Hackers made away with about $3 million worth of some of the world's most popular nonfungible tokens after gaining access to the Instagram account belonging to the Bored Ape Yacht Club (BAYC) collection.
Once in, the hackers uploaded a post that linked to a cloned version of BAYC's official website and included an offer of free crypto tokens. Anyone who tried to claim the free tokens by authenticating and connecting their digital wallets to the fraudulent site instead gave the hackers free rein to access and transfer their NFTs and other cryptoassets.
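The article does not say which transaction the victims signed on the cloned site. A wallet-connect phishing page typically gets "free rein" over a collection by asking the victim to sign a token approval, so a useful defender-side check is to inspect the calldata a site proposes before the wallet signs it. The following Python example is added here and is not from the article or from Yuga Labs; it decodes the two standard ERC-721 approval calls and flags a collection-wide approval to an operator that is not on a caller-supplied allowlist. The function selectors are the real ones for `setApprovalForAll(address,bool)` and `approve(address,uint256)`; the operator address, the allowlist and the sample calldata are constructed for the example.

```python
from dataclasses import dataclass

# First four bytes of keccak256 of the ERC-721 function signatures.
SET_APPROVAL_FOR_ALL = "a22cb465"  # setApprovalForAll(address,bool)
APPROVE = "095ea7b3"               # approve(address,uint256)


@dataclass
class Finding:
    selector: str
    operator: str   # address that would receive transfer rights ("" if none)
    risk: str       # "info", "low", "medium" or "high"
    reason: str


def _word(data: bytes, index: int) -> bytes:
    """Return the index-th 32-byte ABI word after the 4-byte selector."""
    start = 4 + 32 * index
    chunk = data[start:start + 32]
    if len(chunk) != 32:
        raise ValueError(f"calldata truncated: missing ABI word {index}")
    return chunk


def _address(word: bytes) -> str:
    # An address is left-padded with 12 zero bytes inside its 32-byte word.
    return "0x" + word[12:].hex()


def inspect_calldata(calldata_hex: str, trusted_operators: list[str]) -> Finding:
    """Classify an approval transaction before it is signed.

    A collection-wide approval to an operator outside the allowlist is what a
    drainer needs to move every token in the collection, so it is rated high.
    """
    hex_body = calldata_hex[2:] if calldata_hex.startswith("0x") else calldata_hex
    data = bytes.fromhex(hex_body)
    if len(data) < 4:
        return Finding("", "", "info", "calldata shorter than a function selector")
    selector = data[:4].hex()
    trusted = {a.lower() for a in trusted_operators}

    if selector == SET_APPROVAL_FOR_ALL:
        operator = _address(_word(data, 0))
        approved = int.from_bytes(_word(data, 1), "big") != 0
        if not approved:
            return Finding(selector, operator, "low", "revokes an operator approval")
        if operator in trusted:
            return Finding(selector, operator, "medium",
                           "grants collection-wide transfer rights to a known operator")
        return Finding(selector, operator, "high",
                       "grants collection-wide transfer rights to an unknown operator")

    if selector == APPROVE:
        operator = _address(_word(data, 0))
        token_id = int.from_bytes(_word(data, 1), "big")
        risk = "medium" if operator in trusted else "high"
        return Finding(selector, operator, risk,
                       f"approves transfer of a single token (id {token_id})")

    return Finding(selector, "", "info", "not an approval call")


# Constructed sample values (not real addresses or transactions).
TRUSTED_MARKETPLACE = "0x" + "22" * 20
UNKNOWN_OPERATOR = "0x" + "11" * 20
# setApprovalForAll(UNKNOWN_OPERATOR, true): selector, padded address, bool word.
SAMPLE_DRAINER_CALL = "0x" + SET_APPROVAL_FOR_ALL + "00" * 12 + "11" * 20 + "00" * 31 + "01"
# setApprovalForAll(UNKNOWN_OPERATOR, false): the revocation a victim would send afterwards.
SAMPLE_REVOKE_CALL = "0x" + SET_APPROVAL_FOR_ALL + "00" * 12 + "11" * 20 + "00" * 32

if __name__ == "__main__":
    for call in (SAMPLE_DRAINER_CALL, SAMPLE_REVOKE_CALL):
        print(inspect_calldata(call, [TRUSTED_MARKETPLACE]))
```

The check is deliberately narrow: it only decodes the two approval selectors, because those are the calls that hand transfer rights to a third party, and it treats an unrecognised operator as high risk rather than trying to judge the site that proposed the transaction.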
"Yuga Labs and Instagram are currently investigating how the hacker was able to gain access to the account. We're still investigating," BAYC owner Yuga Labs said in a statement. The Instagram account was protected with two-factor authentication, the company said. Instagram did not return a request for comment.
Hacked owners cumulatively lost four Bored Apes, six Mutant Apes and three Bored Ape Kennel Club NFTs - together worth roughly $3 million, Yuga said. Bored Apes rank among the most popular and sought-after NFTs; the average price of one is currently more than $430,000, per tracker DappRadar.
It's not the first time scammers have targeted affluent crypto owners, nor is it the first hack targeting BAYC. Earlier this year, 17 users of NFT marketplace OpenSea lost a slew of tokens to a phishing attack. Other people have been fooled by hackers selling them NFTs that turned out to be unauthorized fakes.
"In this case we saw a hacker hack an Instagram account in order to set up an elaborate fraud," said Ari Redbord, a former federal prosecutor who is now the head of legal and government affairs at TRM Labs, a blockchain intelligence company. "We are seeing more and more hacks and scams perpetrated on crypto businesses - from exchanges to Axie Infinity to NFTs. One thing that many of these hacks have in common is social engineering and some degree of human error."
Ronghui Gu, CEO of blockchain security firm CertiK, said that since the BAYC Instagram account used two-factor authentication, it's likely that hackers gained access to the account by tricking an administrator through social engineering. This practice involves using personal or professional information to gain someone's trust, enabling a scammer to then elicit additional data or credentials for a sensitive or valuable account.