A sophisticated phishing scam has compromised verified Twitter accounts to steal NFTs worth at least $160,000 from Bored Ape Yacht Club (BAYC) fans seeking ApeCoin airdrops.
The scheme (first detailed by analytics firm AnChain) saw hacker(s) access Twitter handles before disguising them as BAYC’s founders and prominent NFT collectors.
Hacked accounts displayed a BAYC NFT image in Twitter’s ‘verified ownership’ hexagon format. They then spread spam and social engineering messages to lure users into fraudulent airdrops for BAYC’s new social cryptocurrency.
Interacting with the links to those airdrops apparently allowed hackers access to several known individuals on Crypto Twitter™, including NFT 365 Podcast host Fanzo.
Some reports indicated the hacker was capable of accessing wallets even if their owners never clicked on the malicious link.
- Fanzo claimed his wallet was hacked and the attacker stole his NFTs even though he never clicked a phishing link. He posted a video describing what happened.
- Victims also included Gutter Cat Gang creator Aarontc.eth, who lost at least two Gutter Cat Gang NFTs with a combined value of 34 ETH ($114,000) in the attack.
- Aarontc.eth subsequently fundraised to buy back his lost tokens by selling some art in the Gutter Cat Gang collection as new NFTs.
The attack involved rotating wallet addresses, meaning the hacker could’ve extracted more crypto that’s gone undetected.
Still, AnChain.AI valued tokens stolen in the airdrop scam at a minimum of 46.64 ETH ($160,000).
BAYC airdrop scam echoes Great Twitter Hack
Blockchain analysis companies like Chainalysis and CipherTrace operate intelligence platforms for law enforcement, regulatory compliance, security monitoring, and risk management.
San Jose-headquartered AnChain, which has a deal with the SEC to assist with monitoring DeFi applications, discovered this latest BAYC affinity scam.
Twitter account hacks have proliferated in the past few years. In 2020, the frenzy culminated in a takeover of more than 100 prominent handles, including profiles of former US President Barack Obama, Bill Gates, and Elon Musk.
These hackers promoted a fraudulent Bitcoin giveaway which offered to double any BTC sent to an address. Senders never received any Bitcoin and the leaders of that scam were eventually indicted for various crimes.
Twitter blamed the 2020 presidential hack on social engineering: the attackers gained access by tricking Twitter employees rather than cracking passwords.
This obviously hasn’t deterred bad actors from targeting verified Twitter accounts to exploit popular crypto assets like NFTs. AnChain noted the sophistication of this month’s ApeCoin-themed phishing attack.
The firm said it took a skilled and knowledgeable assailant to weave together Twitter’s blue check marks to exploit BAYC’s popularity just in time for its recently launched APE token.