
Bored Ape Yacht Club Hacked: Instagram exploit lets thief steal over $13 million in NFTs


Bored Ape Yacht Club (BAYC), a collection of Ethereum-based non-fungible tokens, had its Instagram account hacked:

Garga.eth, BAYC co-founder, stated that “The security practices surrounding the IG account were tight on Yuga’s end. Nothing important will ever get posted on Instagram again.” Nonetheless, the IG account was compromised. There are several theories on how that became possible. Here are some of them:

1. SIM swap scam

The scam takes advantage of a mobile phone service provider’s ability to transfer a phone number to a device with a new subscriber identity module (SIM). This mobile number portability function is normally used when a phone is lost or stolen, or when a customer moves their service to a new phone; an attacker who convinces the carrier to port the victim’s number receives the SMS one-time codes sent to it.

2. Insider

This scenario is possible if BAYC has moderators or admins with access to its Instagram account.

3. Phishing

Enabling 2FA with an authenticator app rather than SMS is the safer option. Even so, you can still be subjected to phishing attacks.

When you enter your credentials into a phishing website or app, the attackers use a script to log in immediately with your password and the one-time code you just typed, before the code expires.

BAYC Instagram post

Consequences of the hack

The hacker posted a fraudulent link to a clone of the BAYC website advertising a bogus airdrop, prompting users to sign a ‘safeTransferFrom’ transaction. Signing it moved the users’ NFTs to the scammer’s wallet.
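The ‘safeTransferFrom’ call the victims signed is an ordinary ERC-721 transfer whose `to` argument was the scammer’s address. The following added example (not code from this article, from BAYC or from Yuga Labs) shows the kind of pre-signing check a wallet could run on such calldata: it decodes the four standard ERC-721 calls that move or delegate a token and flags any transfer whose recipient is not the signer, or any `setApprovalForAll` that grants an operator. The selectors are the standard ERC-721 ones; the addresses, token id and calldata strings are constructed for the demonstration, and the `build_*` helpers exist only to produce that sample input.

```python
# Added example, not code from the De.Fi article or from BAYC/Yuga Labs.
# A minimal pre-signing check on ERC-721 calldata: decode the call and flag
# anything that hands a token, or control of all tokens, to another address.
from dataclasses import dataclass
from typing import Optional

# First 4 bytes of keccak256 over each canonical ERC-721 signature.
ERC721_SELECTORS = {
    "42842e0e": "safeTransferFrom(address,address,uint256)",
    "b88d4fde": "safeTransferFrom(address,address,uint256,bytes)",
    "23b872dd": "transferFrom(address,address,uint256)",
    "a22cb465": "setApprovalForAll(address,bool)",
}


@dataclass
class Decoded:
    function: str
    args: dict


def _word(data: bytes, i: int) -> bytes:
    """Return the i-th 32-byte ABI word after the 4-byte selector."""
    word = data[4 + 32 * i:4 + 32 * (i + 1)]
    if len(word) != 32:
        raise ValueError(f"calldata too short for argument {i}")
    return word


def _addr(word: bytes) -> str:
    """An address fills the low 20 bytes of a word; the 12 high bytes must be zero."""
    if any(word[:12]):
        raise ValueError("non-zero padding in address word")
    return "0x" + word[12:].hex()


def decode_calldata(calldata_hex: str) -> Optional[Decoded]:
    """Decode one of the four ERC-721 calls above; None for any other selector."""
    data = bytes.fromhex(calldata_hex.removeprefix("0x"))
    if len(data) < 4:
        raise ValueError("calldata shorter than a selector")
    signature = ERC721_SELECTORS.get(data[:4].hex())
    if signature is None:
        return None
    name = signature.split("(")[0]
    if name in ("safeTransferFrom", "transferFrom"):
        args = {"from": _addr(_word(data, 0)), "to": _addr(_word(data, 1)),
                "tokenId": int.from_bytes(_word(data, 2), "big")}
    else:  # setApprovalForAll(operator, approved)
        args = {"operator": _addr(_word(data, 0)),
                "approved": int.from_bytes(_word(data, 1), "big") == 1}
    return Decoded(name, args)


def assess(calldata_hex: str, signer: str) -> tuple:
    """Classify calldata as ('ok'|'danger'|'unknown', reason) for the given signer."""
    decoded = decode_calldata(calldata_hex)
    if decoded is None:
        return ("unknown", "not an ERC-721 transfer or approval call")
    signer = signer.lower()
    if decoded.function in ("safeTransferFrom", "transferFrom"):
        token, to = decoded.args["tokenId"], decoded.args["to"]
        if to != signer:
            return ("danger", f"{decoded.function} moves token #{token} to {to}")
        return ("ok", f"{decoded.function} keeps token #{token} with the signer")
    if decoded.args["approved"]:
        return ("danger", f"setApprovalForAll gives {decoded.args['operator']} control of every token")
    return ("ok", "setApprovalForAll revokes an operator")


# Helpers that build constructed calldata for the demonstration only.
def _pad_addr(addr: str) -> str:
    return "00" * 12 + addr.lower().removeprefix("0x")


def build_transfer_calldata(frm: str, to: str, token_id: int) -> str:
    return "0x42842e0e" + _pad_addr(frm) + _pad_addr(to) + token_id.to_bytes(32, "big").hex()


def build_approval_calldata(operator: str, approved: bool) -> str:
    return "0xa22cb465" + _pad_addr(operator) + int(approved).to_bytes(32, "big").hex()


# Constructed addresses: the signer and an unrelated recipient.
SIGNER = "0x" + "11" * 20
UNKNOWN_RECIPIENT = "0x" + "22" * 20

if __name__ == "__main__":
    for calldata in (build_transfer_calldata(SIGNER, UNKNOWN_RECIPIENT, 6623),
                     build_transfer_calldata(SIGNER, SIGNER, 6623),
                     build_approval_calldata(UNKNOWN_RECIPIENT, True),
                     "0xdeadbeef"):
        print(assess(calldata, SIGNER))
```

The check only reads the calldata, so it cannot tell a legitimate marketplace listing from a drainer; its value is that it surfaces the recipient address and the operator grant in plain words before the user signs, which is exactly the information the fake airdrop page hid.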

The scammer’s address:
https://etherscan.io/address/0x8c7934611b6ad70fbea13a1593de167a4689b9a9

Based on the most recent sale price, each of the stolen Apes is valued well into the six figures. The cheapest Ape, #7203, was sold four months ago for 47.9 ETH, which is approximately $138,000 at the current market rate. Ape #6778 was most recently sold for 88.88 ETH ($256,200), while Ape #6178 was sold for 90 ETH ($259,400). And Bored Ape #6623 was the most valuable of them, selling for 123 ETH ($354,500) three months ago, bringing the total worth of the four stolen Apes to well over $1 million.

The scammer sold the NFTs mostly on LooksRare, netting a total of 765 ETH, which was transferred to an external wallet:
https://etherscan.io/tx/0x5ab817dec198c39c7e1813c1b0ab3d87bf473a1af0938f082b86213a10f338ad

While crypto security experts advise NFT holders to never connect their wallets to an unknown or untrustworthy third party, the fact that the phishing link was sent through the official BAYC social media account likely convinced the victims that it was legitimate, raising difficult questions about where the fault lies.

Note that reputable NFT projects do not use social media accounts such as Instagram to share links to minting events or ‘free airdrops’. They are Discord-focused, and official announcements with verified links are posted there. In addition, many scammers run Facebook ads targeting Instagram users to draw crypto-interested people into fraudulent minting events or presales, embedding links to fake dApps.

As always, stay safe and DYOR!
