Many NFTs are very valuable, which makes their owners attractive targets. The Bored Ape Yacht Club (BAYC) Discord server was compromised this week, and the attacker used phishing to lure victims.
Certik, a Web3 and blockchain security and auditing firm, published an analysis of the attack. Its account indicates that the attacker may have been involved in earlier phishing campaigns. The attacker stole 32 NFTs, worth approximately $360K, from blue-chip NFT owners.
The NFTs came from the Bored Ape Yacht Club, the Bored Ape Kennel Club and the Mutant Ape Yacht Club (MAYC). Certik reports that the phishing website was a near carbon copy of the official project site, with only subtle differences.
The fake site had no social media links, and a tab titled “claim free land” had been added. Several victims followed the fake giveaway and signed transactions that handed their NFTs to the attacker, who then sold them.
Certik notes that the attacker obtained 142 ether in total, and that roughly 100 ETH was likely sent to Tornado Cash, a mixing service. Certik summarises on-chain evidence suggesting that part of the ether was deposited into Tornado Cash and withdrawn to a single address.
Certik’s report states that although it is impossible to know if the 99.5 ETH funds redeemed by 0x2917… were the funds involved in today’s attack, it is probable that these funds are stolen funds post-mixer due to the 20.5 ETH being sent to the depositor address.
Analysis by Certik researchers adds:
Most of the funds were transferred to an Externally Owned Account …, which is where they are at the time of writing.
According to the blockchain security firm, on-chain links suggest that 0x5bC1 may be ‘not only associated today with the BAYC Phishing Attack but also in previous phishing attacks’. The company also notes that BAYC was attacked on April 25, 2022 by an attacker who compromised the collection’s Instagram account.
The hacker posted a link to a fake airdrop and got away with 888 ETH worth of non-fungible tokens. Certik’s report states that users were prompted by the phishing site to sign a safeTransferFrom transaction, the ERC-721 call that moves an NFT directly to whatever recipient address the site supplied. Before the Instagram exploit at the end of April, Mutant Ape Yacht Club #8,662 had been stolen through a phishing link posted to Discord. Actor Seth Green recently fell victim to a phishing scam and lost his Bored Ape: Bored Ape #8,398, named ‘Fred’, was to appear in Green’s new series ‘White Horse Tavern’.
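The safeTransferFrom prompt is the point where the phish succeeds or fails: the victim's wallet shows a transaction the fake "claim" page built, and the only defence is to read what that transaction does before signing. The example below is added here and is not code from Certik, the article, or any wallet; it decodes the ERC-721 calldata a dApp hands to eth_sendTransaction and flags any call that moves a token, or operator rights over every token, away from the connected account. The victim, attacker and collection addresses, the token id and the phishing request itself are all constructed placeholders; only the five ERC-721 function selectors are real.

```javascript
// Added example (not CertiK's or the article's code). Decode an ERC-721 call
// before signing it and flag transfers/approvals that leave the user's account.

// 4-byte selectors of the standard ERC-721 functions (keccak256 prefixes).
const ERC721_SELECTORS = {
  '0x23b872dd': { name: 'transferFrom',      args: ['address', 'address', 'uint256'] },
  '0x42842e0e': { name: 'safeTransferFrom',  args: ['address', 'address', 'uint256'] },
  '0xb88d4fde': { name: 'safeTransferFrom',  args: ['address', 'address', 'uint256', 'bytes'] },
  '0xa22cb465': { name: 'setApprovalForAll', args: ['address', 'bool'] },
  '0x095ea7b3': { name: 'approve',           args: ['address', 'uint256'] },
};

// ABI-encode one static argument as a 32-byte word (64 hex chars, no 0x).
function encodeWord(type, value) {
  if (type === 'address') return value.toLowerCase().slice(2).padStart(64, '0');
  if (type === 'bool')    return (value ? '1' : '0').padStart(64, '0');
  return BigInt(value).toString(16).padStart(64, '0');   // uint256
}

// Build calldata for a selector from its argument values (static types only).
// Used here to construct the phishing request; a real site would do the same.
function encodeCall(selector, values) {
  const { args } = ERC721_SELECTORS[selector];
  return selector + args.map((t, i) => encodeWord(t, values[i])).join('');
}

// Decode calldata into { name, args } when it is a known ERC-721 call, else null.
function decodeCalldata(data) {
  const d = (data || '0x').toLowerCase();
  if (!/^0x([0-9a-f]{2})*$/.test(d)) throw new Error('calldata is not even-length hex');
  const entry = ERC721_SELECTORS[d.slice(0, 10)];
  if (!entry) return null;
  const body = d.slice(10);
  const args = entry.args.map((type, i) => {
    const word = body.slice(i * 64, (i + 1) * 64);
    if (word.length !== 64) throw new Error('calldata too short for ' + entry.name);
    if (type === 'address') return '0x' + word.slice(24);          // low 20 bytes
    if (type === 'bool')    return BigInt('0x' + word) !== 0n;
    if (type === 'bytes')   return '<dynamic bytes at offset ' + BigInt('0x' + word) + '>';
    return BigInt('0x' + word);                                     // uint256
  });
  return { name: entry.name, args };
}

// Classify an eth_sendTransaction request { to, data } for the connected account.
function assessTransaction(tx, connectedAccount) {
  const me = connectedAccount.toLowerCase();
  const call = decodeCalldata(tx.data);
  if (!call) return { risk: 'unknown', reason: 'not a recognised ERC-721 call; inspect manually' };
  const { name, args } = call;
  if (name === 'setApprovalForAll') {
    return args[1]
      ? { risk: 'high', reason: `makes ${args[0]} operator for every token in ${tx.to}` }
      : { risk: 'low',  reason: `revokes operator ${args[0]}` };
  }
  if (name === 'approve') {
    return { risk: 'high', reason: `lets ${args[0]} move token ${args[1]} out of ${tx.to}` };
  }
  const [from, to, tokenId] = args;        // transferFrom / safeTransferFrom
  if (from === me && to !== me) {
    return { risk: 'high', reason: `${name} sends token ${tokenId} from your account to ${to}` };
  }
  return { risk: 'low', reason: `${name} does not move a token away from your account` };
}

// Constructed scenario: a "claim free land" page asks the victim's wallet to sign
// safeTransferFrom(victim, attacker, tokenId) on a placeholder collection contract.
const VICTIM     = '0x1111111111111111111111111111111111111111'; // placeholder
const ATTACKER   = '0x2222222222222222222222222222222222222222'; // placeholder
const COLLECTION = '0x3333333333333333333333333333333333333333'; // placeholder

const phishingRequest = {
  to: COLLECTION,
  data: encodeCall('0x42842e0e', [VICTIM, ATTACKER, 42n]),
};

const verdict = assessTransaction(phishingRequest, VICTIM);
console.log(verdict.risk, '-', verdict.reason);
```

The check looks only at calldata, so it catches the direct safeTransferFrom and setApprovalForAll patterns described above. A phishing page can instead ask for an off-chain signature (a marketplace listing or permit), which never reaches eth_sendTransaction and needs a separate typed-data review; a plain ETH transfer with empty data comes back as "unknown" and should still be read by hand.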