Hackers steal $375,000 from the Premint NFT platform
Hackers behind one of this year’s largest non-fungible token hacks stole at least 314 blockchain entries worth around $375,000 from users of the Premint NFT platform.
The incident, which affected wallets containing NFTs including the Bored Ape Yacht Club and Oddities, began with an injection of malicious JavaScript, the crypto-security firm CertiK tells Information Security Media Group. Affected users saw a pop-up window asking them to confirm ownership of their wallet, Premint tweeted Sunday afternoon. The website allows users to join a database of potential buyers of new NFT projects.
Users who fell for the request also accepted a “SetApprovalForAll” setting in the wallet, allowing hackers to empty the wallet. Premint says that a “relatively small number of users” fell for the request and that it is putting extra security in place.
SetApprovalForAll is designed to allow users of decentralized finance platforms to automatically approve the transfer of specific tokens, designated by an underlying smart contract, at a future time. The feature is a boon for threat actors, who use it to transfer all of other users’ tokens to their own wallets (see: $8 million crypto stolen by phishing from Uniswap Liquidity Pool).
In all, the stolen NFTs were worth around 275 ether, the Ethereum cryptocurrency, which amounts to $374,417.66, “making it one of the biggest NFT hacks this year,” CertiK said in a blog post analyzing the incident.
Six externally owned accounts – or accounts that can be controlled by anyone with the relevant private keys – were involved in the hack, says CertiK. The company says two of them have been taken.
Last night, a file was manipulated on PREMINT by an unknown third party which led to users being presented with a malicious wallet connection.
– PREMINT | NFT Access List Tool (@PREMINT_NFT) July 17, 2022
A Premint user who goes by @iamdeadlyz.pcc.eth says that he saw the Premint website on Sunday briefly redirect to a joke video. “When you visit the website or a specific project, you will be redirected to a Rickroll video after a few seconds,” he tells ISMG.
Brenden Mulligan, founder of Premint NFT, did not respond to ISMG’s request for comment.
The platform temporarily took down its page and suggested that users revoke the “set approval for all” function through Revoke Cash or Etherscan and move all assets to a separate wallet. The company is crowdsourcing a list of stolen assets via an incident report form to track their whereabouts.
The company also released a new method for users to log in to their accounts that does not involve connecting to the wallet.
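To see which blanket approvals still need revoking, a wallet owner can replay the ApprovalForAll events that ERC-721 and ERC-1155 token contracts emit whenever the setting changes. The following Python is an added example, not code from Premint, CertiK or ISMG; it assumes logs in the eth_getLogs JSON-RPC result shape, and every address and log entry in it is a constructed placeholder.

```python
# keccak256("ApprovalForAll(address,address,bool)"): event topic shared by ERC-721 and ERC-1155
APPROVAL_FOR_ALL = "0x17307eab39ab6107e8899845ad3d59bd9653f200f220920489ca2b5937696c31"

def addr_from_topic(topic):
    """Indexed addresses are left-padded to 32 bytes; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()

def outstanding_approvals(logs, owner):
    """Return {(token_contract, operator): block} for approvals not yet revoked."""
    owner, active = owner.lower(), {}
    # Replay in chain order so that a later revoke (approved=false) wins.
    order = lambda l: (int(l["blockNumber"], 16), int(l["logIndex"], 16))
    for log in sorted(logs, key=order):
        topics = log["topics"]
        if len(topics) != 3 or topics[0].lower() != APPROVAL_FOR_ALL:
            continue  # some other event
        if addr_from_topic(topics[1]) != owner:
            continue  # another wallet's approval
        key = (log["address"].lower(), addr_from_topic(topics[2]))
        if int(log["data"], 16) == 1:
            active[key] = int(log["blockNumber"], 16)
        else:
            active.pop(key, None)
    return active

def make_log(contract, owner, operator, approved, block, index):
    """Build a constructed log entry in the eth_getLogs result shape."""
    pad = lambda a: "0x" + "0" * 24 + a[2:]
    return {"address": contract, "blockNumber": hex(block), "logIndex": hex(index),
            "topics": [APPROVAL_FOR_ALL, pad(owner), pad(operator)],
            "data": "0x" + "0" * 63 + ("1" if approved else "0")}

# Constructed placeholder addresses and logs (not values from the incident).
WALLET, OTHER = "0x" + "11" * 20, "0x" + "22" * 20
NFT_A, NFT_B = "0x" + "a1" * 20, "0x" + "b2" * 20
MARKETPLACE, UNKNOWN_OPERATOR = "0x" + "cc" * 20, "0x" + "ee" * 20
SAMPLE_LOGS = [
    make_log(NFT_A, WALLET, MARKETPLACE, False, 140, 2),      # revoke, listed out of order
    make_log(NFT_A, WALLET, MARKETPLACE, True, 100, 0),       # earlier approval
    make_log(NFT_B, WALLET, UNKNOWN_OPERATOR, True, 150, 1),  # never revoked
    make_log(NFT_B, OTHER, UNKNOWN_OPERATOR, True, 151, 0),   # different owner
]

if __name__ == "__main__":
    for (contract, operator), block in outstanding_approvals(SAMPLE_LOGS, WALLET).items():
        print(f"{operator} may move every token in {contract} (approved in block {block})")
```

Any operator left in the result that the owner does not recognize is a candidate for revocation, which on-chain means calling setApprovalForAll for that operator with approved set to false.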
Web2-Web3 Link
“Exploitation continues the growing trend of hackers exploiting web2 vulnerabilities to exploit web3 projects,” said CertiK co-founder Ronghui Gu.
“It is clear from this that the web3 ecosystem must take into account the connections with web2 technologies, especially at points where dependence on them becomes a vulnerability,” he says.
An incident in June involving NFT artist Beeple testifies to this. Hackers compromised Beeple’s Twitter account, stealing cryptocurrencies worth around $438,000 from his followers in several phishing attacks.
That same month, hackers compromised the Discord account of Bored Ape Yacht Club NFT community manager Boris Vagner and posted links on the NFT company’s official Discord channels to a phishing site to steal NFTs worth $360,000 from unsuspecting victims.