Web2 applications such as Discord have again been shown to be the weak link in the security of blockchain projects. Over 175 ETH has been drained from investors’ accounts after the Bored Ape Yacht Club Discord server was breached. @BorisVagner, who was only promoted to Social Media for Yuga Labs in January 2022, had his Discord account breached. The attacker was then able to post phishing links via BorisVagner’s official account on the Yuga Labs Discord server.
The link has been redacted to protect readers from visiting the phishing site. BAYC finally released a statement almost 12 hours after it was first reported stating,
“Our Discord servers were briefly exploited today. The team caught and addressed it quickly. About 200 ETH worth of NFTs appear to have been impacted. We are still investigating, but if you were impacted, email us at [email protected]”
The statement reported that the team “addressed it quickly” and confirmed the total value lost by members as 200 ETH. At today’s value that is $354k gone in almost no time at all. The lack of urgency in reporting the matter to its community and the brevity of the announcement suggests an element of complacency by Yuga Labs.
Community Manager account compromised
According to PeckShield, “32 NFTs were stolen, including 1 #BAYC, 2 #MAYC, 5 #Otherdeed, 1 #BAKC.” OKHotshot was one of the first to report the breach, tweeting, “@BorisVagner got his account breached, which let the scammers execute their phishing attack. Over 145E was stolen.” OKHotshot told us exclusively that it is around $354k.
“Proper security practices should be upheld for any project doing millions in revenue. Especially if the project is in the top 10 of the market. Not having a security manager increases that risk significantly.”
OKHotshot believes a security manager could have prevented this, as “they would handle discord security practices, team policy, and make sure they are upheld. No team member should have their direct messages open, be clicking on links or using their main accounts on other servers just to give a few examples.” Yuga Labs has several job roles available, but no security roles are live.
The crypto community was also vocal about the issue through a thread posted by Reddit user u/naji102. Users discussed the drop in trust for NFTs due to the increase in scams that even come from official sources. u/XnoonefromnowhereX commented, “The message had grammatical errors that should have been a red flag,” while u/CrimsonFox99 empathetically stated, “Hard to blame them on that part, especially coming from a supposedly trusted source.”
A Twitter user reached out to OpenSea and LooksRare pleading “I just clicked a fake goblin claim. 2 MAYCs and 8 cool cats were stolen. … please help. They stole everything from me.” Calls came from other users supporting the initiative to freeze the thief’s accounts. It seems that often decentralization is only supported until investors need centralized support.
BAYC Discord compromised before
This is not the first time the Discord server has been compromised. The server was hacked in April 2022, with MAYC #8662 being stolen. The story continued as it later became known that Taiwanese pop superstar Jay Chou was the owner of the stolen NFT, worth $550k. A Discord profile was compromised on both occasions, allowing the attacker to post phishing links onto official channels.
Protecting web2 infrastructure tied to web3
Solutions are being released to combat the problem of scam websites. Most major antivirus tools use lists of blacklisted sites to warn users while they browse the internet. However, the speed and frequency with which new scams appear mean that these lists may not always be up to date. A Chrome extension called Wallet Guard attempts to solve this problem in the web3 space.
Wallet Guard told CryptoSlate:
“Not everyone has a technical background nor has been around the space too long… our extension never touches your wallet; it only needs to know the domain you’re attempting to visit.”
The tool flagged the URL of the phishing site posted to BorisVagner’s Discord account and could have aided investors in deciding if they should trust the link.
However, even tools such as this are not invulnerable. A sophisticated scammer could theoretically get into an official Discord server while also attacking a site like Wallet Guard to make a phishing site appear legitimate. No tool is expected to be 100% invulnerable to all attacks, but any way investors can reduce the chance of falling victim to fraud should be encouraged.
Still, each time a phishing scam attacks a blockchain project, it comes through a web2 connection to that project. Adding web3 functionality to web2 technology such as Discord could dramatically increase its security.
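The kind of check described above, as an added example that is not Wallet Guard’s code: it inspects only the hostname of the URL about to be visited, consults a blocklist, and, because blocklists lag behind freshly registered scam domains, also flags lookalikes of known-good brands. The blocklist entries are constructed, and the registrable-domain helper assumes a single-label public suffix.

```javascript
// Added example (not Wallet Guard's code). BLOCKLIST entries are constructed;
// KNOWN_GOOD holds the real official domains of the brands named in the article.
const BLOCKLIST = new Set(["goblin-claim-free.example", "bayc-airdrop.example"]);
const KNOWN_GOOD = ["boredapeyachtclub.com", "opensea.io", "looksrare.org"];

// Only the hostname is inspected; path, query and wallet state are never read.
function hostnameOf(url) {
  try {
    return new URL(url).hostname.toLowerCase().replace(/^www\./, "");
  } catch {
    return null; // not a parseable URL
  }
}

// Classic Levenshtein distance, used to catch typosquats such as swapped letters.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
    }
  }
  return d[a.length][b.length];
}

// Registrable part of a host, e.g. "opensea.io" from "api.opensea.io".
// Simplification: assumes a single-label public suffix (no "co.uk" handling).
function registrable(host) {
  return host.split(".").slice(-2).join(".");
}

function classify(url) {
  const host = hostnameOf(url);
  if (host === null) return { verdict: "invalid", host };
  const reg = registrable(host);
  if (KNOWN_GOOD.includes(reg)) return { verdict: "known-good", host };
  if (BLOCKLIST.has(reg)) return { verdict: "blocked", host };
  // Unknown host: compare against the brands it might be impersonating, catching
  // both brand-as-subdomain tricks and near-miss spellings of the brand label.
  const label = reg.split(".")[0];
  for (const good of KNOWN_GOOD) {
    const brand = good.split(".")[0];
    if (host.includes(brand) || editDistance(label, brand) <= 2) {
      return { verdict: "lookalike", host, impersonates: good };
    }
  }
  return { verdict: "unknown", host };
}
```

A verdict of "unknown" is the honest output for a domain the lists have not caught up with; a real extension would surface that to the user rather than treating it as safe.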
CryptoSlate reached out to BorisVagner for comment but did not receive a response.
UPDATE 2 pm June 6: Revised initial reporting time of the breach thanks to information from @GrassyEth