35 NFTs including Bored Apes stolen via phishing attack in last week alone

Quick Take

  • A number of verified Twitter accounts have been hacked in the last week, in order to tweet out links to a phishing site.
  • This attack led to the theft of 35 NFTs worth over $900,000.

At least 35 NFTs have been stolen due to a widespread phishing attack involving hacked Twitter accounts, according to data from blockchain analytics company Elliptic.

Scammers have made off with at least $900,000 in NFTs over the past week, per Elliptic. Five of the stolen items were Bored Ape, Mutant Ape or Bored Ape Kennel Club NFTs, and nine high profile individuals have reported falling victim to the attack. 

Earlier this month, BAYC launched an airdrop of ApeCoin tokens for Bored and Mutant Ape NFT holders. For this attack, scammers hacked multiple verified Twitter accounts in order to promote links to a URL impersonating an ApeCoin token airdrop site. Some of the Twitter accounts had more than 50,000 followers.

Unsuspecting victims who clicked on the phishing links included both BAYC NFT owners and non-holders willing to cough up 0.33 ETH ($1,130) to take part. However, instead of registering for the chance to claim ApeCoin tokens in a new airdrop, they found themselves faced with malicious code that gave the scammers access to their wallet.

“The tweet looked strange, but this is someone that I had actually followed [previously] so I didn’t overthink it... I clicked the link in the tweet and was immediately prompted to connect my wallet, which I did not do,” explained Aaron Cadena, co-founder of NFT-themed vaping company Gutter Bars, in a tweet thread detailing how his #2017 and #2904 Gutter Cats were taken.

 “After clicking cancel, the prompt kept popping up over and over again. I clicked cancel a few more times, then caught onto what was happening and tried leaving the site but my screen was locked.”


Keep up with the latest news, trends, charts and views on crypto and DeFi with a new biweekly newsletter from The Block's Frank Chaparro

By signing-up you agree to our Terms of Service and Privacy Policy
By signing-up you agree to our Terms of Service and Privacy Policy

Cadena describes how, despite force quitting the browser, he received a notification that two assets had been transferred from his wallet. 

“It felt like a punch in the gut. I’m not sure how this was done since I never connected my wallet,” he said, adding that third parties later agreed to sell the NFTs back to him at cost. “After this whole ordeal, I’ll be out 20 ETH, which sucks, but it could’ve been a lot worse.”

AnChain.ai, which published a separate breakdown of the scam, said that “the fact that hacked verified accounts are not triggering Twitter’s spam detection when using a script to push out multiple tweets per second is absurd.”

 Twitter has not responded to requests for comment by press time.

© 2023 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.

About Author

Callan Quinn is an NFT, gaming and metaverse reporter. She started her career working for the expat magazine City Weekend in Guangzhou, China. She also has worked as a business journalist in the UK, Somaliland and the republic of Georgia. Before joining The Block, she was a freelance journalist covering the Chinese tech industry. She speaks Mandarin, French and German. Get in touch via Twitter @quinnishvili or email [email protected].