The Bored Ape Yacht Club (BAYC) Discord server was compromised on June 4, 2022. A phishing scheme targeted collectors of non-fungible tokens (NFTs) holding BAYC, Mutant Ape Yacht Club (MAYC) and other NFTs. An analysis by blockchain auditing and security firm Certik revealed that the attacker behind the BAYC Discord compromise may have been involved in previous phishing attacks.
Blockchain Security Firm Certik Examines the BAYC Discord Phishing Attack
Many NFTs are very valuable, which makes their holders attractive targets for malicious actors. The Bored Ape Yacht Club (BAYC) Discord server was compromised this week, and the attacker used phishing to lure victims.
Certik, a Web3 and blockchain security and auditing firm, published an analysis of the attack. The analysis indicated that the attacker might have been involved in previous phishing attempts. The attacker stole 32 NFTs worth approximately $360K from blue-chip NFT owners.
After the incident, Yuga Labs, the creators of BAYC, wrote that “our Discord servers were briefly exploited this morning.” The incident was quickly caught by the team. It appears that around 200 ETH worth of NFTs were affected. We are still investigating, but we encourage you to email discord@yugalabs.io if you have been affected. We do not give out surprise mints or giveaways.
The stolen NFTs came from the Bored Ape Yacht Club, the Bored Ape Kennel Club and the Mutant Ape Yacht Club (MAYC). Certik reports that the phishing website was a carbon copy of the official project's site, but with subtle differences.
The site did not have any social media links, and a tab titled “claim your land” had been added. After victims fell for the phishing site, the attacker obtained a few NFTs and proceeded to sell them.
Certik noted that the attackers were able to obtain 142 ETH, and that 100 ETH was likely sent to Tornado Cash, a mixing application. Certik also summarizes the evidence suggesting that the attacker received a fraction of the ether back and sent it onward to Tornado Cash, possibly via a single address.
Certik's report states that it is impossible to know whether the 99.5 ETH redeemed by … are actually the funds involved in today's attack. However, it is probable that these are the stolen funds post-mixer, given the 20.5 ETH that was sent to the depositor address.
Analysis by Certik researchers adds:
Most of the funds were transferred to an Externally Owned Account […], which is where they are at the time of writing.
According to the blockchain security firm, on-chain links suggest that 0x5bC1 may be “not only associated today with the BAYC Phishing Attack, but also in previous phishing attacks.” Certik also mentioned that BAYC was attacked on April 25, 2022 by an attacker who compromised the NFT collection's Instagram account.
That attacker posted a link to a fake airdrop and got away with 888 ETH worth of non-fungible tokens. Certik's report states that the scam link to the fake airdrop prompted users to sign a safeTransferFrom transaction. Before the Instagram exploit at the end of April, Mutant Ape Yacht Club #8,662 had been stolen through a phishing scheme posted on Discord. Celebrity Seth Green was also recently the victim of a phishing scam and lost his Bored Ape; Bored Ape #8,398, named “Fred,” was supposed to play a part in Green's new series, “White Horse Tavern.”
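The common thread in these incidents is that the victim signs an ERC-721 call (a safeTransferFrom, or the even broader setApprovalForAll) that a fake “claim” or “airdrop” page presents as something harmless. The following is an added example, not code from the article or from Certik, showing the check a wallet or browser extension could apply before signing: decode the calldata, recognise the transfer and approval selectors, and flag a call that moves a token out of the signer's wallet or hands an operator control of a whole collection. The selectors are the standard keccak-256 selectors of the ERC-721 method signatures; the addresses, token id and calldata below are constructed placeholders, not values from the incident.

```python
# Added example (not from the article or Certik): decode ERC-721 calldata before
# signing so a wallet or security tool can warn when a "claim" transaction is
# really a token transfer or an operator approval.

# 4-byte selectors of the ERC-721 methods that move or delegate tokens
# (standard keccak-256 selectors of these signatures) and their argument types.
SELECTORS = {
    "42842e0e": ("safeTransferFrom(address,address,uint256)", ("address", "address", "uint256")),
    "b88d4fde": ("safeTransferFrom(address,address,uint256,bytes)", ("address", "address", "uint256", "bytes")),
    "23b872dd": ("transferFrom(address,address,uint256)", ("address", "address", "uint256")),
    "a22cb465": ("setApprovalForAll(address,bool)", ("address", "bool")),
}


def _words(data: bytes):
    """Split the ABI-encoded argument area (after the selector) into 32-byte words."""
    body = data[4:]
    return [body[i:i + 32] for i in range(0, len(body), 32)]


def decode_call(calldata_hex: str) -> dict:
    """Decode the selector and static arguments of an ERC-721 transfer/approval call."""
    data = bytes.fromhex(calldata_hex[2:] if calldata_hex.startswith("0x") else calldata_hex)
    selector = data[:4].hex()
    if selector not in SELECTORS:
        return {"function": None, "selector": selector, "args": []}
    name, types = SELECTORS[selector]
    words = _words(data)
    args = []
    for i, typ in enumerate(types):
        word = words[i]
        if typ == "address":
            args.append("0x" + word[12:].hex())  # an address is right-aligned in its word
        elif typ == "uint256":
            args.append(int.from_bytes(word, "big"))
        elif typ == "bool":
            args.append(int.from_bytes(word, "big") != 0)
        else:  # "bytes" is dynamic: the word holds an offset, which the risk check does not need
            args.append(None)
    return {"function": name, "selector": selector, "args": args}


def assess(calldata_hex: str, signer: str) -> dict:
    """Classify a call the user is about to sign, from the signer's point of view."""
    call = decode_call(calldata_hex)
    name = call["function"] or ""
    signer = signer.lower()
    result = {"function": call["function"], "risk": "low", "reason": "not a transfer or approval"}
    if name.startswith("safeTransferFrom") or name.startswith("transferFrom"):
        src, dst, token_id = call["args"][:3]
        result.update(token_id=token_id, to=dst)
        if src.lower() == signer and dst.lower() != signer:
            result.update(risk="high", reason="moves token out of the signer's wallet")
        else:
            result.update(reason="transfer does not leave the signer's wallet")
    elif name.startswith("setApprovalForAll"):
        operator, approved = call["args"]
        result.update(operator=operator)
        if approved:
            result.update(risk="high", reason="grants an operator control over every token in the collection")
        else:
            result.update(reason="revokes operator approval")
    return result


def _pad_address(addr: str) -> str:
    """ABI-encode an address as a 32-byte word (left-padded with zeros)."""
    return addr[2:].lower().rjust(64, "0")


# Constructed sample values: placeholder addresses and calldata, not data from the incident.
VICTIM = "0x" + "11" * 20
ATTACKER = "0x" + "22" * 20
SAMPLE_TRANSFER = "0x42842e0e" + _pad_address(VICTIM) + _pad_address(ATTACKER) + format(8398, "064x")
SAMPLE_APPROVAL = "0xa22cb465" + _pad_address(ATTACKER) + format(1, "064x")

if __name__ == "__main__":
    for calldata in (SAMPLE_TRANSFER, SAMPLE_APPROVAL):
        print(assess(calldata, VICTIM))
```

Run stand-alone, the block classifies both constructed calls as high risk: the first because the victim's own address is the `from` and a different address is the `to`, the second because it would approve an operator for the whole collection. A `to` equal to the signer, or `approved` set to false, is reported as low risk, which is what separates a legitimate mint or revocation from the pattern described above.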