An Instagram phishing attack has resulted in the theft of 91 Bored Ape Yacht Club NFTs, worth around $2.8 million.
BAYC, as it’s known in NFT circles, is run by Yuga Labs, one of the most mysterious NFT collectives in the space, which recently raised $450 million at a $4.5 billion valuation.
🚨There is no mint going on today. It looks like BAYC Instagram was hacked. Do not mint anything, click links, or link your wallet to anything. April 25, 2022
The exploit allowed the attackers to steal BAYC NFTs from wallets that were fooled into accepting a fake airdrop, which is usually a method for distributing free NFTs or other digital assets.
BAYC’s Instagram account was used to promote the LAND fake airdrop, according to The Block, which ties into the organization’s broader plans to release NFT-based games.
The attackers’ wallet received 91 NFTs from the saga, including four Bored Apes, six Mutant Apes and three Bored Ape Kennel Club NFTs, according to BAYC co-founder Garga. The attacker also stole various other digital assets.
The IG hack resulted in 4 Apes, 6 Mutants, 3 Kennels, and some other assorted valuable NFTs being lost. We will be in contact with the users affected and will post a full post mortem on the attack when we can. For now I would like to stress that 2FA was enabled on the account. https://t.co/bsc3tHt9QG April 25, 2022
Garga said the security practices on BAYC’s Instagram were “tight” and “nothing important will ever get posted on Instagram again.”
Another worrying Web3 exploit
Whether you think Web3 is the future or not, one thing everyone can agree on is there are a lot of scams in the nascent space. Nearly every week people lose crypto assets worth something, from the recent $600 million Axie Infinity hack on downwards.
This is predominantly down to the extremely everyone-for-themselves nature of Web3 as it stands, often sitting outside any clear oversight. NFT owners must take extreme measures to protect their assets, including casting a sceptical eye over real-seeming airdrops.
Even a well-funded and notable institution like BAYC isn’t immune, as the latest example proves. Back on April 1, BAYC also suffered a hack to its Discord server, for similar purposes.
STAY SAFE. Do not mint anything from any Discord right now. A webhook in our Discord was briefly compromised. We caught it immediately but please know: we are not doing any April Fools stealth mints / airdrops etc. Other Discords are also being attacked right now. April 1, 2022
The fact that a startup with $450 million – plus the proceeds from selling its NFTs – can’t keep itself safe from hacks shows how far the Web3 industry has to go.