Bored Phish: A dive into two BAYC phishing hacks in April and June 2022
Introduction
On 25 April 2022, both the Discord and Instagram accounts of Bored Ape Yacht Club, an elite NFT collection & community, were hacked. The hackers invited community members to click on a link “to mint Otherside virtual land assets.” Some users trusted the message, which appeared to come from inside the community, and clicked on the link. Before an official warning could be announced, a number of user wallets were compromised and their assets stolen: the hackers had pulled off a phishing scam.
Methodology
This dashboard analyzes the aftermath of this phishing hack -- which NFTs were stolen, how many, the amount that they were worth, and what happened to users afterwards.
The hacker wallet address, to which stolen NFTs were sent, is publicly identified.
This analysis zeroes in on the NFT transfers to this wallet on the day of the hack (25 April). An announcement was made on the same day to warn users against clicking on the phishing links, so it is unlikely that more NFTs were stolen via this scam on later dates.
The phishing wallet:
132 NFTs were stolen in total. The bar chart below visualizes the number of lost tokens by collection, including 7 Mutant Apes, 4 Bored Apes, and many others:
Below is a look into the number of wallets that were compromised, and how many NFTs each of them lost.
- The single most unfortunate wallet lost 10 NFTs in this phishing hack.
- Most wallets (16) lost 1 asset each.
- In total, 45 wallet addresses were victims of the scam, in which they thought they were buying metaverse land.
While there can be several methods for calculating the value of stolen assets, I chose to take into account the floor prices of collections on the day of the hack.
According to this approach, users lost over 5.6M USD, most of it in assets from the BAYC and MAYC collections.
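The methodology above (inbound transfers to one wallet on one day, counted per collection and per victim, then valued at floor price) can be reproduced over any transfer table. This is an added example, not the dashboard's own query: the wallet address, transfer rows and floor prices are constructed placeholders, and `summarize` is a hypothetical helper. Collections without a known floor price are reported separately rather than silently valued at zero.

```python
from collections import Counter
from datetime import date, datetime

# Constructed placeholder, not the real phishing wallet address.
PHISHING_WALLET = "0x" + "ab" * 20
HACK_DAY = date(2022, 4, 25)

# Constructed sample rows: (UTC time, collection, token id, from, to).
TRANSFERS = [
    ("2022-04-25T09:58:00", "BAYC", "101", "0xV1", PHISHING_WALLET),
    ("2022-04-25T10:02:00", "MAYC", "202", "0xV1", PHISHING_WALLET.upper()),
    ("2022-04-25T10:05:00", "MAYC", "203", "0xv2", PHISHING_WALLET),
    ("2022-04-25T10:07:00", "OtherNFT", "7", "0xV3", PHISHING_WALLET),
    ("2022-04-24T23:59:00", "BAYC", "55", "0xV4", PHISHING_WALLET),   # day before
    ("2022-04-25T11:00:00", "BAYC", "101", PHISHING_WALLET, "0xOUT"),  # outgoing
]
# Constructed floor prices in USD on the day; OtherNFT deliberately missing.
FLOOR_USD = {"BAYC": 400_000.0, "MAYC": 100_000.0}


def summarize(transfers, wallet, day, floor_usd):
    """Aggregate inbound transfers to `wallet` on `day` (UTC)."""
    wallet = wallet.lower()  # hex addresses compare case-insensitively
    by_collection, by_victim = Counter(), Counter()
    for ts, collection, _token_id, sender, receiver in transfers:
        if receiver.lower() != wallet:
            continue  # outgoing or unrelated transfer
        if datetime.fromisoformat(ts).date() != day:
            continue  # outside the one-day window
        by_collection[collection] += 1
        by_victim[sender.lower()] += 1
    priced = sum(n * floor_usd[c] for c, n in by_collection.items() if c in floor_usd)
    unpriced = sorted(c for c in by_collection if c not in floor_usd)
    return {
        "total_nfts": sum(by_collection.values()),
        "by_collection": dict(by_collection),
        "victim_wallets": len(by_victim),
        "max_lost_by_one_wallet": max(by_victim.values(), default=0),
        "wallets_by_loss_size": dict(Counter(by_victim.values())),
        "floor_value_usd": priced,
        "unpriced_collections": unpriced,
    }


if __name__ == "__main__":
    print(summarize(TRANSFERS, PHISHING_WALLET, HACK_DAY, FLOOR_USD))
```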
About
- Author: mar1na (catscatscode) - reach out on Twitter!
- Date: 29 July 2022
- Data Source: Flipside Crypto
- Disclaimer: This dashboard represents the author’s best effort at interpreting the available data. It is not financial advice.
Concluding Thoughts
Since the attack analyzed above, BAYC suffered another phishing hack in June 2022, when the community’s Discord was compromised again. While this dashboard does not dive into the June data, BAYC holders would do well to click on very few links that come from the community -- when holding an expensive Ape jpeg, apparently nothing can be trusted. 😅