A hacker stole 314 NFTs after injecting malicious code on Premint’s website

By Selena On Jul 19, 2022

A hacker compromised the official website of an NFT whitelisting platform called Premint to steal $375,000 worth of NFTs.

A hacker stole $375,000 from users of Premint NFT platform

According to security firm CertiK, a black hat hacker injected a malicious piece of JavaScript code on premint.xyz, instructing users to sign a malicious transaction through a wallet pop-up. A total of six users signed the code, giving the hacker full control to spend funds.

This issue only affected users who connected a wallet via this dialog after midnight Pacific time.

Thanks to the incredible web3 community spreading warnings, a relatively small number of users fell for this.

We took the site down early this morning to fix the issue. pic.twitter.com/Wq9FyRtIMl

— PREMINT | NFT Access List Tool (@PREMINT_NFT) July 17, 2022

Before the exploit could be discovered, the hacker was able to steal 314 different NFTs. These included NFTs from collections like Bored Ape Yacht Club, Otherside, Moonbirds Oddities, and Goblintown.

The stolen assets were sold for 270 ETH ($375,000). The hacker transferred the proceeds to this address and routed them through Tornado Cash, a popular transaction mixer on the Ethereum network.

The exploit continues the growing trend of hackers leveraging vulnerabilities in traditional web infrastructure to carry out security exploits on web3 projects.

Last month, hackers exploited websites operated by decentralized finance projects Ribbon Finance and Convex Finance to execute phishing attacks. In other incidents, Discord servers, Twitter, and Instagram accounts have been exploited to circulate phishing links to steal cryptocurrency and NFTs.

“It’s clear from this that the web3 ecosystem needs to take into account the interconnects with web2 technologies, particularly at points where its reliance on them becomes a vulnerability,” they added.

Read more:

Join us on Telegram