A hacker took over BAYC’s social media accounts this week and was able to steal roughly $3 million in assets. Let’s discuss how this happened and where Web3 goes from here.
Yet again, a hacker has stolen funds from one of Web3’s most promising companies.
Yuga Labs is preparing to launch the next big installment in its metaverse plans, the “Otherside” Web3 project. The company behind the Bored Ape Yacht Club NFT community announced last month that it raised $450 million to develop the project and create NFT-focused games as part of the expanding “Yugaverse.”
But before Yuga Labs could make good on those plans this week, BAYC’s social media accounts were hacked, with members of its community losing roughly $3 million in NFTs and other digital assets.
So, how did this Bored Ape Yacht Club hack actually happen, and how should the blockchain and crypto tech industries proceed?
On the morning of April 25, BAYC’s Instagram account and Discord channel were hacked. The hacker promoted a fake airdrop in order to gain access to Bored Ape NFT holders’ wallets and steal their BAYC collectibles and other crypto assets. Yuga Labs has been teasing that its Otherside project will be launching with a virtual land sale this upcoming weekend — the hacker leveraged this as a promotional tactic in the attack.
The scam worked in some key cases before Yuga Labs was able to regain control of BAYC’s official social accounts. Some of the stolen NFTs were posted on LooksRare for resale before being flagged as fraudulent activity.
Yuga Labs detailed what happened in a thread on BAYC’s Twitter timeline.
“Rough estimated losses due to the scam are 4 Bored Apes, 6 Mutant Apes, and 3 BAKC [Bored Ape Kennel Club], as well as assorted other NFTs estimated at a total value of ~$3m,” a spokesperson told Coindesk. “We are actively working to establish contact with affected users.”
Yuga Labs immediately alerted its community about the Bored Ape Yacht Club hack and is still working closely with Instagram and Discord to find out how the hacker got access to its accounts.
One Twitter user threaded some interesting theories about what possibly happened. For instance, perhaps the hacker tapped into data on the deep web or duplicated mobile SIM cards.
BAYC holders affected by the hack or any community members that might have helpful information have been directed to contact email@example.com. Yuga Labs requests that individuals reach out first for security purposes.
“We will NOT reach out to anyone over email first, and we will NEVER ask for your seed phrase,” BAYC tweeted.
Yuga Labs concluded the thread by letting the BAYC community know that mints and other announcements will never be published first on the collection’s Instagram accounts. Instead, BAYC supporters can find the most updated and accurate information on official Twitter accounts (@BoredApeYC, @yugalabs, and @OthersideMeta) and in the announcement channel on BAYC’s Discord.
When the Web3 industry meets Web2 problems
Unfortunately, not even two-factor authentication was able to keep BAYC’s Instagram account safe from hacking, a dynamic that has consistently been the biggest downfall of Web2 (a handy name for the public internet’s broadband, social networking, and streaming era).
Two-factor authentication is a multistep security system requiring users to provide two distinct forms of identification like a password and passcode delivered via email or text. That layer of protection makes us think: Could the BAYC hack have been an inside job?
(To be clear, there’s no evidence to suggest such a thing as of this writing.)
Regardless, with the decentralized principles innate to Web3, it’s been widely assumed that traditional hacking will become a thing of the past — but is that true? At least today, the answer is no, and that’s mainly due to the fact that Web3 companies are still interacting in the predominantly Web2 digital space that includes Twitter, IG, and Discord.
Even aside from social media, the Web3 and crypto industries have been experiencing unexplainable hacks and scams that have resulted in significant losses. Also, let’s not forget that this isn’t the first time Bored Apes have been stolen; less than a month ago, a hacker stole Bored Ape NFTs via OpenSea.
Despite the decentralization of Web3, companies and projects in the industry are still paying for the actions of hackers. Consider these examples:
- After hackers stole approximately $620 million worth of Ethereum and US dollars from Axie Infinity gamers, the game’s creator, Sky Mavis, raised $150 million to offset reimbursement costs. Sky Mavis pulled funds to make up the rest of the reimbursement costs right from its balance sheet.
- Back in February, hackers stole more than $320 million worth of cryptocurrency assets from users on Wormhole’s crypto finance platform. The company restored all of the funds — and even offered the hackers $10 million to explain how they infiltrated its system.
This recent BAYC hack is so different from previous ones because the project’s official social media accounts were infiltrated, and Yuga Labs can’t seem to figure out how. In typical circumstances, this information becomes apparent not long after an account is hacked, but that’s not the case here. It all makes the issue even more puzzling.
Arguably, the risk of widespread hacking in Web3 is actually more prominent due to the fact that everything a user does inside the space is linked to their crypto wallets and the digital assets inside them. Will this scare users away from participating in the growing industries and destroy what the metaverse and NFT communities have become?
It’s a question the innovators of the Web3 era will have to answer.
BAYC’s path forward
Before the Bored Ape Yacht Club hack, Yuga Labs shared on the Otherside Twitter that the new Web3 project’s journey officially kicks off on Saturday, April 30. Since making the announcement and experiencing the hack, Yuga Labs hasn’t changed those plans.
Here are some essential things to know about the Otherside project launch:
- The digital currency ApeCoin will exclusively power the mint on otherside.xyz
- The community’s initial mint will be conducted as a Dutch auction
- Interested parties must meet Know Your Customer (KYC) standards unless they already hold a Bored Ape or Mutant Ape NFT
- All accurate information about the launch will be posted on the Otherside Twitter account
Ours is a Web3 world with Web2 problems.
Fortunately, Yuga Labs isn’t about to let the growing pains of this ongoing tech paradigm shift ruin this virtual yacht party.