Hackers Steal $421K From Premint NFT Platform (UPDATE)
Thieves Plant Malicious Code to Compromise Website, Trick Users
Hackers behind one of the year's largest non-fungible token hacks stole at least 314 blockchain entries worth about $375,000 from users of Premint NFT platform. That amount climbed to more than $421,000 with the theft of a total of 320 NFTs as of Tuesday morning.*
See Also: Delving Deeper: 2023 Fraud Insights Second Edition
The incident, which affected wallets containing NFTs including Bored Ape Yacht Club and Oddities, began with an injection of malicious JavaScript, crypto security firm CertiK tells Information Security Media Group. Affected users saw a pop-up asking them to verify their wallet ownership, Premint tweeted on Sunday afternoon. The website allows users to join a database of potential buyers of new NFT projects.
Users who fell for the prompt also agreed to a "SetApprovalForAll" setting in their wallet, letting hackers drain their wallets. Premint says a "relatively small number of users" fell for the prompt and that it is putting additional security in place.
SetApprovalForAll is designed to allow decentralized finance platform users to automatically approve the transfer of specific tokens designated by an underlying smart contract at a future time. The function is a boon for threat actors who exploit it to transfer all of another users' tokens to their own wallets (see: $8M of Crypto Stolen by Phishing From Uniswap Liquidity Pool).
In all, the stolen NFTs were worth about 275 of the Ethereum cryptocurrency, amounting to $374,417.66, "making it one of the largest NFT hacks this year," CertiK says in a Sunday blog post analyzing the incident. By Tuesday, that amount stolen increased to $421,323.64 with the thieves also carrying off an additional 11.95 ETH from the sale of an additional six NFTs.**
Six externally owned accounts - or accounts that can be controlled by anyone with the relevant private keys - were involved in the hack, CertiK says. The company says two of them have been caught.
Hackers deposited all their stolen funds into Tornado Cash, the company says. Tornado Cash is a cryptocurrency mixer that hides the flow of funds on the blockchain and is routinely used by criminals as an obfuscation tool.
Last night, a file was manipulated on PREMINT by an unknown third party that led to users being presented with a wallet connection that was malicious.
— PREMINT | NFT Access List Tool (@PREMINT_NFT) July 17, 2022
One Premint user who goes by @iamdeadlyz.pcc.eth says he saw the Premint website on Sunday briefly redirecting to a prank video. "Whenever you'd visit the home page or a specific project, you'd get redirected to a Rickroll video after a few seconds," he tells ISMG.
Brenden Mulligan, founder of Premint NFT, did not respond to ISMG's request for comments.
The platform temporarily took down its site and suggested revoking the "set approval for all" function through Revoke Cash or Etherscan and moving all assets to a separate wallet. The company is crowdsourcing a list of stolen assets to track their whereabouts via an incident report form.
The company also released a new method for users to log into their accounts that doesn't involve connecting their wallets.
Web2-Web3 Link
“The exploit continues the growing trend in which hackers leverage vulnerabilities in web2 to exploit web3 projects," says CertiK cofounder Ronghui Gu.
"It's clear from this that the web3 ecosystem needs to take into account the interconnects with web2 technologies, particularly at points where its reliance on them becomes a vulnerability," he says.
Days after the Premint incident, Bored Ape Yacht Club creator Yuga Labs tweeted that its security team is monitoring a persistent threat group targeting NFT holders and communities via compromised social media accounts.
There have been multiple such incidents in the recent past.
On July 15, attackers hacked into NFT artist DeeKay Kwon's Twitter account, tweeting a link to a fake NFT mint site that Kwon said looked "100%" like his original mint site. On-chain data examined by Crypto Briefing shows attackers stole about $150,000 from Kwon's supporters who paid to mint the NFTs on the phishing site.
In June, hackers compromised the twitter account of NFT artist Beeple, stealing crypto assets worth about $438,000 from his followers in multiple phishing attacks.
The same month, hackers compromised the Discord account of Bored Ape Yacht Club NFT's community manager Boris Vagner and posted links on the NFT company's official Discord channels to a phishing page to steal $360,000 worth of NFTs from unsuspecting victims.
*Update July 19, 2022 14:27 UTC: This story was updated to reflect the increase in amount stolen by thieves and their deposit of the theft into Tornado Cash.
**Update July 20, 2022 13:58 UTC: Updated to describe the source of the additional stolen funds, the Beeple hacking incident and a warning issued by Yuga Labs.
