated that the scope was much smaller, hinting that ZachXBT’s report was more accurate. The spokesperson for the BAYC project told CoinDesk via email that they alerted the BAYC community about the breach at 9:53 am ET, after which they removed all Instagram links from their website and other social media platforms.
BAYC also announced that investors shouldn’t mint, click links or link their wallets to anything until they resolve the issue. BAYC has since regained access to the account, and they’re currently investigating how the hacker was able to perpetrate the heist. They also advised all who were affected or anyone who may have relevant, helpful information to contact them by mail.
BAYC’s Future Plans for Fans and System Security
Yuga Labs is currently trying to contact the hackers in the hope of striking an agreement that will see the stolen assets returned to their original owners.
Yuga Labs is expected to review its security policies and put measures in place to mitigate future phishing attempts on its platforms. It already had two-factor authentication enabled for the BAYC Instagram account at the time of the hack. So, we can assume that its security has been anything but lax. Nonetheless, let’s see what new strategies they employ to beef up security on their platforms.