Bored Ape Yacht Club (BAYC) came under attack by a malicious actor who stole NFTs worth millions of dollars after compromising the official Instagram account of the acclaimed NFT collection. Sources revealed that the attacker used a phishing link leading to a page that had victims sign a transaction moving tokens out of their crypto wallets.
Disclosing the incident on Twitter in the early hours of 25 April, BAYC said: “The hacker posted a fraudulent link to a copycat of the BAYC website with a fake Airdrop, where users were prompted to sign a ‘safe transfer from’ transaction. This transferred their assets to the scammer’s wallet.”
A screenshot shared by one Twitter user showed the OpenSea page of the hacker’s account receiving more than a dozen NFTs from the Bored Ape, Mutant Ape, and Bored Ape Kennel Club projects, all likely stolen from users who connected their wallets and signed the transaction after clicking the phishing link.
At the time of writing, the profile page tied to the hacker’s wallet address was no longer visible on OpenSea. OpenSea’s head of communications, Allie Mack, confirmed that the account had been blacklisted from the platform.
BAYC Hack is more complicated than it seems
Because NFTs live on a public blockchain rather than on any single marketplace, blacklisting on OpenSea only hides the listing; the contents of the hacker’s wallet can still be viewed on other platforms such as Rarible. There, the wallet showed 134 NFTs, among them four Bored Apes as well as tokens from other collections by Yuga Labs, the creators of BAYC, such as Mutant Apes and Bored Ape Kennel Club.
Still, how the hacker hijacked the project’s Instagram account remains a mystery. In a statement posted on Twitter, Yuga Labs said that two-factor authentication was enabled at the time of the attack and that the security of the Instagram account followed best practices.
Yuga Labs also said that the team was actively working to establish contact with affected users.
That said, NFT holders are generally advised never to connect their wallets to an unknown or untrusted third party. In this case the decisive step was not the connection itself but signing the transaction the fake airdrop page presented: a ‘safe transfer from’ call (the ERC-721 safeTransferFrom function) names the recipient address directly, so a holder who reads that field before signing would see that the token was going to the scammer’s wallet rather than to their own.
Because the phishing link was posted from the official BAYC social media account, victims believed it was legitimate and were tricked into clicking it.
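The check a wallet or browser extension could run on the transaction the copycat site asked users to sign, as an added example that is not part of the article or of any Yuga Labs code: it decodes the calldata of a standard ERC-721 call and flags transfers or approvals whose beneficiary is not the signing wallet. The function selectors are the standard ERC-721 ones; the victim, scammer and contract addresses, and token id 1234, are constructed placeholders rather than the real addresses involved in the incident.

```javascript
// Added example (not from the article or from Yuga Labs): decode the calldata
// of an ERC-721 transaction that a dapp asks a wallet to sign, and flag calls
// that move tokens, or grant control over them, to an address other than the
// signer. Plain Node.js; no web3 library required.

// 4-byte selectors = first 4 bytes of keccak256(signature). These are the
// standard ERC-721 selectors; the head (static) argument types follow.
const SELECTORS = {
  "0x42842e0e": { name: "safeTransferFrom", args: ["address", "address", "uint256"] },
  "0xb88d4fde": { name: "safeTransferFrom", args: ["address", "address", "uint256", "bytes"] },
  "0x23b872dd": { name: "transferFrom", args: ["address", "address", "uint256"] },
  "0xa22cb465": { name: "setApprovalForAll", args: ["address", "bool"] },
  "0x095ea7b3": { name: "approve", args: ["address", "uint256"] },
};
const ZERO_ADDRESS = "0x" + "0".repeat(40);

// Return the i-th 32-byte ABI word after the selector ("0x" + 8 hex chars).
function word(hex, i) {
  const start = 10 + i * 64;
  const w = hex.slice(start, start + 64);
  if (w.length !== 64) throw new Error("calldata truncated");
  return w;
}

// Decode a single head word. For `bytes` only the offset lives in the head;
// the payload does not affect the risk decision, so it is not decoded.
function decodeArg(type, w) {
  switch (type) {
    case "address": return "0x" + w.slice(24);          // low 20 bytes
    case "uint256": return BigInt("0x" + w);
    case "bool":    return BigInt("0x" + w) !== 0n;
    case "bytes":   return { offset: BigInt("0x" + w) };
    default: throw new Error("unsupported type " + type);
  }
}

// Decode the selector and head arguments of a hex calldata string.
function decodeCall(data) {
  const hex = data.toLowerCase();
  if (!/^0x[0-9a-f]*$/.test(hex) || hex.length < 10) throw new Error("not calldata");
  const selector = hex.slice(0, 10);
  const fn = SELECTORS[selector];
  if (!fn) return { selector, name: null, args: [] };
  return { selector, name: fn.name, args: fn.args.map((t, i) => decodeArg(t, word(hex, i))) };
}

// Classify a signing request relative to the wallet being asked to sign.
// Returns { risk: "none" | "high" | "unknown", reason, call }.
function assessSigningRequest(tx, signer) {
  const me = signer.toLowerCase();
  const call = decodeCall(tx.data || "0x");
  switch (call.name) {
    case "safeTransferFrom":
    case "transferFrom": {
      const [from, to, tokenId] = call.args;
      return to === me
        ? { risk: "none", reason: "transfer to the signer's own address", call }
        : { risk: "high", reason: `${call.name} moves token ${tokenId} from ${from} to ${to}, not to the signer`, call };
    }
    case "setApprovalForAll": {
      const [operator, approved] = call.args;
      return approved && operator !== me && operator !== ZERO_ADDRESS
        ? { risk: "high", reason: `grants ${operator} control over every token of ${tx.to}`, call }
        : { risk: "none", reason: "approval revoked or granted to the signer", call };
    }
    case "approve": {
      const [operator, tokenId] = call.args;
      return operator !== me && operator !== ZERO_ADDRESS
        ? { risk: "high", reason: `lets ${operator} take token ${tokenId}`, call }
        : { risk: "none", reason: "approval cleared or granted to the signer", call };
    }
    default:
      return { risk: "unknown", reason: `unrecognised selector ${call.selector}`, call };
  }
}

// Minimal ABI head encoder, used only to build the constructed samples below.
function encode(selector, values) {
  const words = values.map((v) =>
    typeof v === "string"
      ? v.toLowerCase().replace(/^0x/, "").padStart(64, "0")
      : BigInt(v).toString(16).padStart(64, "0"));
  return selector + words.join("");
}

// Constructed addresses; the contract address is a placeholder, not BAYC's real one.
const VICTIM = "0x1111111111111111111111111111111111111111";
const SCAMMER = "0x2222222222222222222222222222222222222222";
const NFT_CONTRACT = "0x3333333333333333333333333333333333333333";

// What the copycat airdrop page would ask the wallet to sign: safeTransferFrom
// of the victim's token (id 1234 here) straight to the scammer's address.
const phishingTx = { to: NFT_CONTRACT, data: encode("0x42842e0e", [VICTIM, SCAMMER, 1234]) };
// The other common drainer pattern: blanket approval for the scammer's address.
const approvalTx = { to: NFT_CONTRACT, data: encode("0xa22cb465", [SCAMMER, 1]) };
// A transfer whose recipient is the signer is not flagged.
const selfTx = { to: NFT_CONTRACT, data: encode("0x42842e0e", [VICTIM, VICTIM, 1234]) };

for (const tx of [phishingTx, approvalTx, selfTx]) {
  const verdict = assessSigningRequest(tx, VICTIM);
  console.log(verdict.risk.padEnd(8), verdict.reason);
}
```

The decoder only reads the static head of the call, which is enough to see who the beneficiary is; any selector outside the ERC-721 transfer and approval set is reported as unknown rather than silently passed, since a drainer contract can wrap the same effect behind a custom function name.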