The company behind the Bored Ape NFTs announced the breach 11 hours after it was first disclosed on Twitter.
According to Yuga Labs, the Bored Ape Yacht Club (BAYC) Discord server was hacked on Saturday, and the attacker made off with 200 ETH ($360,000) worth of NFTs.
Boris Vagner, the project’s community manager, had his Discord account compromised, and the attacker used it to post phishing links in the Discord channels of both the main BAYC project and its linked metaverse project, Otherside.
NFTherder, a Twitter user, was the first to disclose the attack, estimating that 145 ETH (about $260,000) was taken along with the NFTs and tracing the stolen assets back to four different wallets.
Yuga Labs later confirmed the breach in a tweet of its own, stating that it is currently looking into the matter. That confirmation came 11 hours after NFTherder’s tweet.
Richard Vagner, a Grammy-winning multi-instrumentalist who co-founded the NFT fantasy football club Spoiled Banana Society (SBS) with Boris, is also managed by Boris Vagner. According to Richard, the attacker also posted a phishing link on the SBS Discord channel, but the message was later deleted.
Richard Vagner remarked in a Discord chat at 09:00 UTC, “Hey @everyone, we were hacked an hour ago, hoping no one clicked any links.” “Thank goodness he didn’t wipe the entire server since we regained control of the Discord and Boris’s account.”
Although Richard has sought information from Discord members connected to the hack, it is unclear if anyone in the SBS channel was harmed.
“We’ll have all the tabs back up in the coming days,” he added. “Let us know if there’s anything more he messed with.”
The Vagners also run Metaverse Records, a record label. In the same SBS Discord chat, Richard confirmed that the BAYC and Otherside Discords were also “hacked.”
He wrote, “pls keep safe.”
This is the third time a bad actor has been able to steal money from Yuga Labs users by impersonating a Yuga Labs account. On April 1, Mutant Ape Yacht Club #8662 was stolen when a phishing link was shared in the project’s Discord. Then, on April 25, the Bored Ape Yacht Club Instagram and Discord accounts posted a bogus link to an Otherside minting.
Actor Seth Green became a notable example of the sort of phishing schemes that are widespread in the NFT market when someone successfully tricked him out of his Bored Ape last week.
Reacting to the event on Saturday, one BAYC founder criticized Discord for the security breakdown.
Gordon Goner tweeted, “Discord isn’t working for Web 3 communities.” “We require a better platform that prioritizes security.”
Another crypto project’s founder, on the other hand, blamed users for the compromise of their own wallets.
Steve Fink wrote, “You lost your NFT because you signed a fraudulent transaction using your key.” “Stop blaming Discord; switching clients won’t prevent you from making the same mistakes.”