On Monday, unknown hackers stole what will amount to millions of dollars' worth of NFTs from Bored Ape Yacht Club (BAYC), one of the most popular NFT projects.
As seems to be the case in recent hacks though, the hackers didn’t target the project directly, but rather targeted peripheral services in order to trick users into giving up their holdings. This time, the target was Instagram.
By the end of the hack, more than 90 NFTs were stolen, representing more than $3 million in value. Although it was a small amount compared to some of the hacks we’ve recently discussed, we felt it was worth covering, as the hack is a good illustration of why it’s important not to get caught up in crypto hype and to do research before making any moves.
Here’s How It Worked
What is clear is that the hackers spent a lot of time preparing for the hack. Not only did they gain control of BAYC’s Instagram account, but they also created a fake website that looked very real.
It started when the hackers advertised a fake airdrop on Instagram, which tricked users into clicking on a malicious link. Once users landed on the website, they gave control of their wallets to the hackers, who then drained their valuable NFTs.
Users thought they were claiming a LAND airdrop. The lure took advantage of the Bored Ape roadmap, which includes a metaverse game that will contain virtual land.
Yuga Labs, the maker of BAYC, stated that “two-factor authentication was enabled and the security practices surrounding the IG account were tight. Yuga Labs and Instagram are currently investigating how the hacker was able to gain access to the account.”
Not The First Time…
And it’s not only the projects directly: earlier this year, a disgruntled user decided to sue NFT exchange OpenSea for $1 million after one of his BAYC NFTs was sold without his permission.
Overall, as these NFT projects continue to hype up “act now before it’s all gone” airdrops that are limited in nature, such as ApeCoin, we only expect more individuals to get caught up in the moment, giving hackers a perfect attack vector. Be safe out there.