CertiK - BAYC Discord Hack Connections

Back to all stories

Reports

Incident Analysis

BAYC Discord Hack Connections

7/26/2022

TL;DR

We have seen a huge increase in NFT phishing hacks this year with prominent examples being the two attacks on Bored Ape Yacht Club and Beeple. Whilst these are prominent examples, NFT phishing scams, particularly through compromised Discord accounts happen almost daily. We have been logging these events, and can confirm that at least 30 phishing hacks are connected. These includes the BAYC Discord hack and the Beeple Twitter hack with total profits over $1.3m.

Event Summary

We have seen many Discord hacks that follow a similar modus operandi, whereby a compromised account or an imitation account posts a phishing link in the announcement section of a project's Discord server. We have discovered that some of the high-profile Discord hacks are connected to the same threat actor and include Bored Ape Yacht Club, TastiesNFT, Hypno Duckz, HomelessFrens and the Beeple Twitter hack to name a few. In total, we have identified at least 30 incidents that are provably linked via the blockchain.

Bored Ape Yacht Club Phishing Attack

Let’s remind ourselves of how the BAYC attack took place. On 4th June, 2022 community manager Boris Vagner’s Discord account was compromised, leading to the posting of a carbon copy of Bored Ape Yacht Club's website. In total, ~179.9 ETH (equating to ~$319k) was stolen in the attack. As we reported in our initial analysis of the incident, stolen funds were sent to EOA: eth 0xd869 and EOA: eth 0x3FF5 which were deposited into Tornado Cash.

0144e305-fcdb-4b42-a5ea-35ba84d7053d

Connections

Unfortunately, we run into a dead end with 0x3FF5, however upon looking at the previous transactions in 0xd869, we find some interesting links between this wallet and other phishing attacks. Let's start with the first significant transactions with this wallet that occurred on 7th May 2022.

cba8ef99-d068-4ee4-881f-764e88d3fa20

As we can see, ~17 ETH is transferred into 0xd869 from three different EOAs. When we follow the funds we observe some suspicious activity. For example, EOA:eth 0x1612 transfers nearly 12 ETH into 0xd869. When we observe the route of those funds, we come across a probable Discord Phishing attack from two addresses on 07 May 2022:

c2eda5d1-4062-4859-81fb-f6ef26c4882d

Lets quickly explore why we come to the assessment that these two EOA’s have highly likely been involved in phishing attacks. When we look into the activity of suspected phishing attacks, they all follow a similar pattern. This includes a large influx of NFTs and a quick sell off as well as little to no activity before the transfer of NFTs. Below is a good example from one of the wallets connected to 0xd869.

5354c768-493e-4539-ac45-2f91a5a07b58

We can see how suspicious this activity is. A large influx of NFTs in quick succession, followed by the quick selling is far from the usual behavior of a typical trader.

We recorded that Ape Dads had their Discord servers compromised on 07 May 2022. We can see that two transactions into 0xd869 occurred on the 7th May 2022 with the above patterns. Therefore, we likely have our first connection to the BAYC Discord attacker.

ed17b8a7-5e2c-43ab-ae1f-aea86d27047f

In addition, we can see multiple examples of probable phishing attacks going into the 0xd869. For example on 11th May 2022, ~5 ETH was transferred from 0x4366 which shows the same suspicious inflow / outflow of NFTs.

2c95f9a6-5d7f-4e37-948d-fe8e7a08d2aa

With the first NFT being transferred to 0x4366 at 03:56 AM +UTC, it is likely that this wallet is associated with the Droids Capital phishing attack which @CertiKAlerts notified the community at 04:15 AM +UTC.

ca133c52-d5f1-4703-8bdd-8d98ac188539

In total, we have seen that at least 30 phishing attacks are linked to 0xd869, the wallet where the majority of the stolen funds from the Bored Ape Yacht Club phishing attack were sent to. We have seen suspicious connected activity that goes back to early May and all the way through to June.

Beeple Twitter Hack Connection

We have also seen a direct connection between 0xd869 and the phishing attack on Beeple’s Twitter account. On 22 May 2022, Beeple’s Twitter account was compromised leading to two phishing sites being posted on his handle. The first phishing site was linked to a malicious contract created by EOA: eth 0xF305 and the second site linked to EOA: eth 0xcad7. Based off the funds that were deposited into Tornado Cash, $459,308 was stolen in the attack. With the BAYC phishing exploit netting ~$319k, the total profits for one threat actor is ~$778k for just two attacks.

We can see a direct link between 0xd869 (BAYC Associated) and 0xcad7 which was linked to the second phishing site posted on Beeple’s Twitter. The first transaction that is recorded within 0xcad7 is an incoming txn from 0xd869 for a small fee of $120.85. The purpose of these funds are likely to pay gas fees when the attacker starts to transfer the stolen assets out of their wallet.

61a1b888-de9b-419f-b21e-badbcc03b112

Additionally, another incoming transaction is received from 0xd896 at 11:55 AM +UTC for an additional $182.93. Again, it is likely that these funds were used to pay gas fees as stolen assets get transferred out.

cc7b481a-0777-4118-b8e7-1cf1f3c39a95

We can also see a direct link between EOA 0xd896 and another wallet associated in the Beeple Twitter hack. 0xd896 transfers a small amount of ETH to EOA 0x4e90 on 22 May 14:03 UTC. This was one of the wallets that 0xcad7 transferred valuable NFT’s to before selling for a profit. The profits from the attack are then aggregated in Fake_Phishing5744 before being deposited into Tornado Cash.

d4a41762-7b9d-4c2c-8ddb-c153ec644a44

Furthermore, we can see a similar layout of the phishing site associated with 0xcad7 and other phishing attacks. For example, with the HomelessFrens NFT phishing attack.

58f1ead4-cdf2-40bc-b3b2-14163720eec2

The only difference between the two phishing sites is the blurred background, everything else about the site is the same. In addition, we know that the wallet that was connected to the HomelessFrens phishing site, 0xAfF3…, was funded by 0xd869.

49083afd-67ac-44cd-9c31-7bff9726485d

We see this layout constantly when we’re investigating NFT Discord hacks and we suspect that they are all linked.

1e095e38-d4dc-4db0-8d43-722ba4dafd30

Where Have The Profits Gone?

In our initial analysis of the Bored Ape Yacht Club phishing attack we assessed that the stolen funds made their way to 0x5bC1, and we have found more evidence of this. When we look at the wallets that transferred funds into 0x5bC1 we find connections back to 0xd869. For example the first transaction into 0xd896 was from 0xab1b.

b5885278-cde7-4534-83ca-7af906f29946

On 04 May 2022 0xab1b received three NFTs from a likely phishing attack for the wallet to aggregate and sell.

7212e585-e299-4d28-9e6c-4aad0e0ea94f

When we look at the transaction history of 0xf472, we see that the wallet redeemed 25 ETH from Tornado Cash and sent 24 ETH to 0x6073, which then sends the funds to 0x5bC1.

97d2bd8e-93b8-4238-8270-c0a6f096d745

512bc637-5d51-41cf-8175-de8479610e53

In addition, funds from 0x6073 also fund the wallet that was responsible for the Hypno Duckz Discord hack on 1 May. Those funds ultimately made their way to 0x5bC1.

What this shows is another route to 0x5bC1 from the Bored Ape Yacht Club Discord hack which further confirms that this is where the location of stolen funds were sent. From there, the funds were sent to an EOA with the ENS domain name ‘wealthyindividual.eth’ who deposits 883 ETH into Tornado Cash. This simplified diagram further shows the connection:

f280d766-c9e6-479a-8e1d-ef998a3e39be

Remaining Questions

We have demonstrated how the Bored Ape Yacht Club Discord hack is related to many other NFT social engineering hacks which we can prove with on-chain data. However, it is noted that the Bored Ape Yacht Club Discord hack followed a different modus operandi to other connected hacks. For BAYC, the phishing site was more sophisticated and was made to look as close to the legitimate site as possible, whereas a standard template was used for the other attacks, including the Beeple Twitter hack. The question naturally arises, why was this the case?

There are a three possibilities:

Boris Vagner’s Discord account was compromised well before the attack took place, giving time to create a sophisticated phishing site.
Bored Ape Yacht Club was targeted, with the MODs targeted in conjunction with the creation of the phishing website.
Or, it didn’t take that long to create a carbon copy of the website.

Also, are there other Discord hacks that are associated with this threat actor? It is almost certain that there are.

Conclusion

By meticulously documenting the connected Discord hacks to BAYC, we can confirm that this single threat actor is responsible for over $1.3m being stolen since May 2022. However, there are almost certainly more phishing hacks connected to this threat actor. The NFT community can protect themselves from this illicit activity by practicing caution on random “free” mint announcements in Discord servers. Always double check to make sure that you are clicking on a legitimate site.

Products & Technology

KYC

Smart Contract Audit

Bug Bounty

L1 Chain Audit

Incident Response

Penetration Testing

Advisory Services

Skynet

SkyHarbor

SkyInsights

Formal Verification

Security Score

Featured Ecosystems

BNB Chain

Ethereum

WEMIX

Avalanche

Solana

Algorand

NEAR

Cosmos

Polygon

Aptos

Arbitrum

Company

About

Ventures

Worker Validation

Testimonials

Partnership

We're Hiring

Disclaimer

Resources