On Sunday, hackers infiltrated the popular NFT registration platform Premint and made off with 320 stolen NFTs and more than $400,000 in profit in one of the biggest such hacks this year.
According to analysis by blockchain security firm CertiK, the hackers compromised the Premint website on Sunday with malicious JavaScript code. They then created a pop-up within the site that prompted users to verify their wallet ownership, ostensibly as an additional security measure.
Multiple users quickly realized the pop-up was illegitimate and immediately took to Twitter and Discord to warn others not to follow its instructions. Even so, within minutes, the hackers had already duped several Premint customers.
The pilfered NFTs included those from popular collections Bored Ape Yacht Club, Otherside, Moonbirds Oddities, and Goblintown. After securing these NFTs, the hackers immediately began flipping them on marketplaces like OpenSea; one stolen Bored Ape nabbed a price of 89 ETH, or around $132,000.
Over the course of Sunday, the hackers collected 275 ETH, or just over $400,000, in sales of all 320 stolen NFTs.
The hackers then sent the funds to Tornado Cash, a service that pools together the cryptocurrency deposits of many users and mixes them, effectively wiping out the digital trail typically left by blockchain transactions. Mixing services like Tornado Cash are frequently used by cybercriminals to “clean” stolen cryptocurrency.
Yesterday, Premint took to Twitter to acknowledge the hack and assure users that the majority of accounts were unaffected. “Thanks to the incredible web3 community spreading warnings, a relatively small number of users fell for this,” the company tweeted.
Some Premint users noted, however, that the hacked site was left up for approximately 10 hours after hackers first infiltrated it early Sunday. Others bemoaned the loss of their digital assets and asked whether Premint would be refunding these accounts the value of the stolen NFTs.
Premint has since begun accumulating data on all NFTs stolen in the hack. The company declined to respond to Decrypt on the record.
Perhaps ironically, in the days leading up to the hack, the company had planned to announce a new security feature: the ability to log in to Premint via Twitter or Discord, a method that would allow users to access the site without entering wallet details directly. Any Premint customer using such a login method would have been protected from yesterday’s hack.
The feature had not been released yet, however. After Sunday’s events, Premint leadership decided to roll out the feature a few days earlier than anticipated:
The hack is only the latest scam to target the NFT market, which last year alone generated $25 billion in sales. In February, a phishing scam on OpenSea stole over $1.7 million worth of NFTs. In April, a hack of Bored Ape Yacht Club’s Instagram account led to a $2.8 million NFT theft. Last month, actor Seth Green paid almost $300,000 to recover a stolen Bored Ape NFT he was planning to make the centerpiece of an upcoming television series.
Despite the huge amount of capital flowing through the NFT space, the security of these assets—especially when connected to centralized firms like Premint—remains an enduring issue.
As one Premint user put it, “Security is the biggest thing not taken serious[ly] in the crypto space.”