The popular NFT whitelisting service, Premint, was recently compromised. This resulted in the theft of $400,000 of NFTs across multiple collections.
Web3 can be a risky frontier that requires a security-first mindset to survive, as users of the NFT whitelist service Premint learned the hard way when a malicious (but suspicious-looking) login link stole their NFTs. Because it is impossible to steal blockchain tokens directly from a crypto wallet, a hacker or scammer must rely on phishing attacks and user ignorance to steal tokens. Users can avoid phishing attacks by practicing Web3 operational security (or “OpSec”), and by being skeptical and cautious when asked to submit transactions.
Non-fungible token (NFT) collections are an effective way for a new project or influencer to raise capital from investors and fans while building a community. This often involves a “pre-mint” phase where people sign up for a raffle to be part of the first wave of buyers/recipients, and bots are often created to unfairly increase the chances of winning one or more places. Premint is an NFT “whitelist” service where creators can set custom criteria to vet (“whitelist”) the wallets that can participate in a pre-mint (e.g. requiring social media verification, holding a sufficient cryptocurrency balance, and/or owning another NFT), and collectors have a dashboard that shows the pre-mints they have won. However, unlike NFT marketplaces such as OpenSea, Premint never takes custody of NFTs or facilitates their transfer, and does not require users to submit transactions.
According to CryptoSlate, about $400,000 of users’ NFTs were stolen from their wallets by a malicious login link on the Premint website on July 17. Premint’s official Twitter post states that an unknown third party manipulated a file on the website, which then presented users with a malicious wallet login prompt. Authenticating with a wallet is normal for Web3 logins, but this prompt initiated a suspicious transaction instead. Although all victims were given the option to reject the transaction, those who confirmed it gave the attacker’s smart contract full permission to transfer all tokens from numerous NFT collections to the attacker’s wallets, resulting in the theft of over $400,000 worth of NFTs.
Last night, a file was manipulated on PREMINT by an unknown third party, leading to users being presented with a malicious wallet login.
— PREMINT | NFT Access List Tool (@PREMINT_NFT) July 17, 2022
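The difference between a wallet login and the approval transaction described above can be checked mechanically before confirming. The following is an added example, not code from Premint or the original article; it assumes the permission was granted through the standard ERC-721 setApprovalForAll call (the article does not name the function), and all addresses and requests are constructed placeholders.

```javascript
// Added example: the request objects and addresses are constructed placeholders.
const SET_APPROVAL_FOR_ALL = "0xa22cb465"; // selector of setApprovalForAll(address,bool)

// Split ABI-encoded calldata into its 4-byte selector and 32-byte argument words.
function decodeCalldata(data) {
  const hex = (data || "0x").toLowerCase().replace(/^0x/, "");
  return { selector: "0x" + hex.slice(0, 8), words: hex.slice(8).match(/.{64}/g) || [] };
}

// Classify an EIP-1193 wallet request that a site presents as a "login".
function classifyWalletRequest(req) {
  if (req.method === "personal_sign") {
    return { verdict: "login", reason: "message signature, not a transaction" };
  }
  if (req.method !== "eth_sendTransaction") {
    return { verdict: "review", reason: "not a plain sign-in: " + req.method };
  }
  const tx = req.params[0];
  const { selector, words } = decodeCalldata(tx.data);
  if (selector === SET_APPROVAL_FOR_ALL && words.length >= 2) {
    const operator = "0x" + words[0].slice(24); // address = low 20 bytes of word 0
    const approved = BigInt("0x" + words[1]) !== 0n;
    return approved
      ? { verdict: "reject", operator, collection: tx.to,
          reason: "gives operator transfer rights over every token in the collection" }
      : { verdict: "review", operator, collection: tx.to, reason: "revokes an operator" };
  }
  return { verdict: "review", selector, reason: "a login does not need a transaction" };
}

// Constructed samples (placeholder addresses, hex of the text "Sign in").
const OPERATOR = "0x" + "11".repeat(20);
const COLLECTION = "0x" + "33".repeat(20);
const approvalData = (flag) =>
  SET_APPROVAL_FOR_ALL + OPERATOR.slice(2).padStart(64, "0") + flag.padStart(64, "0");
const loginRequest = { method: "personal_sign", params: ["0x5369676e20696e", "0x" + "22".repeat(20)] };
const maliciousRequest = { method: "eth_sendTransaction", params: [{ to: COLLECTION, data: approvalData("1") }] };
const revokeRequest = { method: "eth_sendTransaction", params: [{ to: COLLECTION, data: approvalData("0") }] };

for (const r of [loginRequest, maliciousRequest, revokeRequest]) {
  console.log(r.method, "->", classifyWalletRequest(r).verdict);
}
```

A genuine sign-in arrives as a message signature; any request that arrives as a transaction, and above all one that sets an operator approval, deserves rejection or close review.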
OpSec is essential for Web3
In the world of Web3, blockchain, and the decentralized Metaverse, users need to practice a bit of OpSec with healthy skepticism. Malicious transactions may be indistinguishable from benevolent transactions, and the use of “burner wallets” is strongly encouraged to mitigate damages if/when such a transaction is accidentally confirmed. In this dual wallet system, the burner wallet acts as a disposable account that submits transactions, collects token airdrops, tests new Web3 applications for the first time, and transfers all non-essential tokens it receives to the main wallet. In turn, the main wallet acts as a safe savings or deposit account, and rarely interacts with Web3 applications. This practice considerably reduces the chances of a phishing attack succeeding in stealing tokens.
It is not yet known what will happen to the stolen NFTs, but unless they are returned to their owners, they are now black market goods with damaged value, and having been reported as stolen, they cannot be sold on OpenSea at their full price until they have been returned. The hacker will have to rely on decentralized NFT marketplaces to sell the stolen tokens, hoping that whoever buys them doesn’t check the ownership history of the tokens first. Hopefully the victims will receive compensation for their losses, other users and projects will take note for the future, and Premint can determine what happened and explain how a third party gained access to their production codebase.