Bored Ape Yacht Club – one of the most high-profile lines of NFT collectibles, much loved by celebs and high-net-worth investors – has had its Instagram and Discord hacked in a scam that has relieved some Club members of the contents of their wallets.
And it seems that rather than engaging in any kind of next-level hacking to pull off the feat, the attackers either social engineered their way in or – worse – simply knew the passwords for the social accounts, and used that access to wreak havoc.
Once inside they simply posted a message – apparently coming from the Apes themselves – announcing that there would shortly be a new mint of NFTs in a previously unannounced land sale and that – of course – anyone interested in buying should hit the link, connect their wallet to the bogus site and sign a ‘safeTransferFrom’ request there.
The rest was simple, and at the time of writing it is estimated that potentially millions of dollars’ worth of NFTs have been appropriated, along with any cryptocurrency assets that may have been sitting in the same connected wallet.
Unofficial estimates place losses at between $1m and $3m depending on the rarity (and thereby value) of the apes stolen and the presence of other funds alongside them.
The story of the heist so far
The official state of play – and the best explanation of what has occurred – is the chain of Instagram posts following the scam, posted by the genuine owners of the BAYC Instagram account. They read:
There is no mint going on today. It looks like BAYC Instagram was hacked. Do not mint anything, click links or link your wallet to anything.
This morning the official BAYC Instagram account was hacked. The hacker posted a fraudulent link to a copycat of the BAYC website with a fake Airdrop, where users were prompted to sign a ‘safeTransferFrom’ transaction. This transferred their assets to the scammer’s wallet.
If you were affected by the hack or have information that might be helpful, reach out to [email protected]. You need to contact us first – anybody contacting you first is not us. We will NOT reach out to anyone over email first, and we will NEVER ask you for your seed phrase.
This IG account was hacked earlier today. At the time of the hack, two-factor authentication was enabled and security surrounding this account followed best practices. Yuga’s team has regained control of this account, and we’re investigating how the hacker gained access with IG’s team.
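The transaction the victims were asked to sign is worth looking at from the wallet's side. `safeTransferFrom` is the standard ERC-721 transfer function, so a signing prompt for it looks routine; the tell is that a mint or airdrop claim never needs you to move a token you already hold, and the destination address belongs to someone else. The following is an added example, not code from this article or from Yuga Labs: a small pre-signing check that decodes the calldata of a pending transaction, recognises the ERC-721 transfer and approval functions by their standard four-byte selectors, and warns when the call would move or delegate the signer's tokens to an address outside a trusted set. The victim and scammer addresses, the token id and the `encode_call` helper that builds the sample calldata are all constructed for the demo.

```python
"""Pre-signing check for ERC-721 calldata (added example, not the article's code).

Decodes the function selector and ABI-encoded arguments of a pending transaction
and warns when it would transfer or delegate the signer's NFTs to a third party.
"""

# First four bytes of keccak256 of each standard ERC-721 signature.
ERC721_SELECTORS = {
    "23b872dd": "transferFrom(address,address,uint256)",
    "42842e0e": "safeTransferFrom(address,address,uint256)",
    "b88d4fde": "safeTransferFrom(address,address,uint256,bytes)",
    "a22cb465": "setApprovalForAll(address,bool)",
    "095ea7b3": "approve(address,uint256)",
}


def _word(data: bytes, i: int) -> bytes:
    """Return the i-th 32-byte ABI word after the 4-byte selector."""
    start = 4 + 32 * i
    return data[start:start + 32]


def _addr(word: bytes) -> str:
    """An address is the low 20 bytes of its 32-byte word."""
    return "0x" + word[-20:].hex()


def decode_calldata(calldata_hex: str) -> dict:
    """Decode selector and arguments for the ERC-721 calls we care about."""
    hex_body = calldata_hex[2:] if calldata_hex.startswith("0x") else calldata_hex
    data = bytes.fromhex(hex_body)
    if len(data) < 4:
        return {"function": None}
    selector = data[:4].hex()
    sig = ERC721_SELECTORS.get(selector)
    out = {"selector": selector, "function": sig}
    if sig is None:
        return out  # not an ERC-721 call we model; the caller decides what to do
    name = sig.split("(")[0]
    if name in ("transferFrom", "safeTransferFrom"):
        out.update(frm=_addr(_word(data, 0)), to=_addr(_word(data, 1)),
                   token_id=int.from_bytes(_word(data, 2), "big"))
    elif name == "setApprovalForAll":
        out.update(operator=_addr(_word(data, 0)),
                   approved=bool(int.from_bytes(_word(data, 1), "big")))
    elif name == "approve":
        out.update(operator=_addr(_word(data, 0)),
                   token_id=int.from_bytes(_word(data, 1), "big"))
    return out


def assess(calldata_hex: str, signer: str, trusted=frozenset()) -> list:
    """Return human-readable warnings; an empty list means nothing was flagged."""
    d = decode_calldata(calldata_hex)
    signer = signer.lower()
    trusted = {t.lower() for t in trusted} | {signer}
    warnings = []
    sig = d.get("function")
    if sig is None:
        return warnings
    name = sig.split("(")[0]
    if name in ("transferFrom", "safeTransferFrom") and d["to"] not in trusted:
        warnings.append(f"{name} moves token #{d['token_id']} from {d['frm']} "
                        f"to {d['to']}, an address you do not control")
    elif name == "setApprovalForAll" and d["approved"] and d["operator"] not in trusted:
        warnings.append(f"setApprovalForAll lets {d['operator']} move EVERY token "
                        f"you hold in this collection, now and in future")
    elif name == "approve" and d["operator"] not in trusted:
        warnings.append(f"approve lets {d['operator']} move token #{d['token_id']}")
    return warnings


def encode_call(selector_hex: str, *args) -> str:
    """Build ABI calldata for the demo: each address or uint becomes one 32-byte word."""
    words = []
    for a in args:
        if isinstance(a, str):  # hex address
            words.append(bytes.fromhex(a[2:]).rjust(32, b"\x00"))
        else:  # unsigned integer
            words.append(int(a).to_bytes(32, "big"))
    return "0x" + selector_hex + b"".join(words).hex()


if __name__ == "__main__":
    # Constructed sample: the signer is asked to "claim an airdrop", but the
    # prompt is really a safeTransferFrom of their own token to a stranger.
    victim = "0x" + "11" * 20   # constructed placeholder address
    scammer = "0x" + "22" * 20  # constructed placeholder address
    phish = encode_call("42842e0e", victim, scammer, 1234)
    for w in assess(phish, signer=victim):
        print("WARNING:", w)
    # A transfer to one of the signer's own known wallets raises nothing.
    cold = "0x" + "33" * 20
    print("benign:", assess(encode_call("42842e0e", victim, cold, 1234), victim, {cold}))
```

The check deliberately treats the signer's own address and an explicit allowlist as the only safe destinations; everything else is surfaced, including a `setApprovalForAll`, which is the more dangerous variant because a single signature hands over the whole collection rather than one token. A real wallet would also resolve the contract address and show a human-readable summary, but the core rule here is the one the BAYC posts imply: if a "mint" asks you to sign anything that moves or approves what you already own, stop.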
And in a piece of advice that perhaps should have been shared/known earlier, BAYC state that:
We will also NEVER announce mints on the BAYC or Otherside Instagram accounts first, ever. Only obtain information from our official Twitter accounts: @BoredApeYC, @yugalabs, and @OthersideMeta. These will be crossposted on the #announcement channel of BAYC Discord.
For the safety of our community, we will not be posting anything on this account or @OthersideMeta IG until the investigation is complete and we’ve decided on next steps. Only obtain info from our official Twitter accounts: @BoredApeYC, @yugalabs and @OthersideMeta.
So if it’s on Twitter it’s all legit… Because no-one ever gets their Twitter hacked…
We’ll update this story with any progress the Apes make in tracking down the theft’s perpetrators and reuniting their art with their owners.