Bored Ape Yacht Club NFTs worth millions got stolen after the hack

Instagram account hack leads to the loss of 134 NFTs

Popular NFT tokens stolen due to the phishing link distributed via hacked Instagram account

A phishing link was sent from the official Instagram account for the Bored Ape Yacht Club, and attackers managed to transfer the NFTs to their wallets from unsuspected users' accounts. Holders clicked on the link that supposedly promised them free land tokens in the upcoming metaverse, and their NFTs disappeared after that.^[1]

Another day another NFT scam^[2]. Hackers tricked people into giving control of their funds and wallet contents with fake advertisements.^[3] These projects gain popularity due to the demand for these platforms and new NFT bundles. The incident was reported by the officials via Twitter:

There is no mint going on today. It looks like BAYC Instagram was hacked. Do not mint anythink, click links, or link your wallet to anything.

Admins then warned users and holders in various forums and platforms, including Discord channels. However, many users have already clicked those links and became victims of this scam by believing that the airdrop of the NFT will happen. This way users allowed attackers to access their wallets and control what happened to those funds and tokens.

Around 134 lost NFTs

Researchers managed to find the particular wallet belonging to the attacker responsible for the phishing campaign. The records show that the particular wallet recently received particular 134 NFTs over the span of a few hours on Monday morning.^[4] These tokens include tokens from various projects belonging to the firm Yuga Labs that is behind these popular Bored Ape Yacht Club project NFTs.

Holders of Bored Ape, Mutant Ape, and Kennel Club NFTs suffered huge losses. The value of these stolen tokens can be counted up to $3 million.^[5] The hacker posted the particular fraudulent links and copied a particular look for the official website, so users believed the scam and clicked on the deceptive link resulting in the complete control of the account.

We’re still investigating. Rough estimated losses due to the scam are 4 Bored Apes, 6 Mutant Apes, and 3 BAKC, as well as assorted other NFTs estimated at a total value of ~$3m. We are actively working to establish contact with affected users.

However, it is not clear how the attacker managed to get access to the Instagram account in the first place. Officials state that two-factor authentication was enabled and that particular security practices surrounding the social media account were tight. It is believed that further investigation will reveal how the IG account got hacked in the future, so particular measures can be implemented to secure the accounts and crypto-wallets.

Another phishing scam targeting the Bored Ape Yacht Club NFTs

The Discord channel for the project and other channels of NFT projects got hacked this month too.^[6] This campaign was also a phishing scam that tricked users into clicking a link that offered to mint the fake NFT by sending the ETH and NFTs to wrap into the token. During this campaign, some of the NFTs were also stolen. One of the Mutant Ape Yacht Club NFT was immediately sold.

People have already complained about this Monday scam on Discord too. Some of the affected holders have been blamed for their lack of attentiveness when the free NFT is offered. However, this is how and why scam campaigns like this always work on some level because there always are people who believe fake claims and fall for the scams no matter how bizarre those look to others.