Table of Contents
The Premint website—a well-known NFT whitelist platform—was hacked on Sunday, according to security data given by CertiK. The attack’s losses are estimated to have cost roughly $375,000 in total.
Mint was attacked
At least 314 blockchain entries, worth around $375,000, were stolen from Premint NFT platform users in one of the worst non-fungible token thefts of the year.
The problem began with the insertion of malicious JavaScript, according to the crypto security firm CertiK, and it impacted wallets housing NFTs like Bored Ape Yacht Club and Oddities. According to a tweet from Premint, users who were affected saw a pop-up asking them to verify their ownership of their wallet.
The website allows users to register in order to be included to a database of potential customers of future NFT projects. Users who enabled the “SetApprovalForAll” function in their wallets after receiving the notice made it possible for thieves to withdraw money from their accounts. Premint asserts that the prompt only misled a “very limited percentage of users” and that it has improved security. Users of decentralized financial platforms can instantaneously agree to the transfer of certain tokens that have been pre-selected by an underlying smart contract at a later time by using SetApprovalForAll. Threat actors use this capability to move all the tokens owned by other users to their personal wallets.
As of this writing, PREMINT has updated their website and declared the hack to be essentially over.
An update posted to the website by PREMINT states that users may now log back into the platform using their Twitter or Discord accounts instead of wallets. This is safe and much more practical, particularly on mobile devices.
Safety precautions
The Permit team issued the warning earlier on Twitter, advising users to cancel access to their wallets if they believe they were affected by the attack and to refuse to allow any transactions that require them to “establish permissions for everybody.” The website was briefly pulled offline to make a patch.
The platform momentarily shut down its website and suggested utilizing Revoke Cash or Etherscan to disable the “set approval for all” option and moving any assets to another wallet. The company is compiling a list of stolen things and utilizing it to determine where they are by using an incident report form.
At the time this was published, the website was live. Thanks to a Premint upgrade, users are no longer required to log in to the website using their wallets. Instead of utilizing their wallets, users may now connect back into the site using their Twitter or Discord accounts. It’s more useful and considerably safer. Especially on a phone.
Additionally, PREMINT let its community know that they are working to get the wallets of the impacted individuals and their stolen property back. “We are currently collaborating to obtain a complete list of wallets that had their funds stolen from them.”
Since last year, there have been much more NFT hacks, with PREMINT being the most recent victim. A hacker hacked NFT Artist DeeKay’s Twitter account earlier on Friday. Reports state that the attack cost NFT $150,000 in losses.
Due to the rise in NFT frauds, it is now more important than ever to be extra vigilant while accepting any transactions.
