On June 4, the popular nonfungible token, or NFT, project Bored Ape Yacht Club (BAYC) suffered its third security compromise this year. Nearly 142 Ether (ETH) ($250,000) worth of NFTs was stolen after hackers gained access to the Discord account of a BAYC community manager and posted a message with a link to a fake website.
The link advertised a limited-time free-NFT giveaway to users who connected their wallets, which were then drained of NFTs. During two prior occasions in April, hackers breached BAYC's Discord and Instagram pages and managed to siphon 91 NFTs, worth over $1.3 million at the time of the second attempt, via a phishing link.
As told by blockchain security firm CertiK, hackers quickly moved stolen funds to obfuscation platform Tornado Cash, making it impossible to trace any further flow of funds on the blockchain. In a statement to Cointelegraph, sources at CertiK explained that however legitimate the project may seem, "NFT holders should also be highly suspicious of anyone claiming to offer free assets, as these can often be phishing attacks." In addition, CertiK wrote:
"In the case of the June 4th attack, the malicious carbon-copy site had some small differences. Firstly, there were no links to social media sites on the phishing site. There was also an added tab titled "claim free land" and specifically targeted popular NFT projects."
As a precautionary measure, Certik recommended crypto enthusiasts look for subtle peculiarities on such sites, as they are frequently an indicator of malicious activity. "At the very least, users engaging with such giveaways should always make an effort to confirm the legitimacy of the site by comparing it with a known and confirmed site and looking for any discrepancies," they concluded.