NFT and crypto thefts are becoming serious business
On Saturday June 4th, Bored Ape Yacht Club fell victim to another NFT hack, this time through a flaw in its Discord security. The scam comes in the wake of a string of similar misadventures and security mishaps from Yuga Labs and their social media teams.
Summary
- Hackers breached BAYC Community Manager Boris Vagner’s security and took control of his Discord account. They then posted about a fake airdrop and posted a link to a malicious phishing site.
- One Bored Ape, two Mutant Apes and cryptocurrency were stolen.
- This scam follows in the wake of a string of similar incidents that have recharged the debate around online security in an internet that straddles the centralized and decentralized spaces.
Yuga Labs, the company behind CryptoPunks, Mutant Ape Yacht Club, Bored Ape Kennel Club, Meebits and more, announced over the week that hackers exploited its Discord server to steal NFTs and ETH.
This scam is the latest in a lengthening list as the expensive thefts begin to look less like isolated misfortunes and more like a pattern of negligence.
The story behind the hack
Twitter user NFTherder took to the platform on Saturday to reveal that hackers breached Bored Ape’s Community Manager Boris Vagner’s security. They then took control of both the Bored Ape and Otherside Discord servers, announced an exclusive giveaway and posted a link to a malicious phishing site.
Unfortunate community members eager to take advantage of this surprise airdrop rushed to the site. Before anyone realized what was happening, the scammers reportedly made off with 200 ETH ($360,000) worth of NFTs, in the form of one Bored Ape and two Mutant Apes. The attackers also stole 145 ETH ($260,000) worth of cryptocurrency.
11 hours after NFTherder’s revelation, Yuga Labs confirmed the exploit on their own Twitter feed.
NFTherder, also known as OKHotShot, is an NFT on-chain analyst and security expert who we’ve interviewed at DappRadar. They identified the wallet involved in the scam and traced the route of the stolen assets to four further wallets.
‘Proper permissions could prevent this,’ wrote NFTherder, echoing the sentiments of many others who are beginning to wonder what can be done to combat these thefts. These hacks are now becoming commonplace and with the amount of money and value moving around across various blockchains, it’s no longer enough to chalk them up to misfortune and encourage people to be more vigilant.
This isn’t the first attack on the Bored Ape community
In only the past two months, we’ve reported on three major scams that have afflicted the Bored Ape community. In early April, hackers used a UI exploit and an OpenSea bug to launch a fake Otherside account on the secondary marketplace in the run-up to the highly anticipated land sale.
Later in April, hackers stole $3 million worth of NFTs, including Bored Apes, Mutant Apes, Kennel Clubs and a CloneX. In an audacious phishing attack, scammers broke into the BAYC Instagram account and advertised another fake land drop. Users were prompted to sign a ‘safeTransferFrom’ transaction and effectively transferred their cherished and expensive NFTs to someone else for free.
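The Instagram scam above worked because the "mint" page put a plain ERC-721 transfer in front of the user, who signed it without reading it. The following is an added example, not code from the article or from Yuga Labs: a small pre-signing check that decodes the calldata of an ERC-721 transfer call and flags any call that would move the user's own token to an address they did not choose. The function selectors are the standard ERC-721 ones; every wallet address and token ID is a constructed sample value, and the wallet name `my_wallet` and the `trusted_recipients` list are assumptions for the illustration.

```python
"""Added example (not from the DappRadar article): decode ERC-721 transfer
calldata before signing and flag transfers to an address the user never chose.
All addresses and token IDs below are constructed sample values."""

# Standard ERC-721 selectors: first 4 bytes of keccak256 of the function signature.
TRANSFER_SELECTORS = {
    "23b872dd": "transferFrom(address,address,uint256)",
    "42842e0e": "safeTransferFrom(address,address,uint256)",
    "b88d4fde": "safeTransferFrom(address,address,uint256,bytes)",
}

WORD = 64  # one ABI word is 32 bytes, i.e. 64 hex characters


def decode_nft_transfer(calldata_hex: str):
    """Return {'function', 'from', 'to', 'token_id'} for a recognised ERC-721
    transfer call, or None if the calldata is something else or malformed."""
    data = calldata_hex.lower()
    if data.startswith("0x"):
        data = data[2:]
    selector, body = data[:8], data[8:]
    if selector not in TRANSFER_SELECTORS or len(body) < 3 * WORD:
        return None
    words = [body[i * WORD:(i + 1) * WORD] for i in range(3)]
    # ABI-encoded addresses are left-padded with 12 zero bytes; reject anything else.
    if any(w[:24] != "0" * 24 for w in words[:2]):
        return None
    return {
        "function": TRANSFER_SELECTORS[selector],
        "from": "0x" + words[0][24:],
        "to": "0x" + words[1][24:],
        "token_id": int(words[2], 16),
    }


def review_before_signing(calldata_hex, my_wallet, trusted_recipients=()):
    """Classify a transaction the wallet is about to sign.

    PASS:  not an ERC-721 transfer call; other checks apply.
    OK:    moves a token to a recipient the user explicitly trusts.
    BLOCK: moves the user's own token to an unknown address (the fake-airdrop pattern).
    WARN:  moves a token the user does not hold; only possible after a prior approval."""
    decoded = decode_nft_transfer(calldata_hex)
    if decoded is None:
        return ("PASS", "not an ERC-721 transfer call")
    trusted = {a.lower() for a in trusted_recipients}
    if decoded["to"] in trusted:
        return ("OK", f"{decoded['function']} to a trusted recipient")
    if decoded["from"] == my_wallet.lower():
        return ("BLOCK", f"would send token {decoded['token_id']} to {decoded['to']}")
    return ("WARN", "transfers a token you do not hold; requires a prior approval")


def _pad_address(addr: str) -> str:
    return addr.lower()[2:].rjust(WORD, "0")


def encode_nft_transfer(selector, frm, to, token_id):
    """Build ERC-721 transfer calldata; used here only to construct sample input."""
    return "0x" + selector + _pad_address(frm) + _pad_address(to) + format(token_id, "x").rjust(WORD, "0")


# Constructed sample wallets (not real addresses).
MY_WALLET = "0x1111111111111111111111111111111111111111"
ATTACKER = "0x2222222222222222222222222222222222222222"
MARKETPLACE = "0x3333333333333333333333333333333333333333"

if __name__ == "__main__":
    # A "mint" page that actually asks the user to sign safeTransferFrom to the scammer.
    phishing_tx = encode_nft_transfer("42842e0e", MY_WALLET, ATTACKER, 1234)
    print(review_before_signing(phishing_tx, MY_WALLET, [MARKETPLACE]))
    # A genuine listing transfer to a marketplace contract the user has vetted.
    listing_tx = encode_nft_transfer("23b872dd", MY_WALLET, MARKETPLACE, 1234)
    print(review_before_signing(listing_tx, MY_WALLET, [MARKETPLACE]))
```

The point of the check is the `to` field: a legitimate mint or airdrop claim never needs the user to call `safeTransferFrom` on a token they already own, so any such call whose recipient is not a contract the user has vetted deserves a hard stop rather than a generic "confirm" dialog.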
In late May, we reported here when actor Seth Green was forced to halt production on his upcoming TV show White Horse Tavern. Scammers stole his Bored Ape when he signed into a fake Gutter Cat Gang website using his crypto wallet. Alongside the Ape, Green was also relieved of two Mutant Apes and a Doodles NFT.
With all of these hacks, scams, thefts, heists and frauds taking place in quick succession, the conversation around security has found fresh voice in the web3 community. Ian, Rob and I discussed the topic on the latest episode of Off The Blockchain.
Other prominent voices have been going back and forth on who to condemn when hackers steal from victims. Was it Seth Green’s fault that he was duped, or are his detractors guilty of victim-blaming? In the case of a crime like theft, surely responsibility for the misdemeanor lies squarely on the shoulders of the perpetrator?
Online NFT security
In some, but not all, cases, there are steps that people can take to reduce their chances of falling victim to cyber crimes. There are basic checks you can carry out to judge whether or not you’re dealing with a scam token. Always bear in mind that hackers will use any and all methods to take from you what is yours. DappRadar also has a guide here to staying safe with crypto.
There’s also a shift in mindset that we can all make so that thieves don’t have such an easy time when they prey on victims. We need to stop believing in the myth that decentralization has the power to solve all of the world’s modern problems and start viewing it as a useful technology that has beneficial utility.
Cryptocurrencies are not necessarily the hedge against inflation that everyone says they are. And decentralized assets don’t always protect their holders against interference from corporate and government entities. Just because you own something on a blockchain ledger, it doesn’t mean that someone else can’t steal it, manipulate it or somehow affect it negatively.
We’ve all seen enough rug pulls and fake accounts to know that scams are as much a part of the web3 story as moonshots and open-source cooperation are. And as we move further away from the invention of Bitcoin, Ethereum and the first NFT, it’s also becoming more obvious that centralized platforms will always have a part to play in the narrative. If they represent a constant security flaw, then extra precautions need to be put in place to negate the risks.
Whichever side of the argument you fall on, whether you blame Discord or you think Yuga Labs was at fault in this scenario, scammers will go to extreme lengths to find their victims. So it’s best to remember this piece of advice that Bored Ape Yacht Club tweeted out following the incident. It’s the same advice that 99 out of 100 NFT collections give and it generally holds up well in practice.
You can also use DappRadar’s NFT Collection Explorer to get in-depth information and data about every NFT collection. For anyone who wants to do their due diligence before diving into an investment, it’s got floor prices, sales information, trader volumes, average sale prices and more. It’s another tool in the battle against scammers and con artists.