Some of NFT's biggest names, Bored Ape Yacht Club (BAYC) and Otherside, had their Discord servers compromised, leading to a loss of around 200 ETH, or $360,000 in total. Yuga Labs, the firm behind the projects, confirmed the exploit via Twitter, adding that it is actively investigating the incident.
It all started when the Discord account of the project's community manager, Boris Vagner, was hacked. The attacker took advantage of the breached profile and posted phishing links in both the official BAYC Discord channel and that of its related metaverse project, Otherside.
According to reports, the hacker managed to steal 32 NFTs, including one Bored Ape, two Mutant Apes, and five Otherside Deeds.
Hackers have targeted Discord Inc. groups in order to get users to click on malicious links. As previously covered by TronWeekly, on May 25, 2020, a Moonbirds NFT owner lost 29 of the Ethereum-based tokens to phishing fraud.
The stolen NFTs were valued at roughly $1.5 million. The most recent high-profile case of impersonation fraud, however, has been that of Mike Winkelmann, better known as Beeple, a digital artist and popular NFT creator whose Twitter account was hacked by scammers to post a phishing scam.
BAYC hack detailed analysis
Yuga Labs co-founder Gorden Goner tweeted: "We took accountability with our tweet from BAYC. We are directly working with those impacted." He then blamed the instant messaging platform Discord, saying it was time for a "better platform that puts security first".
In response, a user asked him to stop blaming Discord and accused the team of being complacent, as "this could have been prevented".
Some vented their frustration by calling the exploit the "Ponzi of the century".
One Twitter user wrote: "Probably a rogue team member or a team member didn't have 2FA [two-factor authentication] enabled and got phished or hacked individually. The entire team from mods and up should be required to use 2FA by default though, especially in the BAYC server."
Another commented in the replies that 2FA can easily be bypassed and is somewhat pointless on Discord. That said, one can check OxRebels's post-mortem technical report, which details how the 2FA Discord Announcements Bot might help reduce the chance of a repeat of such attacks.