Don't miss CoinDesk's Consensus 2022, the must-attend crypto & blockchain festival experience of the year in Austin, TX this June 9-12.
Bored Ape Yacht Club's Instagram account and Discord server were both hacked on Monday, with an unofficial "mint" link being sent out to followers.
"There is no mint going on today. It looks like BAYC Instagram was hacked. Do not mint anything, click links or link your wallet to anything," the NFT project wrote on Twitter.
🚨There is no mint going on today. It looks like BAYC Instagram was hacked. Do not mint anything, click links, or link your wallet to anything.
— Bored Ape Yacht Club (@BoredApeYC) April 25, 2022
The fraudulent link claimed that users could mint "land" in the upcoming OthersideMeta, which is due to launch later this week.
The wallets of those who clicked the link have now been compromised, with a series of Bored Apes and Mutant Apes being transferred to new wallets by the hackers.
At the time of writing, it is estimated that around 24 Bored Apes and 30 Mutant Apes have been stolen, according to recent OpenSea transfers, although some of these may be holders transferring their non-fungible tokens for security purposes.
The value of the 54 NFTs calculated by floor price is $13.7 million.
Yuga Labs says the scope of the attack is far smaller.
"The hacker posted a fraudulent link to a copycat of the Bored Ape Yacht Club website, where a safeTransferFrom attack asked users to connect their MetaMask to the scammer's wallet in order to participate in a fake Airdrop," a spokesperson told CoinDesk via email. "At 9:53am ET, we alerted our community, removed all links to Instagram from our platforms and attempted to recover the hacked Instagram account."
Yuga Labs and Instagram are still investigating how the account was compromised, the spokesperson said.
"Rough estimated losses due to the scam are 4 Bored Apes, 6 Mutant Apes, and 3 BAKC, as well as assorted other NFTs estimated at a total value of ~$3m," the spokesperson said. "We are actively working to establish contact with affected users."
— zachxbt (@zachxbt) April 25, 2022
UPDATE (April 25, 17:05 UTC): Adds comment from Yuga Labs, changes headline.