The Bored Ape Yacht Club collection was hit by a hack in which 91 non-fungible tokens (NFTs) were stolen. The loot is thought to be worth roughly $3 million. To deceive investors, the attacker took control of the project's official Instagram account even though two-factor authentication was enabled on it.
One of the most popular non-fungible token (NFT) collections on the market, the Bored Ape Yacht Club (BAYC), has recently been hacked. In a thread posted on Twitter on Monday, April 25, 2022, Yuga Labs, the project's creator, explained how an attacker stole a total of 133 NFTs, including several apes from the Bored Ape collection.
The perpetrator first seized control of the project's official Instagram account. As a second step, "the hacker provided a bogus link to a duplicate of the BAYC website with a fake Airdrop".
The attacker claimed that users would be given virtual land in the metaverse. To allay the targets' suspicions, the hacker drew on the real roadmap published by Yuga Labs: the creators of the Bored Ape plan to offer 200,000 plots of land in a new virtual environment dubbed MetaRPG.
The link prompted users to connect their MetaMask digital wallets and approve a transaction. By signing this transaction, the victims granted the hacker permission to take their non-fungible tokens, which were then transferred to the scammer's wallet.
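The approval step described above, as an added illustration that is not from the article or from Yuga Labs: a pre-signing check a wallet or browser extension could run to decode an ERC-721 approval call and refuse a blanket setApprovalForAll to an operator the user has not allowlisted. The function selectors are the standard ERC-721 ones; the operator, collection and allowlist addresses are constructed placeholders, and it is an assumption, not something the article states, that the phishing transaction was an approval of this form.

```python
from typing import Optional

# Standard ERC-721 4-byte selectors (first 4 bytes of keccak256 of the signature).
SELECTORS = {
    "a22cb465": "setApprovalForAll(address,bool)",
    "095ea7b3": "approve(address,uint256)",
}

# Constructed placeholders: a marketplace contract the user trusts, and a
# wallet-extension transaction request asking for setApprovalForAll(0x1111..., true).
TRUSTED_OPERATORS = {"0x" + "aa" * 20}
SAMPLE_TX = {
    "to": "0x" + "bb" * 20,  # placeholder NFT collection contract
    "data": "0xa22cb465" + "00" * 12 + "11" * 20 + "00" * 31 + "01",
}


def decode_approval(calldata: str) -> Optional[dict]:
    """Decode an ERC-721 approval call; return None if it is not one."""
    data = calldata.lower()
    if data.startswith("0x"):
        data = data[2:]
    if len(data) < 8:
        return None  # plain value transfer, no function selector
    sig = SELECTORS.get(data[:8])
    if sig is None:
        return None
    words = [data[i:i + 64] for i in range(8, len(data), 64)]
    if len(words) != 2 or any(len(w) != 64 for w in words):
        raise ValueError("malformed arguments for " + sig)
    # An address is right-aligned in its 32-byte word; the upper 12 bytes must be zero.
    if words[0][:24] != "0" * 24:
        raise ValueError("address word has non-zero upper bits")
    operator = "0x" + words[0][24:]
    if sig.startswith("setApprovalForAll"):
        flag = int(words[1], 16)
        if flag not in (0, 1):
            raise ValueError("bool word is not 0 or 1")
        return {"function": sig, "operator": operator, "all": flag == 1}
    return {"function": sig, "operator": operator, "all": False,
            "token_id": int(words[1], 16)}


def assess(tx: dict, trusted: set) -> str:
    """Return 'ok', 'review' or 'block' for a transaction a wallet is about to sign."""
    info = decode_approval(tx.get("data", "0x"))
    if info is None or info["operator"] in trusted:
        return "ok"
    # A blanket approval to an unknown operator lets that address move every token
    # the victim holds in the collection; a single-token approve still deserves a look.
    return "block" if info["all"] else "review"
```

Addresses in the allowlist must be lowercase, since the decoder normalises calldata to lowercase before comparing.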
Among the NFTs stolen in the hack were four Bored Apes, six Mutant Apes, one CloneX, and three Bored Ape Kennel Club NFTs. The value of the stolen non-fungible tokens is estimated at around $3 million, Yuga Labs announced in a press release relayed by several media outlets, including ZDNet.
According to Molly White, the software engineer behind the Web3 is Going Great project, 44 users fell for the scam. The creators of the Bored Ape Yacht Club collection ask affected users to contact them:
"If you have been affected by the hack or have information that might be helpful, contact ighack@yugalabs.io. You have to contact us first; we are not going to initiate the contact."
Yuga Labs acted as soon as it became aware of the hack. The start-up quickly alerted its community, removed the links pointing to the Instagram account, and worked to regain control of the account. The creators of the Bored Ape say that two-factor authentication was enabled on the account:
“At the time of the hack, two-factor authentication was enabled […]. We have regained control of the account and are investigating how the hacker gained access.”
According to Paul Walsh, a computer security expert and CEO of the cybersecurity firm MetaCert, the hacker relied on "a reverse proxy phishing attack". In a post on Medium, the expert explains that this type of attack captures both the login credentials, such as username and password, and the authentication code that Instagram sends by email or text message. He specifies:
I suspect that’s what happened to a member of the Bored Ape Yacht Club crew. This attack is impossible to prevent because the traditional network, cloud, and endpoint security rely on the impossible task of detecting millions of new malicious URLs created by criminals every month.