

A bunch of Bored Apes were stolen again, but don’t blame Web3 for it

Scammers took over BAYC's Instagram to post a fake airdrop

Story by Ivan Mehta

Ivan covers Big Tech, India, policy, AI, security, platforms, and apps for TNW. That's one heck of a mixed bag. He likes to say "Bleh."

It’s happened again. Scammers struck the Bored Ape Yacht Club (BAYC) universe and stole some tokens. But, don’t worry, you can’t blame web3 for it. Nope. Not at all.

Hackers used a good old Web 2.0 trick: hijacking the project’s Instagram account and luring people into clicking unsolicited links.

Here’s what happened: after BAYC’s account was hacked, the attackers posted a message about claiming land in the project’s metaverse through an airdrop. It asked people to connect their MetaMask (or any equivalent cryptocurrency wallet) to claim the land.

However, it was just a trick to steal NFTs. The BAYC Twitter account posted a warning about it, but by that time the hackers had already siphoned off a number of NFTs.

Although tough to verify, some posts on Twitter claimed the attacker was able to steal hundreds of NFTs.

Later, a BAYC co-founder clarified that four Bored Ape, six Mutant Ape, and three Bored Ape Kennel NFTs were stolen in the phishing scam. The combined value of all of these? Well, that was estimated to be $2.4 million.

He also mentioned that the Instagram account was protected by two-factor authentication, but didn’t post details about the compromise.

The hacker’s wallet activity suggests that they’ve been moving some of the stolen NFTs around. Meanwhile, we’ve asked Yuga Labs, BAYC’s owner, if they are compensating holders for stolen assets. We’ll update the story if we hear back.

Jake Moore, Global Cyber Security Advisor at ESET, said such Instagram attacks are not new, but the value of digital assets can have big repercussions for victims:

“The world seems to be entering a very strange dynamic where NFTs are now worth [an] extortionate amount of money, but with this increase in value, there are inevitably cybercriminals lurking not too far behind.

“Instagram attacks are nothing new, but often take an element of social engineering in targeted human development in the request for codes or manipulating and intercepting messages. Unfortunately, however, this takeover has had a huge consequence and resulted in a mass robbery of digital assets.”

One of web3’s most prestigious projects has now been the target of several phishing attacks. Earlier this month, the project’s Discord was compromised.

When Yuga Labs launched ApeCoin in March, scammers took advantage of that, hacking verified Twitter profiles, and stealing assets worth nearly a million dollars from various victims.

This goes to show that cybercriminals just need to use proven methods like phishing to lure people into connecting their cryptocurrency wallets — they don’t have to use any sophisticated system to break web3 tech.

So high-value NFT projects like BAYC need to take extra steps to ensure their holders are protected. When holders fall victim to an unsolicited phishing link, the team can give generic advice like, “Don’t click on suspicious links,” but that advice falls flat when your own Instagram account is the one putting out the fake links.

Cryptocurrency investor Jordan Fish — who goes by Cobie on Twitter — suggested Yuga Labs should consider providing a custody service that would require holders to provide proof when they actually want to withdraw their NFT.

It’s important to note that if you use MetaMask or any other self-custodial wallet, the onus of security falls on you. And people who don’t want to miss out on an airdrop may overlook security at exactly those moments.

Cobie pointed out that we need to teach better practices for self-custody, as all users might not be sophisticated enough to pay attention all the time. But, of course, achieving this is far easier said than done.