The Register reports that almost $3 million worth of non-fungible tokens have been exfiltrated by threat actors who hacked into the Instagram account of the Bored Ape Yacht Club and then posted a link redirecting to a spoofed website aimed at asset harvesting.
BAYC, which sells various photos depicting apes in different poses and costumes for crypto-coins, has already warned users against minting, clicking links, or linking their wallets in the aftermath of the attack.
Notifications to impacted users are already underway, according to a spokesperson for Yuga Labs, the creator of BAYC. The spokesperson said that the NFT collection's Instagram account had two-factor authentication enabled and had "tight" security practices.
"Yuga Labs and Instagram are currently investigating how the hacker was able to gain access to the account," the spokesperson added.
The attack comes after BAYC had its Discord server breached, resulting in the theft of one NFT, as reported by PeckShield.
As part of its latest attacks discovered in June, Tropic Trooper exploited several known Microsoft Exchange Server and Adobe ColdFusion vulnerabilities to distribute an updated China Chopper web shell on a server hosting the Umbraco open-source content management system.
More than 50 Alibaba-hosted command-and-control servers have been leveraged to facilitate the distribution of the backdoor, which impersonates the Java, bash, sshd, SQLite, and edr-agent utilities.
Angola and the Democratic Republic of Congo, which is a new Intellexa client, may have leveraged new Predator infrastructure to enable spyware staging and exploitation, according to an analysis from Recorded Future's Insikt Group.