On Sunday, hackers broke into the popular NFT registration site Premint and made off with 320 stolen NFTs and more than $400,000 in profit. This was one of the biggest hacks of the year.
A blockchain security company called CertiK says that hackers broke into the Premint website on Sunday by using malicious JavaScript code. They then added a pop-up to the site that, presented as a security measure, asked visitors to confirm that they owned their wallet.
Several people saw that the pop-up was fake and used Twitter and Discord to tell others not to follow its instructions. Still, the hackers had already tricked a lot of Premint customers in just a few minutes.
The stolen NFTs were from popular collections like Goblintown, Otherside, Moonbirds Oddities, and Bored Ape Yacht Club. As soon as the hackers got their hands on these NFTs, they started selling them on sites like OpenSea. One stolen Bored Ape sold for 89 ETH, which is about $132,000.
By selling all 320 stolen NFTs on Sunday, the hackers made 275 ETH, which is a little more than $400,000.
After that, the money was sent to Tornado Cash, a service that pools and mixes the bitcoin deposits of multiple users. This basically erases the digital trail that blockchain transactions usually leave behind. Cybercriminals often use services like Tornado Cash to “clean” bitcoins that they have stolen.
Yesterday, Premint went to Twitter to admit that their accounts had been hacked and to reassure users that most of their accounts were still safe. “Thanks to the great Web3 community sharing warnings, only a small number of people fell for this,” the business said in a tweet.
Several Premint users, though, noticed that the hacked site stayed up for about 10 hours after hackers broke in early Sunday morning. Others were upset about losing their digital assets and asked Premint if it would put the value of the stolen NFTs back into their accounts.
Premint has since started to make a list of all the NFTs that were taken in the breach. The company wouldn’t say anything on the record to Decrypt.
In what might be seen as an ironic twist, the company had planned to announce a new security feature in the days before the hack: the ability to log in to Premint through Twitter or Discord. This would have let users access the site without directly entering wallet data. Anyone who used this method to log in to Premint would have been safe from yesterday’s hack.
But the functionality had not been made public yet. After what happened on Sunday, the people in charge of Premint decided to launch the feature a few days earlier than planned.
The attack is just the latest scam to hit the NFT business, which made $25 billion in sales last year. In February, a phishing scam on OpenSea stole almost $1.7 million in NFTs. In April, someone broke into the Instagram account of the Bored Ape Yacht Club and stole $2.8 million in NFTs. Last month, actor Seth Green spent almost $300,000 to get back a stolen Bored Ape NFT that he wanted to use as the center of a new TV show.
Even though a lot of money flows through the NFT market, the security of these assets remains a concern, especially when they are tied to centralized companies like Premint.
“Security is the biggest thing not taken serious[ly] in the crypto space,” said one Premint user.
The post Premint Hack Steals More Than 300 NFTs and $400,000 in Ethereum appeared first on NFT News Pro.