Threat actors took over Bored Ape Yacht Club (BAYC) for the third time this year. They have stolen and sold NFTs worth $250,000 or 142 ETH. The attacker used a phishing attack and established a phishing site that mimicked the official BAYC site, which asserted that BAYC, MAYC and OthersideMeta holders could get a free NFT for a short period.
The website was advertised through the official BAYC Discord for a Yuga Labs community manager that was previously hacked.
“CertiK analysis reveals that this community manager,
account –@BorisVagner (“BorisVagner | SBS” on Discord)– posted a message to BAYC’s
Discord server with a phishing link that led to the fake site. This then granted the scam the
appearance of authenticity and made it easier to dupe the NFT holders.” reads the analysis published by blockchain cybersecurity firm CertiK.
After the theft of NFTs, the attacker began to sell the collected assets at 08:25:42 AM UTC.
After selling off the stolen NFTs, threat actors moved the funds to the obfuscation platform
Tornado Cash.
Three attacks this year: The first hack of the BAYC discord server took place on April 1st. On April 25th, BAYC was hit the victim of another phishing attack, threat actors hacked its Instagram account and stole 91 NFTs, equivalent to $1,345,472.34
At this time it is unclear how the attackers have hacked the community manager’s account.
Reference:
