A hacker took control of the Instagram account of the NFT platform, Bored Ape Yacht Club (BAYC) on Monday, April 25. The hacker stole NFTs worth approximately 765 ether through a phishing link posted on the BAYC official Instagram account.
According to an update from Peckshield Alert, the hacker sold 23 of the stolen NFTs, making a profit of $2.4 million. The report shows that the hacker also sent a donation of 1.6 ETH in support of the Ukrainian military. They then proceeded to send more of the realized funds to centralized exchanges.
A day after the exploit (April 26), the hacker has moved 65% of the funds from their Ronin wallet. 22% of the stolen funds which is approximately 39,700 ETH had been laundered through Tornadocash while 41% has been moved to new wallets.
#PeckShieldAlert #phishing ~765.3 $ETH & ~91 NFTs were stolen in BAYC Instagram exploit. Exploiters already sold ~23 NFTs (including 4 $BAYC, 6 $MAYC, 2 $CloneX) and gained ~$2.4m. They donated ~1.6 $ETH to Ukraine Crypto Donation and began transferring stolen $ETH to CEXs. https://t.co/TOeg4wg36i pic.twitter.com/57ULC7luDc
— PeckShieldAlert (@PeckShieldAlert) April 26, 2022
A Phishing Link
An April 25 post by the BAYC team stated that the platform’s official Instagram account was hacked. According to the release, the hacker posted a phishing link that promoted an airdrop which some users fell for. Apparently, the link led users to a phishing site that imitated the original BAYC website. In a twitter post, the platform stated that those that clicked on the phishing link were led to the site and prompted to sign a ‘safeTransferFrom’ transaction, and consequently lost their NFTs to the hacker.
Hacked Despite 2FA
The BAYC team reported that they attempted to warn users when they discovered that the social media account had been hacked. They also attempted to recover the Instagram account which was backed by a 2FA. The team said that they’re investigating how the hacker gained access to the account which was operated by the company using best practices.
If you were affected by the hack or have information that might be helpful, reach out to firstname.lastname@example.org. You need to contact us first – anybody contacting you first is not us. We will NOT reach out to anyone over email first, and we will NEVER ask for your seed phrase.
— Bored Ape Yacht Club (@BoredApeYC) April 25, 2022
According to an update, customers who lost their tokens through the compromised Instagram account that resulted in the phishing scam to reach out to the team. They maintained that they wouldn’t be reaching out first to those that lost their NFTs first. The release also stated that the team will not announce subsequent minting via its Instagram channel but via Twitter.