Yuga Labs, the multibillion-dollar collective behind the infamous Bored Ape Yacht Club non-fungible tokens, has been targeted by another hacking attack, leading to the theft of millions of dollars worth of the simian NFTs.
BAYC’s series of algorithmically generated cartoon ape profile pictures is one of the best-known collections of NFTs – a digital asset or artwork whose ownership is stored on a blockchain, a decentralised ledger of transactions like those used by cryptocurrencies.
The attacker seized control of the BAYC Instagram account and sent a phishing post that many followers were fooled into clicking on, connecting their crypto wallets to the hacker’s “smart contract” – a mechanism for implementing a crypto transaction. That enabled the attacker to steal the assets held in the wallets, seizing control of four Bored Apes, as well as a host of other NFTs with an estimated total value of $3m.
“Instagram attacks are nothing new but often take an element of social engineering,” said Jake Moore, global cybersecurity adviser at the security firm ESET. “Unfortunately, however, this takeover has had a huge consequence and resulted in a mass robbery of digital assets. Similar to when physical art is stolen, there will be questions over how they would now be able to sell on these assets, but the problems in NFTs still prevail and users must remain extremely cautious of this still very new technology.”
As one of the most prominent NFT collections, with celebrity owners including Eminem, Gwyneth Paltrow and Madonna, BAYC holders are often targeted for attacks, with greater or lesser technical significance.
In early April, for instance, one pseudonymous owner, “s27”, lost a $500,000 ape collection after being tricked into swapping it for, effectively, counterfeits: the scammer created new NFTs that were visually identical to BAYC pictures except they had a green tick over them – mimicking the “verified” icon of the platform used for the trade.
In December, another Ape holder, the New York art dealer Todd Kramer, disclosed his own $2.2m loss with the tweet, “I been hacked. All my apes gone. This just sold please help me.” Kramer, who had fallen prey to a similar phishing scam, managed to recover a portion of his stolen Apes with the help of the NFT trading platform OpenSea – but not before the phrase “all my apes gone” was widely mocked online among those who doubt the substance of the NFT fad.
The BAYC creators said in a statement: “Yuga Labs and Instagram are currently investigating how the hacker was able to gain access to the account. Two-factor authentication was enabled and the security practices surrounding the IG account were tight.”
Hacking and theft are rife in the crypto sector. Transactions are irreversible once made, and it can take a high degree of skill to read the contents of a smart contract and determine whether it is malicious or valid before giving it access to an account. Last week, a “stablecoin” project called Beanstalk lost $180m to a “governance” attack, where the attacker used an instant loan to buy control of the project, transfer its reserves to their account, and then repay the loan in just 13 seconds.
And earlier this month, a North Korean hacking outfit named Lazarus stole more than half a billion dollars-worth of crypto tokens from the video game Axie Infinity. Despite the hack being recorded on the blockchain, which keeps all transactions public, the state-sponsored hackers appear to have successfully laundered nearly $100m of the stolen funds already, largely by using a decentralised money-laundering service called Tornado Cash.