A hacker stole NFTs worth millions of dollars last week after accessing the official Instagram account of Yuga Labs’ Bored Ape Yacht Club (BAYC) and posting a phishing link that moved tokens out of users’ crypto wallets. According to reports, the BAYC NFTs hack resulted in the theft of NFTs valued between $1 million and $14 million, depending on the source. Using the phishing link, the hacker tricked many followers into linking their crypto wallets to the hacker’s “smart contract” — a method for carrying out a crypto transaction. The attacker was able to take the assets housed in the wallets, gaining control of four Bored Apes including the Bored Ape, Mutant Ape, and Bored Ape Kennel Club projects, and a slew of other NFTs like 6 Mutant Apes, and 3 BAKC worth a total of $3 million.
The profile page linked to the hacker’s wallet address is no longer accessible on OpenSea due to the violation of platform OpenSea’s terms of service that forbid fraudulently obtaining items or taking them without consent. However, since NFT is decentralized, the content of the hacker’s wallet can be accessed on other sites. The wallet had 134 NFTs, according to the NFT platform Rarible.
Based on the most recent sale price, each of the stolen BAYC NFTs is valued well into the six figures. The cheapest Ape, #7203, last sold for 47.9 ETH, four months ago. Ape #6778 was most recently sold for 88.88 ETH, while Ape #6178 was finally sold for 90 ETH. The most valuable Ape, Bored Ape #6623, was sold three months ago for 123 ETH, bringing the total worth of the four stolen BAYC NFT Apes to a little over $1 million.
The phishing email was disguised as an airdrop link for the company’s new metaverse project, Otherside (a future Bored Ape-themed online world), which is set to launch later last week. The primary goal of a crypto airdrop is to raise awareness for new initiatives or services. The goal is to transfer tokens or NFTs to thousands of crypto addresses in the hopes that more people would get interested in the project and promote it. Users must link their crypto wallet (here MetaMask) where their NFTs are stored in order to receive an airdrop. Unfortunately, the fake link took the digital assets from the consumers’ wallets and transferred them to the hacker’s wallet.
The hack was disclosed on Twitter by BAYC just before 10AM ET on Monday last week. According to BAYC co-founder, the Gargamel hack occurred even when two-factor authentication was enabled on the account.
The Bored Ape Yacht Club is a 10,000-strong NFT collection of digital artworks launched by Yuga Labs in April 2021. These digital artworks feature images of ‘bored apes’ with a variety of fashionable accessories. Each bored ape is minted with different accessory combinations at random in such a way that each artwork is unique and only one of each exists. These apes were once purchasable for $250 per NFT, but their price (min $300,000) has risen with the NFT boom in 2021.
Meanwhile, scams involving BAYC NFTs are on the rise. Last month, a bored ape holder known as ‘s27’ lost $567k worth of bubble gum ape and matching mutants after trading NFTs via an exchange known as “Swap.kiwi.” This platform enables direct NFT exchanges between collectors with cheap transaction fees. The fraudster had made fresh NFTs that looked exactly like BAYC photos, except they had a green tick over them, which mimicked the platform’s “verified” mark.
Read More: Another Phishing attack on OpenSea: Are Phishing threats on rise in NFT Marketplaces?
Yuga Labs, in other news, has raised $285 million in cryptocurrency by selling tokens that represent land in a virtual world game it claims to be developing. Yuga Labs sold NFTs named “Otherdeeds” in an online sale on April 30, claiming that they could be swapped for plots of virtual property in “Otherside.” The “Otherdeeds” can only be purchased with ApeCoin, the project’s associated cryptocurrency that launched in March.
BAYC is also busy with other ambitious projects to establish itself as a bigger brand. A trilogy of BAYC films named “The Degen Trilogy is on the way, according to cryptocurrency exchange Coinbase. The first will arrive in June, coinciding with Coinbase’s long-awaited NFT marketplace launch.
A “degen” is a phrase used in the crypto community to characterize someone who buys coins or NFTs without performing any substantial investigation into what they’re actually buying. The first part will be unveiled during NFT NYC, a nonfungible tokens event held in New York every year between June 20 and June 23.