A hacker managed to steal 91 non-fungible tokens (NFTs) from the Bored Ape Yacht Club collection. The loot is estimated to be worth around $3 million. To trick investors, the attacker took control of the project’s official Instagram account by bypassing the social network’s two-factor authentication.
The official Instagram account of the Bored Ape Yacht Club was hacked
Bored Ape Yacht Club (BAYC), one of the most popular non-fungible token (NFT) collections on the market, has just been the victim of a large-scale hack. In a thread posted on Twitter this Monday, April 25, 2022, Yuga Labs, the company behind the project, explains how an attacker managed to steal a total of 133 NFTs, including several monkeys from the Bored Ape collection.
The hacker behind the attack first took control of the project’s official Instagram account. In a second step, “the hacker posted a fraudulent link to a copy of the BAYC website with a fake Airdrop.”
The attacker promised to offer virtual land in the metaverse to Internet users. To allay his targets’ suspicions, the hacker relied on the real roadmap revealed by Yuga Labs. The creators of Bored Ape are planning to sell 200,000 plots of land in a new virtual world called MetaRPG.
The link encouraged Internet users to connect their Metamask digital wallet and validate a transaction. By signing the transaction, the victims gave the hacker permission to take their non-fungible tokens. The stolen NFTs were transferred to the scammer’s wallet.
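As an added illustration (not part of the article, and not code from Yuga Labs, MetaMask or Instagram), here is the kind of check a wallet or browser extension can run before asking the user to sign: it decodes the transaction calldata and flags the standard ERC-721 calls that hand control of tokens to another address, which is what the victims of this campaign authorised when they approved the transaction on the cloned site. The function selectors are the standard ERC-721 ones; the operator address in the sample calldata is a constructed placeholder.

```python
# Added example, not from the article: decode the calldata of a transaction the
# user is about to sign and flag ERC-721 calls that let another address move the
# user's tokens. Standard ERC-721 selectors (first 4 bytes of keccak256 of the
# signature) are hard-coded so the script runs without a keccak dependency.
from dataclasses import dataclass
from typing import Optional

SELECTORS = {
    "a22cb465": "setApprovalForAll(address,bool)",
    "095ea7b3": "approve(address,uint256)",
    "23b872dd": "transferFrom(address,address,uint256)",
    "42842e0e": "safeTransferFrom(address,address,uint256)",
}

# Constructed placeholder for the address the phishing page asks the victim to approve.
PLACEHOLDER_OPERATOR = "0x" + "42" * 20

# Constructed calldata for setApprovalForAll(PLACEHOLDER_OPERATOR, true):
# selector + 32-byte ABI word for the address + 32-byte ABI word for the bool.
SAMPLE_APPROVAL_CALLDATA = "0x" + "a22cb465" + "00" * 12 + "42" * 20 + "00" * 31 + "01"


@dataclass
class Verdict:
    function: Optional[str]
    grants_control: bool      # True if signing lets another address move the tokens
    counterparty: Optional[str]
    reason: str


def _word(data: bytes, i: int) -> bytes:
    """Return the i-th 32-byte ABI word following the 4-byte selector."""
    start = 4 + 32 * i
    return data[start:start + 32]


def _address(word: bytes) -> str:
    """An ABI-encoded address is left-padded to 32 bytes; the last 20 are the address."""
    return "0x" + word[-20:].hex()


def classify_calldata(calldata_hex: str) -> Verdict:
    """Decode calldata and say whether signing it hands token control to someone else."""
    if calldata_hex.startswith("0x"):
        calldata_hex = calldata_hex[2:]
    data = bytes.fromhex(calldata_hex)
    if len(data) < 4:
        return Verdict(None, False, None, "no function selector (plain value transfer)")
    selector = data[:4].hex()
    fn = SELECTORS.get(selector)
    if fn is None:
        return Verdict(None, False, None, f"unknown selector 0x{selector}; inspect manually")
    nargs = fn.count(",") + 1
    if len(data) < 4 + 32 * nargs:
        return Verdict(fn, True, None, "malformed calldata; treat as unsafe")
    if fn.startswith("setApprovalForAll"):
        operator = _address(_word(data, 0))
        approved = int.from_bytes(_word(data, 1), "big") != 0
        if approved:
            return Verdict(fn, True, operator,
                           f"grants {operator} the right to move EVERY token in this collection")
        return Verdict(fn, False, operator, f"revokes blanket approval for {operator}")
    if fn.startswith("approve"):
        spender = _address(_word(data, 0))
        token_id = int.from_bytes(_word(data, 1), "big")
        return Verdict(fn, True, spender, f"lets {spender} move token #{token_id}")
    # transferFrom / safeTransferFrom: the token leaves the wallet immediately.
    recipient = _address(_word(data, 1))
    token_id = int.from_bytes(_word(data, 2), "big")
    return Verdict(fn, True, recipient, f"transfers token #{token_id} to {recipient} right now")


if __name__ == "__main__":
    verdict = classify_calldata(SAMPLE_APPROVAL_CALLDATA)
    print(verdict.function, "->", verdict.reason)
```

The blanket `setApprovalForAll(..., true)` case is the one a wallet should surface most loudly: a single signature on a page that looks like an official airdrop is enough to let the approved address drain the whole collection later, without any further prompt.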
Among the NFTs stolen in the hack were four Bored Apes, six Mutant Apes, one CloneX and three Bored Ape Kennel Club NFTs. The value of the stolen non-fungible tokens is estimated to be around 3 million dollars, Yuga Labs announced in a statement relayed by several media, including ZDNet.
According to Molly White, software engineer in charge of the Web3 is Going Great project, 44 Internet users fell into the trap. The creators of the Bored Ape Yacht Club collection ask aggrieved users to contact them:
“If you have been affected by the hack or have information that could be useful, contact ighack@yugalabs.io. You need to contact us first, we will not initiate the contact”.
The hacker exploited a Web2 security hole
Once Yuga Labs became aware of the hack, action was taken. The startup quickly alerted its community, removed the links pointing to the Instagram account and did everything in its power to regain control of the account. The Bored Ape creators claim that two-factor authentication was enabled on the account:
“At the time of the hack, two-factor authentication was enabled […]. We have regained control of the account and are investigating how the hacker gained access.”
According to Paul Walsh, computer security expert and CEO of cybersecurity firm MetaCert, the hacker relied on “a reverse proxy phishing attack.” In a post on Medium, the expert explains that this type of attack lets the attacker capture both the credentials, such as username and password, and the authentication code sent by Instagram via email or SMS. He states:
“I suspect that this is what happened to a member of the Bored Ape Yacht Club team. This attack is impossible to prevent because traditional network, cloud and endpoint security relies on the impossible task of detecting millions of new malicious URLs created by criminals every month.”
In effect, the hacker exploited a security hole in the Web2 infrastructure to take over Web3 digital assets. Blockchain and NFT technology are not responsible for the theft of digital assets. In this case, the breach has nothing to do with Web3.
It is not uncommon for Web2 services to put Web3 users at risk. At the beginning of April, the Discord server of the Bored Ape Yacht Club was hacked. The attacker deployed a phishing link before Yuga Labs took over the server. Only one NFT was stolen in the operation.