Thief steals $1 million of Bored Ape Yacht Club NFTs with Instagram hack

Illustration by Alex Castro / The Verge

A hacker stole millions of dollars in NFTs after compromising the official account for Bored Ape Yacht Club and using it to post a fake link that transferred NFTs out of users.

There is no mint going on Monday, according to the BAYC account.

There is no mint going on today. It looks like BAYC Instagram was hacked. Do not mint anything, click links, or link your wallet to anything.

— Bored Ape Yacht Club (@BoredApeYC) April 25, 2022

A user affiliated with the project claimed to show an image that had been posted from the BAYC account, promoting a free token for any users who connected.

BAYC's warning was too late for many holders of the Bored Ape NFTs, which were stolen in the hack. The hacker's account received more than a dozen NFTs from the Bored Ape, Mutant Ape, and Bored Ape Kennel Club projects, all presumably taken from users who connected their wallet.

The hacker's profile page was no longer visible on OpenSea at the time of publication. The hacker's account was banned from the platform by OpenSea's terms of service, as they prohibited taking items without authorization.

The contents of the hacker's wallet can be seen on other platforms. The wallet contained 134 NFTs, among them four Bored Apes and many other items from projects made by Yuga Labs and the creators of BAYC.

Each of the stolen Apes is worth six figures, based on the most recent sale price. Four months ago, the lowest priced Ape was sold for 47.9 ETH, equivalent to $138,000 at the current exchange price. The last price for the pair was 88.88 ETH, or $266,200. The total value of the four stolen Apes is just over $1 million, and Bored Ape was the most valuable of them all.

It is not known how the hacker was able to compromise the project. In a statement sent to The Verge by email, Yuga Labs said that the security of the account followed best practices and that two-factor authentication was enabled at the time of the attack. Yuga Labs said that they were working to establish contact with affected users.

Though NFTs can be bought and sold for huge sums of money, they are often held in smartphone wallet rather than more secure environments because the popular cripto wallet application MetaMask only supports NFT display on mobile. It encourages users to use the app rather than the extension. The use of social media to deliver a swastika is an effective way to steal NFTs, as the link is more likely to be interacted with from a mobile wallet.

The fact that the link was sent through the official BAYC social media account likely convinced the victims that it was legit, raising difficult questions about where exactly the fault lies.

The victims of the hack would not be compensated by the project according to an email from Yuga Labs.