Confirmed: Yuga Labs Discord Server Hack
According to Yuga Labs, the Bored Ape Yacht Club (BAYC) Discord server was hacked on Saturday, and the attacker made off with 200 ETH ($360,000) worth of NFTs.
Boris Vagner, the project’s community manager, had his Discord account hacked, and the attacker used it to post phishing links in the Discord channels of both the official BAYC and its linked metaverse project, Otherside.
NFTherder, a Twitter user, was the first to report the attack, estimating that 145 ETH (about $260,000) was taken along with the NFTs, and traced the stolen assets back to four different wallets.
🚨BAYC & OtherSide discords got compromised‼️
Seems because Community Manager @BorisVagner got his account breached, which let the scammers execute their phishing attack. Over 145E in was stolen
Proper permissions could prevent this pic.twitter.com/lCl2DfZQ0W
— OKHotshot (@NFTherder) June 4, 2022
Yuga Labs later confirmed the hack in a tweet, adding that it is currently looking into the matter. The confirmation came 11 hours after NFTherder’s tweet.
Boris Vagner manages Richard Vagner, a Grammy-winning multi-instrumentalist who co-founded the NFT fantasy football club Spoiled Banana Society (SBS) with Boris. According to Richard, the attacker also posted a phishing link on the SBS Discord channel, which was afterwards removed.
Richard Vagner remarked in a Discord chat at 09:00 UTC, “Hey @everyone, we were hacked an hour ago hoping no one clicked any links.” “Thank goodness Boris didn’t destroy the entire server since we regained control of the discord and his account.”
Although Richard has requested information from Discord members connected to the hack, it is unclear if anyone in the SBS channel was harmed.
“We’ll have all the tabs back up in the coming days,” he said, adding, “let us know if there’s anything more he messed with.”
The Vagners also run Metaverse Records, a record label. In the same SBS Discord chat, Richard confirmed that the BAYC and Otherside Discords were also “hacked.”
He wrote, “pls stay safe.”
This is the third time a bad actor has been able to steal money from Yuga Labs users by impersonating a Yuga Labs account. On April 1, Mutant Ape Yacht Club #8662 was stolen after a phishing link was shared in the project’s Discord. Then, on April 25, the Bored Ape Yacht Club Instagram and Discord accounts posted a bogus link to an Otherside minting.
Actor Seth Green became a notable example of the phishing schemes that are widespread in the NFT market when someone successfully tricked him out of his Bored Ape last week.
One BAYC founder criticized Discord for the security breakdown on Saturday in response to the incident.
Discord isn’t working for web3 communities. We need a better platform that puts security first.
— GordonGoner.eth (@GordonGoner) June 4, 2022