April 02, 2022

Losses Exceed $1M: Jay Chou’s Bored Ape NFT Stolen in a Discord Phishing Attack

The pop star Jay Chou revealed on Instagram that his Bored Ape NFT had been stolen by a phishing website on Friday.



He initially thought it was an April Fool’s joke, then checked and realized “it’s really gone”. Bored Ape (@BoredApeYC) then confirmed on its official Twitter account that its Discord account had been hacked, reminding users not to click on any links.



How did Jay Chou’s NFT get transferred out?


Beosin’s technical team looked into the incident and found that at around 11:00 Jay Chou, using the wallet address starting with 0x71de2, signed an approval transaction that granted NFT approval to the attacker’s wallet starting with 0xe34f0. At this time Jay Chou was not aware that his NFT was already at risk.


In just a few minutes, the attacker transferred the Bored Ape BAYC #3738 NFT to his own wallet address at 11:07.


The hacker then proceeded to steal 1 MAYC and 2 Doodles held by Jay Chou as well.


The stolen NFTs were finally sold on LooksRare and OpenSea, leading to a gain of about 169.6 ETH for the hacker.



The funds currently stay at the address beginning with 0x6E85C, and just like that, Jay’s NFT was hacked for profit.


What are the risks of NFTs?


NFT risks can be broadly classified into two categories:


One is the approval mechanism of the NFT itself: NFT holders can approve other addresses to act as their agents. If holders misuse this mechanism (mainly through phishing sites or insecure interface calls at the wallet level), their NFT privileges can be hijacked.


The other is the external risk introduced when NFTs interact with DeFi systems, such as the security risks of the NFT stake-mining contract itself, which are basically the same as regular DeFi risks.



In addition, we need to guard against various fraudulent schemes:


For example, scammers may send you links to fraudulent websites through Discord, or send fake transaction links to lure you into clicking on them. Scammers also use various means to trick users into handing over their private keys or mnemonics, so be sure to store your private keys and mnemonics securely.


Notes:


1) Pay attention to telling real websites apart from phishing websites


Be sure to watch out for fake websites, especially phishing websites. Do not approve easily! Do not approve easily!


2) Do not disclose private keys or mnemonics


Protect your private keys and mnemonics from disclosure. If they are disclosed, your digital assets are likely to be at risk.


3) Cancel the wallet approval in time


If you have granted an approval from your wallet on a fraudulent website, you can check the status of your wallet approvals and revoke them promptly at the following two addresses:


https://etherscan.io/tokenapprovalchecker


https://revoke.cash/
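
To make the approval risk and the "do not approve easily" advice concrete, here is an added example (not code from Beosin's article) that decodes the calldata a site asks a wallet to sign and flags approval grants to operators outside an allowlist. The article does not say which approval call was signed, so the sketch covers the two standard ones; the function names and the sample operator address are assumptions constructed for illustration.

```python
# Added example: classify transaction calldata before signing it.
# Selectors = first 4 bytes of keccak256 of the standard function signatures.
APPROVAL_SELECTORS = {
    "a22cb465": "setApprovalForAll(address,bool)",  # ERC-721 / ERC-1155
    "095ea7b3": "approve(address,uint256)",         # ERC-721 and ERC-20
}

def _word(data: bytes, i: int) -> bytes:
    """Return the i-th 32-byte ABI argument following the 4-byte selector."""
    word = data[4 + 32 * i : 36 + 32 * i]
    if len(word) != 32:
        raise ValueError("calldata is truncated")
    return word

def inspect_calldata(calldata_hex, trusted_operators=()):
    """Return a summary dict for approval calls, or None for anything else."""
    h = calldata_hex.lower()
    data = bytes.fromhex(h[2:] if h.startswith("0x") else h)
    signature = APPROVAL_SELECTORS.get(data[:4].hex())
    if signature is None:
        return None
    operator = "0x" + _word(data, 0)[12:].hex()  # address = low 20 bytes
    value = int.from_bytes(_word(data, 1), "big")
    if signature.startswith("setApprovalForAll"):
        action = "grant_all" if value else "revoke_all"
    else:
        # approve(address(0), id) clears an ERC-721 approval. Calldata alone
        # cannot tell an ERC-20 amount from an ERC-721 token id.
        action = "revoke_one" if int(operator, 16) == 0 else "grant_one"
    trusted = {a.lower() for a in trusted_operators}
    risky = action.startswith("grant") and operator not in trusted
    return {"function": signature, "operator": operator,
            "action": action, "value": value, "risky": risky}

# Constructed samples: the operator is a placeholder, not an incident address.
SAMPLE_OPERATOR = "0x" + "11" * 20
SAMPLE_GRANT = "0xa22cb465" + "00" * 12 + "11" * 20 + "00" * 31 + "01"
SAMPLE_REVOKE = "0xa22cb465" + "00" * 12 + "11" * 20 + "00" * 32

if __name__ == "__main__":
    for label, tx in (("grant", SAMPLE_GRANT), ("revoke", SAMPLE_REVOKE)):
        print(label, inspect_calldata(tx))
```

A `grant_all` result means the operator could move every token of that collection held by the signing wallet, which is why it deserves a second look unless the operator is a marketplace contract you already trust.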
