On Sunday, hackers infiltrated the popular NFT registration platform Premint, stole 320 NFTs and made over $400,000 in profits in one of the biggest hacks of the year.
On Sunday, hackers compromised the Premint website with malicious JavaScript code, according to an analysis by blockchain security firm CertiK. They then created a pop-up within the site prompting users to verify their wallet ownership, apparently as an added security measure.
Many users quickly realized that the pop-up was illegitimate and immediately took to Twitter and Discord to warn others not to follow its instructions. Yet, within minutes, hackers had already duped several Premint customers.
Stolen NFTs included items from the popular collections Bored Ape Yacht Club, Otherside, Moonbirds Oddities and Goblintown. After securing these NFTs, the hackers immediately began flipping them on marketplaces like OpenSea; one stolen Bored Ape sold for 89 ETH, or around $132,000.
Over the course of Sunday, the hackers collected 275 ETH, or just over $400,000, from the sale of all 320 stolen NFTs.
The hackers then sent the funds to Tornado Cash, a service that aggregates the cryptocurrency deposits of multiple users and mixes them, effectively erasing the digital traces typically left by blockchain transactions. Mixing services like Tornado Cash are often used by cybercriminals to “clean” stolen cryptocurrencies.
Yesterday, Premint took to Twitter to acknowledge the hack and assured users that most accounts were unaffected by the hack. “Thanks to the incredible Web3 community warning spread, a relatively small number of users fell for it,” the company tweeted.
However, some Premint users noted that the hacked site was abandoned for about 10 hours after the hackers first infiltrated it early Sunday. Others mourned the loss of their digital assets and asked whether Premint would return the value of the stolen NFTs to these accounts.
Premint has since started collecting data on all NFTs stolen in the hack. The company declined to respond to Decrypt on the record.
Perhaps ironically, in the days following the hack, the company planned to announce a new security feature: the ability to log into Premint via Twitter or Discord, a method that allows users to access the site without entering wallet details directly. Any Premint customer using such a login method will be protected from tomorrow’s hacks.
However, this feature has not been released yet. Following the events of Sunday, Premint leadership decided to launch the feature a few days earlier than expected.
The hack is just the latest scam to target the NFT market, which generated $25 billion in sales last year alone. In February, a phishing scam on OpenSea saw over $1.7 million worth of NFTs stolen. In April, Bored Ape Yacht Club’s Instagram account was hacked and $2.8 million in NFTs were stolen. Last month, actor Seth Green paid about $300,000 to recover stolen Bored Ape NFTs that he was planning to make the centerpiece of an upcoming television series.
Despite the large amount of capital flowing into the NFT sector, the security of these assets—especially when associated with centralized firms like Premint—remains a persistent issue.
As a Premint user put it, “Safety is the biggest thing that is not taken seriously in the crypto space.”