The Premint website was hacked on Sunday, and according to an assessment by blockchain security company CertiK, the hackers used malicious JavaScript code. Then, apparently as an additional security step, they built a pop-up within the website that asked visitors to confirm their ownership of their wallet.
In one of the biggest such attacks this year, hackers broke into the well-known NFT registration platform Premint on Sunday and made off with 320 stolen NFTs and more than $400,000 in profit. All 320 of the stolen NFTs were sold by the hackers on Sunday for 275 ETH, or maybe just over $400,000.
Following their swift realisation that the pop-up was fraudulent, numerous users immediately took to Twitter and Discord to alert others not to follow its directions. However, the hackers had already tricked a number of Premint clients within a matter of minutes.
The popular collections Bored Ape Yacht Club, Otherside, Moonbirds Oddities, and Goblintown were among the stolen NFTs. After obtaining these NFTs, the hackers started selling them right away on platforms like OpenSea; one stolen Bored Ape brought in 89 ETH, or around $132,000, for its owner.
The hackers then sent the money to a platform named Tornado Cash, which combines and mixes the cryptocurrency deposits of multiple users, effectively destroying the digital traces that blockchain transactions generally leave behind.
Premint acknowledged the attack on Twitter yesterday and reassured users that the majority of accounts were unaffected. As per the company, a small number of people fell for this scam thanks to the web3 community’s warnings.
“This issue only affected users who connected a wallet via this dialogue after midnight Pacific time. Thanks to the incredible web3 community spreading warnings, a relatively small number of users fell for this. We took the site down early this morning to fix the issue,” the company tweeted.
However, other Premint users pointed out that following the initial intrusion early on Sunday, the compromised site stayed up for about 10 hours. Others protested the loss of their digital possessions and inquired as to whether Premint would be crediting these accounts for the value of the NFTs that were stolen.
A user named @the_nftgoat replied to a tweet by premint— “Got scammed/drained because I’m stupid and trust you. Please make sure you help/refund people that had trust in you.” Premint has since started compiling information on all NFTs that were stolen in the breach.
Strangely, the business had intended to introduce a new security feature in the days prior to the hack: the ability to log in to Premint via Twitter or Discord, a mechanism that would allow users to access the site without explicitly entering wallet data. Such a login procedure would have protected Premint users from yesterday’s breach.