The founders of Bored Ape said that its Instagram account has been hacked. Hackers are now posting fraudulent links to lure people to phishing sites.
Hackers have stolen about US$3 million of the globe’s most popular NFTs after accessing the Instagram account owned by the BAYC (Bored Ape Yacht Club) collection.
The hackers uploaded a post that linked to a cloned version of BAYC’s website, along with free crypto token offers.
Anybody who attempts to claim the tokens by connecting and authenticating their digital wallets to the phishing site will give the hackers free access to transfer their crypto assets and NFTs.
In the meantime, BAYC owners are investigating the imbroglio. According to them, “Yuga Labs and Instagram are currently investigating how the hacker was able to gain access to the account. We’re still investigating. The Instagram account was protected with two-factor authentication.”
Hacked owners have reportedly lost four Bored Apes, six Mutant Apes, and three Bored Ape Kennel Club NFTs, all worth about US$3 million.
Yuga Labs revealed that the average price of a Bored Ape is presently over US$430,000.
Meanwhile, this isn’t the first time hackers have targeted rich crypto owners. Nor is it the first time scammers have targeted BAYC.
In early 2022, 17 users of the NFT marketplace OpenSea lost some tokens to a phishing attack. Others have sold their NFTs to unauthorized fake buyers.
More scams and hacks are being perpetrated across crypto trading, from Axie Infinity to exchanges to NFTs.
Social engineering and human error fuel hacks
A common feature of these crypto hacks and scams is social engineering and human error.
Confirming this, Ronghui Gu, the chief executive officer of CertiK, said that since the BAYC Instagram account used 2-factor authentication, it’s likely that the scammers accessed the account by tricking the administrator via social engineering.
In this kind of social engineering, a hacker uses professional or personal information to gain a user’s trust and then elicits extra credentials or data for a valuable or sensitive account.