Apes Gone Phishing

BAYC Attack Leads to $250,000 Loss

By Ronghui Gu, CEO and cofounder at CertiK

NFTs are one of the most headline-grabbing topics in web3, with the most popular being sold for jaw-dropping prices and generating a dedicated following of fans and collectors.

Anyone still in disbelief about the monetary value of NFTs should take a look at the recent hack against Bored Ape Yacht Club (BAYC), where a hacker was able to make away with 32 NFTs, and sell them for 142 ETH (equivalent to over $250,000) in a phishing attack.

In the attack, the hacker shared a fake phishing site that impersonated the official BAYC site. This malicious site then promised that BAYC, MAYC, and OthersideMeta holders were able to claim a free NFT once they clicked on a link.

The victims of the attack can be forgiven for being duped– not only was the fake site a near duplicate of the official BAYC site, it was also distributed over the official BAYC discord server after a community manager’s account was compromised.

Shockingly, this is the third time that the BAYC servers have been compromised this year, and the second which has led to losses. On April 1st a hacker was able to access the BAYC discord server, causing BAYC to issue a warning to its community. Then later in the same month on April 25th, BAYC was hit with another phishing attack on its Instagram account, this time leading to the theft of 91 NFTs, equivalent to over $1.3 million.

The web2 hangover

Despite NFTs being seen as one of the most definitive products of the web3 ecosystem, the fact that an attacker was able to successfully use a phishing attack shows how projects are still vulnerable to hacks typically associated with web2.

The continued success of such phishing attacks is frustrating for anyone working towards securing the web3 ecosystem, as part of the promise of the decentralized nature of web3 is that it can consign such attacks to the past. However, so long as there remains centralization in web3, there remains the chance for hackers to exploit the single-point of failure that it offers. A recent State of Defi report shows that ‘centralization issues were the most common attack vector, with over $1.3 billion lost across 44 DeFi Hacks’.

In the case of phishing attacks such as the BAYC hack, this point of centralization came in the form of a community manager’s account, which gave the hacker the illusion of authenticity and lent their malicious link credibility it would not otherwise have had.

What to do?

While it is likely that there will always be some aspects of centralization in web3, there are still ways of implementing practices of decentralization into a project’s structure to boost security. For example, BAYC could have better protected itself by requiring multi-sig verification to access privileged accounts and also any time a post or change is made.

This effectively distributes the authority across multiple nodes, meaning that the hacker would have had to compromise multiple accounts before gaining privileged access to the BAYC’s discord.

How to manage accounts with privileged access remains a problem for many web3 projects, and it continues to lead to major losses when an attacker strikes. Ongoing security audits are one of the best measures teams can take to ensure their project has the best defenses, as it will highlight any areas where a hacker can leverage centralization to conduct an attack as the project grows.

Yet the risk of centralization is only half of the story here. There is also a need to cultivate a better community understanding of the risks involved in web3, and the best ways to spot bad actors attempting to trick you into giving away your assets.

Whilst all projects have a responsibility to their communities to keep their social media platforms secure, NFT holders should also be highly suspicious of anyone claiming to offer free assets, as these can often be disguised phishing attacks.

In the case of BAYC’s June 4th attack, the malicious site had a few small differences from the real one. Firstly, unlike the authentic site, the phishing site did not provide links to BAYC’s social media sites. There was also an added tab titled “claim free land” that specifically targeted popular NFT projects.

While subtle, these differences should alert any user to potential malicious activity. At the very least, users engaging with such giveaways should always make an effort to confirm the legitimacy of the site by comparing it with a known and confirmed site and looking for any discrepancies.

Looking Ahead

The persistence of phishing attacks alongside more sophisticated web3 attacks highlights the multiple frontiers on which the web3 ecosystem must defend itself. Web3 has the potential to be the most secure iteration of the internet to date. But to get there, web3 projects have to take an ongoing, end-to-end approach to their security. This means making use of tools such as routine smart contract audits, blockchain analytics, and implementing practices of decentralization. As the BAYC hack shows, failure to do so spells disaster not only for the projects but for their communities as well.

About the Author

Professor Gu is the Tang Family Assistant Professor of Computer Science at Columbia University and Co-Founder of CertiK. He holds a Ph.D. in Computer Science from Yale University and a Bachelor’s degree from Tsinghua University. He is the primary designer and developer of CertiKOS and SeKVM. Gu has received: an SOSP Best Paper Award, a CACM Research Highlight, and a Yale Distinguished Dissertation Award. You can find more information about CertiK here: https://www.certik.com/