Bored Ape Yacht Club targeted by Instagram hacker, NFTs worth millions stolen

Two of the stolen Bored Ape Yacht Club NFTs
It's the latest in a series of heists targeting cryptocurrency and NFT owners. Photo credit: Supplied / OpenSea

One of the biggest NFT creators has been targeted by an Instagram hacker with victims losing millions of dollars worth of tokens.

Yuga Labs, creators of the popular Bored Ape Yacht Club (BAYC) series, confirmed its photo account was hacked, allowing the attacker to phish the community for cryptocurrency wallets.

The hacker used the promise of an airdrop - free tokens for those who already own them - to get people to supply their details.

"The hacker posted a fraudulent link to a copycat of the BAYC website with a fake Airdrop, where users were prompted to sign a 'safeTransferFrom' transaction. This transferred their assets to the scammer's wallet," Yuga Labs said on social media.

"Immediately upon discovering the hack, we alerted our community, removed links to the compromised IG account from our platforms and attempted to recover the account."

How the hacker managed to gain access to Yuga Labs' Instagram account remains a mystery.

"At the time of the hack, two-factor authentication was enabled and security surrounding the IG account followed best practices," Yuga Labs tweeted.

"We've regained control of the account, and are investigating how the hacker gained access with IG's team."

According to some reports over US$2.5 million (NZ$3.8 million) worth of NFTs were stolen, including some from Yuga Labs' other projects like Mutant Ape and Bored Ape Kennel Club.

That included four Bored Apes with a total value of over NZ$1.5 million.

The Verge reported the hacker's wallet had been removed from trading platform OpenSea, but by using the Rarible platform were able to see 134 NFTs in the hacker's wallet.

The most valuable Bored Ape stolen, #6623, was last sold for 123 ether, around $NZ555,000, three months ago.

The least expensive Bored Ape stolen was #7203, which was last sold for 47.9 ether, or NZ$216,000.

According to OpenSea's transaction history, viewable by anyone, both have been transferred twice since being stolen, with the original account now banned. An OpenSea user called PPMan currently has both #6623 and #7203 in his account.

As NFTs and cryptocurrencies have gained popularity, so has the number and value of thefts.

OpenSea was sued in February after a Bored Ape was stolen from a Texas man's wallet.

Since then players of the Axie Infinity token game lost NZ$886 million to North Korean hackers who targeted the game and decentralised financed (DeFi) company Beanstalk Farms was robbed of NZ$270 million in 13 seconds after its governing system was exploited.