Cyber Incident Victim: Yuga Labs
Date: Apr 2022
Location: United States of America
Summary
A cyberattack compromised the official Instagram account of Bored Ape Yacht Club (BAYC), operated by Yuga Labs, enabling hackers to post fraudulent links promoting a fake NFT airdrop. The phishing scheme directed users to a malicious website that harvested wallet credentials via a "safeTransferFrom" exploit, resulting in the theft of numerous high-value NFTs including Bored Apes, Mutant Apes, and Kennel Club assets alongside other collections. Estimates of stolen assets varied widely, with reports indicating losses ranging from $2.8 million to over $13 million based on floor prices, involving at least 91 NFTs and significant cryptocurrency. The attackers bypassed existing two-factor authentication on the Instagram account, with stolen funds later traced to major crypto exchanges. This incident followed a prior breach of BAYC's Discord server, highlighting recurring phishing risks targeting NFT communities. Yuga Labs regained account control, warned users against unofficial communications, and initiated investigations with affected victims.
Description
On April 25, 2022, attackers compromised the official Instagram account of Bored Ape Yacht Club (BAYC), a prominent NFT collection developed by Yuga Labs. The hackers posted a fraudulent link to a counterfeit version of the BAYC website, falsely advertising an exclusive "LAND airdrop" tied to BAYC's planned metaverse game. This phishing scheme instructed users to connect their MetaMask cryptocurrency wallets to claim the airdrop, but instead initiated a "safeTransferFrom" attack that transferred victims' NFTs to the attacker's Ethereum wallet. Yuga Labs detected the breach by 9:53 AM ET, alerted its community via Twitter, removed all Instagram links from its platforms, and began efforts to recover the compromised account. The company confirmed two-factor authentication was active on the Instagram account and described its security practices as "tight," but acknowledged the attackers possessed more than just the account password.

Initial estimates indicated losses of four Bored Ape NFTs, six Mutant Ape NFTs, three Bored Ape Kennel Club (BAKC) NFTs, and miscellaneous NFTs from collections including CloneX, EightBit, Alien Fren, and Toxic Skull Club. Blockchain analytics firm PeckShield identified 91 stolen NFTs and 765.3 ETH (approximately $2.4 million at the time) transferred to the attacker's wallet, with 23 NFTs quickly sold. BAYC co-founder "Garga" publicly contradicted higher theft estimates, clarifying only 10 official Yuga Labs NFTs (four Bored Apes and six Mutant Apes) were taken, while other stolen assets belonged to third-party projects.

The incident resulted in conflicting loss valuations, with Yuga Labs estimating $3 million in damages, Vice reporting $2.7 million, and CoinDesk calculating a $13.7 million floor price for the stolen NFTs. Attackers diverted 1.6 ETH to a Ukrainian crypto donation address before transferring most proceeds to Binance and KuCoin exchanges, as tracked by researcher zachxbt. Yuga Labs regained Instagram control, established a dedicated email ([email protected]) for victim reporting, and reiterated that official communications would only originate from its Twitter and Discord channels. This marked the second security breach in April 2022, following an April 1 Discord server compromise that led to one Mutant Ape theft via similar phishing tactics. The Instagram attack exacerbated concerns about NFT ecosystem vulnerabilities, with PeckShield documenting rising phishing incidents targeting digital asset holders. Yuga Labs and Instagram jointly investigated the intrusion vector but did not publicize conclusive findings in the immediate aftermath. Affected users were advised to initiate contact with Yuga Labs directly, with the company emphasizing it would never proactively solicit wallet credentials or seed phrases.
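
The "safeTransferFrom" request described above is readable in the transaction data before a wallet signs it. As an added example (not from Yuga Labs or the original report), the JavaScript below decodes ERC-721 transfer calldata and flags a transfer out of the user's wallet to an unlisted recipient; it goes slightly beyond the text by also covering `transferFrom` and the four-argument `safeTransferFrom` overload, and the function names, addresses and token id are constructed for illustration.

```javascript
// Added example: inspect an ERC-721 transfer before the wallet signs it.
// Standard ERC-721 function selectors (first 4 bytes of the calldata).
const TRANSFER_SELECTORS = {
  "23b872dd": "transferFrom(address,address,uint256)",
  "42842e0e": "safeTransferFrom(address,address,uint256)",
  "b88d4fde": "safeTransferFrom(address,address,uint256,bytes)",
};

// Return the n-th 32-byte ABI argument word that follows the selector.
function abiWord(hex, n) {
  const w = hex.slice(8 + 64 * n, 8 + 64 * (n + 1));
  if (w.length !== 64) throw new Error("calldata truncated");
  return w;
}

// An ABI-encoded address is the low 20 bytes of its 32-byte word.
const wordToAddress = (w) => "0x" + w.slice(24);

// tx: { to, data } as passed to the wallet; trusted: user-approved recipients.
function reviewTransaction(tx, wallet, trusted = []) {
  const data = String(tx.data || "").toLowerCase().replace(/^0x/, "");
  if (!/^[0-9a-f]{8,}$/.test(data)) {
    return { risk: "none", reason: "no decodable call data" };
  }
  const signature = TRANSFER_SELECTORS[data.slice(0, 8)];
  if (!signature) {
    return { risk: "unknown", reason: "not an ERC-721 transfer call" };
  }
  const from = wordToAddress(abiWord(data, 0));
  const to = wordToAddress(abiWord(data, 1));
  const tokenId = BigInt("0x" + abiWord(data, 2)).toString();
  const me = wallet.toLowerCase();
  const allowed = [me, ...trusted.map((a) => a.toLowerCase())];
  if (from === me && !allowed.includes(to)) {
    return { risk: "high", signature, tokenId, to,
      reason: `moves token ${tokenId} of ${tx.to} out of this wallet to ${to}` };
  }
  return { risk: "low", signature, tokenId, to, reason: "no transfer to an unlisted recipient" };
}

// Constructed sample: placeholder addresses, token id 1234 (0x4d2).
const WALLET = "0x" + "11".repeat(20);
const RECIPIENT = "0x" + "22".repeat(20);
const pad = (hex) => hex.replace(/^0x/, "").padStart(64, "0");
const SAMPLE_TX = {
  to: "0x" + "33".repeat(20), // NFT contract (placeholder)
  data: "0x42842e0e" + pad(WALLET) + pad(RECIPIENT) + pad("4d2"),
};
console.log(reviewTransaction(SAMPLE_TX, WALLET));
```

A "high" result means signing would hand the named token to the listed recipient, which is the point at which a fake "claim" page should be abandoned.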
