On Monday, the Bored Ape Yacht Club NFT project announced in a tweet that its Instagram account had been hacked.
“There is no mint going on today. It looks like BAYC Instagram was hacked. Do not mint anything, click links, or link your wallet to anything,” the group wrote.
On its official Discord channel, a moderator warned users: “THERE IS A FAKE LAND MINT WEBSITE BEING SHARED BY THE BAYC IG. DO NOT MINT ANYTHING.”
The hackers advertised a fake distribution of NFTs, known as an airdrop in the web3 world, which tricked users into clicking on a malicious link. Once people clicked on it, they gave control of their wallets to the hackers, according to CoinDesk.
In a tweet, independent blockchain sleuth Zachxbt shared a link to the hacker's Ethereum address, which is currently labeled as being a phishing address on Etherscan. Blockchain records show that the address received 134 NFTs within the space of a few hours on Monday morning. The stolen assets include numerous NFTs from Yuga Labs, the firm behind BAYC, including Bored Ape, Mutant Ape, and Kennel Club NFTs. The value of those NFTs before they were stolen was $2.7 million.
It’s unclear at this point how the hackers compromised the Instagram account.
A spokesperson for Yuga Labs, the company that created Bored Ape Yacht Club, said in a statement that “the hacker posted a fraudulent link to a copycat of the Bored Ape Yacht Club website, where a safeTransferFrom attack asked users to connect their MetaMask to the scammer’s wallet in order to participate in a fake Airdrop. At 9:53am ET, we alerted our community, removed all links to Instagram from our platforms and attempted to recover the hacked Instagram account.”
“Two-factor authentication was enabled and the security practices surrounding the IG account were tight. Yuga Labs and Instagram are currently investigating how the hacker was able to gain access to the account. We’re still investigating. Rough estimated losses due to the scam are 4 Bored Apes, 6 Mutant Apes, and 3 BAKC, as well as assorted other NFTs estimated at a total value of ~$3m. We are actively working to establish contact with affected users,” read the statement sent via email.
Do you have more information about this hack? Or other web3 and crypto hacks? We’d love to hear from you. You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, Wickr/Telegram/Wire @lorenzofb, or email email@example.com
Earlier this month, the official Discord channel of Bored Ape Yacht Club, along with several other NFT Discords, was hacked as part of a phishing scam. The hack tricked users into clicking on a link to “mint” a fake NFT by sending ETH and in some cases an NFT to wrap into a token.
In the Discord channel, several people complained about being victims of today’s scam.
“They stole a bunch of shit. I had a rare king mutant and a bunny ear mutant. stuff that would sell above floor. I just lost over 100 ether on this. Fucking unacceptable. From official ig, the website looked real,” one user wrote. “I’m at the point where I have to sue yugo over this hack. I’m not walking away from $300k because their shit was hacked.”
Another user wrote in solidarity with the people who lost their precious JPGs: “RIP to the apes that got tricked on IG today.”
Others blamed the victims.
“It’s like watching a bunch of people run into a burning building with free money spray painted on it,” wrote one user.
UPDATE, April 25, 12:42 p.m. ET: This story was updated to include Yuga Labs’ statement.