On Monday morning, the official Instagram account of a non-fungible token (NFT) collection suffered a major hack. It is estimated that a whopping $3 million (£2.4 million) worth of Bored Ape Yacht Club NFTs were taken during the mass theft.
Unlike paintings or sculptures, NFTs can’t be physically stolen because they only exist as digital units stored on the Ethereum blockchain. So how do you steal an NFT? In the case of Bored Ape, the hacker compromised the collection’s Instagram account in order to post a phishing link. The link led many followers to a fake website that promised a special new feature to holders of Bored Ape NFTs. Clicking on the link, however, allowed the hacker to access the victims’ Ethereum wallets and steal their NFTs. Yuga Labs, the multi-billion-dollar creator of Bored Ape, also had several NFTs pilfered from related projects.
“The IG hack resulted in 4 Apes, 6 Mutants [Mutant Apes collection], 3 Kennels [Bored Ape Kennel Club collection], and some other assorted valuable NFTs being lost,” tweeted Greg Solano, a Bored Ape co-founder. “We will be in contact with the users affected and will post a full post-mortem on the attack when we can.”
Other types of NFTs were also stolen while the hacker emptied the victims’ wallets. Both Yuga Labs and Instagram are currently investigating how the hacker was able to gain access to the account, despite it having a two-factor authentication process enabled.
“Instagram attacks are nothing new but often take an element of social engineering,” explained Jake Moore, global cybersecurity adviser at the security firm ESET. “Unfortunately, however, this takeover has had a huge consequence and resulted in a mass robbery of digital assets. Similar to when physical art is stolen, there will be questions over how they would now be able to sell on these assets, but the problems in NFTs still prevail and users must remain extremely cautious of this still very new technology.”
Launched in 2021, Bored Ape Yacht Club is one of the most prominent collections of NFTs. Although this is the first time the collection itself has been hacked, Bored Ape NFTs have been stolen from users before. In April 2022, the collector known as “s27” was deceived into swapping their $500,000 (£399,000) collection of Bored Apes for counterfeits.