A hacker has stolen NFTs worth millions of dollars after compromising the official Instagram account for Bored Ape Yacht Club (BAYC) and using it to post a phishing link that transferred tokens out of users’ crypto wallets.
The hack was disclosed on Twitter by BAYC just before 10AM ET on Monday morning. “There is no mint going on today,” the Tweet read. “It looks like BAYC Instagram was hacked.”
Another tweet from a user unaffiliated with the project claimed to show the image that had been posted from the BAYC account, promoting an “airdrop” — essentially a free token giveaway — for any users who connected their MetaMask wallets.
Unfortunately, BAYC’s warning came too late for a number of holders of the extremely expensive Bored Ape NFTs, along with many other valuable NFTs stolen in the hack. A screenshot posted by one Twitter user showed an OpenSea page for the hacker’s account receiving more than a dozen NFTs from the Bored Ape, Mutant Ape, and Bored Ape Kennel Club projects — all presumably taken from users who connected their wallets after clicking on the phishing link.
The profile page tied to the hacker’s wallet address was no longer visible on OpenSea at time of publication. OpenSea head of communications Allie Mack confirmed to The Verge that the hacker’s account had been banned on the platform, as OpenSea’s terms of service prohibited fraudulently obtaining items or otherwise taking them without authorization.
But given the decentralized nature of NFT, the contents of the hacker’s wallet can still be viewed on other platforms. Seen through NFT platform Rarible, the wallet contained 134 NFTs, among them four Bored Apes and many others items from projects made by Yuga Labs — the creators of BAYC — such as Mutant Apes and Bored Ape Kennel Club.
Independently, each of the stolen Apes is worth well into six figures based on the most recent sale price. The lowest priced Ape, #7203, last sold four months ago for 47.9 ETH — equivalent to $138,000 at current exchange price. Ape #6778 was last sold for 88.88 ETH ($256,200), while Ape #6178 sold for 90 ETH or $259,400. And Bored Ape #6623 was the most valuable of all, sold three months ago for 123 ETH ($354,500) — meaning that collectively the total value of the four stolen Apes is just over $1 million.
It is not known yet how the hacker was able to compromise the project’s Instagram account. In a statement sent to The Verge by email and also posted on Twitter, Yuga Labs said that two-factor authentication was enabled at the time of the attack and that the security of the Instagram account followed best practices. Yuga Labs also said that the team was actively working to establish contact with affected users.
Though NFTs can be bought and sold for huge sums of money, they are often held in smartphone wallets rather than more secure environments because the popular decentralized crypto wallet application MetaMask only supports NFT display on mobile. It also encourages users to manage NFTs through the smartphone app rather than the browser-based extension. This means that the use of Instagram to deliver a phishing link is an effective way to steal NFTs, as the phishing link is more likely to be interacted with from a mobile wallet.
While security advice in the crypto space suggests NFT holders never connect their wallet to an unknown or untrusted third party, the fact that the phishing link was sent through the official BAYC social media account likely convinced the victims that it was legitimate, raising difficult questions about where exactly the fault lies.
Yuga Labs did not respond to an email from The Verge asking whether victims of the hack would be compensated by the project for their losses.