NFTs are a modern day buzzword. Many people, especially the younger generations who are tech savvy are showing high interest in NFTs. Because of this, hackers have been looking to exploit this interest by using methods to acquire them illegally using their schemes to profit in any way possible.

What are NFTs?

An acronym for Non Fungible Tokens, NFTs are this exciting technology that everyone seems to want to get into but most don’t seem to actually know a thing about.

NFTs are non-fungible. Money is fungible. If I decide to trade RM1 for another RM1, I am still gonna end up with RM1. But if I trade one NFT for another NFT, I will not have the same NFT.
I would wind up with something entirely different. This is because an NFT is a form of digital art with data in it that gives it a unique signature.

So just like there is only one original Mona Lisa, there is always only one original NFT. So NFTs are like art on the internet. They don’t actually exist physically, but for some reason have a lot of value (the reason is their scarcity).

How NFTs are valued?

An NFT can be anything from an image to a song to a tweet to a text and other various forms of digital content. So anyone that owns an NFT owns a digital file that is marked with a unique data signature proving that it is an original and no other of its kind exists anywhere in the world.

Because NFTs have value, they attract a lot of suitors. Art collectors just love collecting and will collect anything that is collectable, resellers love the spikes in value and hackers love to steal them. The latter was the case with the enormously famous NFT collection, Bored Ape Yacht Club.

What is the Bored Ape Yacht Club?

I know it sounds like a hippy cult, but that name is actually more valuable than the screen you’re reading this from. Bored Ape Yacht Club is a collection of 10000 unique NFTs that exist on the Ethereum blockchain. Ethereum is a cryptocurrency. Blockchain is a decentralized system that allows for the recording of information in a manner where hacking, changing or cheating the system is extremely difficult if not impossible.

All these modern-day technologies make it possible for NFTs to not only exist but also have enormous value. I know what question is on your mind. If hacking is extremely difficult or even impossible, then how did Bored Ape Yacht Club get hacked? Well, this is where phishing comes in.

So, What Happened?

Phishing is a social engineering technique where a hacker will send a fraudulent message to potential victims, prompting them to reveal sensitive information that the hacker can then use to exploit or steal from their victims. Phishing is what made this theft of NFTs possible.

In April, the Bored Ape Yacht Club’s official Instagram account was hacked. The hacker, with the use of phishing, was then able to steal millions of dollars worth of these non-fungible tokens from the account’s followers. The hacker was able to do this because the compromised account already had the trust of its millions of followers. So if the account was to instruct its followers to do something, many of them would do so without even a whim of doubt. And this was precisely what transpired.

The hacker used the Bored Ape Yacht Club official Instagram account to redirect users to a fake BAYC website that impersonated the original Bored Ape Yacht Club website. Users would be presented with a phoney airdrop advertisement once they visit the fake website.

In the world of crypto, an airdrop is a marketing technique where a company sends out unsolicited cryptocurrency tokens for free to wallet addresses of other cryptocurrency traders, usually for free, in exchange for a small promotional service or to encourage engagement in other company projects.

In the case of the Bored Ape Yacht Club hack, the hacker claimed to be offering access to an upcoming Bored Ape project for any users that would connect their MetaMask crypto wallets to the site. However, once users did this, all digital assets in their wallets would be taken by the site and transferred to the hacker’s wallet.

It was reported that the hacker was able to acquire about 134 NFTs into this wallet, with many of them Bored Ape assets. It was roughly estimated that financial losses due to the scam amounted to about $3 million.

How hackers got in, remains a mystery

What is particularly interesting about this attack is that the Bored Ape Yacht Club Instagram account adhered to all of the best practices for securing your Instagram account as suggested by Instagram. Two-factor authentication was also enabled. So how the hacker was still able to gain access to the account remains a mystery, even though Bored Ape Yacht Club did reclaim their account successfully.
NFTs are scarce. Their scarcity makes them extremely valuable. NFT giants like the Bored Ape Yacht Club have reportedly driven over $1 billion dollars in sales globally. And with the spikes in the value of an NFT, the same NFTs that have driven $1 Billion dollars in sales could resell for even higher prices, further driving total sales.

Thieves such as hackers are aware of this whooping value and will stop at nothing to find novel ways to acquire these NFTs from vulnerable crypto community members. And this is why the world of Crypto and Cybersecurity must stop at nothing to identify and mitigate any security vulnerabilities. Because it is clear that when it comes to the internet and cybersecurity, you can never be too secure.

Our Advice

For firms and companies present on the internet, more emphasis and importance must be put on training your teams on cybersecurity awareness so they are able to spot hackers’ modus operandi. Companies must also invest in security teams that are able to conduct a Vulnerability Assessment and Penetration Testing (VA/PT) on their IT environments to determine their threat to the business and apply appropriate action based on their analysis.

“One single vulnerability is all an attacker needs” – Window Snyder

Condition Zebra is a CREST certified and ISO 27001:2013 company that offers Professional Cybersecurity Solutions and Cybersecurity Training for Financial Services (Banks & Insurance), Government Ministries & Agencies, Government-linked companies (GLC) and SMEs in various other industries such as IT, Hospital & Healthcare, Construction, FMCG, Real Estate, Retail, Education Management, Accounting, Computer Software, Higher Education, Automotive, Transportation, Manufacturing and others.

Please reach out to us to protect and secure your company’s IT Infrastructure such as Network, Server, Web & Mobile apps, Internet (WiFi) and others.


1) NFTs Worth Millions Stolen After Bored Ape Yacht Club Instagram Hacked

Share this: