Now, who would have thought, right? While many BAYC collectors are still recovering from the latest OpenSea hack, the weekend attack on the NFT collectible Bored Ape Yacht Club’s servers resulted in a loss of another 200 ETH – approximately $360,000.
According to the latest data from blockchain security firm PeckShield, the scam led to the theft of 2 Mutant Ape NFTs and 1 sought-after BAYC.
How did BAYC get hacked again?
This is the second time in less than two months that the Bored Ape Yacht Club NFTs have been stolen. The attacker was able to steal the NFTs by abusing the CAPTCHA bot that Yuga Labs uses to prevent spammers on its platform.
In a Twitter post, Bored Ape Yacht Club (BAYC) announced that its Discord servers were hacked using a phishing technique.
The attack started when Boris Vagner, a community manager at Yuga Labs, the company that created the famous Bored Ape Yacht Club NFTs, had his Discord account broken into.
Once inside Vagner’s account, the hacker impersonated him and ran a phishing scam against Bored Ape collectors, convincing them to click a malicious link and send their NFTs over.
Yuga Labs is still investigating the attack and has issued a warning to potential users about the contents of the phishing messages: “We do not offer surprise gifts or mints.”
Concerns over the security breach
A number of people are now asking how the attackers were able to break into Discord, raising security concerns. In this case, the attackers were likely able to bypass security by stealing a Discord ID token from a targeted victim, here Boris Vagner, even though he was using two-factor authentication.
The only other way the hack could have been possible is if Vagner’s Discord ID token, which was used to log in numerous times without authenticating the user’s identity, was compromised or stolen off his computer.
As NFTs become a cultural phenomenon, the creators behind them constantly remind users to double-check any links before clicking on them, even if they come from a verified account. As hacks like these become more common, it is crucial to follow all safety guidelines to protect your assets and to never connect your wallet without being 100% sure that the source is safe and sound.