$1M+ Bored Ape Collection Stolen by Social Engineering

Bored Ape Yacht Club NFTs have become a crypto culture mainstay. As one of the most well-known collections in the NFT world, it has also become a popular target for fraudsters, hackers, and other unsavory characters.

As the NFT sector expands, so does the sophistication of attacks and attackers. This was on full display over the weekend, when a clever scheme culminated in the theft of a huge Bored Ape collection.

Bored Apes Blues

Hacks and exploits aimed at owners of Bored Apes are nothing new. Case studies around the collection have been accumulating for over a year: from Hollywood star Seth Green to whole Discord vulnerabilities, we’ve seen a wide range of effective attacks on BAYC holders.

While it is not Yuga Labs’ responsibility, these attacks highlight how important wallet security is for owners of the popular NFT collection. Furthermore, these incidents are far from exclusive to Bored Ape Yacht Club and can be found across all of the main ‘blue chip’ NFT collections.

The most recent example of all of this occurred over the weekend and involved extraordinary levels of social engineering, serving as a clear reminder to the community that being diligent and detail-oriented nowadays just isn’t enough to secure your assets.

Dissecting the Breach

The recent hack resulted in the theft of 14 Bored Ape Yacht Club NFTs from a single owner through a clever strategy that included high-level social engineering.

The hack demonstrates the degree of detail and labor that exploiters are prepared to put in today. The hacker swiftly liquidated the NFTs for around 850 ETH, or slightly more than $1 million. A comprehensive thread from prominent web3 security expert @Serpent deconstructs the scenario succinctly and thoroughly.

The social engineering approach involved the hacker posing as a casting director at an LA-based studio looking to license an NFT for a large amount. The studio exists, but the alias used by the hacker does not. The scheme also relied on fake email domains, hours of calls, false partnership proposals, and other elements.