Bored Ape Yacht Club Instagram Hacked, $2.8M in Ethereum NFTs Stolen

The official Instagram account for the Bored Ape Yacht Club was hacked on Monday, and it shared a link to a scam website that has apparently stolen more than $2.8 million worth of NFTs from people who connected an Ethereum wallet.

The linked website falsely claimed that Bored Ape creator Yuga Labs was offering free NFT land for its upcoming Otherside metaverse game, and that anyone who connected an Ethereum wallet would receive a free airdrop of virtual land—even if they didn’t own a Bored Ape.

It was all a scam, however: the Otherside launch is planned for April 30, and the website was not an official Yuga Labs creation. However, many people apparently fell for the ruse, with 91 NFTs stolen from connected wallets with a combined value over $2.8 million, based on the current floor price (or cheapest available NFT) from each collection.

According to blockchain sleuth zachxbt, the wallet tied to the scam managed to steal four Bored Ape Yacht Club NFTs, seven Mutant Ape Yacht Club NFTs, and three Bored Ape Kennel Club NFTs, as well as an array of other NFTs.

Other reports have claimed that the official Bored Ape Yacht Club Discord server was also hacked today, but that does not appear to be the case. However, the Bored Ape Discord was previously hacked on April 1.

“This morning our team was alerted that the Bored Ape Yacht Club’s official Instagram account was hacked,” reads an official statement from Yuga Labs, provided to Decrypt. “The hacker posted a fraudulent link to a copycat of the Bored Ape Yacht Club website, where a safeTransferFrom attack asked users to connect their MetaMask to the scammer’s wallet in order to participate in a fake airdrop.”

“At 9:53am ET, we alerted our community, removed all links to Instagram from our platforms and attempted to recover the hacked Instagram account,” the statement continues. “Two-factor authentication was enabled and the security practices surrounding the IG account were tight. Yuga Labs and Instagram are currently investigating how the hacker was able to gain access to the account. We’re still investigating.”

Yuga Labs estimated the total value of stolen NFTs at around $3 million, which tracks with the data pulled from the attacking wallet. The firm also said that it is “actively working to establish contact with affected users,” but it did not share any details on potential plans to reimburse affected NFT holders.

The Instagram scam comes following a wave of Twitter scams in which the verified accounts of many users have been hijacked and used to spam similar NFT-stealing attacks. That particular scam originated with ApeCoin, the recently-launched Bored Ape ecosystem token, and has since spread to Azuki and Moonbirds. To be clear, the creators of those projects are not involved with the scams.

Some of the affected Twitter users have told Decrypt that their accounts similarly had two-factor authentication enabled. A Twitter representative told Decrypt on April 8 that it was "aware of and actively working on a solution to combat" such scams but did not provide an update when asked last week.