It happened again. Scammers raided the world of the Bored Ape Yacht Club (BAYC) and stole some tokens. But don’t worry, web3 can’t be blamed for this.
Hackers used old web 2.0 tricks to hack the project’s Instagram and lure people into clicking on unsolicited links.
Here’s the thing: after BAYC’s account was hacked, the attackers posted a message advertising an airdrop of land in the project’s metaverse. It required people to connect their MetaMask (or any other equivalent cryptocurrency wallet) in order to get land.
However, this was only a means of stealing NFTs. The BAYC Twitter account posted a warning, but by then, hackers had managed to steal many NFTs.
Although difficult to verify, some posts on Twitter claim that attackers were able to steal hundreds of NFTs.
Subsequently, a BAYC co-founder clarified that 4 Bored Apes, 6 Mutant Apes, and 3 Bored Ape Kennel Club NFTs were stolen in the phishing scam. The combined value of all this? Well, it’s estimated at $2.4 million.
He also mentioned that the Instagram account was protected by two-factor authentication, but did not release details about the compromise.
The hackers’ wallet activity suggests they have been transferring some of the stolen NFTs. Meanwhile, we have asked Yuga Labs, the owner of BAYC, whether it is compensating holders for the stolen assets. We’ll update the story if we hear back.
Such Instagram attacks are not new, but the value of digital assets can have a significant impact on victims, according to Jake Moore, global cybersecurity consultant at ESET:
“The world seems to be entering a very strange dynamic where NFTs are now worth [an] extortionate amount, but as the value increases, there will inevitably be cybercriminals lurking not far away.
“Instagram attacks are nothing new, but when requesting code or manipulating and intercepting messages, there is often an element of social engineering added to targeted human development. Unfortunately, however, this acquisition has had huge consequences and this led to a massive looting of digital assets.”
One of web3’s most prestigious projects has now been the target of several phishing attacks. Earlier this month, the project’s Discord was compromised.
When Yuga Labs launched ApeCoin in March, scammers took advantage of this, hacking into verified Twitter profiles and stealing nearly $1 million worth of assets from various victims.
This suggests that cybercriminals only need to use proven methods like phishing to lure people into connecting their cryptocurrency wallets – they don’t have to use any sophisticated systems to compromise web3 technology.
Therefore, high-value NFT projects like BAYC need to take extra steps to ensure their holders are protected. When holders fall victim to an unsolicited phishing link, the team can give general advice like “don’t click on suspicious links,” but that advice doesn’t help when the project’s own Instagram account posts the fake links.
Crypto investor Jordan Fish (who goes by the Twitter name Cobie) suggested that Yuga Labs should consider offering an escrow service that would require holders to provide evidence when they really want to withdraw the NFT.
It is important to note that if you use MetaMask or any self-hosted wallet, the security responsibility falls on you. And those who don’t want to miss out on airdrops may overlook safety in those moments.
Cobie points out that we need to teach better self-regulation practices, as all users may not be sophisticated enough to pay attention all the time. But, of course, achieving this is easier said than done.
Posted by: CoinYuppie. Reprinted with attribution to: https://coinyuppie.com/a-bunch-of-boring-apes-got-stolen-again-but-dont-blame-the-web-3/