Another day, another crypto scam. This time, however, the targets were the US$5 billion-valued Bored Ape Yacht Club (BAYC) and holders of its NFT apes. A hacker has stolen 91 NFTs worth at least $2.8 million through a phishing attack targeting Bored Ape Yacht Club owners today. It was carried out through the official Bored Ape Instagram account.
On Monday, the Bored Ape Yacht Club’s official Twitter account announced that the company’s Instagram account was hacked. “There is no mint going on today. It looks like BAYC Instagram was hacked. Do not mint anything, click links, or link your wallet to anything,” tweeted Bored Ape Yacht Club.
However, the warning seems to have come too late. Whoever hacked the BAYC Instagram had quickly used the access to their advantage. The BAYC Instagram shared a link directing Bored Ape investors to a site where they could ostensibly connect their crypto wallet and collect an exclusive freebie for BAYC holders only.
When the Instagram account was accessed, it was used to post a fake update claiming there was a LAND airdrop and that users had to connect their wallets to claim it. This took advantage of the Bored Ape roadmap, which includes a metaverse game that will contain virtual land. When users connected their wallets — and likely approved a transaction — the website stole their NFTs.
According to blockchain data, the hacker’s wallet — which has been identified with this phishing attack — holds 91 NFTs. According to data from Zerion, the NFTs are worth at least $2.8 million based on the floor prices of the respective collections.
In reality, that link sucked their ape-NFT-holding-wallets dry. According to Web3 Is Going Great creator Molly White, approximately 44 people fell for the scam, resulting in 133 NFTs being stolen from their owners.
Among the stolen items are four Bored Apes, six Mutant Apes and three Bored Ape Kennel Club NFTs (the latter two being official derivative projects). The hacker also stole one CloneX and items from other up-and-coming collections like EightBit, Alien Fren, and Toxic Skull Club among others.
“We will be in contact with the users affected and will post a full post mortem on the attack when we can. For now I would like to stress that 2FA was enabled on the account,” tweeted Bored Ape co-founder Garga.
It appears that the thief is already selling the stolen non-fungible tokens on the NFT aftermarket as well. According to Molly White, 23 of the stolen NFTs have sold so far for a total of around US$2.4 million.
Despite reports and tweets that there were more than 50 Bored Apes and Mutant Apes stolen, Garga said that it was just 10.
Today’s incident is the latest high-profile NFT theft to occur following the hacking of a BAYC-related platform. Earlier in April, Bored Ape’s Discord server was hacked and a similar phishing attempt was made, but the hacker only succeeded in stealing one Mutant Ape. Many Bored Ape holders have also lost their NFTs due to a variety of other phishing attacks and NFT marketplace issues.