On Apr. 25, a hacker took control of Bored Ape Yacht Club's (BAYC) Instagram, posted a link to a fake Yuga Labs land airdrop website, and stole more than $2 million from unsuspecting victims who connected their wallets to the site.
"Welcome to the land airdrop," the fake website reads. "You need to connect your MetaMask wallet before you can claim LAND."
The hacker's wallet address has been identified as "0x8c7934611b6ad70fbea13a1593de167a4689b9a9." It currently holds 14 total BAYC ecosystem assets worth at least 833 ETH, or roughly $2.4 million. Of those 14 NFTs, seven are Mutant Apes, three are Kennel Club companions, and four are Bored Apes.
The most recent transfer of Mutant Ape Yacht Club NFT #3491 was only 20 minutes ago as of the time of this writing.
The hack also included CloneX and 76 other NFTs (91 NFTs in total), according to zachxbt.
The NFT community justifiably questioned the project's social media security practices, but BAYC co-founder Garga insisted on Twitter that security precautions were taken.
"We have two full-time security experts," he tweeted. "And the account practices on [Instagram] were tight."
We have two full time security experts, and the account practices on IG were tight.— Garga.eth (@CryptoGarga) April 25, 2022
What happens next is unclear.
"We will be in contact with the users affected and will post a full post mortem on the attack when we can," Garga said. "For now, I would like to stress that [two-factor authentication] was enabled on the [Instagram] account."
The official Bored Ape Yacht Club Twitter spoke about the incident, explaining that the hacker used a "safeTransferFrom" transaction to transfer the NFTs to their wallet. The team has regained control over the Instagram account and is investigating the issue.
If your account was compromised, BAYC asks that you reach out to them directly via email at firstname.lastname@example.org. They will NOT email you first.
The team also made clear that Instagram will never be their first form of communication for mints and announcements.
"We will also NEVER announce mints on the BAYC or Otherside Instagram accounts first, ever," the official BAYC Twitter account reads. "Only obtain information from our official Twitter accounts. These will be crossposted on the #announcements channel of BAYC Discord."
This morning, the official BAYC Instagram account was hacked. The hacker posted a fraudulent link to a copycat of the BAYC website with a fake Airdrop, where users were prompted to sign a ‘safeTransferFrom’ transaction. This transferred their assets to the scammer's wallet.— Bored Ape Yacht Club (@BoredApeYC) April 25, 2022
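The following JavaScript is an added example, not code from BAYC, Yuga Labs, or any wallet vendor. It shows a check that a wallet-side tool can run on raw transaction calldata before signing: it decodes the ERC-721 transfer selectors, including the "safeTransferFrom" call named above, and flags any request that moves a token out of the signer's own address. The name `inspectCalldata` and the sample addresses are constructed for illustration, and the check also covers plain `transferFrom`, which goes beyond the case described in the article.

```javascript
// Added example: classify ERC-721 transfer calldata before a wallet signs it.
// Well-known 4-byte function selectors for ERC-721 transfers.
const SELECTORS = {
  "42842e0e": "safeTransferFrom(address,address,uint256)",
  "b88d4fde": "safeTransferFrom(address,address,uint256,bytes)",
  "23b872dd": "transferFrom(address,address,uint256)",
};

// Return the n-th 32-byte ABI word that follows the 4-byte selector.
function word(hex, n) {
  return hex.slice(8 + 64 * n, 8 + 64 * (n + 1));
}

// inspectCalldata is a hypothetical helper name, not a real wallet API.
function inspectCalldata(calldata, ownAddress) {
  const hex = calldata.toLowerCase().replace(/^0x/, "");
  if (!/^[0-9a-f]*$/.test(hex) || hex.length < 8) {
    return { risk: "unknown", reason: "not valid calldata" };
  }
  const signature = SELECTORS[hex.slice(0, 8)];
  if (!signature) {
    return { risk: "unknown", reason: "selector is not an ERC-721 transfer" };
  }
  if (hex.length < 8 + 64 * 3) {
    return { risk: "unknown", reason: "truncated arguments" };
  }
  // Addresses occupy the low 20 bytes of their 32-byte word.
  const from = "0x" + word(hex, 0).slice(24);
  const to = "0x" + word(hex, 1).slice(24);
  const tokenId = BigInt("0x" + word(hex, 2)).toString();
  const own = ownAddress.toLowerCase();
  // A transfer out of the signer's address to someone else gives the asset away.
  const risk = from === own && to !== own ? "high" : "review";
  return { risk, signature, from, to, tokenId };
}

// Constructed sample input: placeholder addresses and token id, not real data.
const OWNER = "0x" + "11".repeat(20);
const RECIPIENT = "0x" + "22".repeat(20);
const pad = (h) => h.replace(/^0x/, "").padStart(64, "0");
const SAMPLE = "0x42842e0e" + pad(OWNER) + pad(RECIPIENT) + pad((1234).toString(16));

console.log(inspectCalldata(SAMPLE, OWNER));
```

A "claim" or "airdrop" page has no reason to request a transfer out of the visitor's wallet, so a `high` result on such a site is grounds to reject the request.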
This concerning hack comes during the height of anticipation for Yuga Labs's upcoming land sale for its newly announced metaverse, The Otherside. And it serves as a reminder to always be wary of suspicious links and FOMO-driven mints and purchases.
This is a developing story. Lucky Trader will update as information is released.