QI Quadriga Initiative

Jun 2022 - Bored Ape Yacht Club Discord Hacked Again - $360k (Global)

"A limited NFT collection where the token itself doubles as your membership to a swamp club for apes. The club is open! Ape in with us." "The Bored Ape Yacht Club is a collection of 10,000 unique Bored Ape NFTs— unique digital collectibles living on the Ethereum blockchain. Your Bored Ape doubles as your Yacht Club membership card, and grants access to members-only benefits, the first of which is access to THE BATHROOM, a collaborative graffiti board. Future areas and perks can be unlocked by the community through roadmap activation."

"BAYC was created by four friends who set out to make some dope apes, test our skills, and try to build something (ridiculous). GARGAMEL. STARCRAFT OBSESSED. EATS SMURFS. GORDON GONER. REFORMED LEVERAGE ADDICT. EMPEROR TOMATO KETCHUP. SPENT ALL THEIR MONEY ON FIRST PRESSES AND PET-NAT. NO SASS. HERE FOR THE APES. NOT FOR THE SASS."

"Each Bored Ape is unique and programmatically generated from over 170 possible traits, including expression, headwear, clothing, and more. All apes are dope, but some are rarer than others. The apes are stored as ERC-721 tokens on the Ethereum blockchain and hosted on IPFS. (See Record and Proof.) Purchasing an ape costs 0.08 ETH. To access members-only areas such as THE BATHROOM, Apeholders will need to be signed into their Metamask Wallet."

"When you buy a Bored Ape, you’re not simply buying an avatar or a provably-rare piece of art. You are gaining membership access to a club whose benefits and offerings will increase over time. Your Bored Ape can serve as your digital identity, and open digital doors for you."

"The BAYC Bathroom will become operational once the presale period is over. It contains a canvas accessible only to wallets containing at least one ape. Like any good dive bar bathroom, this is the place to draw, scrawl, or write expletives. Each ape-holder will be able to paint a pixel on the bathroom wall every fifteen minutes. Think of it as a collaborative art experiment for the cryptosphere. A members-only canvas for the discerning minds of crypto twitter. We're pretty sure it's going to be full of dicks."

"Another day, another stolen ape, and the Bored Ape Yacht Club Discord hacked again. In the wee hours of the morning on June 4th, an attacker was able to compromise mod accounts and bots in the BAYC and Otherside Discord servers, and posted a malicious giveaway link. Victims thinking they would receive a giveaway approved the attacker to transfer their NFTs, resulting in 180+ ETH of losses."

"Since Otherside was one of our biggest successors for both our team and all of our holders that currently own one, we decided to drop the final giveaway to holders as a small token of our appreciation." "OthersideMeta [was] due to launch later th[e same] week."

"[T]he phishing scam added a sense of urgency, stating that only a limited amount of NFTs was available to be minted, which likely pushed visitors to abandon caution and rush to mint the free giveaway." "Please note that there's only a limited quantity. If you are a holder and you were too slow to get one and unfortunately did pay a high gas fee, we process over the next coming days. (Just be patient!)"

"Hackers reportedly stole over $257,000 in Ethereum and thirty-two NFTs after the Yuga Labs' Bored Ape Yacht Club and Otherside Metaverse Discord servers were compromised to post a phishing scam." "News of the hack was first reported by Twitter user NFTherder, who also estimates 145 ETH (around $260,000) was stolen along with the NFTs, tracing the stolen funds back to four separate wallets."

"Yuga Labs later confirmed the exploit occurred in a tweet of its own, saying it is still actively investigating the incident. It did so 11 hours after NFTHerder's tweet."

"Fortune reported that the hack was the result of a phishing attack that compromised the Discord account of Boris Vagner, the project’s community manager. After obtaining Vagner’s login credentials, the attacker posted fake links in the Discord channels of the official BAYC and its related metaverse project called Otherside, according to the report."

"Vagner is also the manager of his brother, the Grammy-winning multi-instrumentalist Richard Vagner, who co-founded an NFT fantasy football club called Spoiled Banana Society (SPS) with Boris. The attacker also posted a phishing link in the SPS Discord channel, though the message was subsequently deleted, Richard said."

"Once a user visited the page and attempted to mint the giveaway, the page likely stole all Ethereum and NFTs held in the linked wallet." "The attacker tricked users into providing approval to transfer their tokens. Some users got NFTs from multiple collections stolen, which suggests they approved several unique transactions. This attack did not just target BAYC/MAYC assets, but anything valuable that wasn’t nailed down."

"According to blockchain cybersecurity firm PeckShield, approximately 32 NFTs were stolen, including those from the Bored Ape Yacht Club, Otherdeed, Bored Ape Kennel Club, and Mutant Ape Yacht Club projects."

"There has been no communication yet from Yuga Labs or the Otherside team about the hack, either as a warning, or a postmortem. Users should assume the Discords are still compromised until otherwise notified by the teams. If you’re in those servers – do not click any links, do not open any files, and do not accept any DMs!"

"As of now, the attacker seems to have finished his crime spree, and cashed out the NFTs. Ether from the attack wallet has been transferred to a named account, federalinformant.eth, who also funded the attacker initially. Funding an attack from a public wallet is quite a brazen move, and may place him at risk of discovery."

"Yuga Labs is still investigating the compromise and is warning potential customers about the contents of these phishing messages: “As a reminder, we do not offer surprise mints or giveaways,” Yuga Labs tweeted."

Further Analysis

The Bored Ape Yacht Club and Otherside Discord servers were breached through the account of Boris Vagner, the project's community manager, whose login credentials were obtained by phishing. Because that account carried the permissions needed to post announcements, the attacker could publish a "surprise mint" message from an official channel, and the urgency of a limited free drop did the rest. Users who followed the link and signed the transaction on the phishing site were not minting anything: the transaction was a token approval (for ERC-721 collections such as BAYC, typically a setApprovalForAll call) that let the attacker's address transfer every token of that collection out of the victim's wallet. Since each collection needs its own approval, victims who lost NFTs from several collections signed several such transactions. Multiple users report losing NFTs and there have been no reports of recovery.
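
The approval mechanism described above, as an added example that is not code from the page, from Yuga Labs or from any wallet vendor: a wallet-side check that decodes the pending transaction's calldata and warns when a supposed "mint" is in fact an approval naming an operator the user has not chosen. It assumes the wallet exposes the unsigned transaction's `to` and `data` fields (as a signing prompt does) and that the user keeps a list of operators (marketplaces) they knowingly approved. The 4-byte selectors are the standard ERC-721/ERC-20 ones; every address in the sample is a constructed placeholder, not the BAYC contract or the attacker's wallet.

```python
"""Decode an unsigned Ethereum transaction's calldata and flag calls that
hand a third party the right to move the signer's tokens.

Added example; not code from the page, Yuga Labs or any wallet. Assumes the
wallet exposes the pending transaction's `to` and `data` fields and the user
keeps a list of operators they trust. Selectors are the standard ERC-721 /
ERC-20 ones; all addresses below are constructed placeholders.
"""
from typing import FrozenSet, Optional

ZERO_ADDRESS = "0x" + "00" * 20

# First 4 bytes of keccak256(canonical signature); fixed by the token standards.
APPROVAL_SELECTORS = {
    "a22cb465": "setApprovalForAll(address,bool)",  # ERC-721/1155: operator may move every token
    "095ea7b3": "approve(address,uint256)",         # ERC-721 one token id / ERC-20 allowance
}


def _strip0x(h: str) -> str:
    return h[2:] if h.startswith(("0x", "0X")) else h


def _word(data: bytes, i: int) -> bytes:
    """The i-th 32-byte ABI word after the 4-byte selector."""
    start = 4 + 32 * i
    return data[start:start + 32]


def decode_approval(calldata_hex: str) -> dict:
    """Describe what an approval-type call grants. Calls that are not approvals
    (a real mint, a transfer) come back with grants_transfer_rights=False."""
    data = bytes.fromhex(_strip0x(calldata_hex))
    info = {"selector": data[:4].hex() if len(data) >= 4 else None,
            "function": None, "operator": None, "scope": None,
            "grants_transfer_rights": False}
    sig = APPROVAL_SELECTORS.get(info["selector"])
    if sig is None:
        return info
    if len(data) < 4 + 2 * 32:
        raise ValueError("approval calldata is truncated")
    # An address is right-aligned in its 32-byte word: drop 12 bytes of padding.
    operator = "0x" + _word(data, 0)[12:].hex()
    arg = int.from_bytes(_word(data, 1), "big")
    info.update(function=sig, operator=operator)
    if sig.startswith("setApprovalForAll"):
        # approved=true lets the operator transfer every token the signer holds
        # in this collection, now and later, until revoked with approved=false.
        info["grants_transfer_rights"] = arg == 1
        info["scope"] = "every token in the collection"
    else:
        # approve(): ERC-721 grants one token id, ERC-20 sets an allowance.
        # approve(0x0, id) is the ERC-721 revocation. An ERC-20 amount of 0 is
        # also a revocation, but calldata alone cannot tell the standards apart.
        info["grants_transfer_rights"] = operator != ZERO_ADDRESS
        info["scope"] = "token id (ERC-721) or allowance (ERC-20) %d" % arg
    return info


def check_transaction(tx: dict, trusted_operators: FrozenSet[str]) -> Optional[str]:
    """Warning text for the signing prompt, or None when nothing looks wrong.
    Someone who expects to mint should never see a warning: a mint is not an approval."""
    info = decode_approval(tx["data"])
    if not info["grants_transfer_rights"]:
        return None
    if info["operator"].lower() in {a.lower() for a in trusted_operators}:
        return None
    return ("WARNING: this is not a mint. %s on contract %s lets %s move %s. "
            "Reject unless you deliberately chose this operator."
            % (info["function"], tx["to"], info["operator"], info["scope"]))


def encode_set_approval_for_all(operator: str, approved: bool) -> str:
    """ABI-encode setApprovalForAll(operator, approved); used to build the samples."""
    return ("0xa22cb465"
            + _strip0x(operator).lower().rjust(64, "0")
            + ("1" if approved else "0").rjust(64, "0"))


# Constructed sample: placeholder addresses, not the BAYC contract or the attacker.
COLLECTION = "0x" + "11" * 20
ATTACKER = "0x" + "aa" * 20
MARKETPLACE = "0x" + "bb" * 20

PHISHING_TX = {"to": COLLECTION, "data": encode_set_approval_for_all(ATTACKER, True)}
LISTING_TX = {"to": COLLECTION, "data": encode_set_approval_for_all(MARKETPLACE, True)}
REVOKE_TX = {"to": COLLECTION, "data": encode_set_approval_for_all(ATTACKER, False)}
MINT_TX = {"to": "0x" + "22" * 20, "data": "0x1249c58b"}  # mint(): no approval involved

if __name__ == "__main__":
    for name, tx in [("phishing", PHISHING_TX), ("listing", LISTING_TX),
                     ("revoke", REVOKE_TX), ("mint", MINT_TX)]:
        print(name, "->", check_transaction(tx, frozenset({MARKETPLACE})))
```

Run as a script, it warns on the phishing-style transaction and stays silent for the marketplace listing, the revocation and the plain mint. The same decoder is what an investigator runs over a victim's transaction history after the fact: it shows which collections were approved and to whom, so the approvals can be revoked (setApprovalForAll with approved=false) before any remaining tokens are moved.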

How Could This Have Been Prevented?

The lesson here is about granting an account or tool more privileges than it needs. Running day-to-day community work from a fully-permissioned account widens the breach window: one phished credential became announcement rights across several official servers. A weak password, or a login without two-factor authentication, is a problem on its own, and phishing-resistant 2FA (a hardware key rather than an SMS code that the same phishing page can relay) limits what a stolen password alone can do. Ideally, key actions such as removing moderators or posting global announcements would require approval from more than one person, so that a single compromised account cannot carry out the attack by itself. Users, for their part, should read what a wallet prompt actually asks them to sign: a mint does not require an approval, and an approval naming an unfamiliar address should be rejected. In our framework, we advocate for training platform operators about incidents such as these, and require the approval of two separate security sign-offs for a project to launch, which would likely catch weak security practices of this kind. A discretionary treasury fund is available to cover losses, in addition to whatever treasury is available with projects directly.

Sources/Further Reading

https://fortune.com/2022/06/04/bored-ape-yacht-clubs-discord-server-was-hacked-with-360000-in-nfts-stolen-blame-debated/ (Jun 19)
BAYC (Jun 19)
https://opensea.io/collection/boredapeyachtclub (Jun 19)
https://bowtiedisland.com/breaking-bored-ape-yacht-club-discord-hacked/ (Jun 20)
@0xEthanDG Twitter (Jun 20)
@0xEthanDG Twitter (Jun 20)
Bored Ape Yacht Club hacked again, loses $360,000 in NFTs | Mashable (Jun 20)
@BoredApeYC Twitter (Jun 20)
Bored Ape Yacht Club Discord Server Hacked, $360K Worth of NFTs Stolen (Jun 20)
Breaking: Bored Ape, Otherside Discords Hacked Again (Jul 7)
@yugalabs Twitter (Dec 31)


t.me/QuadrigaInitiative /r/QuadrigaInitiative @QuadrigaInit info@quadrigainitiative.com

Your use of this site/service accepts the Terms of Use and Privacy Policy. This site is not associated with Ernst & Young, Miller Thompson, or the Official Committee of Affected User. For questions or enquiries, email info@quadrigainitiative.com.