NFTs from Bored Ape Yacht Club have become a crypto culture staple. As one of the most well-known collections in the NFT landscape, it has also become a popular target for scammers, hackers, and other unsavoury characters.
As the NFT space expands, so does the sophistication of exploits and hacks. This was on full display over the weekend, when a sophisticated scheme resulted in a major Bored Ape collection heist.
Hacking and exploits aimed at owners of Bored Apes are nothing new. Case studies surrounding the collection have been accumulating for well over a year: from Hollywood actor Seth Green to entire Discord exploits, we’ve seen a wide range of successful BAYC exploit attempts.
While it is not Yuga Labs’ fault, these exploits highlight how important wallet security is for owners of the popular NFT collection. Furthermore, these exploits are far from unique to Bored Ape Yacht Club, and can be found in all of the major ‘blue chip’ NFT collections.
The most recent example of all of this occurred over the weekend, and included unbelievable levels of social engineering, serving as a stark reminder to the community that being meticulous and detail-oriented today simply isn’t enough to protect your assets.
The recent breach resulted in the theft of 14 Bored Ape Yacht Club NFTs via a sophisticated scheme involving high-level social engineering from a single owner.
The most recent level of hacks demonstrate the level of detail and work that exploiters are willing to put in in today’s world. In this case, the hacker was able to quickly liquidate the NFTs for approximately 850 ETH, or slightly more than $1 million.
A detailed thread from popular web3 security analyst @Serpent deconstructs the story succinctly and thoroughly.
The social engineering scheme involved the hacker posing as a casting director at a LA-based studio looking to licence an NFT for a large fee; while the studio exists, the alias used by the hacker does not. However, this heist was driven by fake email domains, hours of calls, fake partnership pitches, and other elements.
The plan had been in the works for at least a month. It’s yet another example of why, for high-dollar NFTs, cold storage is the best option – and why signing or interacting with contracts can be risky unless thoroughly confirmed beforehand. As Serpent concluded in his thread, NFT holders should use multiple wallets, confirm identities, and avoid signing random signatures or transactions.