A malicious actor has made off with 200 ether ($359,000) worth of Bored Ape NFTs after the Discord server belonging to the project was compromised on Saturday.
Bored Ape Yacht Club’s (BAYC) parent company, Yuga Labs, confirmed the amount in a tweet roughly 11 hours after the attack. The attacker was able to breach the Discord account belonging to BAYC’s project manager Boris Vagner, according to on-chain analyst and Twitter user @NFTherder.
“Our Discord servers were briefly exploited today. The team caught and addressed it quickly. About 200 ETH worth of NFTs appear to have been impacted. We are still investigating,” Yuga Labs tweeted via its BAYC Twitter handle.
Following the successful breach, the actor posted a phishing message, posing as Vagner, that duped Bored Ape collectors into clicking a malicious link and sending their NFTs to the attacker’s address.
Vagner was promoted to social and community manager in February, according to a tweet where he praised the founders at Bored Apes and Yuga Labs.
Questions have sprung up on social media about how the Discord account was compromised, including whether stronger security measures had been properly implemented. Even with two-factor authentication correctly enabled, attackers can bypass it by obtaining a targeted victim’s Discord ID token.
One explanation for the method behind the attack is that Vagner’s Discord ID token, a credential stored locally that lets the client log in repeatedly without re-verifying the user’s identity, was also compromised. That would have allowed the actor to access Vagner’s account without ever facing the second factor.
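The paragraphs above describe why a stolen session token defeats two-factor authentication: the token is a bearer credential that the server accepts on its own, so the second factor is only ever checked at login. The toy session store below is an added illustration written for this article, not Discord’s code or any reconstruction of it. It issues a token after password plus TOTP, then contrasts a naive checker (token alone is enough, which is what a stolen token exploits) with a hardened one that binds the token to the client context it was issued to and demands a fresh 2FA step-up before privileged actions such as posting an announcement. All names, the store secret, the fingerprint inputs, and the 300-second step-up window are constructed assumptions.

```python
"""Why a stolen bearer session token bypasses 2FA, and two server-side mitigations.

Constructed teaching model, not Discord's real implementation:
  - naive_authorize:    any valid token grants any action (2FA only checked at login)
  - hardened_authorize: token must come from the fingerprint it was issued to, and
                        privileged actions require a recent 2FA step-up
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

STORE_SECRET = b"constructed-demo-secret"  # hypothetical; use a managed key in practice
PRIVILEGED_ACTIONS = {"post_announcement", "change_server_settings"}


@dataclass
class Session:
    user: str
    fingerprint: str   # client context the token was issued to
    last_step_up: float  # timestamp of the last completed 2FA check


def client_fingerprint(ip: str, user_agent: str) -> str:
    """Coarse device binding: hash of IP and User-Agent. A weak heuristic on its own,
    but an attacker who only copied the token must now also match the victim's context."""
    return hashlib.sha256(f"{ip}|{user_agent}".encode()).hexdigest()


class SessionStore:
    def __init__(self, step_up_max_age: float = 300.0):
        self._sessions: dict[str, Session] = {}
        self.step_up_max_age = step_up_max_age

    def _key(self, token: str) -> str:
        # Store only an HMAC of the token so a leaked session table yields no usable tokens.
        return hmac.new(STORE_SECRET, token.encode(), hashlib.sha256).hexdigest()

    def login(self, user: str, password_ok: bool, totp_ok: bool, fingerprint: str, now: float = None) -> str:
        """Both factors are required here; afterwards the token alone is what the client presents."""
        if not (password_ok and totp_ok):
            raise PermissionError("password and 2FA both required at login")
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._sessions[self._key(token)] = Session(user, fingerprint, now)
        return token

    def lookup(self, token: str):
        return self._sessions.get(self._key(token))

    def step_up(self, token: str, totp_ok: bool, now: float = None) -> bool:
        """Re-run the second factor for an existing session (e.g. before a privileged action)."""
        s = self.lookup(token)
        if s is None or not totp_ok:
            return False
        s.last_step_up = time.time() if now is None else now
        return True

    def naive_authorize(self, token: str, action: str) -> bool:
        # Whoever holds the token is the user; this is the gap a stolen token walks through.
        return self.lookup(token) is not None

    def hardened_authorize(self, token: str, action: str, fingerprint: str, now: float = None) -> bool:
        s = self.lookup(token)
        if s is None:
            return False
        if not hmac.compare_digest(s.fingerprint, fingerprint):
            return False  # token presented from a different client context
        if action in PRIVILEGED_ACTIONS:
            now = time.time() if now is None else now
            if now - s.last_step_up > self.step_up_max_age:
                return False  # privileged action needs a fresh second-factor check
        return True


def demo() -> dict:
    """Constructed scenario: a community manager's token is copied to an attacker's machine."""
    store = SessionStore(step_up_max_age=300.0)
    victim_fp = client_fingerprint("198.51.100.7", "DesktopClient/1.0")   # constructed values
    attacker_fp = client_fingerprint("203.0.113.9", "curl/8.0")           # constructed values
    t0 = 1_000_000.0
    token = store.login("community_manager", True, True, victim_fp, now=t0)
    return {
        "naive_stolen_token": store.naive_authorize(token, "post_announcement"),
        "hardened_stolen_other_device": store.hardened_authorize(token, "post_announcement", attacker_fp, now=t0 + 60),
        "hardened_owner_fresh": store.hardened_authorize(token, "post_announcement", victim_fp, now=t0 + 60),
        "hardened_owner_stale_privileged": store.hardened_authorize(token, "post_announcement", victim_fp, now=t0 + 3600),
        "hardened_owner_stale_read": store.hardened_authorize(token, "read_channel", victim_fp, now=t0 + 3600),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

The naive path allows the stolen token to post an announcement, which is the pattern the article describes. The hardened path denies the same token from the attacker's context, and even from the victim's own context it denies a privileged action once the last 2FA check is older than the step-up window while still allowing ordinary reads. Fingerprint binding is deliberately coarse; the step-up requirement is the control that actually matters for high-impact actions.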
It marks the third time BAYC has been hacked, including an instance on April 1 when a Mutant Ape Yacht Club NFT was stolen via a phishing link on Discord. Almost four weeks later, on April 25, BAYC’s Discord and Instagram accounts were also hacked when a fake link to a copycat website duped users into giving up millions of dollars’ worth of their NFTs.
Hundreds of angry users have taken to Twitter to vent their frustration at the repeated attacks and alleged lack of security.
not getting a discord hacked is super easy. especially for projects WITH BILLIONS in revenue. honestly it’s embarrassing.
— UncleTravelingMatt.eth (@UncTravelinMatt) June 4, 2022
“They [BAYC] should consider investing a full-time security manager,” NFTherder tweeted in response to one user’s comment on BAYC’s security. “Surprised they haven’t already though.”