spinner

BAYC Insta Hack

$3 Million in Bored Ape NFTs Stolen After Instagram Hack

Sun 1st May 2022

//images.ctfassets.net/znxnw90vc5ew/7urBcKVA0jznQqTv1jsgzO/874cd6ae6b94e3b1593ef4a3f068c721/BAYC.jpg

BAYC is again targeted by hackers

Success is a double-edged sword: you make some money and gain some fame, but now you’ve got a target on your back. BAYC, one of the most successful and valuable NFT collections, has once again become such a target. On Monday, hackers stole more than $3 million worth of Bored Ape NFTs after accessing the BAYC Instagram account.

How did it happen?

According to BAYC’s official Twitter account, the hacker posted a fraudulent link to a copycat BAYC website on Instagram, promoting a fake Airdrop. To receive this Airdrop, users were prompted to sign a “safeTransferFrom” transaction, which connected their wallet to the site and transferred their assets to the hacker’s wallet.

The hack appears to have taken advantage of rumors about a planned Land air drop. Otherside, the site on which BAYC land resides, has begun minting as of April 27 and does in fact have a planned air drop for the 30th. 

To nab the Apes, the fake website ran scripts scanning for the top NFTs, then wrote a script authorizing their transfer, and all the victim had to do was sign, oblivious to the fact that they were losing Apes rather than gaining Land.

BAYC acted swiftly, alerting the community to the hack, removing the post and malicious links, and regaining control of the account before the day was done. BAYC also reminded followers that mints and air drops would only be announced on their official Twitter accounts and cross-posted on Discord.

NFT owners who fell victim to the hack altogether lost four Bored Apes, six Mutant Apes, and three Bored Ape Kennel Club NFTs, collectively worth $3 million (or about 1060 ETH at time of writing). Currently, the floor price of a Bored Ape is more than 150 ETH.

Not a security issue — or is it?

According to BAYC, at the time of the hack, two-factor authentication was enabled and Yuga Labs followed best security practices. They also announced that they would conduct an investigation as to the cause and perpetrator of the hack. They also requested that anyone who has been affected by or has information on the hack to contact them at ighack@yugalabs.io. As of press time the hack is still under investigation.

While details of how the hack worked have been shared by BAYC, it’s still not clear how their Instagram account got hacked in the first place. So, naturally, theories shared on Twitter abound. 

The most popular theory is the SIM swap, in which a person’s phone SIM card is duplicated and thus enables the thief to impersonate that person. Another theory is hat the Instagram account manager was phished (hey, it can happen to any of us). Or was it an inside job? For now, we can only speculate.

This is not BAYC’s first hack (like I said, target on the back). Earlier in April, their Discord was briefly compromised, and phishing messages advertising a fake mint were sent out to members. Yuga Labs quickly caught on to the hack and tweeted to all BAYC holders warning not to mint. A single ape is known to have been stolen as a result of this hack.

Market effects

ApeCoin, BAYC’s token, suffered a small dip on Monday after the news broke, but it has been steadily rising and reached a peak on April 28th at a value of $25.91 USD. Its land rollout so far has gone without a hitch. For BAYC, this hack will be a minor setback in the long run. Unfortunately for the affected owners, their Bored Apes — and the value they held for them — are gone.

Stay safe out there

While it has been said again and again, it bears repeating: always check the urls before clicking on any links. So many fake websites are just a bit off in the spelling or have a different top-level domain (e.g., .com or .xyz) than the legitimate one. And even if it looks legit, cross-check any notifications of mints or air drops on all of a project’s platform to ensure that it’s for real. A lot of these hacks seem to get in on one platform at a time, such as this recent hack, which was only on Instagram.

And, as always, if it sounds too good to be true, it probably is. Scams abound in the cryptosphere, and projects like BAYC are sure to be targeted. If you are a BAYC holder or a holder of some other high-value NFT project, move them to a cold wallet that almost never gets connected to the internet. It may be a hassle, especially when these assets are your ticket to special features and perks. But with so many scammers sniffing around, you’ll be glad you kept your assets safe.