Skip to content

BAYC’s Instagram Hack is Another Reminder of Web 2.0’s Security Flaws

Table of Contents

BAYC has been hacked. Again. On April Fool’s Day, BAYC’s Discord fell victim to hackers. Before the month is over, BAYC’s Instagram account was also hacked.

“There is no mint going on today,” BAYC tweeted on Monday. “It looks like BAYC Instagram was hacked. Do not mint anything, click links, or link your wallet to anything.”

According to reports, hackers infiltrated BAYC’s Instagram and posted a link to a fraudulent version of BAYC’s official website that offered free crypto tokens. Those who tried to claim the tokens connected their digital wallets, unknowingly giving hackers access to their accounts.

Yuga Labs revealed that hacked owners cumulatively lost four Bored Apes, six Mutant Apes and three Bored Ape Kennel Club NFTs, with a total value of around US$3 million.

“Yuga Labs and Instagram are currently investigating how the hacker was able to gain access to the account. We’re still investigating,” BAYC owners Yuga Labs said in a statement.

The hack exploited Instagram’s two factor authorization (2FA) security layer – a system widely used across Web 2.0.

SIM swapping

In a thread, Twitter user sama_eth explained that the hackers most likely used SIM swapping to bypass BAYC’s Instagram 2FA. “[2FA] allows you to add a extra layer of security when logging in. This is either through a phone number or authentication code,” Sama tweeted.

“There’s 3 different ways this could have happened,” the Twitter user explained. According to Sama, the hacker would have needed to get hold of the BAYC phone number attached to the Instagram account by:

  1. A social engineering “media support panel.” Available for purchase on the black market, the VIP support system discloses Instagram info including usernames and verfications.
  2. An interlink between BAYC’s Discord dredentials and Instagram.
  3. “Knowing someone who knows someone.”

The Twitter user believes the first method was most likely used by the hackers. Once having access to the phone number, the hacker can call support using “social engineering tactics like convincing them that you lost your sim, and need the number to be reset to a new sim-card.”

Then, using an administrative tool the hacker’s sim card can be assiged to the victim’s number, which can then be used to request a password the Instagram account.

Of course, this is just speculation from one Twitter user, but hacks such as these are relatively simple to pull off in Web 2.0 applications. Moving forward, it will be interesting to monitor how Web 3.0 applications address security flaws of its predecessor.