It’s an unfortunate fact of the internet that scams and thefts are rife. For every successful and legitimate transaction, there are several phishing scams or social engineering attacks that take away assets legitimately owned by unsuspecting and unfortunate buyers. As you might expect, this problem hasn’t gone away with the introduction of Web3, the metaverse, and NFTs; in fact, the problem has arguably been exacerbated by the decentralisation of the blockchain, meaning that thefts often go unpunished.
Sadly, just such an attack happened recently to one of the most famous and recognisable NFT collections in the world. The Bored Ape Yacht Club (BAYC) is probably the collection to which most people would point when you ask them what NFTs are, even if they’re not personally involved in this exciting new space. However, just last week, the Bored Ape Yacht Club collection was hacked, with hackers making off with millions of dollars’ worth of NFTs. Here’s what happened in that hack, as well as what it might mean or imply for the NFT space at large.
What exactly happened to BAYC?

Last week, a hacker managed to steal four NFTs from the BAYC collection, as well as several other NFTs created by BAYC creator Yuga Labs. The total value of the theft amounts to around $3 million, with most of that – around $2.4 million – coming from a small collection of rarer NFTs created by Yuga. BAYC spotted the issue and began working to resolve it on Monday afternoon, but by then, the damage had, unfortunately, already been done.
How did the hack happen?

According to BAYC itself, the hacker gained control of the official Instagram account for the Bored Ape Yacht Club collection. From there, the hacker persuaded users to click a fake link that led to a copycat version of the BAYC website. That site offered an Airdrop which prompted users to “sign a ‘safeTransferFrom’ transaction”. Tapping that Airdrop transferred assets to the scammer’s wallet, thereby stealing the NFTs from unsuspecting users. In essence, it was a classic phishing scam brought about by the hacker successfully obtaining credentials for the BAYC account.
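A wallet-side check for the kind of request described above, written as an added example (it is not code from BAYC, Yuga Labs or any wallet vendor): it decodes the calldata a site asks you to sign and flags any token transfer that moves an NFT out of your own wallet to an address you have not used before. The function names, the `trusted` allow-list and the sample addresses and token ID are assumptions constructed for illustration.

```javascript
// Standard 4-byte selectors for ERC-721 / ERC-1155 token transfer calls.
const TRANSFER_SELECTORS = {
  "23b872dd": "transferFrom(address,address,uint256)",
  "42842e0e": "safeTransferFrom(address,address,uint256)",
  "b88d4fde": "safeTransferFrom(address,address,uint256,bytes)",
  "f242432a": "safeTransferFrom(address,address,uint256,uint256,bytes)",
};

// Return the i-th 32-byte ABI word of the argument area (hex, no 0x).
function word(args, i) {
  const w = args.slice(i * 64, (i + 1) * 64);
  if (w.length !== 64) throw new Error("calldata truncated");
  return w;
}

// Addresses are left-padded to 32 bytes; keep the low 20 bytes.
const asAddress = (w) => "0x" + w.slice(24);

// myWallet: the signer's address.
// trusted: hypothetical allow-list of recipients the user has sent to before.
function reviewCalldata(calldata, myWallet, trusted = []) {
  const hex = String(calldata).toLowerCase().replace(/^0x/, "");
  if (hex.length < 8 || !/^[0-9a-f]+$/.test(hex)) throw new Error("not hex calldata");
  const signature = TRANSFER_SELECTORS[hex.slice(0, 8)];
  if (!signature) return { verdict: "not-a-transfer", signature: null };

  const args = hex.slice(8);
  const from = asAddress(word(args, 0));
  const to = asAddress(word(args, 1));
  const tokenId = BigInt("0x" + word(args, 2)).toString();
  const outgoing = from === myWallet.toLowerCase();
  const knownTo = trusted.map((a) => a.toLowerCase()).includes(to);
  // A genuine airdrop or claim never needs to move a token out of the signer's wallet.
  const verdict = outgoing && !knownTo ? "block" : outgoing ? "confirm" : "review";
  return { verdict, signature, from, to, tokenId };
}

// Constructed sample: placeholder addresses and token ID, not values from the incident.
const WALLET = "0x" + "aa".repeat(20);
const UNKNOWN = "0x" + "bb".repeat(20);
const pad = (h) => h.replace(/^0x/, "").padStart(64, "0");
const SAMPLE = "0x42842e0e" + pad(WALLET) + pad(UNKNOWN) + pad((1234).toString(16));

console.log(reviewCalldata(SAMPLE, WALLET));
```

A request presented as an airdrop that decodes to `block` here is sending a token away from the signer, which is the opposite of what an airdrop does.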
Did BAYC do everything it could to protect its account?

It’s hard to say whether BAYC took every measure it possibly could in order to protect its account. According to Artnet, two-factor authentication was enabled at the time of the hack, meaning the hacker managed to gain access to the BAYC Instagram account through two layers of security. This doesn’t bode well for either Instagram’s assurances of secure login or for BAYC itself, unfortunately; there’s likely to be a backlash as users wonder whether their assets are, in fact, safe after a hack like this.
Can the NFT owners get their NFTs back?

Unfortunately, given the way in which NFT ownership works, it can be difficult to recover NFTs once they’re stolen. There’s still the question of how, exactly, the thief will sell the compromised NFTs (although they began doing just that as soon as the theft was completed), but unlike physical artwork, NFTs can’t simply be reclaimed. There is precedent – stolen NFTs have been recovered before – but given that the blockchain is pseudonymous and doesn’t store identifying information, it’s extremely hard to know exactly who was responsible for the BAYC hack.
Has this happened before?

Sadly, yes. This isn’t the first time BAYC apes have been stolen from their owners. At the start of April, NFT owner s27 (it’s a pseudonym, naturally) had around $570k worth of NFTs stolen by a fraudulent transaction on trading site swapkiwi. Prior to that, in December 2021, NFT owner Todd Kramer famously tweeted “all my apes gone” after he was hacked and $2.2 million of NFTs were stolen from him. The cryptocurrency sector’s decentralisation and relative lack of regulation make it extremely difficult to police and prosecute theft, so you should be careful if you’re trading in NFTs.
How is BAYC changing to stop this happening again?

According to BAYC, it’s currently investigating how the hack happened and what measures it can take in order to ensure a hack of this magnitude doesn’t happen again. BAYC says that it will never announce new NFT mints via its Instagram accounts, either BAYC or Otherside, and that it will only reveal important information via its official Twitter feeds: @BoredApeYC, @yugalabs, and @OthersideMeta. You’ll also see these announcements if you’re part of the official BAYC Discord, so make sure to keep an eye out on the #announcements channel for those reveals.
How can I stop my NFTs being stolen?

Once you’ve bought an NFT (from a reputable source, of course), there are a number of things you can do to try and keep it safe. Don’t ever give out your wallet information to anyone, no matter who asks for it. Store all of your information in the real world, not online, because it’s easy for hackers to obtain it. Get yourself a cold storage wallet and keep all of your NFT information on that wallet, and question every single transaction you make, because scamming and social engineering are so rife in the NFT space that there’s a very strong possibility you’re being scammed, even if everything looks legit.
This hack is serious business for BAYC and could massively impact user trust in the collection. Thankfully, the hack doesn’t affect any of the major NFT marketplaces like OpenSea, but it does mean that users will likely be looking at NFTs and the crypto space in general with increased scrutiny. Be careful out there if you’re a crypto fan.