On Sunday, hackers infiltrated the popular NFT registration platform Premint and escaped with 320 stolen NFTs and more than $ 400,000 in profits in one of the largest such hacks this year.
According to analysis from the blockchain security company CertiK, the hackers compromised the Premint website on Sunday with malicious JavaScript code. They then created a pop-up on the site asking users to confirm ownership of the wallet, apparently as an additional security measure.
Several users quickly realized that the pop-up window was illegitimate and immediately took to Twitter and Discord to warn others not to follow the instructions. Still, within minutes, the hackers had already tricked several Premint customers.
The stolen NFTs included those from popular collections Bored Ape Yacht Club, Otherside, Moonbirds Oddities and Goblintown. After securing these NFTs, hackers immediately began turning them around in marketplaces such as OpenSea; a stolen Bored Monkey received a price of 89 ETH, or around 132,000 dollars.
Over the course of Sunday, hackers collected 275 ETHs, or just over $ 400,000, in sales of all 320 stolen NFTs.
The hackers then sent the funds to Tornado Cash, a service that collects the cryptocurrency deposits of many users and shuffles them, effectively wiping out the digital trail usually left by blockchain transactions. Mixed services like Tornado Cash often used by cybercriminals to “clean up” stolen cryptocurrency.
Yesterday, Premint took to Twitter to acknowledge the hack and assure users that the majority of the accounts were unaffected by the hack. “Thanks to the incredible web3 community that spreads warnings, a relatively small number of users fell for this,” the company twitret.
However, some Premint users noted that the hacked site remained for about 10 hours after hackers first infiltrated it early Sunday. Others apologized for the loss of their digital assets and asked if Premint would refund these accounts the value of the stolen NFTs.
Premint has since started collecting data on all NFTs stolen in the hack. The company refused to respond Decrypt at the post office.
Perhaps ironically, in the days before the hack, the company had planned to announce a new security feature: the ability to log in to Premint via Twitter or Discord, a method that would allow users to access the site without entering wallet details directly. Any Premint customer who uses such a login method would have been protected from yesterday’s hack.
However, the feature was not released yet. Following Sunday’s events, Premint’s management decided to roll out the function a few days earlier than expected:
The hack is just the latest scam to target the NFT market, which last year alone generated $ 25 billion in sales. In February, a phishing scam on OpenSea stole NFTs for over $ 1.7 million. In April, a hack of Bored Ape Yacht Club’s Instagram account took place led to a $ 2.8 million NFT theft. Last month, actor Seth Green paid nearly $ 300,000 to recover a stolen Bored Ape NFT he planned to make the centerpiece of an upcoming TV series.
Despite the huge amount of capital flowing through the NFT area, the security of these assets – especially when linked to centralized firms such as Premint – is a persistent problem.
As one Premit user put it“Security is the biggest thing that is not taken seriously[ly] in the crypto space. “
Do you want to become a crypto expert? Get the best from Decrypt right to your inbox.
Get the biggest crypto news + weekly summaries and more!
