Bored Ape Yacht Club Instagram Hack
Notice: This page is a new case study and some aspects have not been fully researched. Some sections may be incomplete or reflect inaccuracies present in initial sources. Please check the References at the bottom for further information and perform your own additional assessment. Please feel free to contribute by adding any missing information or sources you come across. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.
The Bored Ape Yacht Club Instagram account was successfully breached, despite apparently using two-factor authentication. This allowed the attacker to post an announcement on the channel telling users about a new minting opportunity with the OthersideMeta project, which was actually due to launch a week later. Once users clicked the link and signed the transaction, it granted the attacker permission to take their funds. Multiple users reported losing NFTs and there have been no reports of recovery.
About Bored Ape Yacht Club
"A limited NFT collection where the token itself doubles as your membership to a swamp club for apes. The club is open! Ape in with us." "The Bored Ape Yacht Club is a collection of 10,000 unique Bored Ape NFTs— unique digital collectibles living on the Ethereum blockchain. Your Bored Ape doubles as your Yacht Club membership card, and grants access to members-only benefits, the first of which is access to THE BATHROOM, a collaborative graffiti board. Future areas and perks can be unlocked by the community through roadmap activation."
"BAYC was created by four friends who set out to make some dope apes, test our skills, and try to build something (ridiculous). GARGAMEL. STARCRAFT OBSESSED. EATS SMURFS. GORDON GONER. REFORMED LEVERAGE ADDICT. EMPEROR TOMATO KETCHUP. SPENT ALL THEIR MONEY ON FIRST PRESSES AND PET-NAT. NO SASS. HERE FOR THE APES. NOT FOR THE SASS."
"Each Bored Ape is unique and programmatically generated from over 170 possible traits, including expression, headwear, clothing, and more. All apes are dope, but some are rarer than others. The apes are stored as ERC-721 tokens on the Ethereum blockchain and hosted on IPFS. (See Record and Proof.) Purchasing an ape costs 0.08 ETH. To access members-only areas such as THE BATHROOM, Apeholders will need to be signed into their Metamask Wallet."
"When you buy a Bored Ape, you’re not simply buying an avatar or a provably-rare piece of art. You are gaining membership access to a club whose benefits and offerings will increase over time. Your Bored Ape can serve as your digital identity, and open digital doors for you."
"The BAYC Bathroom will become operational once the presale period is over. It contains a canvas accessible only to wallets containing at least one ape. Like any good dive bar bathroom, this is the place to draw, scrawl, or write expletives. Each ape-holder will be able to paint a pixel on the bathroom wall every fifteen minutes. Think of it as a collaborative art experiment for the cryptosphere. A members-only canvas for the discerning minds of crypto twitter. We're pretty sure it's going to be full of dicks."
"The Instagram account of the Bored Ape Yacht Club NFT project was hacked on Monday, [April 25th,] it announced via Twitter, reportedly resulting in millions of dollars worth of NFTs being stolen."
The background of the exchange platform, service, or individuals involved, as it would have been seen or understood at the time of the events.
Include:
- Known history of when and how the service was started.
- What problems does the company or service claim to solve?
- What marketing materials were used by the firm or business?
- Audits performed, and excerpts that may have been included.
- Business registration documents shown (fake or legitimate).
- How were people recruited to participate?
- Public warnings and announcements prior to the event.
Don't Include:
- Any wording which directly states or implies that the business is/was illegitimate, or that a vulnerability existed.
- Anything that wasn't reasonably knowable at the time of the event.
There could be more than one section here. If the same platform is involved with multiple incidents, then it can be linked to a main article page.
The Reality
This section is included if a case involved deception or information that was unknown at the time. Examples include:
- When the service was actually started (if different than the "official story").
- Who actually ran a service and their own personal history.
- How the service was structured behind the scenes. (For example, there was no "trading bot".)
- Details of what audits reported and how vulnerabilities were missed during auditing.
What Happened
The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.[3] TBD review transactions from attacker's wallet.
Date | Event | Description |
---|---|---|
April 25th, 2022 7:58:00 AM MDT | Bored Ape Yacht Club Official Tweet | The Bored Ape Yacht Club Twitter officially posts that there is no mint going on, and it looks like their Instagram was hacked. Their advice to protect yourself: "Do not mint anything, click links, or link your wallet to anything."[4] |
April 25th, 2022 8:01:00 AM MDT | Scam Warning on Twitter | Twitter user DeFi-yer posts a warning that "@BoredApeYC had their IG hacked. There's no mint for @OthersideMeta yet. DON'T DO IT!"[5] |
April 25th, 2022 8:13:00 AM MDT | Reported on Twitter | A tweet reports that both the Discord and Instagram were hacked and provides a screenshot of the stolen NFTs[6]. |
April 25th, 2022 8:41:00 AM MDT | Screenshot of Phishing Attack | Twitter user Christian Umana reports that he was "hacked" and "lost [his] NFTs" and includes a screenshot of the phishing website "apelandsdrop.com"[7]. He also provides a screenshot of the attacker's wallet[8]. TBD - can we find an archive? |
April 25th, 2022 9:13:00 AM MDT | ZachXBT Reports Total Damage | Twitter user ZachXBT reports on the damages - 91 NFTs in total including 4 Bored Ape Yacht Club, 7 Mutant Ape Yacht Club, 3 Bored Ape Kennel Club, and 1 CloneX[9]. |
April 25th, 2022 9:21:00 AM MDT | CoinDesk Article | CoinDesk publishes an article covering the hack[10]. |
April 25th, 2022 9:47:00 AM MDT | ZachXBT Maps Out Attacker's Address | Twitter user ZachXBT maps out the "hacker[']s" address and path of funds on the blockchain[11]. TBD add more details. |
April 25th, 2022 1:35:40 PM MDT | Protocol Article On Attack | Protocol publishes an article covering the attack[12]. "Two-factor authentication was enabled and the security practices surrounding the [Instagram] account were tight," the spokesperson told Vice. "Yuga Labs and Instagram are currently investigating how the hacker was able to gain access to the account. We're still investigating."[13] TBD explore more. |
April 25th, 2022 9:50:00 PM MDT | Support From Ian | Twitter user Ian offers support for those affected[14]. |
April 26th, 2022 5:52:00 AM MDT | Gadget360 Article | Gadget360 publishes an article on the attack, estimating losses at $13.7m[15]. TBD review article. |
April 26th, 2022 1:39:47 PM MDT | CBS News Article | The event is retroactively inserted into a CBS News article recently published on cryptocurrency fraud[16][17][18]. |
April 26th, 2022 1:49:02 PM MDT | Artnet News Article | Artnet publishes a news article on the situation[19][20]. TBD fill in details from article. |
June 4th, 2022 | Another Attack | The Bored Ape Yacht Club Discord is exploited in another phishing attack. |
Technical Details
TBD
Total Amount Lost
91 NFTs in total including 4 Bored Ape Yacht Club, 7 Mutant Ape Yacht Club, 3 Bored Ape Kennel Club, and 1 CloneX
The total amount lost has been estimated at $2,700,000 USD.
Twitter user Abdulghany Yougen reported the losses at $2,884,793.20 USD[21].
How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?
"The wallets of those who clicked the link have now been compromised, with a series of Bored Apes and Mutant Apes being transferred to new wallets by the hackers." "According to Vice, NFTs from Yuga Labs, including Bored Ape, Mutant Ape and Kennel Club NFTs, worth a total value of $2.7 million, were stolen in the hack. On Etherscan, the hacker's wallet has been flagged as being part of a phishing scam."
"Rough estimated losses due to the scam are 4 Bored Apes, 6 Mutant Apes, and 3 BAKC, as well as assorted other NFTs estimated at a total value of ~$3m," the spokesperson said. "We are actively working to establish contact with affected users."
Immediate Reactions
How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?
"After identifying the breach, BAYC alerted its community and removed all links to Instagram from their platforms, as attempts to recover the hacked account picked pace." "Yuga Labs is trying to get in touch with the hackers to reach a settlement."
"CoinDesk reported that the hackers announced a fake airdrop, or distribution of NFTs, encouraging users to click a fraudulent link which would give the hackers control of their wallets. The fraudulent link, which looked like the Bored Ape Yacht Club website, reportedly claimed users could mint "land" in upcoming Web3 project OthersideMeta."
The project said in a tweet that "There is no mint going on today," warning users to "not mint anything, click links, or link your wallet to anything." Vice reported that a moderator in the Bored Ape Yacht Club Discord channel posted: "THERE IS A FAKE LAND MINT WEBSITE BEING SHARED BY THE BAYC IG. DO NOT MINT ANYTHING."
"There is no mint going on today. It looks like BAYC Instagram was hacked. Do not mint anything, click links, or link your wallet to anything."
"It's currently unknown how the hackers got into the Bored Ape Yacht Club Instagram account. A Yuga Labs spokesperson told Vice that it had removed all links to Instagram from its services, alerted the community and has attempted to recover the account just before 10 a.m. ET this morning."
"Two-factor authentication was enabled and the security practices surrounding the IG account were tight," the spokesperson told Vice. "Yuga Labs and Instagram are currently investigating how the hacker was able to gain access to the account. We're still investigating." "Yuga Labs and Instagram are still investigating how the account was compromised, the spokesperson said."
Bored Ape Yacht Club Announcement
There is no mint going on today. It looks like BAYC Instagram was hacked. Do not mint anything, click links, or link your wallet to anything.
[5] TBD Capture reply Tweet
Support For Affected Users
"expensive day to reimburse those affected discord - hacked Instagram - hacked wen hire cybersecurity expert with all those royalties?"
Criticism of Disbursement
Many Users Were Affected
"Lost 0.75 eth no much but a lot to me... [G]utted. Cannot believe I fell for it. Usually so careful."
"Lost all my nft and crypto because of this."
"Lost 3 of my apes…"
"OMG! [A]ll 24 apes in my wallet are gone. [I] borrowed this money from my work credit card [and I] was not meant to. [C]an we fork BAYC to get them back to me[?]"
"[I] lost 8 of my apes, 6 lazy lions, 4 cryptopunks and 3 crazy crocodiles. [M]y life is ruined[. T]hat was my life savings. [Y]ou killed me."
"I was scammed :-("
And Some Not As Affected
"Omg I connected and lost my 54 bored apes. wtf"
"All of 300 bored apes now lost."
"I lost my entire life savings and my children will go hungry due to the Instagram hack of my apes. Pls can you redeem the lost jpegs so we can all have our money back? My wife threatened to take the kids but I told her that hopefully someone at BAYC hq has a backup of the pics."
"Dude give me back my apes bro! Fiduciary duty compels you to bless me with an ape."
"If u minted this, u have no place owning digital assets this valuable"
"That’s their own damn fault…people can’t read…today is 4/25…nothing happens til 4/30…"
"Are they responsible for these losses, no, they got hacked, and i really don't understand why people are clicking a link like that when it's already announced yesterday that the drop will be on the 30th,"
"[O]r an expensive lesson that when you own half a million dollar assets you don’t click on shit, no one’s fault but their own"
Ultimate Outcome
What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?
Total Amount Recovered
There do not appear to have been any funds recovered in this case.
What funds were recovered? What funds were reimbursed for those affected users?
Ongoing Developments
What parts of this case are still remaining to be concluded?
Individual Prevention Policies
Any time that you are promised any profit or benefit in exchange for an initial payment, smart contract approval, or deposit, pay special care as to whether the entity making that offer is trustworthy, is actually who they say they are, and has the means to fulfill what they're promising. There are no magic algorithms providing guaranteed returns from trading or mining. Trading on average will lose money. Mining is expensive and complex. No one is going to immediately send back more than you sent them. NFT projects will rarely announce a surprise mint in only a single location. Are you fully prepared for the event that your money is kept and nothing is delivered in return?
Users of wallets need to exercise extreme care when interacting. Always check for information from multiple official sources. Every approval on Web3 is an opportunity to lose all of the funds present in your wallet. Take the time to review the transaction in full. Fully check over the balance, permissions, and entire address which you are interacting with. Do not trust that your clipboard or any website front-end is guaranteed to provide an accurate address or transaction status. Always perform a test transaction prior to the first high-value transaction in any session.
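One way to "review the transaction in full" before signing, as an added example that is not part of the original page or of any project it describes: decode the calldata a wallet prompt is asking you to sign and flag the blanket `setApprovalForAll` grant that a fake mint page relies on. The function selectors are the standard ERC-721/ERC-20 ones; the operator addresses and the "trusted operator" list are constructed placeholders.

```python
# Added example (not from the original page): decode wallet-prompt calldata and
# flag approvals that would let a third party move every NFT in a collection.
# Selectors are the standard ERC-721/ERC-20 ones; addresses below are constructed.

SELECTORS = {
    "a22cb465": "setApprovalForAll(address,bool)",        # ERC-721 / ERC-1155
    "095ea7b3": "approve(address,uint256)",               # ERC-721 / ERC-20
    "23b872dd": "transferFrom(address,address,uint256)",  # ERC-721 / ERC-20
}

# Constructed placeholder: a marketplace operator the user has knowingly approved before.
TRUSTED_OPERATORS = {"0x" + "ab" * 20}


def _word(data: bytes, index: int) -> bytes:
    """Return the index-th 32-byte ABI word following the 4-byte selector."""
    start = 4 + 32 * index
    chunk = data[start:start + 32]
    if len(chunk) != 32:
        raise ValueError("calldata truncated: no 32-byte word at offset %d" % start)
    return chunk


def _address(word: bytes) -> str:
    """ABI addresses are right-aligned in the word; the low 20 bytes are the address."""
    return "0x" + word[12:].hex()


def decode_calldata(hex_data: str) -> dict:
    """Split calldata into selector, function signature and named arguments."""
    data = bytes.fromhex(hex_data[2:] if hex_data.startswith("0x") else hex_data)
    if len(data) < 4:
        raise ValueError("calldata shorter than a function selector")
    selector = data[:4].hex()
    signature = SELECTORS.get(selector)
    args = {}
    if signature == "setApprovalForAll(address,bool)":
        args = {"operator": _address(_word(data, 0)),
                "approved": int.from_bytes(_word(data, 1), "big") != 0}
    elif signature == "approve(address,uint256)":
        args = {"spender": _address(_word(data, 0)),
                "value": int.from_bytes(_word(data, 1), "big")}
    elif signature == "transferFrom(address,address,uint256)":
        args = {"from": _address(_word(data, 0)), "to": _address(_word(data, 1)),
                "value": int.from_bytes(_word(data, 2), "big")}
    return {"selector": "0x" + selector, "function": signature, "args": args}


def assess(decoded: dict, trusted_operators: set) -> tuple:
    """Return (risk, reason) for a decoded call from the signer's point of view."""
    fn, args = decoded["function"], decoded["args"]
    if fn == "setApprovalForAll(address,bool)":
        if not args["approved"]:
            return ("low", "revokes an operator approval")
        if args["operator"].lower() in trusted_operators:
            return ("medium", "blanket approval, but to an operator you already trust")
        return ("high", "grants %s the right to move EVERY token you hold in this collection"
                % args["operator"])
    if fn == "approve(address,uint256)":
        return ("medium", "lets %s move one token or spend %d units" % (args["spender"], args["value"]))
    if fn == "transferFrom(address,address,uint256)":
        return ("high", "moves token/amount %d straight to %s" % (args["value"], args["to"]))
    return ("unknown", "unrecognised selector %s: do not sign what you cannot decode" % decoded["selector"])


# Constructed sample: what a fake "land mint" page might really ask you to sign.
# A genuine mint never needs approval over tokens you already own.
SAMPLE_CALLDATA = "0xa22cb465" + "00" * 12 + "11" * 20 + "00" * 31 + "01"

if __name__ == "__main__":
    decoded = decode_calldata(SAMPLE_CALLDATA)
    print(decoded["function"], decoded["args"], assess(decoded, TRUSTED_OPERATORS))
```

Running the block shows the sample prompt is not a mint at all but a `setApprovalForAll` to an unknown operator, which is exactly the grant that lets stolen tokens be swept out afterwards.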
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
The primary issue here for the Bored Ape Yacht Club is about having strong passwords for all accounts. All aspects of any platform should undergo a regular validation/inspection by experts. This validation should include a security audit of any smart contracts, reporting any risks to the backing of any customer assets, ensuring treasuries or minting functions are properly secured under the control of a multi-signature wallet, and finding any inadequacies in the level of training or integrity of the team. The recommended interval is twice prior to launch or significant system upgrade, once after 3 months, and every 6 months thereafter. It is recommended that the third party performing the inspection not be repeated within a 14 month period.
All wallets, minting functions, and critical infrastructure should be implemented with a multi-signature requirement, with a recommended minimum of 3 signatures required. This means that making important changes or approving spending will require the keys held by at least 3 separate individuals within the organization to approve. The multi-signature should be implemented at the lowest layer possible, all key holders should have security training, and all key holders should be empowered and encouraged to exercise diligence.
Never take for granted the limited knowledge of users of your service and their tendency to skip past provided information. It is recommended to design a simple tutorial and quiz for new users which explains the basics of seed phrases, strong password generation, secure two-factor authentication, common fraud schemes, how ponzi schemes work, as well as other risks which are unique to the cryptocurrency space. This tutorial and quiz should ensure their understanding and be a standard part of the sign-up or download process which is difficult or impossible to skip.
Work with other industry platforms to set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
All platforms should undergo published security and risk assessments by independent third parties. Two assessments are required at founding or major upgrade, one after 3 months, and one every 6 months thereafter. The third parties must not repeat within the past 14 months. A risk assessment needs to include what assets back customer deposits and the risk of default from any third parties being lent to. The security assessment must include ensuring a proper multi-signature wallet, and that all signatories are properly trained. Assessments must be performed on social media, databases, and DNS security.
Create a standard tutorial and quiz for all new cryptocurrency participants, which is required to be completed once per participant. This tutorial and quiz should cover the basics of proper seed phrase protection, strong password generation, secure two-factor authentication, common fraud schemes, how to detect and guard against phishing attacks, how ponzi schemes work, as well as other risks which are unique to the cryptocurrency space.
Set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services within the country, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
- [1] BAYC (Jun 19, 2022)
- [2] https://opensea.io/collection/boredapeyachtclub (Jun 19, 2022)
- [3] Attacker's Wallet - Etherscan (Jun 20, 2022)
- [4] BoredApeYC - "Do not mint anything, click links, or link your wallet to anything." - Twitter (Jun 19, 2022)
- [5] defi_yer - "@BoredApeYC had their IG hacked. There's no mint for @OthersideMeta yet. DON'T DO IT!" - Twitter (Jun 19, 2022)
- [6] dingdingETH - "expensive day to reimburse those affected" - Twitter (Jun 19, 2022)
- [7] Christian Umana - "Got hacked and lost my NFTs" - Twitter (Jun 19, 2022)
- [8] Christian Umana - "This is the account that stole the NFTs" - Twitter (Jun 19, 2022)
- [9] zachxbt - "the BAYC Instagram hacker stole 4 BAYC, 7 MAYC, 3 BAKC, 1 CloneX, & more ( 91 NFTs in total)" - Twitter (Jun 20, 2022)
- [10] NFTs Stolen After Bored Ape Yacht Club Instagram, Discord Hacked - CoinDesk (Jun 19, 2022)
- [11] zachxbt - "Mapped out the hackers address here" - Twitter (Jun 20, 2022)
- [12] Bored Ape Yacht Club's Instagram was hacked, leading to the theft of millions of dollars of NFTs - Protocol Archive April 25th, 2022 1:35:40 PM MDT (Apr 18, 2023)
- [13] Bored Ape Yacht Club's Instagram was hacked, leading to the theft of millions of dollars of NFTs - Protocol (Jun 20, 2022)
- [14] Ian51079997 - "One ape family to another. We're here for you." - Twitter (Jun 19, 2022)
- [15] Bored Ape Yacht Club Instagram, Discord Hacked, NFTs Worth $13.7 Million Stolen - Gadget360 Technology News (Jun 20, 2022)
- [16] Cryptocurrency heists are getting more ambitious — and costlier to investors - CBS News (Nov 30, 2022)
- [17] Cryptocurrency heists are getting more ambitious — and costlier to investors - CBS News Archive April 26th, 2022 3:39:55 AM MDT (Apr 18, 2023)
- [18] Cryptocurrency heists are getting more ambitious — and costlier to investors - CBS News Archive April 26th, 2022 1:39:47 PM MDT (Apr 18, 2023)
- [19] Hackers Broke Into Bored Ape Yacht Club's Official Instagram and Made Off With Nearly $3 Million Worth of Stolen NFTs - Artnet News (Aug 30, 2022)
- [20] Hackers Broke Into Bored Ape Yacht Club's Official Instagram and Made Off With Nearly $3 Million Worth of Stolen NFTs - Artnet News Archive April 26th, 2022 1:49:02 PM MDT (Apr 18, 2023)
- [21] Abdulghany Yougen - "Here's how much the NFTs they stole are worth" - Twitter (Jun 21, 2023)
- [22] NftSpooky - "No bueno" - Twitter (Jun 19, 2022)
- [23] DingDing.eth - "expensive day to reimburse those affected discord - hacked Instagram - hacked wen hire cybersecurity expert with all those royalties?" - Twitter (Jun 21, 2023)
- [24] hitcoinmaxi - "Help I lost 938 million apes and 474,193.335 quadrillion $ETH in your hack please reimburrrrrsss" - Twitter (Jun 19, 2022)
- [25] cosmicartcult - "my wife left me & my step daughter has now joined isis can the devs fix" - Twitter (Jun 19, 2022)
- [26] BadInfluencer.eth - "I was scammed :-(" - Twitter (Jun 21, 2023)
- [27] Untamed Eyebrow - "If u minted this, u have no place owning digital assets this valuable" - Twitter (Jun 21, 2023)
- [28] AlteredMotion.eth - "That’s their own damn fault…people can’t read…today is 4/25…nothing happens til 4/30…" - Twitter (Jun 21, 2023)
- [29] FlipIt.eth - "Are they responsible for these losses, no, they got hacked, and i really don't understand why people are clicking a link like that when it's already announced yesterday that the drop will be on the 30th," - Twitter (Jun 21, 2023)
- [30] NotFlossin.eth - "Or an expensive lesson that when you own half a million dollar assets you don’t click on shit, no one’s fault but their own" - Twitter (Jun 21, 2023)