Sandbox Followers Fall Victim To Hacked Instagram
With several individuals losing NFTs and others being phished for their Bored Apes.
On Thursday, September 8, The Sandbox's Instagram account was hacked and a phishing link was posted to its page, disguised as an “Alpha Season 4 Holder Raffle.” Those who visited the site to participate in the supposed raffle were then prompted to sign a transaction with their Web3 wallet that would ultimately grant the hacker access to all their assets.
While the exploit was removed and the account recovered within a few hours, several followers still fell victim to the hacker. Stolen tokens included VeeFriends Series 2, The Lobstars, as well as Steve Aoki and Snoop Dogg Sandbox NFTs, among others, according to data found on Etherscan.
Taking things a step further, the hacker also attempted to steal Bored Ape Yacht Club (BAYC) NFTs, reaching out to followers of The Sandbox who had the tokens as their profile pictures and offering them 40 Ethereum to rent the NFTs for 24 hours. This part of the exploit appears to have been unsuccessful, as no BAYC thefts have been reported.
Instagram account recovered. The hacker tried to rent Bored Apes Yacht Club NFTs – using our account. We would NEVER ask via DM and have contacted all users to notify them. https://t.co/1DRFR3JlIq pic.twitter.com/CKQWfVBTNF
— Sebastien (@borgetsebastien) September 8, 2022
Unfortunately, the brand still does not know how it was compromised and said that all necessary security measures were in place, including two-factor authentication.
In a recent conversation on security practices with Cointelegraph, Polygon’s Chief Security Officer Mudit Gupta shared how most of the largest hacks in the crypto space have been due to Web2 failures in security and not blockchain technology itself. One of the main points of failure is human vulnerability to phishing schemes and the lack of protection of sensitive information.
“I’ve been pushing at least all of the major companies to get a dedicated security person who actually knows that key management is important,” said Gupta, adding that “you have API keys that are used for decades and decades. So there are proper best practices and procedures one should be following to keep these keys secure. There should be proper audit trail logging and proper risk management around these things. But as we’ve seen, these crypto companies just ignored all of it.”
However, despite the recent exploit, both The Sandbox and its parent company Animoca Brands are pushing full steam into Web3. The Hong Kong-based software and venture capital company has its sights on the metaverse and, on the same day as the exploit, announced the closing of a $110 million USD funding round.
Considering that Web3 and related products are an emerging space, it is clear that there is still much to be done in terms of security, and that exploiters are shifting more towards social engineering tactics, where they attempt to target and manipulate individuals rather than entire protocols.
Best practices include double- and triple-checking things that seem too good to be true, as well as carefully reviewing all transactions before signing them. Most importantly, users should look to store all of their valuable assets in cold storage wallets like a Ledger and, when interacting with the blockchain, use a dedicated hot wallet with minimal funds.