Bored Ape Instagram hack cost NFT owners $4 million

This happened despite there being a two-factor authentication protection on the Instagram account. PHOTO: REUTERS

NEW YORK (BLOOMBERG) - Hackers made away with about US$3 million (S$4.1 million) worth of some of the world's most popular non-fungible tokens (NFTs) after gaining access to the Instagram account belonging to the Bored Ape Yacht Club (BAYC) collection.

Once in, the hackers uploaded a post that linked to a cloned version of BAYC's official website and included an offer of free crypto tokens. Anyone who tried to claim the free tokens by authenticating and connecting their digital wallets to the fraudulent site instead gave the hackers free rein to access and transfer their NFTs and other cryptoassets.

"Yuga Labs and Instagram are currently investigating how the hacker was able to gain access to the account. We're still investigating," BAYC owners Yuga Labs said in a statement.

The Instagram account was protected with two-factor authentication, the company said. Instagram did not return a request for comment.

Hacked owners cumulatively lost four Bored Apes, six Mutant Apes and three Bored Ape Kennel Club NFTs - together worth roughly US$3 million, Yuga said. The average price of a Bored Ape, which rank among the most popular and sought-after, is currently more than US$430,000, per tracker DappRadar.

It is not the first time scammers have targeted affluent crypto owners, nor is it the first hack targeting BAYC. Earlier this year, 17 users of NFT marketplace OpenSea lost a slew of tokens to a phishing attack. Other people have been fooled by hackers selling them NFTs that turned out to be unauthorised fakes.

"In this case we saw a hacker hack an Instagram account in order to set up an elaborate fraud," said Mr Ari Redbord, a former federal prosecutor who is now the head of legal and government affairs at TRM Labs, a blockchain intelligence company. "We are seeing more and more hacks and scams perpetrated on crypto businesses - from exchanges to Axie Infinity to NFTs. One thing that many of these hacks have in common is social engineering and some degree of human error."

Assistant Professor Ronghui Gu, chief executive officer of blockchain security firm CertiK, said that since the BAYC Instagram account used two-factor authentication, it is likely that hackers gained access to the account by tricking an administrator through social engineering.

This practice involves using personal or professional information to gain someone's trust, enabling a scammer to then elicit additional data or credentials for a sensitive or valuable account.

Join ST's Telegram channel and get the latest breaking news delivered to you.