
$400,000 worth of NFTs stolen via malicious link on Premint NFT service

The popular NFT whitelisting service, Premint, was recently compromised. This resulted in the theft of $400,000 of NFTs across multiple collections.

Web3 can be a risky frontier that requires a high-security mindset to survive, as users of the NFT whitelist service Premint learned the hard way when a malicious (but suspicious) login link stole their NFTs. Because it is impossible to steal blockchain tokens directly from a crypto wallet, a clever hacker/scammer must rely on phishing attacks and user ignorance to steal tokens. Users can avoid phishing attacks by practicing Web3 operational security (or “OpSec”) and being skeptical and cautious when asked to submit transactions.

Non-fungible token (NFT) collections are an effective way for a new project or influencer to raise capital from investors and fans while building a community. This often involves a “pre-mint” phase where people sign up for a raffle to be part of the first wave of buyers/recipients, and bots are often created to unfairly increase the chances of winning one or more places. Premint is an NFT “whitelist” service where creators can set custom criteria to vet (“whitelist”) wallets that can participate in the pre-mint (i.e. requiring social media verification, holding a sufficient cryptocurrency balance, and/or owning another NFT), and collectors have a dashboard that shows the pre-mints they have won. However, unlike NFT marketplaces such as OpenSea, Premint never takes custody of NFTs or facilitates their transfer, and using it does not require submitting transactions.


According to CryptoSlate, about $400,000 of users’ NFTs were stolen from their wallets by a malicious login link on the Premint website on July 17. Premint’s official Twitter post claims an unknown third party manipulated a website file, which then presented a malicious login prompt to users’ wallets. Authenticating with a wallet is normal for Web3 logins, but the prompt initiated a suspicious transaction instead. Although all victims were given the option to reject the transaction, those who confirmed it gave the attacker’s smart contract full permission to transfer all tokens from numerous NFT collections to the attacker’s wallets, resulting in the theft of over $400,000 worth of NFTs.
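An added example, not from the article or from Premint: a JavaScript check that a wallet or browser extension could run to tell a login signature apart from the kind of blanket approval described above. It assumes the permission was granted through the standard ERC-721/ERC-1155 setApprovalForAll call, which the article does not name; the function names and sample addresses are hypothetical.

```javascript
// Added example: triage a wallet request before the user confirms it.
// 0xa22cb465 = first 4 bytes of keccak256("setApprovalForAll(address,bool)").
const SET_APPROVAL_FOR_ALL = "0xa22cb465";

// Return the n-th 32-byte ABI argument after the selector, or null if malformed.
function abiWord(data, n) {
  const w = data.slice(10 + 64 * n, 74 + 64 * n);
  return /^[0-9a-f]{64}$/.test(w) ? w : null;
}

// request: { method, params } as a site passes it to the wallet provider.
function reviewWalletRequest(request) {
  const { method, params = [] } = request;
  if (method === "personal_sign") {
    return { risk: "low", reason: "message signature, nothing sent on-chain" };
  }
  if (method !== "eth_sendTransaction") {
    return { risk: "review", reason: `unexpected method for a login: ${method}` };
  }
  const tx = params[0] || {};
  const data = String(tx.data || "0x").toLowerCase();
  if (data.slice(0, 10) !== SET_APPROVAL_FOR_ALL) {
    return { risk: "review", reason: "a login should not need a transaction" };
  }
  const operatorWord = abiWord(data, 0);
  const approvedWord = abiWord(data, 1);
  if (!operatorWord || !approvedWord) {
    return { risk: "review", reason: "setApprovalForAll with malformed arguments" };
  }
  const operator = "0x" + operatorWord.slice(24); // address is the low 20 bytes
  return BigInt("0x" + approvedWord) !== 0n
    ? { risk: "high", reason: `lets ${operator} move every token you hold in ${tx.to}` }
    : { risk: "low", reason: `revokes operator ${operator} on ${tx.to}` };
}

// Constructed sample input (addresses are placeholders, not from the incident).
const OPERATOR = "0x" + "11".repeat(20);
const COLLECTION = "0x" + "22".repeat(20);
const SAMPLE_REQUEST = {
  method: "eth_sendTransaction",
  params: [{
    to: COLLECTION,
    data: SET_APPROVAL_FOR_ALL + OPERATOR.slice(2).padStart(64, "0") + "1".padStart(64, "0"),
  }],
};
console.log(reviewWalletRequest(SAMPLE_REQUEST));
```
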

OpSec is essential for Web3

In the world of Web3, blockchain, and the decentralized Metaverse, users need to practice a bit of OpSec with healthy skepticism. Malicious transactions may be indistinguishable from benevolent transactions, and the use of “burner wallets” is strongly encouraged to mitigate damages if/when such a transaction is accidentally confirmed. In this dual wallet system, the burner wallet acts as a disposable account that submits transactions, collects token airdrops, tests new Web3 applications for the first time, and transfers all non-essential tokens it receives to the main wallet. In turn, the main wallet acts as a safe savings or deposit account, and rarely interacts with Web3 applications. This practice considerably reduces the chance that a phishing attack can steal tokens.

It is not yet known what will happen to the stolen NFTs, but unless they are returned to their owners, they are now black market goods with damaged value, and having been reported as stolen, they cannot be sold on OpenSea at their full price until they have been returned. The hacker will have to rely on decentralized NFT marketplaces to sell the stolen tokens, hoping that whoever buys them doesn’t check the ownership history of the tokens first. Hopefully the victims will receive compensation for their losses, other users and projects will take note for the future, and Premint can determine what happened and explain how a third party gained access to their production codebase.


Source: CryptoSlate, @PREMINT_NFT/Twitter
