Cyber Incident Victim: Bored Ape Yacht Club
Date:
Apr 2022
Location:
United States of America
Summary
The Bored Ape Yacht Club suffered a compromise of its official Instagram account, which attackers used to promote fraudulent phishing links impersonating an NFT airdrop. Victims connecting their crypto wallets inadvertently authorized transfers of digital assets to the hackers, resulting in thefts including multiple high-value NFTs such as Bored Apes, Mutant Apes, and derivative collections. Loss estimates ranged from $2.8 million to over $13 million based on varying floor valuations. The breach occurred despite enabled two-factor authentication, with prior similar incidents targeting the project’s Discord server. Blockchain analysis indicated partial laundering of stolen assets through cryptocurrency exchanges.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On April 25, 2022, the official Instagram account of Bored Ape Yacht Club (BAYC) was compromised by attackers who used it to distribute phishing links targeting NFT holders. The hackers posted a fraudulent message about a nonexistent LAND airdrop, directing users to a counterfeit BAYC website that prompted them to connect their MetaMask wallets. This action enabled a "safeTransferFrom" attack that transferred victims’ NFTs to the attacker’s Ethereum wallet. BAYC detected the breach and alerted its community via Twitter at 9:53 a.m. ET, instructing users not to interact with links, mint items, or connect wallets. The company removed all Instagram links from its platforms and initiated recovery efforts for the compromised account, which had two-factor authentication enabled at the time of the intrusion. Yuga Labs, BAYC’s parent company, collaborated with Instagram to investigate the breach but could not immediately determine how the attackers bypassed security measures.
The attack resulted in the theft of at least 91 NFTs, including four Bored Apes, six Mutant Apes, three Bored Ape Kennel Club (BAKC) NFTs, and assets from collections like CloneX, EightBit, Toxic Skull Club, and Alien Fren. Blockchain analytics firm Peckshield reported 765.3 ETH and 91 NFTs stolen, with 23 NFTs sold for approximately $2.4 million shortly after the theft. Estimates of total losses varied: BAYC initially cited ~$3 million in losses, while Vice reported $2.7 million and CoinDesk calculated a $13.7 million floor value for stolen Bored Apes and Mutant Apes alone. The attacker’s wallet activity showed a 1.6 ETH donation to Ukraine Crypto Donation. BAYC co-founder Garga clarified that only 10 official Yuga Labs NFTs (four Bored Apes, six Mutant Apes) were stolen, contradicting higher initial reports. Affected users were directed to contact BAYC via a dedicated email, with warnings that the company would not initiate contact or request seed phrases. Blockchain researcher zachxbt traced most laundered funds to KuCoin and Binance. This incident followed an April 1, 2022, compromise of BAYC’s Discord server, where a similar phishing scam stole one Mutant Ape. BAYC reiterated that future minting announcements would only occur via official Twitter and Discord channels.