The Instagram page of Bored Ape Yacht Club (BAYC) was hacked on Monday, leading to several users falling victim to a phishing scam. The company revealed the hack via an official tweet and warned its followers not to click on links posted by its Instagram account, mint new tokens, or give away their seed phrase.
Specifically, the compromised account sent its followers a fraudulent link for a fake airdrop, which led to a copycat website offering free land in Otherside, BAYC’s upcoming metaverse. From there, unsuspecting users were prompted to click a link that asked them to sign a safeTransferFrom transaction from their connected MetaMask wallet, transferring the victims’ assets to the scammer’s wallet.
This morning, the official BAYC Instagram account was hacked. The hacker posted a fraudulent link to a copycat of the BAYC website with a fake Airdrop, where users were prompted to sign a ‘safeTransferFrom’ transaction. This transferred their assets to the scammer's wallet.
— Bored Ape Yacht Club (@BoredApeYC) April 25, 2022
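The signing prompt described above is the point where a wallet-side check can intervene. The following is an added example, not code from BAYC, MetaMask or the article: it decodes a pending transaction's calldata and flags calls that move a token out of the signer's wallet or hand an operator control of a collection. The function names, addresses and token id are assumptions constructed for illustration; the 4-byte selectors are the standard ERC-721/ERC-1155 ones.

```javascript
// Added example: pre-signing check for NFT transfer/approval calldata.
const SELECTORS = {
  "0x42842e0e": { name: "safeTransferFrom(address,address,uint256)", kind: "transfer" },
  "0xb88d4fde": { name: "safeTransferFrom(address,address,uint256,bytes)", kind: "transfer" },
  "0xf242432a": { name: "safeTransferFrom(address,address,uint256,uint256,bytes)", kind: "transfer" },
  "0x23b872dd": { name: "transferFrom(address,address,uint256)", kind: "transfer" },
  "0xa22cb465": { name: "setApprovalForAll(address,bool)", kind: "approval" },
};
// Read the n-th 32-byte ABI word of the argument section (hex, no 0x).
function word(args, n) {
  const w = args.slice(n * 64, (n + 1) * 64);
  if (w.length !== 64) throw new Error("calldata truncated");
  return w;
}
const asAddress = (w) => "0x" + w.slice(24);

// Inspect a transaction request before it is signed.
// `signer` is the wallet's own address; `tx` carries `to` (contract) and `data`.
function inspectTx(tx, signer) {
  const data = (tx.data || "0x").toLowerCase();
  const sel = SELECTORS[data.slice(0, 10)];
  if (!sel) return { risk: "unknown", reason: "selector not in table" };
  const args = data.slice(10);
  const me = signer.toLowerCase();
  if (sel.kind === "approval") {
    const operator = asAddress(word(args, 0));
    const approved = BigInt("0x" + word(args, 1)) !== 0n;
    return approved
      ? { risk: "high", reason: `grants ${operator} control of every token in ${tx.to}` }
      : { risk: "low", reason: `revokes operator ${operator}` };
  }
  const from = asAddress(word(args, 0));
  const to = asAddress(word(args, 1));
  const tokenId = BigInt("0x" + word(args, 2)).toString();
  if (from === me && to !== me)
    return { risk: "high", reason: `${sel.name} moves token ${tokenId} from your wallet to ${to}` };
  return { risk: "low", reason: `${sel.name} does not move a token out of your wallet` };
}

// Constructed sample input: addresses, contract and token id are made up.
const pad = (h) => h.replace(/^0x/, "").padStart(64, "0");
const SIGNER = "0x" + "aa".repeat(20);
const OTHER = "0x" + "bb".repeat(20);
const SAMPLE_TX = {
  to: "0x" + "cc".repeat(20),
  data: "0x42842e0e" + pad(SIGNER) + pad(OTHER) + pad((1234).toString(16)),
};
console.log(inspectTx(SAMPLE_TX, SIGNER));
```

A "high" result on a site that claims to be giving something away is the mismatch to act on: a genuine airdrop has no reason to ask for an outbound transfer or a collection-wide approval.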
According to an estimate from CoinDesk, the hacker got away with a haul of 54 Bored Ape and Mutant Ape NFTs worth about US$13.7 million (~RM59.5 million). Meanwhile, a separate discovery by crypto scam researcher zachxbt found that a total of 91 NFTs had been transferred to the scammer’s account.
Damn the BAYC Instagram hacker stole 4 BAYC, 7 MAYC, 3 BAKC, 1 CloneX, & more (91 NFTs in total)
— zachxbt (@zachxbt) April 25, 2022
NFT phishing scams aren’t anything new, but this is one of the biggest attacks this year directly involving users. Back in February, 32 OpenSea users lost several Bored Ape Yacht Club and other NFTs valued at 641 Ethereum (~RM7.3 million) to a phishing attack, which now seems small in comparison to this latest crypto caper.