
Popular NFT company Bored Ape Yacht Club (BAYC) said Monday that cybercriminals hacked its Instagram account and used the access to share fraudulent phishing sites that allowed the theft of dozens of NFTs worth millions of dollars.
BAYC said it was unsure of how the hackers gained access to the Instagram account but is working with the platform to investigate the incident.
In several tweets, BAYC explained that the hackers posted a fraudulent link to a copycat of the BAYC website prompting users to sign a ‘safeTransferFrom’ transaction.
“This transferred their assets to the scammer’s wallet,” the company explained.
The hackers’ Ethereum address shows they may have stolen at least 135 NFTs. A BAYC co-founder who goes by the alias Garga said on Twitter that Bored Ape, Mutant Ape, and Kennel Club NFTs were stolen alongside a range of other NFTs including Toxic Skull Club, EightBit, CloneX and Alien Fren.
Blockchain security firm PeckShield said 765.3 ETH and about 91 NFTs were stolen in the BAYC Instagram attack. According to that data, the hackers have already sold 23 of the NFTs, including four Bored Apes, six Mutant Apes and two CloneX NFTs, for about $2.4 million.
The intruders allegedly donated 1.6 ETH to Ukraine Crypto Donation, according to PeckShield.
Estimates vary for the value of the stolen NFTs. Vice reported the value of the NFTs was about $2.7 million, while CoinDesk estimated that the floor price of the 24 Bored Apes and 30 Mutant Apes stolen was $13.7 million.
Yuga Labs, the company behind BAYC and other NFTs, did not respond to requests for comment about the hack or the value of the stolen NFTs but told other publications that the value hovered around $3 million.
“Immediately upon discovering the hack, we alerted our community, removed links to the compromised IG account from our platforms and attempted to recover the account,” BAYC said on Twitter.
The attackers knew more than just the password to the Instagram account, BAYC added.
“At the time of the hack, two-factor authentication was enabled and security surrounding the IG account followed best practices. We’ve regained control of the account, and are investigating how the hacker gained access with IG’s team,” the company said.
The company urged anyone affected to contact it, noting that it will not be contacting customers directly about the issue.
BAYC reiterated that no NFT minting news will ever be shared on Instagram and will only come through its official Twitter and Discord accounts.
Blockchain security researcher zachxbt tracked the stolen funds, noting on Twitter that most of them were sent to crypto exchanges KuCoin and Binance.
On April 1, hackers were able to compromise BAYC’s Discord as well, running a similar kind of phishing scam that would have given them access to victims’ wallets. One Mutant Ape NFT was stolen in the attack.
In recent weeks, PeckShield has tracked dozens of NFT-related phishing scams in which hackers attempt to trick users into handing over access to wallets holding NFTs and cryptocurrency.