Bored Ape Yacht Club (BAYC) has reportedly been compromised for the third time this year, with a hacker able “to steal and sell NFTs, making away with 142 ETH, equivalent to over $250,000.”
The hacker conducted a phishing attack, “whereby they shared a fake phishing site that impersonated the official BAYC site,” the CertiK team noted in an update shared with CI.
This malicious site then “claimed that BAYC, MAYC and OthersideMeta holders were able to claim a free NFT,” the CertiK team wrote.
They added:
“Shockingly, the fake site was shared over the official BAYC Discord after a community manager’s account was compromised. CertiK analysis reveals that this community manager’s account, @BorisVagner (“BorisVagner | SBS” on Discord), posted a message to BAYC’s Discord server with a phishing link that led to the fake site.”
This, they added, “granted the scam the appearance of authenticity and made it easier to dupe the NFT holders.”
After selling off the stolen NFTs, the hacker then “moved the funds to the obfuscation platform Tornado Cash, making it impossible to trace the flow of funds and connect them to the hacker’s identity.”
This attack “marks the third time the BAYC social media servers have been compromised this year.”
On April 1st a hacker was able “to access the BAYC discord server, causing BAYC to issue a warning to its community.”
Then, later in the same month, on April 25th, BAYC was “hit with another phishing attack on its Instagram account, this time leading to the theft of 91 NFTs, equivalent to $1,345,472.34.”
Whilst many crypto and NFT users are aware of such phishing attacks, “by releasing fraudulent giveaways over official social media accounts, hackers can be far more convincing.”
In this case, “the promise of free NFTs and the appearance of legitimacy were too enticing for the victims.”
Whilst all projects have a responsibility to their communities to keep their social media platforms secure, NFT holders “should also be highly suspicious of anyone claiming to offer free assets, as these can often be phishing attacks.”
The CertiK team further noted that “in the case of the June 4th attack, the malicious site had some small differences.”
They added:
“Firstly, there were no links to social media sites on the phishing site. There was also an added tab titled ‘claim free land’ that specifically targeted popular NFT projects. Whilst subtle, these differences should alert any user to the malicious activity. At the very least, users engaging with such giveaways should always make an effort to confirm the legitimacy of the site, by comparing it with a known and confirmed site, and looking for any discrepancies.”
In a comprehensive report shared with CI, the CertiK team revealed:
“On 04 June 2022, Bored Ape Yacht Club (BAYC) was compromised for the second time this year, with the hacker specifically targeting BAYC, MAYC and OthersideMeta holders. In total, 32 NFTs were stolen from a variety of projects which included 2 MAYC, 1 BAYC, 1 BAKC and 5 Otherdeed. Overall, ~142 ETH was deposited to Tornado Cash through associated EOAs.”
The phishing site posted on the BAYC Discord was “a carbon copy of the official projects website, yet with subtle differences.”
Firstly, there were “no links to social media accounts on the phishing site.”
There was also “an added tab titled ‘claim free land’ that specifically advertised to holders of popular NFT projects.”
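The site comparison CertiK recommends (checking a suspect page against the known, confirmed site for the two discrepancies it listed: missing social-media links and an added navigation tab) can be automated. The following is an added example, not code from CertiK or the article; it uses only the Python standard library, and the social-host list and sample markup are assumptions constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Social hosts whose absence from a lookalike page counts as a discrepancy
# (assumed list; the report names no specific hosts).
SOCIAL_HOSTS = {"twitter.com", "discord.gg", "instagram.com"}

class _LinkTabCollector(HTMLParser):
    """Collects outbound link hosts and <nav> tab labels from one HTML page."""
    def __init__(self):
        super().__init__()
        self.hosts, self.tabs = set(), set()
        self._nav_depth, self._buf = 0, None  # _buf is a list while inside a nav link
    def handle_starttag(self, tag, attrs):
        if tag == "nav":
            self._nav_depth += 1
        elif tag == "a":
            host = urlparse(dict(attrs).get("href") or "").netloc.lower()
            if host:
                self.hosts.add(host[4:] if host.startswith("www.") else host)
            if self._nav_depth:
                self._buf = []
    def handle_endtag(self, tag):
        if tag == "nav":
            self._nav_depth -= 1
        elif tag == "a" and self._buf is not None:
            # Normalise whitespace and case so "Claim Free Land" == "claim free land"
            self.tabs.add(" ".join("".join(self._buf).split()).lower())
            self._buf = None
    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

def compare_sites(known_html, suspect_html):
    """Diff a suspect lookalike against the known, confirmed site."""
    known, suspect = _LinkTabCollector(), _LinkTabCollector()
    known.feed(known_html)
    suspect.feed(suspect_html)
    return {
        "missing_social_links": sorted((known.hosts & SOCIAL_HOSTS) - suspect.hosts),
        "added_tabs": sorted(suspect.tabs - known.tabs),
    }

# Constructed sample markup, not the real BAYC or phishing page.
KNOWN_SITE = """<nav><a href="/">Home</a><a href="/gallery">Gallery</a></nav>
<footer><a href="https://twitter.com/x">Twitter</a><a href="https://discord.gg/x">Discord</a></footer>"""
SUSPECT_SITE = """<nav><a href="/">Home</a><a href="/gallery">Gallery</a>
<a href="/claim">Claim Free Land</a></nav><footer></footer>"""

if __name__ == "__main__":
    print(compare_sites(KNOWN_SITE, SUSPECT_SITE))
```

Any non-empty entry in the result is a discrepancy that should prompt the user to stop and verify the site through a known channel before connecting a wallet.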
You may access the full incident report here.