The popular NFT whitelisting platform Premint was hacked on Sunday, with users reportedly losing about $375k worth of NFTs, though the total amount stolen appears to be even larger than that.
Hackers used malicious JavaScript code to breach the Premint website. They then added a pop-up to the site that asked users to confirm their wallet ownership, reportedly as an added security step.
Multiple people recognized the pop-up as fraudulent and took to Twitter and Discord to warn others not to follow its directions. Nonetheless, the hackers had already fooled many Premint customers within minutes.
The hackers were able to steal 314 NFTs before the breach was identified. NFTs from collections such as Bored Ape Yacht Club, Otherside, Oddities, and Goblintown were stolen.
Around 7:30 AM ET on Sunday, the stolen assets were sold for 270 ETH, around $375,000. The hacker transferred the proceeds to an address and routed them through Tornado Cash.
The Premint team later acknowledged the incident, tweeting “Thanks to the incredible web3 community spreading warnings, a relatively small number of users fell for this.”
Many Premint users observed that the hijacked site remained up for around 10 hours after hackers first breached it. The platform nonetheless tweeted, “We took the site down early this morning to fix the issue,” which drew backlash.
After the NFT community reacted strongly to the incident, the Premint team asked users who lost assets to report them via a Google document, possibly in order to issue reimbursements.
Premint had planned to reveal a new security feature, the ability to log in to Premint via Twitter or Discord, allowing users to access the site without explicitly entering wallet data.
Following the compromise, the Premint team decided to launch the functionality a few days earlier than planned.
The platform is continuing to investigate the incident and warns users that they’ll never be asked to approve any kind of transaction on Premint.
“When connecting a wallet, you’ll be asked to *sign* a message, but there will NEVER be a gas fee or anything resembling a transaction,” Premint tweeted.
Hacks in the NFT space are becoming increasingly frequent as bad actors exploit vulnerabilities in platforms and manage to drain large numbers of assets. Just two weeks ago, Optimism’s Quixotic NFT marketplace was exploited, resulting in the loss of ERC-20 tokens.