Bored Ape Thefts on Instagram Are Crypto’s Latest Hack Headaches

When it comes to crypto hacks, it seems like it’s the same story every time. Scammers take advantage of a vulnerability in a blockchain’s design and make off with millions, like in the $600 million-plus heist involving the play-to-earn NFT game Axie Infinity and the $77 million theft that took place Saturday on decentralized finance projects Rari Capital and Fei Protocol.

But a $3 million hack last week involving nonfungible tokens from the popular Bored Ape Yacht Club (BAYC) universe exploited a different kind of weakness that isn’t unique to blockchain.

Scammers infiltrated the NFT collection’s official Instagram account and posted a link to a fake website where users connected their crypto wallets for what they thought was an NFT launch. In reality, they had unwittingly opened themselves up to theft. When the actual launch happened on Saturday, users were again targeted when scammers posted links to fake websites that ended up cleaning users out of NFTs worth a collective $6.2 million.

The incidents exemplify a growing trend in which social media is being used as a tool for amplifying and executing crypto and NFT scams. These thefts aren’t just hitting Instagram: Twitter, Facebook, and the chat platforms Discord and Telegram are also fertile ground for these maneuvers, according to Ronghui Gu, CEO of blockchain security firm CertiK.