It’s happened again. Scammers struck the Bored Ape Yacht Club (BAYC) universe and stole some tokens. But, don’t worry, you can’t blame web3 for it. Nope. Not at all.

Hackers used good old web 2.0’s trick of hacking the project’s Instagram, and luring people to click on unsolicited links.

Here’s what happened: after BAYC’s account was hacked, attackers posted a message about claiming land on the project’s metaverse through an airdrop. It asked people to connect their MetaMask (or any other equivalent cryptocurrency wallet), to claim the land.

this is what the link showed for those wondering pic.twitter.com/noG3TCniXQ

— jatuur (@jatuur) April 25, 2022

However, it was just a trick to steal NFTs. The BAYC twitter account posted a warning about this, but, by that time, there hackers were successfully able to siphon off a number of NFTs.

🚨There is no mint going on today. It looks like BAYC Instagram was hacked. Do not mint anything, click links, or link your wallet to anything.

— Bored Ape Yacht Club (@BoredApeYC) April 25, 2022

Although tough to verify, some posts on Twitter claimed the attacker was able to steal hundreds of NFTs.

Later, a BAYC co-founder clarified that four Bored Ape, six Mutant Ape, and three Bored Ape Kennel NFTs were stolen in the phishing scam. The combined value of all of these? Well, that was estimated to be $2.4 million.

He also mentioned that the Instagram account was protected by two-factor authentication, but didn’t post details about the compromise.

The IG hack resulted in 4 Apes, 6 Mutants, 3 Kennels, and some other assorted valuable NFTs being lost. We will be in contact with the users affected and will post a full post mortem on the attack when we can. For now I would like to stress that 2FA was enabled on the account. https://t.co/bsc3tHt9QG

— Garga.eth (@CryptoGarga) April 25, 2022

The hacker’s wallet activity suggests that they’ve been moving some of the stolen NFTs around. Meanwhile, we’ve asked Yuga Labs, BAYC’s owner, if they are compensating holders for stolen assets. We’ll update the story if we hear back.

Jake Moore, Global Cyber Security Advisor at ESET, said such Instagram attacks are not new, but the value of digital assets can have big repercussions for victims:

“The world seems to be entering a very strange dynamic where NFTs are now worth [an] extortionate amount of money, but with this increase in value, there are inevitably cybercriminals lurking not too far behind.

“Instagram attacks are nothing new, but often take an element of social engineering in targeted human development in the request for codes or manipulating and intercepting messages. Unfortunately, however, this takeover has had a huge consequence and resulted in a mass robbery of digital assets.”

One of web3’s most prestigious projects has now been the target of several phishing attacks. Earlier this month, the project’s Discord was compromised.

When Yuga Labs launched ApeCoin in March, scammers took advantage of that, hacking verified Twitter profiles, and stealing assets worth nearly a million dollars from various victims.

This goes to show that cybercriminals just need to use proven methods like phishing to lure people into connecting their cryptocurrency wallets — they don’t have to use any sophisticated system to break web3 tech.

So high-value NFT projects like BAYC need to take extra steps to ensure their holders are protected. If they have fallen victim to an unsolicited phishing link, the team can give generic advice like, “Don’t click on suspicious links,” but you can’t do that when your own Instagram is putting out fake links.

Cryptocurrency investor Jordan Fish — who goes by Cobie on Twitter — suggested Yuga Labs should consider providing a custody service that would require holders to provide proof when they actually want to withdraw their NFT.

Yuga Labs or ApeCoinDAO should create a custody service asap. They are the only people that have the trust and distribution.

They could give an official "Custodied Ape NFT" that is ~not~ a redeemable receipt, but acts as proof of ape, so BAYC owners can still flex w/ hot wallet. https://t.co/d0dgek4zNw

— Cobie (@cobie) April 25, 2022

It’s important to note that if you use Metamask or any self-custodial wallet, the onus of security falls on you. And people who might not want to miss out on airdrops could overlook security at those moments.

Cobie pointed out that we need to teach better practices for self-custody, as all users might not be sophisticated enough to pay attention all the time. But, of course, achieving this is far easier said than done.