On June 4, the popular non-fungible token (NFT) project Bored Ape Yacht Club (BAYC) suffered its third security breach this year. NFTs worth nearly 142 ether (ETH) ($250,000) were stolen after hackers accessed a BAYC community manager’s Discord account and posted a message with a link to a fake website.
The link advertised a limited-time free NFT giveaway to users who connected their wallets, and then drained their NFTs. In the first two incidents, in April, hackers compromised BAYC’s Discord and Instagram pages and stole 91 NFTs through phishing links, worth over $1.3 million on the second attempt.
According to blockchain security firm CertiK, the hackers quickly moved the stolen funds to the obfuscation platform Tornado Cash, making it impossible to trace the funds any further on the blockchain. In a statement to Cointelegraph, sources at CertiK explained that no matter how legitimate the project appears to be, “NFT holders should also be highly suspicious of anyone claiming to offer free assets, as these are often phishing attacks.” CertiK wrote:
“In the June 4th attack, there were some small differences in the malicious CC sites. First, there were no links to social media sites on the phishing site. A tag titled ‘claim free land’ was also added, specifically for popular NFT projects.”
As a precaution, CertiK advises crypto enthusiasts to look for subtle features on such sites, as they are often indicators of malicious activity. “At a minimum, users participating in such giveaways should always strive to confirm the legitimacy of a site by comparing it to a known and confirmed site and looking for any discrepancies,” they concluded.