Bored Apes, Other NFTs Are Stolen In Major Twitter Phishing Hack

Zinger Key Points
  • The attackers distributed their malicious payload through a fake Apecoin airdrop website that was promoted through multiple verified Twitter accounts that were compromised.
  • Blockchain analysis and cybersecurity firm AnChain.ai severely criticized Twitter's response, noting that “the fact that hacked verified accounts are not triggering Twitter’s spam detection when using a script to push out multiple tweets per second is absurd.”

At least 35 non-fungible tokens (NFTs) were stolen in a major Twitter Inc. TWTR phishing-propagated hack on their holders.

What Happened: The NFTs in question were stolen by promoting a website that exploited vulnerabilities in user's web browsers to send a transaction with their non-fungible tokens to the attacker without them prompting for it to happen, according to a Wednesday report in The Block Crypto. 

Data shared with the crypto news outlet by blockchain analysis firm Elliptic shows that NFTs stolen in the attack were worth at least $900,000 and included tokens from the Bored Ape, Mutant Ape and Bored Ape Kennel Club collections.

The attackers distributed their malicious payload through a fake Apecoin APE/USD airdrop website that was promoted through multiple verified Twitter accounts that were compromised — some of which had over 50,000 followers.

Blockchain analysis and cybersecurity firm AnChain.ai severely criticized Twitter's response, noting that “the fact that hacked verified accounts are not triggering Twitter’s spam detection when using a script to push out multiple tweets per second is absurd.”

Aaron Cadena, the co-founder of NFT-themed cannabis vaping company Gutter Bars, wrote that "the tweet looked strange, but this is someone that I had actually followed [previously] so I didn’t overthink it ... I clicked the link in the tweet and was immediately prompted to connect my wallet, which I did not do."

He explained that "after clicking cancel, the prompt kept popping up over and over again. I clicked cancel a few more times, then caught onto what was happening and tried leaving the site but my screen was locked. I ended up having to just force quit the browser, but then I got a notification that two assets were transferred from my wallet and it felt like a punch in the gut ..."

Hacks such as these are a reminder that — despite blockchains such as Ethereum's ETH/USD being exceptionally secure when compared to traditional server infrastructure — users and their local software that can interact with that blockchain is usually much easier to compromise for a skilled attacker.

One important step for protecting your cryptocurrencies is to keep your private keys away from your internet-connected devices that can easily be hacked such as computers and mobile devices through the use of hardware wallets. 

Posted In: CryptocurrencyMarketsMedia

Ad Disclosure: The rate information is obtained by Bankrate from the listed institutions. Bankrate cannot guaranty the accuracy or availability of any rates shown above. Institutions may have different rates on their own websites than those posted on Bankrate.com. The listings that appear on this page are from companies from which this website receives compensation, which may impact how, where, and in what order products appear. This table does not include all companies or all available products.

All rates are subject to change without notice and may vary depending on location. These quotes are from banks, thrifts, and credit unions, some of whom have paid for a link to their own Web site where you can find additional information. Those with a paid link are our Advertisers. Those without a paid link are listings we obtain to improve the consumer shopping experience and are not Advertisers. To receive the Bankrate.com rate from an Advertiser, please identify yourself as a Bankrate customer. Bank and thrift deposits are insured by the Federal Deposit Insurance Corp. Credit union deposits are insured by the National Credit Union Administration.

Consumer Satisfaction: Bankrate attempts to verify the accuracy and availability of its Advertisers' terms through its quality assurance process and requires Advertisers to agree to our Terms and Conditions and to adhere to our Quality Control Program. If you believe that you have received an inaccurate quote or are otherwise not satisfied with the services provided to you by the institution you choose, please click here.

Rate collection and criteria: Click here for more information on rate collection and criteria.