Bored Ape Yacht Club NFTs have become a staple in crypto culture. As one of the most recognizable collections in the NFT landscape, that too has come with a major target for scammers, hackers, and other unsavory players.
As the NFT space grows, so too does the sophisticated nature of exploits and hacks. Over the weekend, this was on prime display, as a sophisticated scheme resulted in a major Bored Ape collection heist.
Bored Ape Blues
Hacking and exploits targeting Bored Ape owners are nothing new. Case studies surrounding the collection span for well over the past year: from Hollywood actor Seth Green, to entire Discord exploits, we’ve seen a whole garden variety of successful BAYC exploit attempts.
While it’s no fault of Yuga Labs, these exploits continue to shine light on how vital wallet security is for holders of the popular NFT collection. Furthermore, these types of exploits are far from being exclusive to Bored Ape Yacht Club, and typically exist across all of the major ‘blue chip’ NFT collections.
The latest example around all of this came over the weekend, and included unbelievable levels of social engineering – leaving the community with a stark reminder that being meticulous and detail-oriented today simply isn’t enough to protect your assets.
Breaking Down The Breach
The breach in recent days resulted in 14 Bored Ape Yacht Club NFTs being stolen through a sophisticated scheme that included high-level social engineering from a single owner.
It’s the latest level of hacks that display the level of detail and work that exploiters are willing to go through in today’s world. In this case, the hacker was quickly able to liquidate the NFTs for roughly 850 ETH, or just over $1M.
A detailed thread from popular web3 security analyst @Serpent breaks down the story concisely and with great detail.
The social engineering scheme saw the hacker portraying themselves as a casting director at an LA-based studio seeking to license an NFT for a substantial fee; while the studio exists, the alias the hacker used does not. However, fake email domains, hours of calls, fake partnership pitches, and other elements drove this heist.
The scheme was at least months in the making. It’s another example that for high-dollar NFTs, cold storage is the safest option – and signing or interacting with contracts can be a substantial risk unless firmly confirmed beforehand. As Serpent concluded in his thread, using multiple wallets, confirming identities, and not signing random signatures or transactions are essential rules of thumb for NFT holders.