Bored Ape Yacht Club (BAYC), a prominent nonfungible token (NFT) project, was hacked for the third time this year on June 4. Hackers gained access to a BAYC community manager’s Discord account and posted a message with a link to a fake website, stealing NFTs worth about 142 Ether (ETH), or around $250,000.
Users were offered a free NFT gift for a short period; those who connected their wallets later had them emptied of NFTs. On two earlier occasions in April, hackers breached BAYC’s Discord and Instagram accounts and used a phishing link to obtain 91 NFTs worth over $1.3 million at the time of the second attempt.
According to blockchain security startup CertiK, hackers moved stolen money to the obfuscation platform Tornado Cash, making it difficult to follow future transactions on the blockchain. According to CertiK experts, “NFT holders should be very suspicious of anybody claiming to provide free assets, since these are typically phishing scams,” regardless of how serious the project may seem. Additionally, CertiK stated:
“In the case of the June 4th attack, the malicious carbon-copy site had some small differences. Firstly, there were no links to social media sites on the phishing site. There was also an added tab titled ‘claim free land’ and specifically targeted popular NFT projects.”
As a precautionary measure, CertiK recommended that crypto enthusiasts look for subtle irregularities on such sites, as they are often indicative of criminal activity. “Participants in such giveaways should at the very least examine the site’s legitimacy by comparing it to a known and verified site and looking for irregularities,” they concluded.