At least 35 NFTs have been stolen due to a widespread phishing attack involving hacked Twitter accounts, according to data from blockchain analytics company Elliptic.
Scammers have made off with at least $900,000 in NFTs over the past week, per Elliptic. Five of the stolen items were Bored Ape, Mutant Ape or Bored Ape Kennel Club NFTs, and nine high profile individuals have reported falling victim to the attack.
Earlier this month, BAYC launched an airdrop of ApeCoin tokens for Bored and Mutant Ape NFT holders. For this attack, scammers hacked multiple verified Twitter accounts in order to promote links to a URL impersonating an ApeCoin token airdrop site. Some of the Twitter accounts had more than 50,000 followers.
Unsuspecting victims who clicked on the phishing links included both BAYC NFT owners and non-holders willing to cough up 0.33 ETH ($1,130) to take part. However, instead of registering for the chance to claim ApeCoin tokens in a new airdrop, they found themselves faced with malicious code that gave the scammers access to their wallet.
“The tweet looked strange, but this is someone that I had actually followed [previously] so I didn’t overthink it... I clicked the link in the tweet and was immediately prompted to connect my wallet, which I did not do,” explained Aaron Cadena, co-founder of NFT-themed vaping company Gutter Bars, in a tweet thread detailing how his #2017 and #2904 Gutter Cats were taken.
“After clicking cancel, the prompt kept popping up over and over again. I clicked cancel a few more times, then caught onto what was happening and tried leaving the site but my screen was locked.”
Cadena describes how, despite force quitting the browser, he received a notification that two assets had been transferred from his wallet.
“It felt like a punch in the gut. I’m not sure how this was done since I never connected my wallet,” he said, adding that third parties later agreed to sell the NFTs back to him at cost. “After this whole ordeal, I’ll be out 20 ETH, which sucks, but it could’ve been a lot worse.”
AnChain.ai, which published a separate breakdown of the scam, said that “the fact that hacked verified accounts are not triggering Twitter’s spam detection when using a script to push out multiple tweets per second is absurd.”
Twitter has not responded to requests for comment by press time.
© 2023 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.