300+ NFTs Stolen, $400K in Ethereum Taken in Premint Hack

On Sunday, hackers infiltrated popular NFT registration platform Premint and made away with 320 stolen NFTs and more than $400,000 in profit in one of the biggest such hacks this year.

According to analysis by blockchain security firm CertiK, the hackers compromised the Premint website on Sunday with malicious JavaScript code. They then created a pop-up within the site that prompted users to verify their wallet ownership, ostensibly as an additional security measure.

Multiple users quickly realized the pop-up was illegitimate and immediately took to Twitter and Discord to warn others not to follow its instructions. Even so, within minutes, the hackers had already duped several Premint customers.

The pilfered NFTs included those from popular collections Bored Ape Yacht Club, Otherside, Moonbirds Oddities, and Goblintown. After securing these NFTs, the hackers immediately began flipping them on marketplaces like OpenSea; one stolen Bored Ape nabbed a price of 89 ETH, or around $132,000.

Over the course of Sunday, the hackers collected 275 ETH, or just over $400,000, through the sale of 302 stolen NFTs. The hackers have so far retained 18 unsold NFTs, according to Certik.

The hackers then sent the funds to Tornado Cash, a service that pools together the cryptocurrency deposits of many users and mixes them, effectively wiping out the digital trail typically left by blockchain transactions. Mixing services like Tornado Cash are frequently used by cybercriminals to “clean” stolen cryptocurrency. 

Yesterday, Premint took to Twitter to acknowledge the hack and assure users that the majority of accounts were unaffected. “Thanks to the incredible web3 community spreading warnings, a relatively small number of users fell for this,” the company tweeted.

Some Premint users noted, however, that the hacked site was left up for approximately 10 hours after hackers first infiltrated it early Sunday. Others bemoaned the loss of their digital assets and asked whether Premint would be refunding these accounts the value of the stolen NFTs. 

Premint has since begun accumulating data on all NFTs stolen in the hack. The company declined to respond to Decrypt on the record.

Perhaps ironically, in the days leading up to the hack, the company had planned to announce a new security feature: the ability to log in to Premint via Twitter or Discord, a method that would allow users to access the site without entering wallet details directly. Any Premint customer using such a login method would have been protected from yesterday’s hack.

The feature had not been released yet, however. After Sunday’s events, Premint leadership decided to roll out the feature a few days earlier than anticipated.

The hack is only the latest scam to target the NFT market, which last year alone generated $25 billion in sales. In February, a phishing scam on OpenSea stole NFTs worth over $1.7 million. In April, a hack of the Bored Ape Yacht Club Instagram account led to an NFT theft of $2.8 million. Last month, actor Seth Green paid nearly $300,000 to recover a stolen Bored Ape NFT that he had planned to make the centerpiece of an upcoming television series.

Despite the huge amount of capital flowing through the NFT space, the security of these assets—especially when connected to centralized firms like Premint—remains an enduring issue.

As one Premint user put it, “Security is the biggest thing not taken serious[ly] in the crypto space.”

Editor’s note: This article was updated after publication to clarify that the hackers have retained 18 stolen NFTs and sold 302 so far, according to Certik.

Source: https://decrypt.co/105385/300-nfts-stolen-400k-in-ethereum-taken-in-premint-hack