Bored Ape Yacht Club, Otherside NFTs Stolen in Discord Server Hack
Hackers reportedly stole over $257,000 in Ethereum and thirty-two NFTs after Yuga Labs’ Bored Ape Yacht Club and Otherside Metaverse Discord servers were compromised to post a phishing scam.
Earlier this morning, the Discord account for a Yuga Labs community manager was allegedly hacked to post a phishing scam on the company’s Discord servers.
This phishing scam pretended to be an exclusive, limited giveaway for existing BAYC, Mutant Ape Yacht Club (MAYC), and Otherside NFT holders, which included a link to a webpage that allowed a visitor to mint the free NFT.
The phishing scam added a sense of urgency, stating that only a limited number of NFTs were available to be minted, which likely pushed visitors to abandon caution and rush to mint the free giveaway.
Once a user visited the page and attempted to mint the giveaway, the page likely stole all Ethereum and NFTs held in the linked wallet.
According to blockchain cybersecurity firm PeckShield, approximately 32 NFTs were stolen, including those from the Bored Ape Yacht Club, Otherdeed, Bored Ape Kennel Club, and Mutant Ape Yacht Club projects.
Users also report that the hackers stole over 145 Ethereum during the phishing attack, worth approximately $250,000.
In April, a similar phishing attack occurred after Yuga Labs’ Instagram account was hacked to promote a phishing scam that allowed approximately $3 million worth of NFTs to be stolen.
At the time, Yuga Labs announced that they would never announce mints on Instagram, and users should only rely on posts from their Twitter accounts and Discord servers.
“We will also NEVER announce mints on the BAYC or Otherside Instagram accounts first, ever,” read a tweet from the Bored Ape Yacht Club Twitter account.
“Only obtain information from our official twitter accounts: @BoredApeYC, @yugalabs, and @OthersideMeta. These will be crossposted on the #announcement channel of BAYC Discord.”
It is unclear how the community manager’s account was compromised and if two-factor authentication was enabled, which usually prevents these attacks.
BleepingComputer has contacted Yuga Labs with questions about the phishing attack but has not received a response at this time.