Hackers have stolen cryptocurrency and nonfungible tokens after compromising a Discord server run by Yuga Labs Inc., the creator of leading NFTs such as the Bored Ape Yacht Club.
The successful attack involved the compromise of an account belonging to Yuga Labs Community and Social Manager Boris Vagner. With access to Vagner’s account, those behind the attack posted phishing links in both the official BAYC and the Otherside Discord channels.
The phishing messages, pretending to be from Vagner, promised an exclusive giveaway in which only holders of BAYC, Mutant Ape Yacht Club and Otherside NFTs could participate. The holders were sent to a phishing site that asked them to enter their login details. Once those details were handed over, the attackers drained all ether (ETH) and NFTs from the wallet linked to the account. Access to the Discord server was eventually returned to Yuga Labs, but not before the damage was done.
Bleeping Computer reported Saturday that those behind the attack stole an estimated 145 ETH, worth approximately $250,000, and 32 NFTs. The official Twitter account of BAYC put the value of the stolen NFTs at around 200 ETH (about $361,000). NFTs allow users to create and verify ownership of virtual items by recording their sales and trades on blockchains.
Although the compromise appears to stem from a lapse in staff account security rather than a flaw in the platform, Gordon Goner, one of the founders of BAYC, blamed Discord for the compromise.
Discord isn’t working for web3 communities. We need a better platform that puts security first.
— GordonGoner.eth (@GordonGoner) June 4, 2022
This isn’t the first time a Yuga Labs account has been compromised. In a nearly identical attack, hackers obtained access to the BAYC Instagram account in April and then sent out phishing messages with malicious links. NFTs valued at about $3 million were stolen.
In the Instagram case, Yuga Labs claimed two-factor authentication was enabled and the security practices surrounding the Instagram account were tight. Two-factor authentication on its own does not rule out account takeover, however: a one-time code can be phished in real time, and an already logged-in session can be hijacked without it. The question remains: How did hackers get access first to the Instagram account and then to the Discord server?
Security does not seem to be at the forefront of the company’s practices, but it’s not as if it can’t afford it. Yuga Labs last raised $450 million in funding on a $4 billion valuation in March.