The Instagram account of the popular Bored Ape Yacht Club (BAYC) collection of NFTs was hacked on Monday and the attackers managed to steal 91 NFTs from unsuspecting users through a phishing attack.
More precisely, the hacker sent followers a fraudulent “mint” (token minting) link. Anyone who connected their wallet, thinking they were participating in a BAYC airdrop, had their NFTs stolen instead.
The link in question has been identified as a landing page for minting NFT land for the Otherside project, from the BAYC collection, which will be released this week.
According to the decentralized finance (DeFi) investigator known as zachxbt, the hackers stole 4 BAYC, 7 Mutant Ape Yacht Club (MAYC), 3 BAKC, 1 CloneX and dozens of other NFTs.
Damn the BAYC Instagram hacker stole 4 BAYC, 7 MAYC, 3 BAKC, 1 CloneX, & more (91 NFTs in total)
— zachxbt (@zachxbt) April 25, 2022
A spokesperson for Yuga Labs, which is responsible for BAYC, said the losses are estimated at a total value of approximately $3 million.
“We are actively working to establish contact with affected users,” the spokesperson told CoinDesk.
Even so, some projections indicate that the hack resulted in losses in excess of $13.7 million.
NFT theft via Instagram
The project’s official account confirmed the hack on Twitter and detailed how it all came about:
“This morning, the official BAYC Instagram account was hacked. The hacker posted a fraudulent link to a copycat of the BAYC website with a fake Airdrop, where users were prompted to sign a ‘safeTransferFrom’ transaction. This transferred their assets to the scammer’s wallet.”
According to the BAYC team, immediately after discovering the hack, the community was alerted and the malicious links removed.
Control of the account was then regained, but at least 91 non-fungible tokens had been stolen.
“We are investigating how the hacker gained access with the Instagram team,” said the BAYC team. “If you were affected by the hack or have information that might be helpful, please contact [email protected] (…) We will NOT contact anyone via email first and will NEVER ask for their opening sentence,” they concluded.
It is worth noting that this is not the first time that a hack of this type has happened with BAYC. In early April, Bored Ape’s Discord server was also hacked and a similar phishing attempt was made, but the hacker only managed to steal a Mutant Ape.
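The BAYC statement quoted above says victims were prompted to sign a ‘safeTransferFrom’ transaction. As an added example (not from the original article or from Yuga Labs), the JavaScript below shows a pre-signing check a wallet or browser extension could apply: it decodes the pending call data and flags any ERC-721 safeTransferFrom that moves a token out of the user's own wallet, which a genuine mint page has no reason to request. The function names and sample addresses are constructed for illustration; the two selectors are the standard ERC-721 safeTransferFrom overloads.

```javascript
// ERC-721 selectors: first 4 bytes of keccak256 of the function signature.
const TRANSFER_SELECTORS = {
  "0x42842e0e": "safeTransferFrom(address,address,uint256)",
  "0xb88d4fde": "safeTransferFrom(address,address,uint256,bytes)",
};

// Return the 32-byte ABI word at `index` of the hex-encoded arguments.
function word(argsHex, index) {
  const w = argsHex.slice(index * 64, (index + 1) * 64);
  if (!/^[0-9a-f]{64}$/.test(w)) throw new Error("truncated or non-hex calldata");
  return w;
}

// An ABI-encoded address is a 20-byte value left-padded with 12 zero bytes.
function addressFrom(w) {
  if (!w.startsWith("0".repeat(24))) throw new Error("malformed address word");
  return "0x" + w.slice(24);
}

// Inspect a pending transaction {to, data} before the user signs it.
// `wallet` is the user's own address. Flags calls that move a token away from it.
function inspectPendingTx(tx, wallet) {
  const data = String(tx.data || "").toLowerCase();
  const signature = TRANSFER_SELECTORS[data.slice(0, 10)];
  if (!signature) return { risky: false, reason: "not an ERC-721 safeTransferFrom call" };
  const args = data.slice(10);
  const from = addressFrom(word(args, 0));
  const to = addressFrom(word(args, 1));
  const tokenId = BigInt("0x" + word(args, 2)).toString();
  const me = wallet.toLowerCase();
  const risky = from === me && to !== me;
  const reason = risky
    ? `token ${tokenId} of ${tx.to} would leave your wallet for ${to}`
    : "transfer does not move a token out of this wallet";
  return { risky, reason, signature, from, to, tokenId };
}

// Constructed sample values (not taken from the incident).
const WALLET = "0x" + "11".repeat(20);
const RECIPIENT = "0x" + "22".repeat(20);
const COLLECTION = "0x" + "33".repeat(20);
const pad = (hex) => hex.replace(/^0x/, "").padStart(64, "0");
const SAMPLE_TX = {
  to: COLLECTION,
  data: "0x42842e0e" + pad(WALLET) + pad(RECIPIENT) + pad((1234).toString(16)),
};

console.log(inspectPendingTx(SAMPLE_TX, WALLET));
```

Truncated call data raises an error rather than being passed as safe, so a caller should treat an exception as a reason to block the signing prompt.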