Bored Apes Creator Warns of Threat Group Targeting NFT Communities

Yuga Labs, the development studio behind popular non-fungible tokens (NFT) collections such as the Bored Apes Yacht Club, warned in a tweet Monday of a group of attackers targeting the NFT community.

“Our security team has been tracking a persistent threat group that targets the NFT community,” Yuga developers tweeted. “We believe that they may soon be launching a coordinated attack targeting multiple communities via compromised social media accounts.”

Yuga Labs did not respond to requests asking for more specific information at writing time. However, the warning came as millions of dollars worth of NFT exploits have occurred in the past few months.

The past weekend saw over $375,000 worth of ether ETH$2,828.36 and 314 NFTs stolen from Premint NFT, a popular NFT platform. An investigation by security firm CertiK revealed the threat actors planted a malicious JavaScript code on the premint.xyz website. The script was designed to instruct users to “set approvals for all” when connecting their wallets to the site, which allowed attackers to access all assets in the user’s wallets.

“While the malicious file is no longer available due to the Domain Name Server no longer existing, the effects of the attack are visible on-chain," read a statement from CertiK at the time. "In total, six externally owned accounts (EOA) are directly associated with the attack, with approximately 275 ETH stolen (~$375K).

The firm added that attackers “exploit the centralization issues and single-points of failure” that come with crypto projects relying on centralized internet infrastructures. “Hacks of this kind are becoming increasingly popular,” CertiK said. “There has been a marked increase in attackers targeting other official accounts such as social media platforms to conduct exploits.”

The Premint attack came nearly a week after attackers stole over $1.4 million worth of ether from Omni Protocol, an NFT platform that allows users to take loans against their NFTs.

That followed a May attack when users of NFT marketplace OpenSea received false promotional messages on the project’s Discord channel, which led community members to a fake site that ultimately drained user wallets after clicking on a malicious link.

In April, the Bored Apes’ Instagram account and Discord server were exploited with an unofficial "mint" link sent out to followers. The fraudulent link claimed that users could mint "land" in the then-upcoming OthersideMeta, as previously reported.

In a separate April incident, attackers exploited a now-fixed design flaw in the Rarible NFT marketplace to steal a Bored Ape NFT from Taiwanese singer and actor Jay Chou and sell it for over $500,000.