Cyber Incident Victim: Bored Ape Yacht Club
Date: Jun 2022
Location: United States of America
Summary
The Bored Ape Yacht Club's Discord server was compromised through a community manager's hacked account, enabling attackers to distribute phishing links that stole approximately $360,000 worth of NFTs from users across multiple affiliated channels. This incident represented the third security breach targeting the organization's platforms in a short timeframe, prompting internal investigations and public disputes over accountability—with critics citing Discord's infrastructure vulnerabilities while others emphasized user responsibility for approving unauthorized transactions.
Description
On June 4, 2022, the Bored Ape Yacht Club (BAYC) Discord server was compromised, resulting in the theft of approximately 200 ETH ($360,000) worth of NFTs. The attack originated from the compromised Discord account of Boris Vagner, a community manager for BAYC and its metaverse project Otherside. Attackers used Vagner's account to post phishing links in both the official BAYC and Otherside Discord channels. The breach was first publicly reported by Twitter user NFTherder, who identified stolen funds distributed across four separate wallets and estimated additional losses of approximately 145 ETH ($260,000) beyond the NFT theft. Yuga Labs, BAYC's parent company, confirmed the incident via Twitter eleven hours after NFTherder's initial alert but provided no immediate details about mitigation measures or victim compensation.

The attackers also targeted the Discord server of Spoiled Banana Society (SPS), an NFT fantasy football project co-founded by Boris Vagner and his brother Richard Vagner. Richard regained control of the SPS server and his brother's compromised account, preventing further deletions or disruptions. He alerted SPS members via Discord at 09:00 UTC, warning them not to interact with malicious links and requesting information about potential impacts. This marked the third security breach affecting Yuga Labs communities in 2022, following phishing attacks via Discord on April 1 (resulting in the theft of Mutant Ape Yacht Club #8662) and April 25 (involving fake minting links posted on compromised BAYC Instagram and Discord accounts). The incident occurred one week after actor Seth Green lost his Bored Ape NFT in a separate phishing scheme. Yuga Labs co-founder Gordon Goner criticized Discord's security infrastructure as inadequate for Web3 communities, while crypto entrepreneur Steve Fink countered that users bore responsibility for approving malicious transactions with their private keys. No restitution timeline or revised security protocols were disclosed by Yuga Labs following the attack.
