Web3 can be a risky frontier that requires a strong security mindset to survive, as users of the NFT whitelisting service Premint learned the hard way when a malicious (though suspicious-looking) login link stole their NFTs. Because it is impossible to directly steal blockchain tokens from a crypto wallet, a smart hacker or scammer must rely on phishing attacks and user ignorance to steal tokens. Users can avoid phishing attacks by practicing Web3 operational security (or “opSec”), and by being skeptical and cautious when prompted to submit transactions.
Non-fungible token (NFT) collections are an effective way for a new project to raise capital from investors and fans while building a community. This often involves a “pre-mint” phase where people sign up for a raffle to be among the first wave of buyers or recipients, and bots are often created to unfairly increase the odds of winning one or more places. Premint is an NFT “whitelist” service where creators can set custom criteria to verify (“whitelist”) wallets that can participate in the pre-mint (i.e., requiring social media verification, a sufficient cryptocurrency balance and/or ownership of another NFT), and collectors have a dashboard that reports which pre-mints they have won. Unlike NFT marketplaces such as OpenSea, Premint never takes custody of NFTs or facilitates their transfer, and does not require users to submit transactions in order to use it.
According to CryptoSlate, about $400,000 of users’ NFTs were stolen from their wallets through a malicious login link on Premint’s website on July 17. Premint’s official Twitter post says an unknown third party manipulated a file on the site, which then presented a malicious wallet connection request. Authenticating with a wallet is normal for Web3 logins, but this request started a suspicious transaction instead. While all victims had a chance to reject the transaction, those who confirmed it gave the attacker’s smart contract full permission to transfer all tokens across many NFT collections to the attacker’s wallets, resulting in over $400,000 of stolen NFTs.
Last night, a file was manipulated on PREMINT by an unknown third party which led to users being presented with a malicious wallet connection.
– PREMINT | NFT Access List Tool (@PREMINT_NFT) July 17, 2022
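The difference between a login signature and a permission-granting transaction can be checked before anything is confirmed. The following is an added example, not code from Premint or CryptoSlate: it assumes the permission described above took the form of the standard ERC-721/ERC-1155 `setApprovalForAll` call (the article does not name the call) and that requests arrive in the usual EIP-1193 JSON-RPC shape. The function names and sample addresses are hypothetical.

```javascript
// Added example: classify a wallet request before the user confirms it.
const SELECTORS = {
  "0xa22cb465": "setApprovalForAll", // ERC-721 / ERC-1155 operator approval
  "0x095ea7b3": "approve",           // ERC-20 allowance or single ERC-721 token
};
const SIGN_METHODS = new Set(["personal_sign", "eth_signTypedData_v4"]);

// Read the 32-byte ABI word at index i (after the 4-byte selector).
function word(data, i) {
  return data.slice(10 + 64 * i, 10 + 64 * (i + 1));
}

// request: the JSON-RPC object a site hands to the wallet (assumed EIP-1193 shape).
function classifyRequest(request) {
  const { method, params = [] } = request;
  if (SIGN_METHODS.has(method)) {
    return { kind: "signature", risk: "review", note: "Signs a message; sends no transaction by itself" };
  }
  if (method !== "eth_sendTransaction") {
    return { kind: "other", risk: "review", note: `Unrecognised method ${method}` };
  }
  const tx = params[0] || {};
  const data = (tx.data || "0x").toLowerCase();
  const fn = SELECTORS[data.slice(0, 10)];
  if (fn === "setApprovalForAll" && data.length >= 10 + 128) {
    const operator = "0x" + word(data, 0).slice(24); // address is the low 20 bytes
    const approved = BigInt("0x" + word(data, 1)) !== 0n;
    return approved
      ? { kind: "transaction", risk: "high", collection: tx.to, operator,
          note: "Grants operator control of every token in this collection" }
      : { kind: "transaction", risk: "low", collection: tx.to, operator,
          note: "Revokes an operator approval" };
  }
  if (fn === "approve") {
    return { kind: "transaction", risk: "medium", note: "Grants a spender approval" };
  }
  return { kind: "transaction", risk: "review", note: "A login should not need a transaction" };
}

// Constructed sample inputs (placeholder addresses, not from the incident).
const OPERATOR = "0x" + "22".repeat(20);
const sampleLogin = { method: "personal_sign", params: ["0x4c6f67696e", "0x" + "33".repeat(20)] };
const sampleApproval = { method: "eth_sendTransaction", params: [{
  to: "0x" + "11".repeat(20),
  data: "0xa22cb465" + OPERATOR.slice(2).padStart(64, "0") + "1".padStart(64, "0"),
}] };
```

A request classified as `high` on a page that only asked the user to log in is the pattern the Premint victims were shown.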
OpSec is critical for Web3
In a world of Web3, blockchain and the decentralized Metaverse, users need to practice a little opSec along with healthy skepticism. Malicious transactions can be indistinguishable from benevolent ones, and the use of “burner wallets” is strongly urged to reduce the damage if and when such a transaction is accidentally confirmed. In this dual-wallet system, the burner wallet acts as a disposable account that submits transactions, collects token airdrops, tests new Web3 apps for the first time, and transfers any tokens it receives and does not need to the main wallet. In return, the main wallet acts as a savings or bank account and rarely interacts with Web3 apps. This practice significantly reduces the chances of a phishing attack stealing tokens.
What will happen to the stolen NFTs is yet to be seen, but unless they are returned to their owners, they are now black market items with damaged value, and after being reported stolen, they cannot be sold on OpenSea for full price until they have been returned. The hacker must rely on decentralized NFT marketplaces to sell the stolen tokens, in the hope that the person who buys them does not check the tokens’ ownership history first. Hopefully, the victims will be compensated for their losses, other users and projects will take note for the future, and Premint can find out what happened and explain how a third party gained access to its production code base.
Source: CryptoSlate, @PREMINT_NFT / Twitter