Hacker stole $375,000 from Premint NFT platform

On Sunday, a hacker compromised the official website of the NFT whitelist platform Premint and stole $375,000 worth of NFTs.

According to security firm CertiK, the hacker injected a malicious JavaScript snippet into premint.xyz that prompted users to sign malicious transactions through a wallet pop-up window. A total of six users signed them, giving the hacker complete control over how their funds were spent.

“Last night, an unknown third party manipulated a file in PREMINT, which resulted in users being presented with a malicious wallet connection,” the Premint team said.

Before the exploit was discovered, the hacker was able to steal 314 different NFTs. These include NFTs from collections such as Bored Ape Yacht Club, Otherside, Moonbirds Oddities and Goblintown.

The stolen assets were sold for 270 ETH ($375,000) around 07:30 AM ET on Sunday. The hacker transferred the proceeds to their own address and then sent them on to Tornado Cash, a popular transaction mixer on the Ethereum network.

The exploit continues the growing trend of hackers exploiting vulnerabilities in traditional web infrastructure to attack web3 projects.

Last month, hackers used the websites of decentralized finance projects Ribbon Finance and Convex Finance to carry out phishing attacks. In other cases, Discord servers and social media accounts were used to distribute phishing links aimed at stealing cryptocurrencies and NFTs.

“It is clear from this that the web3 ecosystem needs to consider interdependence with web2 technologies, especially in cases where its dependence on them becomes a vulnerability,” said a CertiK spokesperson.
