More Bored Apes stolen, this time in a Yuga Labs Discord hack. This is what you need to know.
- Yuga Labs Discord Hack
- Bored Ape Yacht Club Issues
Yuga Labs Discord Hack
The official Bored Ape Yacht Club (BAYC) Discord community suffered a phishing attack yesterday. The account of BAYC’s community manager Boris Vagner was compromised and used to send phishing emails to several members of the Discord.
“Our Discord servers were briefly exploited today. The team caught and addressed it quickly. About 200 ETH worth of NFTs appear to have been impacted,” Bored Ape Yacht Club said via Twitter.
As the vague “200 ETH worth of NFTs” implies, the phishing attack didn’t just involve BAYC NFTs; 200 ETH would only net you about two of those bad boys. According to CertiK, the stolen NFTs came from many different projects, including Alien Frens, Mutant Ape Yacht Club, Lazy Lions, and Invisible Friends. BAYC 3215 did change hands, though.
Update on BAYC #phishing attack.
Using CertiK’s #SkyTrace we can see the phishing attack victim’s NFTs (32) flow in & out of the attacker’s wallet, and the @TornadoCash tx.
Follow the NFT x-fers and funds yourself using SkyTrace 👇https://t.co/BhIWVu6J61 pic.twitter.com/PdmlzAQ5WV
— CertiK Alert (@CertiKAlert) June 4, 2022
Bored Ape Yacht Club told anyone affected by the phishing attack to email them. They also reminded members that they “do not offer surprise mints or giveaways.”
Yuga Labs And Bored Ape Yacht Club Issues
This isn’t the first time BAYC’s Discord was hacked. It’s also not just a problem for BAYC, seeing as many Discords have suffered the same attacks.
“Seems the @yugalabs hack is the increasingly common scam of promising something and then having you approve their contract to steal your NFTs,” The Ape Collector said via Twitter. “The site will scan what NFTs you have and then ask you to do a `setApprovalForAll` tx which allows them to transfer your NFTs to themselves.”
In other words, the approval transaction you sign with your wallet is what grants the attacker permission to move your NFTs. Nevertheless, many are still pinning the blame on the Discord community. In this case, the phishing attack succeeded because the community manager’s account fell into the wrong hands. Seeing him offer something outlandish didn’t raise alarm bells for some unfortunate community members.
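To show what a wallet is actually being asked to authorise in that step, here is an added example (not code from the article or from Yuga Labs) that decodes a pending transaction’s calldata and flags a `setApprovalForAll` grant to an operator the user does not already trust; it assumes the standard ERC-721/ERC-1155 selector for `setApprovalForAll(address,bool)`, and the addresses in it are constructed samples.

```python
# Added example, not from the article: decode a pending transaction's calldata
# and flag the blanket-approval pattern described above before signing.
# Assumes the standard ERC-721/ERC-1155 selector for setApprovalForAll(address,bool).

SET_APPROVAL_FOR_ALL = "a22cb465"  # first 4 bytes of keccak256("setApprovalForAll(address,bool)")

def decode_set_approval_for_all(calldata_hex):
    """Return (operator, approved) for a setApprovalForAll call, else None.

    ABI layout: 4-byte selector, then two 32-byte words: the operator address
    left-padded with zeros, and the bool flag encoded as 0 or 1.
    """
    data = calldata_hex.lower()
    if data.startswith("0x"):
        data = data[2:]
    if len(data) != 8 + 64 + 64 or data[:8] != SET_APPROVAL_FOR_ALL:
        return None
    operator_word, approved_word = data[8:72], data[72:136]
    if operator_word[:24] != "0" * 24 or int(approved_word, 16) not in (0, 1):
        return None  # malformed encoding: treat as unrecognised rather than guess
    return "0x" + operator_word[24:], int(approved_word, 16) == 1

def assess_approval(calldata_hex, trusted_operators):
    """Classify the transaction; 'grant_to_untrusted' is the phishing pattern."""
    decoded = decode_set_approval_for_all(calldata_hex)
    if decoded is None:
        return "not_set_approval_for_all"
    operator, approved = decoded
    if not approved:
        return "revoke"  # approved=False is how a user removes an operator
    trusted = {addr.lower() for addr in trusted_operators}
    return "grant_to_trusted" if operator in trusted else "grant_to_untrusted"

def encode_set_approval_for_all(operator, approved):
    """Build calldata for setApprovalForAll(address,bool); used here to make sample inputs."""
    addr_word = operator.lower()[2:].rjust(64, "0")
    flag_word = ("1" if approved else "0").rjust(64, "0")
    return "0x" + SET_APPROVAL_FOR_ALL + addr_word + flag_word

# Constructed sample addresses (not real contracts): a marketplace the user already
# trusts as an operator, and the unknown contract a phishing page asks the wallet to approve.
TRUSTED_MARKETPLACE = "0x" + "11" * 20
UNKNOWN_OPERATOR = "0x" + "ab" * 20

if __name__ == "__main__":
    phish_tx = encode_set_approval_for_all(UNKNOWN_OPERATOR, True)
    print(assess_approval(phish_tx, [TRUSTED_MARKETPLACE]))  # grant_to_untrusted
```

A wallet or browser extension can run the same check on the raw `data` field before showing the signing prompt; a grant to an operator outside the user’s allow-list is the moment to stop and read.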
This has led to a lot of criticism from the community, and even some suggestions on how to protect the investors better in the future.
Can @yugalabs hire some programmers & security experts that got rugged by @coinbase so that we don’t have any more discord hacks & gas wars? Or just use ERC721A. You don’t even have to acknowledge @AzukiOfficial. They gave it out for everyone to use!!!
— AshChild 🧬⛩🍌🌈 (@iamashchild) June 4, 2022
How to never get your discord hacked:
– only allow a single bot to post announcements
– post announcement on-chain
– the bot reads messages from on-chain and reposts them in discord
Please send tip if you implement this idea and save your users from getting hacked.
— cory.eth (@cory_eth) June 4, 2022
It’s unclear if any of this would actually help. You could update the tech all you want, but scammers tend to update their methods. There is no solving for human error.
can’t believe the discord exploit is turning into a “discord is bad” storyline when this is the fault of Yuga Labs. show some responsibility first before you shill some new web3 social you’re building 🤦♂️🤦♂️
— 3070.yo (@thirtyseventy_) June 5, 2022
The easiest solution unfortunately comes down to using common sense. At the end of the day, a phishing attack only works if you let it work.