Another day, another Bored Ape NFT got stolen. This past weekend marked the third time the Bored Ape Yacht Club NFTs were compromised.
For an NFT collection that's so popular, it isn't surprising that BAYC is a common target for hackers. But the NFT's creators need to do a better job of protecting its holders.
Bored Ape Yacht Club members got hacked again.
The scam started when Boris Vagner, the BAYC community manager, had his Discord account compromised, which allowed the malicious party to post phishing links on BAYC’s official Discord channel and the brand’s metaverse project, the Otherside.
Vagner is the manager of Grammy Award-winning instrumentalist Richard Vagner, who's also his brother. The brothers co-founded Spoiled Banana Society, an NFT fantasy football club. A Twitter user with the username "NFTherder" first reported the hack on June 4 at 6:46 a.m. EST. BAYC’s Twitter page confirmed the breach nearly 11 hours later, which was a little bit too late.
The attack on June 4 is the third BAYC phishing attack.
While only three NFTs were compromised in the hack on June 4, it's the third BAYC scam to occur through Yuga Labs having its social media accounts hacked. The first attack occurred on April 1, when a Discord community member’s account was hacked and used to post phishing links, which resulted in a Mutant Ape being stolen. On April 25, Bored Ape Yacht Club’s Instagram and Discord accounts were hacked and used to post a fraudulent link to mint Otherside NFTs.
An estimated 24 Bored Apes and 30 Mutant Apes were stolen in the second hack, worth approximately $3 million at the time. Famous actor Seth Green was one of the victims of that attack. His Bored Ape and two Mutant Apes were among the collectibles that were taken.
Who’s to blame for these NFT attacks?
One of Bored Apes’ co-founders, who goes by the pseudonym "Gordon Goner," posted a tweet on June 4 and said, “Discord isn’t working for web3 communities. We need a better platform that puts security first.” NFTherder responded to the tweet and said, “Don’t blame Discord for users getting socially engineered, having DMs open, and clicking phishing links. Use the tool correctly first before blaming it.” Other people in the NFT space blame NFT holders for getting their wallets hacked.
While it will take a collective effort, BAYC and other NFT creators have to do a better job of educating current and future NFT holders about the risks of NFTs, phishing links, and how to use platforms like Discord effectively.
One of the most common phishing attacks occurs when a malicious party sends DMs to NFT holders. The malicious party poses as one of the community managers giving away a link to an exclusive minting drop. The link ends up being a scam, and for people new to Discord and the NFT space, it’s difficult to tell what’s real and what isn't. One thing Discord could change is to turn off DMs from other channel members automatically when you join a new channel.
Even if the social platform does that, it doesn’t fix the problem of community managers getting their social accounts hacked and posting phishing links. If the link comes from a verified account on Discord or Instagram, it’s completely reasonable for someone to click the link. If the link wasn’t fraudulent and it was an exclusive drop, that person would miss out if they didn't click the link. No matter what platforms NFT creators use, they must better educate buyers and holders and take greater responsibility for keeping their own social accounts safe.