Yuga Labs confirms Discord server hack; 200 ETH worth of NFTs lost

Eleven hours after security researchers exposed the vulnerability on Twitter, Yuga Labs, the company behind the “Bored Ape” NFT, finally confirmed that its Discord server was hacked on Saturday, resulting in the theft of NFTs worth 200 ETH (about $360,000).

CoinDesk pointed out that the incident stemmed from the theft of community manager Boris Vagner’s Discord account, which was then used by attackers to post phishing links in the official BAYC and Metaverse projects.

Twitter user @NFTherder first revealed the incident, estimating that 145 ETH (about $260,000) was stolen along with the NFTs. Subsequent tracing showed that the stolen funds were transferred to four separate wallet addresses.

Yuga Labs officials later confirmed the existence of the vulnerability in a tweet, saying that it was actively investigating the hacking incident – even though it had been a full 11 hours since the NFTherder tweet was posted.

The attackers also posted a phishing message on the Discord channel of Spoiled Banana Society (SBS), an NFT fantasy football club co-founded by Boris Vagner and Richard Vagner, but the message and link have since been removed.

At 09:00 UTC, Richard Vagner said that the account had been hacked an hour earlier and that he hoped no one had clicked the phishing link. Luckily for them, after regaining control of Boris's account, they discovered that the hackers hadn’t deleted the entire Discord server.

Although Richard has asked everyone to proactively disclose it, it is unclear how many SBS channel members were affected by this phishing attack. In the next few days, they will also work to restore all the messed-up tags, as well as drill down to see if there are other potential problems.

The Vagners reportedly also operate a record label called Metaverse Records. In the same SBS Discord message, Richard confirmed that BAYC and Otherside Discords had also been “hacked” and hoped that everyone would take the lead.

In fact, this is the third time we’ve heard of something like this recently. Back on April 1st, Mutant Ape Yacht Club #8662 was stolen due to a phishing link posted on a Discord channel. On April 25, BAYC’s Instagram/Discord account was again exploited by hackers to post fake links to the Otherside mint. Then last week, actor Seth Green also fell victim.

In response to Saturday’s hack, a founding member of BAYC blamed the security breach on Discord. Gordon Goner tweeted: “Discord is not for the Web 3 community, we need a better platform that puts security first”.

Even so, @stevefink countered in a tweet: you don’t lose NFTs by using Discord; the truth is that you clicked malicious transaction links with your own hands. In the absence of security awareness, changing the client will not prevent you from repeating the same mistakes.
