Bored Ape Yacht Club Discord Hacked Again

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository

Notice: This page is a freshly imported case study from the original repository. The original content was in a different format, and may not have relevant information for all sections. Please help restructure the content by moving information from the 'About' and 'General Prevention' sections to other sections, and add any missing information or sources you can find. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

Bored Ape Yacht Club

The Bored Ape Yacht Club Discord channel was breached through the permissions granted to Boris Vagner, the project's community manager. Once the attacker had access to the account, they posted an announcement on the channel telling users about a new minting opportunity. When users clicked the link and signed the transaction, this granted permission to take their funds. Multiple users report losing NFTs and there have been no reports of recovery.[1]

About Bored Ape Yacht Club

Homepage: [2]

OpenSea: [3]

"A limited NFT collection where the token itself doubles as your membership to a swamp club for apes. The club is open! Ape in with us." "The Bored Ape Yacht Club is a collection of 10,000 unique Bored Ape NFTs— unique digital collectibles living on the Ethereum blockchain. Your Bored Ape doubles as your Yacht Club membership card, and grants access to members-only benefits, the first of which is access to THE BATHROOM, a collaborative graffiti board. Future areas and perks can be unlocked by the community through roadmap activation."

"BAYC was created by four friends who set out to make some dope apes, test our skills, and try to build something (ridiculous). GARGAMEL. STARCRAFT OBSESSED. EATS SMURFS. GORDON GONER. REFORMED LEVERAGE ADDICT. EMPEROR TOMATO KETCHUP. SPENT ALL THEIR MONEY ON FIRST PRESSES AND PET-NAT. NO SASS. HERE FOR THE APES. NOT FOR THE SASS."

"Each Bored Ape is unique and programmatically generated from over 170 possible traits, including expression, headwear, clothing, and more. All apes are dope, but some are rarer than others. The apes are stored as ERC-721 tokens on the Ethereum blockchain and hosted on IPFS. (See Record and Proof.) Purchasing an ape costs 0.08 ETH. To access members-only areas such as THE BATHROOM, Apeholders will need to be signed into their Metamask Wallet."

"When you buy a Bored Ape, you’re not simply buying an avatar or a provably-rare piece of art. You are gaining membership access to a club whose benefits and offerings will increase over time. Your Bored Ape can serve as your digital identity, and open digital doors for you."

"The BAYC Bathroom will become operational once the presale period is over. It contains a canvas accessible only to wallets containing at least one ape. Like any good dive bar bathroom, this is the place to draw, scrawl, or write expletives. Each ape-holder will be able to paint a pixel on the bathroom wall every fifteen minutes. Think of it as a collaborative art experiment for the cryptosphere. A members-only canvas for the discerning minds of crypto twitter. We're pretty sure it's going to be full of dicks."

"Another day, another stolen ape, and the Bored Ape Yacht Club Discord hacked again. In the wee hours of the morning on June 4th, an attacker was able to compromise mod accounts and bots in the BAYC and Otherside Discord servers, and posted a malicious giveaway link. Victims thinking they would receive a giveaway approved the attacker to transfer their NFTs, resulting in 180+ ETH of losses."

"Since Otherside was one of our biggest successors for both our team and all of our holders that currently own one, we decided to drop the final givewaya to holders as a small token of our appreciation." "OthersideMeta [was] due to launch later th[e same] week."

"[T]he phishing scam added a sense of urgency, stating that only a limited amount of NFTs was available to be minted, which likely pushed visitors to abandon caution and rush to mint the free giveaway." "Please note that there's only a limited quantity. If you are a holder and you were too slow to get one and unfortunately did pay a high gas fee, we process over the next coming days. (Just be patient!)"

"Hackers reportedly stole over $257,000 in Ethereum and thirty-two NFTs after the Yuga Lab’s Bored Ape Yacht Club and Otherside Metaverse Discord servers were compromised to post a phishing scam." "News of the hack was first reported by Twitter user NFTherder, who also estimates 145 ETH (around $260,000) was stolen along with the NFTs, tracing the stolen funds back to four separate wallets."

"Yuga Labs later confirmed the exploit occurred in a tweet of its own, saying it is still actively investigating the incident. It did so 11 hours after NFTHerder's tweet."

"Fortune reported that the hack was the result of a phishing attack that compromised the Discord account of Boris Vagner, the project’s community manager. After obtaining Vagner’s login credentials, the attacker posted fake links in the Discord channels of the official BAYC and its related metaverse project called Otherside, according to the report."

"Vagner ​​is also the manager of his brother, the Grammy-winning multi-instrumentalist Richard Vagner, who co-founded an NFT fantasy football club called Spoiled Banana Society (SPS) with Boris. The attacker also posted a phishing link in the SPS Discord channel, though the message was subsequently deleted, Richard said."

"Once a user visited the page and attempted to mint the giveaway, the page likely stole all Ethereum and NFTs held in the linked wallet." "The attacker tricked users into providing approval to transfer their tokens. Some users got NFTs from multiple collections stolen, which suggests they approved several unique transactions. This attack did not just target BAYC/MAYC assets, but anything valuable that wasn’t nailed down."

"According to blockchain cybersecurity firm PeckShield, approximately 32 NFTs were stolen, including those from the Bored Ape Yacht Club, Otherdeed, Bored App Kennel Club, and Mutant Ape Yacht Club projects."

"There has been no communication yet from Yuga Labs or the Otherside team about the hack, either as a warning, or a postmortem. Users should assume the Discords are still compromised until otherwise notified by the teams. If you’re in those servers – do not click any links, do not open any files, and do not accept any DMs!"

"As of now, the attacker seems to have finished his crime spree, and cashed out the NFTs. Ether from the attack wallet has been transferred to a named account, federalinformant.eth, who also funded the attacker initially. Funding an attack from a public wallet is quite a brazen move, and may place him at risk of discovery."

"Yuga Labs is still investigating the compromise and is warning potential customers about the contents of these phishing messages: “As a reminder, we do not offer surprise mints or giveaways,” Yuga Labs tweeted."

This is a global/international case not involving a specific country.

The background of the exchange platform, service, or individuals involved, as it would have been seen or understood at the time of the events.

Include:

  • Known history of when and how the service was started.
  • What problems does the company or service claim to solve?
  • What marketing materials were used by the firm or business?
  • Audits performed, and excerpts that may have been included.
  • Business registration documents shown (fake or legitimate).
  • How were people recruited to participate?
  • Public warnings and announcements prior to the event.

Don't Include:

  • Any wording which directly states or implies that the business is/was illegitimate, or that a vulnerability existed.
  • Anything that wasn't reasonably knowable at the time of the event.

There could be more than one section here. If the same platform is involved with multiple incidents, then it can be linked to a main article page.

Mutant Ape Yacht Club Surprise Mint

TBD fill in details[4][5].

The Reality

This section is included if a case involved deception or information that was unknown at the time. Examples include:

  • When the service was actually started (if different than the "official story").
  • Who actually ran a service and their own personal history.
  • How the service was structured behind the scenes. (For example, there was no "trading bot".)
  • Details of what audits reported and how vulnerabilities were missed during auditing.

What Happened

The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.

Key Event Timeline - Bored Ape Yacht Club Discord Hacked Again

| Date | Event | Description |
|---|---|---|
| June 4th, 2022 2:04:00 AM MDT | Malicious Links Noted on Twitter | Twitter user EthanDG notes the malicious link in a public Twitter post to warn the community[6]. |
| June 4th, 2022 2:25:00 AM MDT | Losses Tallied So Far | Twitter user EthanDG tallies up the losses to users so far as 1 BAYC (Bored Ape Yacht Club) NFT, 2 MAYC (Mutant Ape Yacht Club) NFTs, 1 BAKC (Bored Ape Kennel Club) NFT, 1 Koda NFT, 5 Otherdeed NFTs, and 1 Goblin NFT[7]. |
| June 4th, 2022 6:03:23 AM MDT | CoinGape Article Published | CoinGape publishes an article covering the situation, which appears to have affected both the Bored Ape Yacht Club and Otherside. The article cites the total amount taken as 145 ethereum ($256,000) worth of tokens, including 32 NFTs. The article highlights the phishing link used and blames the compromise of a community manager for giving the attackers admin access on the server. Past successful attacks against Bored Ape Yacht Club are also referenced[8]. TBD Follow links in article. |
| June 4th, 2022 6:46:17 AM MDT | BowTiedIsland Article | BowTiedIsland covers the situation in an article, noting it happened "[i]n the wee hours of the morning". They note that at this time there hasn't yet been any communication from Yuga Labs or Otherside about the attack. The attack was noted to be funded from a public wallet, federalinformant.eth[9][10]. TBD more details fill in. No changes made to this article over time. |
| June 4th, 2022 2:16:00 PM MDT | Bored Ape Yacht Club Acknowledges Breach | Bored Ape Yacht Club posts on Twitter to acknowledge that the breach occurred. The tweet states that their "team caught and addressed it quickly", that "[a]bout 200 ETH worth of NFTs appear to have been impacted", and that they are "still investigating". An email address is provided for affected users to contact them[11]. Bored Ape Yacht Club also tweeted to remind everyone that they "do not offer surprise mints or giveaways"[12]. TBD expand with reactions. |
| June 4th, 2022 4:03:00 PM MDT | Fortune Article Published | Fortune published an article about the theft and situation[13]. TBD expand with more information from the article. |
| June 5th, 2022 2:12:31 PM MDT | Mashable Article Published | Mashable publishes an article about the theft[14][15]. TBD expand with details. Article has not changed over time. |
| June 24th, 2022 5:00:00 PM MDT | No Other Sales or Giveaways | Bored Ape Yacht Club makes a specific note on Twitter that they're not doing any other giveaways[16]. |

Total Amount Lost

Twitter user EthanDG provided a list of stolen NFTs from the attack on Twitter shortly after noting what was happening[7].

BAYC/Otherside discord hackers have stolen (179 ETH/$316,473):

1 BAYC (3215)

2 MAYC (4439, 3197)

1 BAKC (4945)

1 KODA (2019)

5 Otherdeeds (62444, 13781, 52306, 59851, 82318)

1 Goblin (4260)

TBD break down loss values of each NFT.

The total amount lost has been estimated at $360,000 USD.

How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?

Immediate Reactions

How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?

Twitter user EthanDG was one of the first to post on Twitter about the malicious links[6].

BAYC AND OTHERSIDE DISCORD HACKED DO NOT CLICK THE LINK

Bored Ape Yacht Club publicly acknowledged the attack later in the day and said they were "still investigating"[11].

Our Discord servers were briefly exploited today. The team caught and addressed it quickly. About 200 ETH worth of NFTs appear to have been impacted. We are still investigating, but if you were impacted, email us at discord@yugalabs.io.

Community Reactions

Twitter user Enormous James responded critically, claiming that "[Mutant Ape Yacht Club] was a surprise mint"[4], and another Twitter user, babs, noted the same[5]. Twitter user and Bored Ape collector Boshi argued that it was during "a planned event that had been talked about for weeks"[17]. Other Twitter users had varied reactions[18][19][20][21][22].

Why don’t you build a Discord type of platform buy more web3 orientated. I think is pretty much needed. Or at least invest in a team that will be able to build one. Long term vision fellas

Why are you like that? Maybe it's time to stop being bored and start having fun like the Jolly Ape Yacht Club does?

I keep getting these fake limited edition Apes in my wallet and I don't really know how to get rid of them. I guess they can just live there.

Why doesn’t Yuga makes its own private secure chat room for its members instead of relying on a third party.

While you are at it, please start a NFT custody for the holders. I can't believe people still fall for this type of shit, they should tattoo 'No surprise mints or giveaways' at this point imo

Ultimate Outcome

What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?

No report of an investigation was found on the Bored Ape Twitter account as of August 29th.

Total Amount Recovered

There do not appear to have been any funds recovered in this case.

Ongoing Developments

There do not appear to be any ongoing developments in this case.

Individual Prevention Policies

Every approval on Web3 is an opportunity to lose all of the funds present in your wallet. Take the time to review the transaction in full. Fully check over the balance, permissions, and entire address which you are interacting with. Do not trust that your clipboard or any website front-end is guaranteed to provide an accurate address or transaction status. Always perform a test transaction prior to the first high-value transaction in any session.
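As an added example (not code from this repository or from Yuga Labs), the following Python decodes the calldata of a transaction a wallet asks you to sign and flags the calls that hand another address control over your tokens, which is the kind of approval the fake mint page in this case harvested. The function selectors are the standard ERC-20/ERC-721 ones; the operator address and the sample transactions are constructed placeholders.

```python
# Added example: decode EVM transaction calldata and flag calls that hand a
# third party control of wallet assets. Not code from the Quadriga repository
# or from Yuga Labs; selectors are the standard ERC-20/ERC-721 ones
# (first 4 bytes of keccak256 of the function signature).

# selector -> (signature, baseline risk)
SELECTORS = {
    "a22cb465": ("setApprovalForAll(address,bool)", "HIGH"),   # operator may move ALL tokens
    "095ea7b3": ("approve(address,uint256)", "MEDIUM"),       # one token id / ERC-20 allowance
    "23b872dd": ("transferFrom(address,address,uint256)", "MEDIUM"),
    "42842e0e": ("safeTransferFrom(address,address,uint256)", "MEDIUM"),
}
UINT256_MAX = 2**256 - 1


def _word(data: bytes, i: int) -> bytes:
    """Return the i-th 32-byte ABI-encoded argument after the 4-byte selector."""
    chunk = data[4 + 32 * i: 36 + 32 * i]
    if len(chunk) != 32:
        raise ValueError("calldata truncated")
    return chunk


def _addr(word: bytes) -> str:
    """Addresses are right-aligned in their 32-byte word."""
    return "0x" + word[-20:].hex()


def review_calldata(calldata_hex: str) -> dict:
    """Classify what signing this transaction would let the counterparty do."""
    data = bytes.fromhex(calldata_hex.removeprefix("0x"))
    if len(data) < 4:
        return {"risk": "LOW", "function": None, "note": "plain value transfer, no contract call"}
    sel = data[:4].hex()
    if sel not in SELECTORS:
        return {"risk": "UNKNOWN", "function": sel, "note": "selector not recognised; verify against the contract ABI"}
    sig, risk = SELECTORS[sel]
    out = {"risk": risk, "function": sig}
    if sel == "a22cb465":
        out["operator"] = _addr(_word(data, 0))
        out["approved"] = int.from_bytes(_word(data, 1), "big") != 0
        if out["approved"]:
            out["note"] = "grants operator the right to transfer every token you hold in this collection"
        else:
            out["risk"], out["note"] = "LOW", "revokes an operator"
    elif sel == "095ea7b3":
        out["spender"] = _addr(_word(data, 0))
        out["amount_or_token_id"] = int.from_bytes(_word(data, 1), "big")
        if out["amount_or_token_id"] == UINT256_MAX:
            out["risk"], out["note"] = "HIGH", "unlimited allowance"
    else:  # transferFrom / safeTransferFrom move a specific token immediately
        out["from"], out["to"] = _addr(_word(data, 0)), _addr(_word(data, 1))
        out["token_id"] = int.from_bytes(_word(data, 2), "big")
    return out


# Constructed samples: the kind of request a fake "free mint" page can present.
# A genuine mint normally does not need setApprovalForAll at all.
OPERATOR = "11" * 20                      # placeholder attacker-controlled address
SAMPLE_APPROVE_ALL = "0xa22cb465" + OPERATOR.rjust(64, "0") + "1".rjust(64, "0")
SAMPLE_REVOKE = "0xa22cb465" + OPERATOR.rjust(64, "0") + "0".rjust(64, "0")
SAMPLE_UNLIMITED = "0x095ea7b3" + OPERATOR.rjust(64, "0") + "f" * 64

if __name__ == "__main__":
    for name, tx in [("approve_all", SAMPLE_APPROVE_ALL), ("revoke", SAMPLE_REVOKE),
                     ("unlimited", SAMPLE_UNLIMITED)]:
        print(name, review_calldata(tx))
```

If a page that promises a mint asks you to sign a setApprovalForAll or an unlimited approve, the request does not match the stated purpose and should be rejected.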

Any time that you are promised any profit or benefit in exchange for an initial payment, smart contract approval, or deposit, pay special care as to whether the entity making that offer is trustworthy, actually who they say they are, and has the means to fulfill what they're promising. There are no magic algorithms providing guaranteed returns from trading or mining. Trading on average will lose money. Mining is expensive and complex. No one is going to immediately send back more than you sent them. NFT projects will rarely announce a surprise mint in only a single location. Are you fully prepared for the event that your money is kept and nothing is delivered in return?

Avoid the use of smart contracts unless necessary. Minimize the level of exposure by removing or withdrawing assets whenever possible. Aim to choose smart contracts which have obtained third party security audits, preferably having been audited by at least three separate reputable firms. Pay attention to the audit reports, which smart contracts are covered, and whether the smart contract has been upgraded or modified since the report. Ensure that any administrative functions with the ability to remove funds from the smart contract are under the authority of a multi-signature wallet which is controlled by at least three separate and reputable entities.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

All aspects of any platform should undergo a regular validation/inspection by experts. This validation should include a security audit of any smart contracts, reporting any risks to the backing of any customer assets, ensuring treasuries or minting functions are properly secured under the control of a multi-signature wallet, and finding any inadequacies in the level of training or integrity of the team. The recommended interval is twice prior to launch or significant system upgrade, once after 3 months, and every 6 months thereafter. It is recommended that the third party performing the inspection not be repeated within a 14 month period.

The lesson here is about providing an account or tool with more privileges than necessary. Using a fully-permissioned account when not necessary widens the window in which a breach can do damage. Having a weak password or no two-factor authentication is problematic.

All wallets, minting functions, and critical infrastructure should be implemented with a multi-signature requirement, with a recommended minimum of 3 signatures required. This means that making important changes or approving spending will require the keys held by at least 3 separate individuals within the organization to approve. The multi-signature should be implemented at the lowest layer possible, all key holders should have security training, and all key holders should be empowered and encouraged to exercise diligence.

Ideally, performing key actions such as banning moderators or posting global announcements would be set up such that multiple people's approval is required. In this way, compromising a single account would not be enough to carry out such an attack.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

Create a standard tutorial and quiz for all new cryptocurrency participants, which is required to be completed once per participant. This tutorial and quiz should cover the basics of proper seed phrase protection, strong password generation, secure two-factor authentication, common fraud schemes, how to detect and guard against phishing attacks, how ponzi schemes work, as well as other risks which are unique to the cryptocurrency space.

All platforms should undergo published security and risk assessments by independent third parties. Two assessments are required at founding or major upgrade, one after 3 months, and one every 6 months thereafter. The third parties must not repeat within the past 14 months. A risk assessment needs to include what assets back customer deposits and the risk of default from any third parties being lent to. The security assessment must include ensuring a proper multi-signature wallet, and that all signatories are properly trained. Assessments must be performed on social media, databases, and DNS security.

In our framework, we advocate for training platform operators about incidents such as these, and require the approval of two separate security sign-offs for a project to launch, which would likely catch any weak security practices. A discretionary treasury fund is available to cover losses, in addition to whatever treasury is available with projects directly.

Set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services within the country, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References

  1. @yugalabs Twitter (Sep 20, 2023)
  2. BAYC (Jun 19, 2022)
  3. https://opensea.io/collection/boredapeyachtclub (Jun 19, 2022)
  4. Enormous James - "Narrator: MAYC was a surprise mint" - Twitter (Jun 7, 2023)
  5. babs - "except for that one time where we did mutants as a surprise mint" - Twitter (Jun 7, 2023)
  6. 0xEthanDG - "BAYC AND OTHERSIDE DISCORD HACKED DO NOT CLICK THE LINK" - Twitter (Jun 20, 2022)
  7. 0xEthanDG - "BAYC/Otherside discord hackers have stolen (179 ETH/$316,473)" - Twitter (Jun 20, 2022)
  8. Breaking: Bored Ape, Otherside Discords Hacked Again - CoinGape (Jul 7, 2022)
  9. Breaking: Bored Ape Yacht Club Discord Hacked - BowTiedIsland (Jun 20, 2022)
  10. Breaking: Bored Ape Yacht Club Discord Hacked - BowTiedIsland Archive June 4th, 2022 6:46:17 AM MDT (Apr 13, 2023)
  11. BoredApeYC - "Our Discord servers were briefly exploited today. The team caught and addressed it quickly." - Twitter (Jun 20, 2022)
  12. Bored Ape Yacht Club - "As a reminder, we do not offer surprise mints or giveaways." - Twitter (Jun 7, 2023)
  13. "Bored Ape Yacht Club’s Discord server was hacked, with $360,000 in NFTs stolen. Who’s to blame is debated" - Fortune (Jun 19, 2022)
  14. Bored Ape Yacht Club hacked again, loses $360,000 in NFTs | Mashable (Jun 20, 2022)
  15. Bored Ape Yacht Club hacked, loses $360,000 worth of NFTs in phishing attack - Mashable Archive June 5th, 2022 2:12:31 PM MDT (Apr 13, 2023)
  16. Bored Ape Yacht Club - "Reminder to merch safely. https://d2lbc.apefest.com is the ONLY official place to get this drop — we’re not doing any other sales, and no giveaways. Do not connect your wallet to a site you don’t know and trust." - Twitter (Jun 7, 2023)
  17. Boshi - "During a planned event that had been talked about for weeks." - Twitter (Jun 7, 2023)
  18. Luigi - "Why don’t you build a Discord type of platform buy more web3 orientated. I think is pretty much needed. Or at least invest in a team that will be able to build one. Long term vision fellas" - Twitter (Jun 7, 2023)
  19. CoinShibaInuNFT - "Why are you like that? Maybe it's time to stop being bored and start having fun like the Jolly Ape Yacht Club does?" - Twitter (Jun 7, 2023)
  20. Kate - "I keep getting these fake limited edition Apes in my wallet and I don't really know how to get rid of them. I guess they can just live there." - Twitter (Jun 7, 2023)
  21. NFT Enthusiast - "Why doesn’t Yuga makes its own private secure chat room for its members instead of relying on a third party." - Twitter (Jun 7, 2023)
  22. Cryptic - "While you are at it, please start a NFT custody for the holders. I can't believe people still fall for this type of shit, they should tattoo 'No surprise mints or giveaways' at this point imo" - Twitter (Jun 7, 2023)
