Premint Hack sees 300+ NFTs and $400K in Ethereum Stolen

Fake pop-up used to coerce user

Premint, a popular NFT registration platform was the victim of another hacking infiltration that saw the platform lose 320 NFTs and more than $400K in profits.

This hack was pulled off by compromising the Premint website with malicious JavaScript. The hackers created a pop-up within the site that asked users to verify that they owned the wallet in question as a security measure.

🚨URGENT PSA 🚨
Premint has been compromised. Do NOT confirm any transactions, it will drain your wallet pic.twitter.com/PJnz30Nfqn

— CV (@SpiritAzuki) July 17, 2022

The pop-up and its lack of legitimacy was quickly discovered by multiple users and those users warned others via Twitter and Discord. The warning did not come in time as by the time everyone was clever to the ruse the hackers had already fooled several customers.

The NFTs that were stolen come from a lot of different collections such as Bored Ape Yacht Club,Moonbirds Oddities, Goblitown, and Otherside. The hackers then took the pilfered goods and sold them on the secondary market with one of the stolen bored apes taking in 89 ETH , approx. $132K.

Read More: POW of Ethereum Suffers Replay Attack

The total amount collected on the following Sunday topped at $400K after selling a total of 302 stolen NFTs. In order to get away with it the hackers sent the money to a crypto service that pools together crypto deposits of many users and mixes them. This platform named Tornado Cash effectively wipes out the digital trail of transactions. This type of platform is commonly used by cyber criminals when laundering stolen crypto funds.

Last night, a file was manipulated on PREMINT by an unknown third party that led to users being presented with a wallet connection that was malicious.

— PREMINT (@PREMINT_NFT) July 17, 2022

Premint went on twitter to reassure the community that only a small amount of users fell victim to this ploy and thanked the community for being so incredible.

Some of the community was not so happy with just a tweet and stated that the team at Premint should take some type of responsibility for what happened after they noticed the hacked site was still up for 10 hours after the heist.

Got scammed / drained because I’m stupid and trust you. Please make sure you help / refund people that had trust in you.

— nummer1.eth | 9311.eth (@nummer1_eth) July 17, 2022

Will the compensation be paid? Many people want to know!

— minakoch (@minakochenhe) July 17, 2022

The team at Premint started a preliminary investigation by accumulating data on all NFTs stolen.

All of this comes on the heels of an announcement by the team for new security features for the platform. The company palled to announce the ability to log in via Twitter or Discord which would have let users log in without using their wallet details directly, this would have left users better protected and immune to yesterdays attack. After the attack. Yesterday the team rolled out the planned security feature a bit earlier than planned.

Was planning on announcing this later this week, but given what’s going on, wanted to roll it out asap. https://t.co/GcyYLxWLNM

— BrendΞn Mulligan | PREMINT (@mulligan) July 18, 2022

Premint joins the ranks of many other platforms that have suffered hacks such as OpenSea, Bored Ape Yacht Club, Seth Green, Axie Infinity and more, once agian highlighting the importance o security for web3.