A Twitter phishing scam hacked verified accounts, some of which had Bored Ape Yacht Club (BAYC) profile pictures. The scam sought to defraud crypto-savvy users of a little more than $1 million this week through a phony ApeCoin airdrop. 

For those who missed last week's news, ApeCoin is a cryptocurrency that can be claimed by BAYC and Mutant Ape Yacht Club (MAYC) holders. It was launched by ApeCoin DAO, and the token will power several spin-off projects from the BAYC franchise.

This week's fake airdrop lured victims with an ostensibly legitimate tweet coming from hacked accounts, which read, "Launch of Ape Coin has been a big success! We have collectively decided to airdrop some more to active NFT Traders/Holders. If you don't currently own NFTs, you can claim with a 0.33 ETH fee!" 

The tweet then enclosed a link as bait for the scam. 

Unpacking the Ape Coin airdrop scam

NFT collector Bored Alien Silver Ape was one of the worst affected. He lost over half a million dollars' worth of BAYC and MAYC NFTs in the attack, according to Etherscan.

He immediately blamed an account called Bhawana Ghimire, a name possibly drawn from the former CEO of the Cricket Association of Nepal. 

The verified account was masquerading as a BAYC founder.

Blockchain analytics account AnChain.AI posted a play-by-play breakdown of the heist and identified three more compromised accounts involved in spreading the attack: Dana.eth, who also claimed to be a BAYC founder, sports journalist Gavin Quinn, and musician Mila.

An account called "NFTEthics" also identified business journalist Todd Wasserman as having had his account compromised in the scam. 

In addition to the commandeered accounts, many verified profiles were scammed out of their crypto assets, including NFT 365 podcaster Fanzo (@iSocialFanz).

Fanzo spent a decade with the U.S. Department of Defense, focusing on cybersecurity, yet even he had his wallet exploited, despite never clicking the malicious link. 

Similarly, Aarontc.eth lost over 34 Ethereum worth of NFTs, despite never connecting his wallet to the malicious link. 

All compromised accounts appear to have been returned to their owners' control. 

Until then, though, the scam proved to be a lucrative venture for the assailant, as they reportedly raked in over $1 million in crypto.