The hacker posted a link to a fake copy of the BAYC website, which lured users with an ostensible airdrop. Victims were asked to sign a ‘safeTransferFrom’ transaction, which resulted in their NFTs being sent to the scammer’s wallet.
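The defensive counterpart to this lure is to decode what a transaction actually does before signing it, as a wallet's transaction preview should. The following is an added example, not code from the article or from the BAYC project: it decodes the calldata of an ERC-721 `safeTransferFrom` call (and the related `transferFrom`, a generalization beyond the article) and flags any call that would move a token out of the signer's wallet. The wallet addresses and token id are constructed placeholders.

```python
# Added example: decode ERC-721 transfer calldata before signing and flag
# calls that send the signer's token to someone else.
# Function selectors are the first 4 bytes of keccak256 of the signature.
ERC721_TRANSFERS = {
    "42842e0e": "safeTransferFrom(address,address,uint256)",
    "b88d4fde": "safeTransferFrom(address,address,uint256,bytes)",
    "23b872dd": "transferFrom(address,address,uint256)",
}

def abi_words(args_hex):
    """Split ABI-encoded arguments into 32-byte (64 hex character) words."""
    return [args_hex[i:i + 64] for i in range(0, len(args_hex), 64)]

def word_to_address(word):
    """An address is right-aligned in a 32-byte word: the last 20 bytes."""
    return "0x" + word[24:]

def decode_transfer(calldata, signer):
    """Describe an ERC-721 transfer call and whether the signer loses the token."""
    data = calldata.lower()
    data = data[2:] if data.startswith("0x") else data
    selector, args = data[:8], data[8:]
    if selector not in ERC721_TRANSFERS:
        return {"function": None, "drains_signer": False}
    words = abi_words(args)
    if len(words) < 3:
        raise ValueError("truncated calldata: expected from, to, tokenId")
    sender, receiver = word_to_address(words[0]), word_to_address(words[1])
    token_id = int(words[2], 16)
    return {
        "function": ERC721_TRANSFERS[selector],
        "from": sender,
        "to": receiver,
        "tokenId": token_id,
        # The token leaves the signer's wallet when it is taken from them
        # and delivered to any address other than their own.
        "drains_signer": sender == signer.lower() and receiver != signer.lower(),
    }

def encode_safe_transfer_from(sender, receiver, token_id):
    """Build calldata for safeTransferFrom(address,address,uint256) (constructed input)."""
    return ("0x42842e0e" + sender[2:].lower().rjust(64, "0")
            + receiver[2:].lower().rjust(64, "0") + format(token_id, "064x"))

if __name__ == "__main__":
    victim = "0x" + "11" * 20   # constructed placeholder: the signer's wallet
    scammer = "0x" + "22" * 20  # constructed placeholder: the attacker's wallet
    print(decode_transfer(encode_safe_transfer_from(victim, scammer, 1234), victim))
```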
The hacker made off with four NFTs from the BAYC, six from the Mutant Ape Yacht Club, three from the Bored Ape Kennel Club, and “some other assorted valuable NFTs,” according to Garga, co-founder of the BAYC.
The BAYC team assured users they had been following security best practices, including two-factor authentication. They did not share the source of the breach, saying they were “investigating,” but Twitter users suggested a SIM card swap, malware, and even an inside job.
The attack depended on the hacker gaining access to the official BAYC Instagram account, but the social engineering aspect was equally important. The fraudulent link was posted around the first anniversary of the collection’s launch, prompting users to believe the airdrop was a legitimate celebration of the Apes’ birthday.
The BAYC told affected users to contact the support team, but stopped short of declaring any form of reimbursement.