Yuga Labs, the multibillion-dollar collective behind the infamous Bored Ape Yacht Club non-fungible tokens, has been targeted by another hacking attack, leading to the theft of millions of dollars' worth of the simian NFTs.
BAYC’s series of algorithmically generated cartoon ape profile pictures is one of the best-known collections of NFTs, digital assets or artworks whose ownership is recorded on a blockchain, a decentralized ledger of transactions like those used by cryptocurrencies.
About the hackers
The attacker seized control of the BAYC Instagram account and sent a phishing post that many followers were fooled into clicking on, connecting their crypto wallets to the hacker’s “smart contract,” a mechanism for implementing a crypto transaction. That enabled the attacker to steal the assets held in the wallets, seizing control of four Bored Apes, as well as a host of other NFTs with an estimated total value of $3m.
The hackers reportedly stole over $257,000 in Ethereum and thirty-two NFTs after Yuga Labs’ Bored Ape Yacht Club and Otherside Metaverse Discord servers were compromised following the phishing scam. Some users were duped into believing that if they clicked the link, they would be able to mint a new feature for their NFTs. Instead, it allowed the hacker to access and steal their Ethereum assets.
The digital sleuth known as ZachXBT examined the addresses that interacted with the phishing site and estimated that about $3 million worth of NFTs were stolen, with the bulk of it, $2.4 million, coming from just a handful of rare NFTs.
In early April 2022, for instance, one pseudonymous owner, “s27”, lost a $500,000 ape collection after being tricked into swapping it for, effectively, counterfeits: the scammer created new NFTs that were visually identical to BAYC pictures except they had a green tick over them, mimicking the “verified” icon of the platform used for the trade.
Thieves had hacked Kramer’s digital wallet and made off with at least 15 artworks, including five from the high-profile Bored Ape Yacht Club collection, worth an estimated $2.2 million. The works were reportedly stolen from Kramer’s “hot wallet,” a tool that is continually connected to the internet, as opposed to the more secure, physical “cold wallet,” which must be plugged in to connect to the web. With the help of community members and online activists, Kramer managed to recover some of the works.
Hacking and theft are rife in the crypto sector. Transactions are irreversible once made, and it can take a high degree of skill to read the contents of a smart contract and determine whether it is malicious or valid before giving it access to an account. Last week, a “stablecoin” project called Beanstalk lost $180m to a “governance” attack, where the attacker used an instant loan to buy control of the project, transfer its reserves to their account, and then repay the loan in just 13 seconds.