A hacker has stolen about $14 million worth of NFTs through the Instagram account of the Bored Ape Yacht Club (BAYC). After accessing the account, the attacker posted a link that took users to a phishing site.
NFTs Amounting to About $14M Stolen
BAYC disclosed the hack on its Twitter account just before 10 am ET on Monday. “There is no mint going on today,” the Tweet read. “It looks like BAYC Instagram was hacked.” According to the Wall Street Journal, the number of crypto-related security breaches has increased significantly in the past couple of years. In 2021, hackers stole around $3 billion worth of digital currencies.
Unfortunately, the warning from BAYC did not come early enough to prevent many of the hack victims from losing their valuable NFTs. A Twitter user posted a link to an OpenSea page that showed the number of NFTs that the hacker was able to steal from various projects, such as the Bored Ape, Bored Ape Kennel Club, and the Mutant Ape. The stolen NFTs are estimated at around 24 Bored Apes and 30 Mutant Apes.
The hacker’s profile page, which was linked to his wallet address, is no longer on OpenSea. According to spokesperson Allie Mack, the account was banned under the platform’s terms of service, which prohibit unauthorized access to users’ accounts.
Because NFTs are decentralized by nature, users can still view the contents of the hacker’s wallet on other platforms. For instance, the contents of his wallet included 134 NFTs. These include various items from projects developed by Yuga Labs, such as the Bored Ape Kennel Club and the Mutant Apes.
The value of the stolen Apes was computed by taking into account the most recent sale price of each asset. For instance, the lowest-priced of the stolen Apes, #7203, was sold four months ago for 47.9 ETH.
Ape #6778 sold at 88.88 ETH ($256,200), while Ape #6178 sold at 90 ETH ($259,400). The highest selling price among the stolen assets came three months ago, when investors bought Bored Ape #6623 for $354,500. This means that the total value of the four stolen Apes is around $1 million.
How Did the Hack Happen?
It is not clear how the hacker was able to access the account of the project. In a statement sent to The Verge, Yuga Labs explained that the account was secured using two-factor authentication. The company also said it worked with the affected users to establish contact details.
Although cryptocurrencies such as NFTs are commonly bought and sold, users hold them on smartphones instead of in more secure environments. Because of this, the MetaMask app only supports NFT displays on mobile devices.
Instead of relying on a browser extension, MetaMask app users can manage their NFTs through their smartphones. This eliminates the need to visit a website to view and manage their NFTs.
Security advice for NFT holders states that they should never connect their wallets to an unknown third party. However, the hacker sent the link through BAYC's Instagram account, which most likely convinced the victims that it was legitimate.
One Attack After Another
This Instagram hack came just a few weeks after BAYC’s Discord server was hacked. The Bored Ape Yacht Club warned its community members not to mint anything from their Discord servers after a webhook was accidentally compromised. The club said they immediately caught it, but the hacker also attacked other servers.
The link tricked people into purchasing fake NFTs from the Bored Ape collection, which could allow a hacker to steal their wallet’s contents. As of now, the hacker has stolen only one fake NFT.
The attack affected several popular NFT collections, such as Nyoki, Shamanzs, and Doodles. According to zachxb, the attacker was most likely the same one that targeted these channels.