Bored Ape Yacht Club’s Instagram compromised in $2.4 million NFT phishing scam

Bored Ape Yacht Club creator Yuga Labs is investigating a phishing attack after a hacker stole nearly $2.5 million worth of NFTs through the official Bored Ape Instagram account. The company disclosed the hack on Monday morning in a tweet warning followers not to click on links or mint new tokens.

Per a screenshot shared by The Block, the hacker behind the attack stole 133 NFTs after using BAYC’s Instagram account to promote a fake “airdrop.” Essentially, the scam promised people free tokens if they connected their MetaMask wallets to the site linked through the post. It’s unclear how the hacker accessed BAYC’s Instagram account, and Yuga Labs has yet to announce whether it will compensate those affected by the scam.

“At the time of the hack, two-factor authentication was enabled and security surrounding the IG account followed best practices,” the company said. “We’ve regained control of the account, and are investigating how the hacker gained access with IG’s team.”

Among the stolen NFTs are four Bored Apes. As noted by The Verge, the most expensive token in the trove, Bored Ape 6623 (pictured above), recently sold for 123 Ethereum, making it worth approximately $354,500 at the current exchange rate. The four apes together are worth more than $1 million. One estimate by Molly White, the creator of Web3 is Going Great, puts the value of the entire theft at approximately $2.4 million.

Monday’s incident is the latest NFT theft to involve a high-profile phishing attack. More than two dozen OpenSea users lost access to about 250 tokens worth an estimated $1.4 million in February. As The Verge points out, what likely made this most recent scam particularly effective is that it not only came from the official Bored Ape Instagram account but that MetaMask currently only allows users to visually see their NFTs within its mobile app.