BAYC Instagram Hack: Possible NFT Scam-As-A-Service Operation?
The Otherside mint, a new Metaverse launched by iconic Bored Ape Yacht Club (BAYC) creator Yuga Labs, presented an opportunity for hackers to steal millions in NFT assets. Analysis of open source information and on-chain transactions by TRM Labs suggests a coordinated effort to steal victim assets before, during, and after the event. What happened, and what can be learned?
- Fake mint sites and cryptocurrency wallets were set up prior to the mint.
- Hackers compromised both the BAYC Instagram account and Discord server to post links to fake mint sites.
- Stolen NFTs were sold for around $2.4 million; estimated losses may be as high as $13.7 million, according to Bored Ape Yacht Club (BAYC).
Ongoing investigation may reveal whether this was a NFT Scam-as-a-Service (NFT SaaS), or involved an organized criminal network. TRM investigators have identified nearly 170 similar scam sites so far, and blockchain analysis suggests financial connections to the Revoke.site scam from early April.
Background
The Bored Ape Yacht Club (BAYC) is arguably the most influential NFT project in the world. BAYC is a collection of 10,000 NFT apes with varying fur types, facial expressions, clothing, jewelry, and accessories that has grown into a pop culture phenomenon with a tremendous following. Today, Bored Ape NFT ownership is viewed by many as a status symbol, selling for around $200,000 each and owned by celebrities such as Jimmy Fallon and Eminem. Future NBA hall of famer Stephen Curry used one as his Twitter profile pic for some time. According to OpenSea, in the past thirty days, the BAYC collection has had the highest floor price and second highest trading volume on the market.
So when BAYC creator Yuga Labs launched the Otherside metaverse, “FOMO” was on overdrive. On Saturday, April 30, 2022, users who pre-registered were able to participate in the first mint for Otherside — and scammers were ready to take advantage of the excitement. The scenario unleashed a combination of hacking, phishing, and money laundering which resulted in huge losses for the BAYC community.
Hack, phish, and clean your catch
Prior to the first mint, unidentified hackers took over a verified BAYC Instagram account and posted a link to a fake minting site. The URL was chosen to appear legitimate, but in fact it directed users to a fake minting site.
When users connected their wallets to the site, they unwittingly signed a safeTransferFrom transaction, which transferred their assets to the alleged hackers’ wallet.
In a single day, the scam resulted in losses of around $2.4 million in NFTs and ETH. Actual losses are likely much greater. The alleged hackers sold many of the stolen NFTs at far below their estimated market value, which Coindesk estimated at about $13.7 million.
TRM’s on-chain analysis revealed the NFTs were quickly sold on the LooksRare NFT marketplace for WETH. The attacker then sent ETH and WETH to a second Externally Owned Account (EOA), or private wallet.
The owner of this account then broke up the funds and deposited them to accounts at five different centralized exchanges. In other cases, TRM investigators have seen hackers use these types of accounts, operated by money mules, or opened using stolen or fraudulent Know-Your-Customer (KYC) credentials, to swap the proceeds for other assets, or to cash out to fiat currency.
Interestingly, some of the pre-hack funding for the two identified hacker accounts may have come from the Revoke.site scam from early April.
Copycats Suggest NFT Scam-as-a-Service Operation
Following the Saturday mint, additional scam sites appeared, built to look like a legitimate Otherside site. A link to one such site, otlherside[.]xyz, was originally posted on Twitter via a mimic account @OthersidelMeta but has since suspended.
TRM investigators have unearthed and linked around 170 similar sites through domain intelligence, linguistic analysis, and other clues. While the content varies, the deployment of these copycat sites is consistent, which suggests the possibility that these sites comprise an NFT Scam-as-a-Service (NFT SaaS) operation. Such an organized criminal scheme is reminiscent of the Classiscam SaaS, which used phony classified ads to lure and phish victims. CUJO AI’s recent article highlights at least one case in which scammers are being scammed by NFT SaaS.
Upcoming government actions on NFTs
Law enforcement and regulators are taking action to regulate and require stricter anti-money laundering measures on NFTs, which will help the real victims of the thefts, namely the NFT collectors who have lost tens of thousands of dollars in valuable assets with a click. In March, according to a report by Bloomberg, the SEC is investigating whether certain NFTs are being used to raise money like traditional securities, and whether they should be treated as such. This was followed by the DOJ announcement of the arrest of the Frosties creators on fraud and money laundering charges. In New York, state legislators want to make “illegal rug pulls” and certain forms of crypto fraud crime.
Foreign governments are also enacting measures to protect and regulate NFTs. Just last week, Cointelegraph reported that UK court recognized NFTs as private property.
At TRM Labs, we support regulatory and criminal investigations to build trust and confidence in the next generation financial system for billions of people. Our investigators use TRM Forensics to trace NFT provenance, hunt down stolen assets, and share leads with trusted law enforcement partners.
About TRM Labs
TRM provides blockchain intelligence to help financial institutions, cryptocurrency businesses, and public agencies detect, investigate, and manage crypto-related fraud and financial crime. TRM's risk management platform includes solutions for transaction monitoring and wallet screening, entity risk scoring - including VASP due diligence - and source and destination of funds tracing. These tools enable a rapidly growing cohort of organizations around the world to safely embrace cryptocurrency-related transactions, products, and partnerships.
Want more content like this?
Access our coverage of TRON, Solana and 23 other blockchains
Fill out the form to speak with our team about investigative professional services.