- A hacker has managed to steal $2.5 million worth of Bored Ape NFTs
- The hacker compromised the Bored Ape Instagram account and posted an airdrop invitation
- The post linked to a phishing site where wallet contents were drained
A hacker yesterday managed to hoodwink 134 NFT holders into giving up access to their wallets after tricking them into applying for a fake Bored Ape airdrop. The hacker gained access to the Bored Ape Instagram account and took advantage of the hype surrounding the forthcoming Otherside project from Bored Ape owners Yuga Labs to convince holders of items in valuable NFT collections to hook up their wallets, whereupon the contents were stolen. Yuga Labs took swift action once the ploy was discovered, but not before $2.5 million worth of NFTs were lost to the hackers.
This morning, the official BAYC Instagram account was hacked. The hacker posted a fraudulent link to a copycat of the BAYC website with a fake Airdrop, where users were prompted to sign a ‘safeTransferFrom’ transaction. This transferred their assets to the scammer’s wallet.
— Bored Ape Yacht Club (@BoredApeYC) April 25, 2022
Hackers Played on Otherside Hype
Yuga Labs has been promoting Otherside, its metaverse that will bring together the various NFT collections in its stable, including Bored Ape Yacht Club, Bored Ape Kennel Club, and Mutant Apes, since mid-March. It recently revealed that the Bored Ape metaverse would launch on April 30, and it was this information and hype that the hackers played on – they somehow gained access to the Bored Ape Instagram account and created a fake post offering an Otherside land airdrop for holders of Yuga Labs NFTs.
Unfortunately, the link led to a phishing site. Yuga Labs explained after the event how the hack took place:
…the hacker posted a fraudulent link to a copycat of the Bored Ape Yacht Club website, where a safeTransferFrom attack asked users to connect their MetaMask to the scammer’s wallet in order to participate in a fake Airdrop. At 9:53am ET, we alerted our community, removed all links to Instagram from our platforms and attempted to recover the hacked Instagram account.
This was too late for holders of the valuable items, however, with victims parting with four Bored Ape Yacht Club, six Mutant Ape Yacht Club, and three Bored Ape Kennel Club NFTs.
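The statements above describe a copycat site prompting users to sign a safeTransferFrom transaction. As an added example (not code from Yuga Labs or the original article), the JavaScript below shows how a wallet-side check could decode a pending request's calldata and flag an ERC-721 transfer out of the user's own wallet. It also covers the plain transferFrom selector; the function names and all addresses are constructed for illustration.

```javascript
// ERC-721 function selectors (first 4 bytes of calldata) that move a token.
const TRANSFER_SELECTORS = new Map([
  ["0x23b872dd", "transferFrom(address,address,uint256)"],
  ["0x42842e0e", "safeTransferFrom(address,address,uint256)"],
  ["0xb88d4fde", "safeTransferFrom(address,address,uint256,bytes)"],
]);

// Left-pad a hex value to one 32-byte ABI word.
const pad = (hex) => hex.replace(/^0x/, "").toLowerCase().padStart(64, "0");

// Return the 32-byte ABI word at position `index` of the argument hex string.
function word(args, index) {
  const w = args.slice(index * 64, (index + 1) * 64);
  if (!/^[0-9a-f]{64}$/.test(w)) throw new Error("truncated or malformed calldata");
  return w;
}

// An ABI-encoded address occupies the low 20 bytes of its word.
const asAddress = (w) => "0x" + w.slice(24);

// Decode a pending transaction request and flag it when it would move an NFT
// out of `walletAddress` to a different address.
function reviewTransaction(tx, walletAddress) {
  const data = String(tx.data || "0x").toLowerCase();
  const signature = TRANSFER_SELECTORS.get(data.slice(0, 10));
  if (!signature) return { risky: false, reason: "not an ERC-721 transfer call" };
  const args = data.slice(10);
  const from = asAddress(word(args, 0));
  const to = asAddress(word(args, 1));
  const tokenId = BigInt("0x" + word(args, 2)).toString();
  const risky = from === walletAddress.toLowerCase() && to !== from;
  return {
    risky, signature, contract: String(tx.to).toLowerCase(), from, to, tokenId,
    reason: risky ? "moves a token out of this wallet to another address"
                  : "does not move a token out of this wallet",
  };
}

// Constructed sample values (placeholders, not addresses from the incident).
const WALLET = "0x" + "aa".repeat(20);
const RECIPIENT = "0x" + "bb".repeat(20);
const NFT_CONTRACT = "0x" + "cc".repeat(20);
const SAMPLE_TX = {
  to: NFT_CONTRACT,
  data: "0x42842e0e" + pad(WALLET) + pad(RECIPIENT) + pad((1234).toString(16)),
};

console.log(reviewTransaction(SAMPLE_TX, WALLET));
```

A wallet or browser extension would run a check like this before showing the signing prompt, so the user sees the decoded recipient and token ID rather than an opaque "confirm" button.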
Hack Extends Beyond Bored Ape Community
It wasn’t just Bored Ape holders who fell victim, however: for some reason, potentially in an attempt to game the system, a Clone X NFT holder lost his NFT too, worth roughly $54,000.
One of Yuga Labs’ founders, Gargamel, tweeted that “the security practices surrounding the IG account were tight on Yuga’s end” and “2FA was enabled on the account”. The community, and in particular those who lost their six-figure NFTs, will therefore be extremely keen to know how the hacker was able to access the account and make off with their haul.