Hackers were able to infiltrate and steal 300+ NFTs and over $400,000 in profits from NFT launch platform Premint on July 17 in one of the biggest NFT hacks of the year.
On Sunday, the hackers injected malicious JavaScript code into Premint’s website, which displayed a pop-up posing as an additional security check and asking users to verify wallet ownership. People who fell prey to the scheme by connecting their wallets had them drained immediately.
Some users saw through the scam after realizing the pop-up was illegitimate and tried to warn others over Twitter and Discord. However, NFTs worth thousands had already been stolen.
Blockchain security firm CertiK confirmed the hackers stole 314 NFTs, including NFTs from popular projects such as Bored Ape Yacht Club (BAYC), Otherside, Moonbirds Oddities, and Goblintown. The estimated value of the stolen assets is around 275 ETH, with a BAYC NFT going for 89 ETH, or approximately $130,000.
Ironically, the hack happened hours after Premint posted a warning about signing transactions.
According to Premint, only a “relatively small number of users” were affected. The company was able to identify four wallet addresses to which the stolen NFTs were transferred and has taken steps to restore its website.
Premint has also rolled out a pre-planned security feature that does not require users to log back in with their wallets.
Meanwhile, affected users lamented the loss and took to Twitter to express their displeasure. Some wanted to know whether Premint would issue refunds for the stolen NFTs.
The NFT space, which alone produced $25 billion in sales last year, is rife with such scams. In February, an OpenSea phishing hack duped users out of over $1.6 million in NFTs. BAYC’s Instagram account was compromised in April, leading to a $2.8 million NFT theft.
Security remains an enduring issue despite the large amount of funds flowing into the space.