On Saturday the Discord server belonging to Bored Ape Yacht Club (BAYC) was compromised by a malicious actor, who stole 200 ETH, roughly $359,000, from the NFT collection's holders.
Yuga Labs, BAYC's parent company, tweeted 11 hours after the attack, confirming that it had happened and the amount stolen. The attacker breached the Discord server through the account of the project's community manager, Boris Vagner.
“Our Discord servers were briefly exploited today,” Yuga Labs tweeted via its BAYC Twitter handle. “The team caught and addressed it quickly. About 200 ETH worth of NFTs appears to have been impacted. We are still investigating.”
The actor scammed the holders by hijacking Vagner's Discord account and posting a phishing link. The message containing the link promised a limited number of giveaways for existing holders. Unsuspecting readers who clicked the link ended up compromising their own wallets, and the NFTs held in those wallets were transferred to the attacker's wallet.
It was in February this year that Boris Vagner was promoted to his position of social and community manager, according to a tweet in which he praised the founders.
Although two-factor authentication was in place, the attackers in this instance may have circumvented it by obtaining a Discord ID token from the targeted victim.
This is not the first time BAYC has been hacked, though. In April this year, hackers breached the project's Instagram account to post fake airdrops, which led to around 100 NFTs being stolen, according to reports at the time. In another incident, a phishing link was posted through the company's Discord, compromising a single wallet that held one Mutant Ape.
One explanation for the method behind the attack is that Vagner's Discord ID token, which lets a device log in repeatedly without re-verifying the user's identity, was also compromised. Possession of that token would have allowed the actor to access Vagner's account without needing his password or second factor.
“They [BAYC] should consider investing [in] a full-time security manager,” said NFTherder, the initial whistleblower on the scene, in response to one user's comment on BAYC's security. “Surprised they haven't already though.”