BORED APE YACHT CLUB

DESCRIPTION OF EVENTS

"A limited NFT collection where the token itself doubles as your membership to a swamp club for apes. The club is open! Ape in with us." "The Bored Ape Yacht Club is a collection of 10,000 unique Bored Ape NFTs— unique digital collectibles living on the Ethereum blockchain. Your Bored Ape doubles as your Yacht Club membership card, and grants access to members-only benefits, the first of which is access to THE BATHROOM, a collaborative graffiti board. Future areas and perks can be unlocked by the community through roadmap activation."

"BAYC was created by four friends who set out to make some dope apes, test our skills, and try to build something (ridiculous). GARGAMEL. STARCRAFT OBSESSED. EATS SMURFS. GORDON GONER. REFORMED LEVERAGE ADDICT. EMPEROR TOMATO KETCHUP. SPENT ALL THEIR MONEY ON FIRST PRESSES AND PET-NAT. NO SASS. HERE FOR THE APES. NOT FOR THE SASS."

"Each Bored Ape is unique and programmatically generated from over 170 possible traits, including expression, headwear, clothing, and more. All apes are dope, but some are rarer than others. The apes are stored as ERC-721 tokens on the Ethereum blockchain and hosted on IPFS. (See Record and Proof.) Purchasing an ape costs 0.08 ETH. To access members-only areas such as THE BATHROOM, Apeholders will need to be signed into their Metamask Wallet."

"When you buy a Bored Ape, you’re not simply buying an avatar or a provably-rare piece of art. You are gaining membership access to a club whose benefits and offerings will increase over time. Your Bored Ape can serve as your digital identity, and open digital doors for you."

"The BAYC Bathroom will become operational once the presale period is over. It contains a canvas accessible only to wallets containing at least one ape. Like any good dive bar bathroom, this is the place to draw, scrawl, or write expletives. Each ape-holder will be able to paint a pixel on the bathroom wall every fifteen minutes. Think of it as a collaborative art experiment for the cryptosphere. A members-only canvas for the discerning minds of crypto twitter. We're pretty sure it's going to be full of dicks."

"The Instagram account of the Bored Ape Yacht Club NFT project was hacked on Monday, [April 25th,] it announced via Twitter, reportedly resulting in millions of dollars worth of NFTs being stolen."

"CoinDesk reported that the hackers announced a fake airdrop, or distribution of NFTs, encouraging users to click a fraudulent link which would give the hackers control of their wallets. The fraudulent link, which looked like the Bored Ape Yacht Club website, reportedly claimed users could mint "land" in upcoming Web3 project OthersideMeta."

The project said in a tweet that "There is no mint going on today," warning users to "not mint anything, click links, or link your wallet to anything." Vice reported that a moderator in the Bored Ape Yacht Club Discord channel posted: "THERE IS A FAKE LAND MINT WEBSITE BEING SHARED BY THE BAYC IG. DO NOT MINT ANYTHING."

"There is no mint going on today. It looks like BAYC Instagram was hacked. Do not mint anything, click links, or link your wallet to anything."

"It's currently unknown how the hackers got into the Bored Ape Yacht Club Instagram account. A Yuga Labs spokesperson told Vice that it had removed all links to Instagram from its services, alerted the community and has attempted to recover the account just before 10 a.m. ET this morning."

“Two-factor authentication was enabled and the security practices surrounding the IG account were tight," the spokesperson told Vice. "Yuga Labs and Instagram are currently investigating how the hacker was able to gain access to the account. We’re still investigating." "Yuga Labs and Instagram are still investigating how the account was compromised, the spokesperson said."

"The wallets of those who clicked the link have now been compromised, with a series of Bored Apes and Mutant Apes being transferred to new wallets by the hackers." "According to Vice, NFTs from Yuga Labs, including Bored Ape, Mutant Ape and Kennel Club NFTs, worth a total value of $2.7 million, were stolen in the hack. On Etherscan, the hacker's wallet has been flagged as being part of a phishing scam."

"After identifying the breach, BAYC alerted its community and removed all links to Instagram from their platforms, as attempts to recover the hacked account picked pace." "Yuga Labs is trying to get in touch with the hackers to reach a settlement."

"Rough estimated losses due to the scam are 4 Bored Apes, 6 Mutant Apes, and 3 BAKC, as well as assorted other NFTs estimated at a total value of ~$3m," the spokesperson said. "We are actively working to establish contact with affected users."

"Omg I connected and lost my 54 bored apes. wtf"

"I lost my entire life savings and my children will go hungry due to the Instagram hack of my apes. Pls can you redeem the lost jpegs so we can all have our money back? My wife threatened to take the kids but I told her that hopefully someone at BAYC hq has a backup of the pics."

"Lost 0.75 eth no much but a lot to me... [G]utted. Cannot believe I fell for it. Usually so careful."

"All of 300 bored apes now lost."

"Dude give me back my apes bro! Fiduciary duty compels you to bless me with an ape."

"Lost all my nft and crypto because of this."

"Lost 3 of my apes…"

"OMG! [A]ll 24 apes in my wallet are gone. [I] borrowed this money from my work credit card [and I] was not meant to. [C]an we fork BAYC to get them back to me[?]"

"[I] lost 8 of my apes, 6 lazy lions, 4 cryptopunks and 3 crazy crocodiles. [M]y life is ruined[. T]hat was my life savings. [Y]ou killed me."

The Bored Ape Yacht Club Instagram account was successfully breached despite apparently using 2 factor authentication. This allowed the attacker to post an announcement on the channel, letting users know about a new minting opportunity with the OthersideMeta project, due to launch a week later. Once users clicked the link and signed the transaction, this would grant permissions to take their funds. Multiple users report losing NFTs and there have been no reports of recovery.

HOW COULD THIS HAVE BEEN PREVENTED?

The primary issue here for the Bored Ape Yacht Club is about having strong passwords for all accounts.

Users of wallets need to exercise extreme care when interacting. Always check for information from multiple official sources.

In our framework, we advocate for training platform operators about incidents such as these, and require the approval of two separate security sign-offs for a project to launch, which would likely catch any weak security practices. A discretionary treasury fund is available to cover losses, in addition to whatever treasury is available with projects directly.

Check Our Framework For Safe Secure Exchange Platforms

BAYC (Jun 19)
https://opensea.io/collection/boredapeyachtclub (Jun 19)
@Ian51079997 Twitter (Jun 19)
@dingdingETH Twitter (Jun 19)
@onelifeownit Twitter (Jun 19)
@NftSpooky Twitter (Jun 19)
@hitcoinmaxi Twitter (Jun 19)
@cosmicartcult Twitter (Jun 19)
@nftdefiyer Twitter (Jun 19)
@ChristianUmanaC Twitter (Jun 19)
@ChristianUmanaC Twitter (Jun 19)
@BoredApeYC Twitter (Jun 19)
Bored Ape Yacht Club's Instagram was hacked - Protocol (Jun 20)
NFTs Stolen After Bored Ape Yacht Club Instagram, Discord Hacked (Jun 19)
@zachxbt Twitter (Jun 20)
https://etherscan.io/address/0x8c7934611b6ad70fbea13a1593de167a4689b9a9 (Jun 20)
Bored Ape Yacht Club, Otherside NFTs Stolen in Discord Server Hack - Privacy Ninja (Jun 20)
Bored Ape Yacht Club Instagram, Discord Hacked, NFTs Worth $13.7 Million Stolen | Technology News (Jun 20)
@zachxbt Twitter (Jun 20)
Hackers Broke Into Bored Ape Yacht Club's Official Instagram and Made Off With Nearly $3 Million Worth of Stolen NFTs (Aug 30)
Cryptocurrency heists are getting more ambitious — and costlier to investors - CBS News (Nov 30)

More case studies

Muon Airdrop
Scam

Moonbirds
Airdrop Phishing