$550 000 USD

MARCH 2022

GLOBAL

BORED APE YACHT CLUB

DESCRIPTION OF EVENTS

"A limited NFT collection where the token itself doubles as your membership to a swamp club for apes. The club is open! Ape in with us." "The Bored Ape Yacht Club is a collection of 10,000 unique Bored Ape NFTs— unique digital collectibles living on the Ethereum blockchain. Your Bored Ape doubles as your Yacht Club membership card, and grants access to members-only benefits, the first of which is access to THE BATHROOM, a collaborative graffiti board. Future areas and perks can be unlocked by the community through roadmap activation."

 

"BAYC was created by four friends who set out to make some dope apes, test our skills, and try to build something (ridiculous). GARGAMEL. STARCRAFT OBSESSED. EATS SMURFS. GORDON GONER. REFORMED LEVERAGE ADDICT. EMPEROR TOMATO KETCHUP. SPENT ALL THEIR MONEY ON FIRST PRESSES AND PET-NAT. NO SASS. HERE FOR THE APES. NOT FOR THE SASS."

 

"Each Bored Ape is unique and programmatically generated from over 170 possible traits, including expression, headwear, clothing, and more. All apes are dope, but some are rarer than others. The apes are stored as ERC-721 tokens on the Ethereum blockchain and hosted on IPFS. (See Record and Proof.) Purchasing an ape costs 0.08 ETH. To access members-only areas such as THE BATHROOM, Apeholders will need to be signed into their Metamask Wallet."

 

"When you buy a Bored Ape, you’re not simply buying an avatar or a provably-rare piece of art. You are gaining membership access to a club whose benefits and offerings will increase over time. Your Bored Ape can serve as your digital identity, and open digital doors for you."

 

"The BAYC Bathroom will become operational once the presale period is over. It contains a canvas accessible only to wallets containing at least one ape. Like any good dive bar bathroom, this is the place to draw, scrawl, or write expletives. Each ape-holder will be able to paint a pixel on the bathroom wall every fifteen minutes. Think of it as a collaborative art experiment for the cryptosphere. A members-only canvas for the discerning minds of crypto twitter. We're pretty sure it's going to be full of dicks."

 

"Hackers gained access to the Discord of Bored Ape Yacht Club (BAYC), Mutant Ape Yacht Club (MAYC) and Mutant Ape Kennel Club (MAKC), all three NFT collections owned by Yuga Labs." "[T]he BAYC team confirmed that their Discord servers were compromised."

 

"Oh no, our dogs are mutation! MAKC can be staked for our $APE token. Holders of MAYC + BAYC will be able to claim exclusive rewards just by simply minting and holding our mutant dogs!"

 

"Bored Ape Yacht Club's Instagram account and Discord server were both hacked on Monday, with an unofficial "mint" link being sent out to followers."

 

"[T]he hackers even managed to steal a valuable Mutant Ape Yacht Club (MAYC) NFT." "According to security firm PeckShield, the hacker successfully posted a phishing link to the discord channel Mutant Ape Kennel Club, disguised as a “disguised” NFT mint and used to steal MAYC artwork number 8662 from one user."

 

"A fraudulent "mint" link was sent to followers. Some appear to have taken the bait."

 

"In a tweet, the BAYC team confirmed that their Discord server’s compromise was true, and during the time that it was compromised." "The BAYC team said in its tweet that it had ‘caught’ the issue immediately. Nevertheless, the team cautioned users not to mint any NFT using a link posted on its Discord and reminded observers that it had no plans for any April Fools stealth mints."

 

"STAY SAFE. Do not mint anything from any Discord right now. A webhook in our Discord was briefly compromised. We caught it immediately but please know: we are not doing any April Fools stealth mints / airdrops etc. Other Discords are also being attacked right now."

 

"Although the NFTs in the MAYC collection have a floor price of 23.6 ETH ($77.4k), the NFT 8862 had a lower bid to its name of about 21.3 ETH ($69.5k). While reports began appearing early on, it was only after this theft that people started taking this seriously."

 

"According to Serpent, the Ticket Tool was the real source of the hack."

 

"The user also stated that according to the inside information received from the hackers, the official Captcha Bot was also hacked and that the source code had been stolen."

 

"I have received inside information from one of the hackers. THE OFFICIAL CAPTCHA BOT IS HACKED, REMOVE IT FROM YOUR SERVER. BAYC & Doodles have already been hacked within the last 30 minutes but MANY MORE SERVERS WILL BE HACKED."

 

"This is not 100% confirmed to be the root cause of these hacks but remove it from your servers to stay safe and use a different verification bot."

 

"I was told that the owner of Captcha Bot (ImDarkDiamond) was compromised and the source code was stolen (This part is 100% confirmed)" "Last I was told, owner of captcha bot was hacked, the source code was stolen and they were going to extort him. The bot doesn't seem compromised currently but I would still stay far away from it. REAL source of the hack is 100% confirmed to be Ticket Tool." "Security researchers said a ticketing tool that checks users and sends out notifications across the channel has been compromised."

 

"As of the time of writing, BAYC has only issued a precautionary message for all its Discord members to be wary about the messages that appear on their Discord server by tweeting."

 

“STAY SAFE. Do not mint anything from any Discord right now. A webhook in our Discord was briefly compromised. We caught it immediately but please know: we are not doing any April Fools stealth mints / airdrops etc. Other Discords are also being attacked right now.”

 

"The hacker posted a fraudulent link to a copycat of the Bored Ape Yacht Club website, where a safeTransferFrom attack asked users to connect their MetaMask to the scammer's wallet in order to participate in a fake Airdrop," a spokesperson told CoinDesk via email. "At 9:53am ET, we alerted our community, removed all links to Instagram from our platforms and attempted to recover the hacked Instagram account."

 

"The wallets of those who clicked the link have now been compromised, with a series of Bored Apes and Mutant Apes being transferred to new wallets by the hackers." "At the time of writing, it is estimated that around 24 Bored Apes and 30 Mutant Apes have been stolen, according to recent OpenSea transfers, although some of these may be holders transferring their non-fungible tokens for security purposes."

 

"The value of the 54 NFTs calculated by floor price is $13.7 million. Yuga Labs says the scope of the attack is far smaller."

 

"Rough estimated losses due to the scam are 4 Bored Apes, 6 Mutant Apes, and 3 BAKC, as well as assorted other NFTs estimated at a total value of ~$3m," the spokesperson said. "We are actively working to establish contact with affected users."

 

"Rip another person has fallen victim to the verified Twitter BAYC phishing scam. This time Jay Chou a popular music artist in Asia. Over $550k (169 ETH) of NFTs were stolen. Most notably a BAYC, MAYC, & two Doodles."

 

"I just got hacked and the guy just transferred my NFT to a new account. I lost 0.8 ETH. That was all [I] have. They don't care how hard it can be for the victim. I'm really sad"

 

"Got scammed for 0.45 eth on namesake of bored ape. My call my loss, thanks for keeping people safe out there."

 

"I always wanted an ape. I tried; it was my first ever time trying to buy anything on OpenSea or Discord. Lost all funds in my MetaMask wallet. Just wanted to be a part of something. The positive part about it: I was able to purchase 11 coins."

The Bored Ape Yacht Club Discord server was breached through the permissions granted to the widely used Ticket Tool bot. With that access, the attacker posted an announcement advertising a new minting opportunity. Users who followed the link and signed the transaction it presented granted the attacker permission to transfer assets out of their wallets. Multiple users report losing NFTs, and there have been no reports of recovery.
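The signature step is where the loss actually happened: the copycat site asked holders to sign a transaction that approved or transferred their tokens. The following added example (not code from the page or from Yuga Labs) decodes raw ERC-721 calldata and classifies it from the holder's point of view; the function selectors are the standard ERC-721 ones, and the trusted-operator list is an assumed allowlist the holder supplies.

```python
# Added example: inspect the calldata a dApp asks a wallet to sign and flag
# ERC-721 calls that would hand a token (or a whole collection) to a third party.
# Selectors are the standard 4-byte ids of the ERC-721 interface functions.
SELECTORS = {
    "a22cb465": ("setApprovalForAll", ["address", "bool"]),
    "095ea7b3": ("approve", ["address", "uint256"]),
    "42842e0e": ("safeTransferFrom", ["address", "address", "uint256"]),
    "b88d4fde": ("safeTransferFrom", ["address", "address", "uint256", "bytes"]),
    "23b872dd": ("transferFrom", ["address", "address", "uint256"]),
}

def _word(data: bytes, i: int) -> bytes:
    """Return the i-th 32-byte ABI head word that follows the 4-byte selector."""
    return data[4 + 32 * i: 4 + 32 * (i + 1)]

def decode_call(calldata_hex: str):
    """Decode a recognised ERC-721 call into (name, [args]); None if unknown."""
    hexstr = calldata_hex[2:] if calldata_hex.startswith("0x") else calldata_hex
    data = bytes.fromhex(hexstr)
    sel = data[:4].hex()
    if sel not in SELECTORS:
        return None
    name, types = SELECTORS[sel]
    args = []
    for i, t in enumerate(types):
        w = _word(data, i)
        if t == "address":
            args.append("0x" + w[12:].hex())      # address is the low 20 bytes
        elif t == "bool":
            args.append(w[-1] == 1)
        elif t == "uint256":
            args.append(int.from_bytes(w, "big"))
        else:
            args.append(None)                     # dynamic 'bytes': head holds only an offset
    return name, args

def assess(calldata_hex: str, my_wallet: str, trusted_operators=()) -> str:
    """Classify a pending signature request from the token holder's point of view."""
    decoded = decode_call(calldata_hex)
    if decoded is None:
        return "UNKNOWN: not a recognised ERC-721 call"
    name, args = decoded
    me = my_wallet.lower()
    trusted = {t.lower() for t in trusted_operators}   # e.g. a marketplace you use
    if name == "setApprovalForAll" and args[1] and args[0] not in trusted:
        return f"DANGER: grants {args[0]} control of every token in this collection"
    if name == "approve" and args[0] not in trusted:
        return f"WARNING: grants {args[0]} control of token #{args[1]}"
    if name in ("safeTransferFrom", "transferFrom") and args[0] == me and args[1] != me:
        return f"DANGER: moves token #{args[2]} out of your wallet to {args[1]}"
    return "OK: no outgoing approval or transfer detected"
```

A genuine mint never needs the holder to sign a `setApprovalForAll` or a `safeTransferFrom` from their own address, so either verdict on a "mint" page is the tell.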

HOW COULD THIS HAVE BEEN PREVENTED?

The lesson here is about least privilege: an account or tool was granted more privileges than its job required. Running an integration with full permissions when it does not need them widens the blast radius of a compromise and increases the breach window.
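One concrete way to apply that lesson is to audit the permission bitmask a bot invite requests before adding it to a server. The following is an added example (not Ticket Tool's or Discord's own code): the bit positions are Discord's documented permission flags, while the "needed" profile for a ticketing bot is an assumed least-privilege set, not the real bot's manifest.

```python
# Added example: check a Discord bot invite URL's requested permissions against
# an assumed least-privilege profile for a ticketing bot and flag the excess.
from urllib.parse import urlparse, parse_qs

# Discord's documented permission flag bits (subset relevant here).
PERMS = {
    "CREATE_INSTANT_INVITE": 1 << 0,
    "KICK_MEMBERS": 1 << 1,
    "BAN_MEMBERS": 1 << 2,
    "ADMINISTRATOR": 1 << 3,
    "MANAGE_CHANNELS": 1 << 4,
    "MANAGE_GUILD": 1 << 5,
    "VIEW_CHANNEL": 1 << 10,
    "SEND_MESSAGES": 1 << 11,
    "MANAGE_MESSAGES": 1 << 13,
    "EMBED_LINKS": 1 << 14,
    "ATTACH_FILES": 1 << 15,
    "READ_MESSAGE_HISTORY": 1 << 16,
    "MENTION_EVERYONE": 1 << 17,
    "MANAGE_ROLES": 1 << 28,
    "MANAGE_WEBHOOKS": 1 << 29,
}
# Any of these lets a compromised bot broadcast as the server or widen its own access.
HIGH_RISK = {"ADMINISTRATOR", "MANAGE_GUILD", "MANAGE_ROLES",
             "MANAGE_WEBHOOKS", "MENTION_EVERYONE"}
# Assumed profile: open a ticket channel, talk in it, attach files. Nothing else.
TICKET_BOT_NEEDS = {"VIEW_CHANNEL", "SEND_MESSAGES", "MANAGE_CHANNELS",
                    "EMBED_LINKS", "READ_MESSAGE_HISTORY", "ATTACH_FILES"}

def names(mask: int) -> set:
    """Expand a permission integer into the flag names it contains."""
    return {n for n, bit in PERMS.items() if mask & bit}

def mask_of(perm_names) -> int:
    """Build the permission integer for a set of flag names."""
    m = 0
    for n in perm_names:
        m |= PERMS[n]
    return m

def audit_invite(url: str, needed=TICKET_BOT_NEEDS) -> dict:
    """Report what an OAuth bot invite over-requests and a trimmed mask to use instead."""
    q = parse_qs(urlparse(url).query)
    requested = names(int(q.get("permissions", ["0"])[0]))
    excess = requested - set(needed)
    return {
        "requested": requested,
        "excess": excess,
        "high_risk": excess & HIGH_RISK,
        "least_privilege_mask": mask_of(needed),
        "verdict": "REJECT" if excess & HIGH_RISK else ("TRIM" if excess else "OK"),
    }
```

Re-invite the bot with `least_privilege_mask` in the `permissions=` parameter, and repeat the check whenever the bot's role is edited, since role changes after installation are where permissions quietly grow.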

 

Ideally, key actions such as banning moderators or posting global announcements would be set up so that approval from multiple people is required. With that in place, a single compromised bot or account would be nearly unable to carry out a breach on its own.

 

In our framework, we advocate training platform operators on incidents such as these, and we require two separate security sign-offs before a project launches, which would likely catch weak security practices. A discretionary treasury fund is available to cover losses, in addition to whatever treasury the projects themselves hold.

 


 For questions or enquiries, email info@quadrigainitiative.com.


© 2021 Quadriga Initiative.