Hackers behind one of the year’s largest non-fungible token hacks stole at least 314 blockchain entries worth about $375,000 from users of Premint NFT platform.
See Also: OnDemand | Fireside Chat | Zero Tolerance: Controlling The Landscape Where You’ll Meet Your Adversaries
The incident, which affected wallets containing NFTs including Bored Ape Yacht Club and Oddities, began with an injection of malicious JavaScript, crypto security firm CertiK tells Information Security Media Group. Affected users saw a pop-up asking them to verify their wallet ownership, Premint tweeted on Sunday afternoon. The website allows users to join a database of potential buyers of new NFT projects.
Users who fell for the prompt also agreed to a “SetApprovalForAll” setting in their wallet, letting hackers drain their wallets. Premint says a “relatively small number of users” fell for the prompt and that it is putting additional security in place.
SetApprovalForAll is designed to allow decentralized finance platform users to automatically approve the transfer of specific tokens designated by an underlying smart contract at a future time. The function is a boon for threat actors who exploit it to transfer all of another users’ tokens to their own wallets (see: $8M of Crypto Stolen by Phishing From Uniswap Liquidity Pool).
In all, the stolen NFTs were worth about 275 of the Ethereum cryptocurrency, amounting to $374,417.66, “making it one of the largest NFT hacks this year,” CertiK says in a blog post analyzing the incident.
Six externally owned accounts – or accounts that can be controlled by anyone with the relevant private keys – were involved in the hack, CertiK says. The company says two of them have been caught.
Last night, a file was manipulated on PREMINT by an unknown third party that led to users being presented with a wallet connection that was malicious.
One Premint user who goes by @iamdeadlyz.pcc.eth says he saw the Premint website on Sunday briefly redirecting to a prank video. “Whenever you’d visit the home page or a specific project, you’d get redirected to a Rickroll video after a few seconds,” he tells ISMG.
Brenden Mulligan, founder of Premint NFT, did not respond to ISMG’s request for comments.
The platform temporarily took down its site and suggested revoking the “set approval for all” function through Revoke Cash or Etherscan and moving all assets to a separate wallet. The company is crowdsourcing a list of stolen assets to track their whereabouts via an incident report form.
The company also released a new method for users to log into their accounts that doesn’t involve connecting their wallets.
“The exploit continues the growing trend in which hackers leverage vulnerabilities in web2 to exploit web3 projects,” says CertiK cofounder Ronghui Gu.
“It’s clear from this that the web3 ecosystem needs to take into account the interconnects with web2 technologies, particularly at points where its reliance on them becomes a vulnerability,” he says.
A June incident involving NFT artist Beeple bears testimony to this. Hackers compromised Beeple’s Twitter account, stealing crypto assets worth about $438,000 from his followers in multiple phishing attacks.
The same month, hackers compromised the Discord account of Bored Ape Yacht Club NFT’s community manager Boris Vagner and posted links on the NFT company’s official Discord channels to a phishing page to steal $360,000 worth of NFTs from unsuspecting victims.
Senior Subeditor, ISMG, Global News Desk
Rashmi has seven years of experience writing and editing stories on finance,enterprise and consumer technology,and diversity and inclusion. She has previously worked at (formerly) News Corp-owned TechCircle, business daily The Economic Times and The New Indian Express.

Covering topics in risk management, compliance, fraud, and information security.
By submitting this form you agree to our Privacy & GDPR Statement





Critical Infrastructure Security
Access Management
Cryptocurrency Fraud
Government
Critical Infrastructure Security
JPMorgan Chase Bank, N.A. – Chicago, IL
South Shore Bank – Weymouth, MA
Bank of America – Addison, TX
Amazon.com Services LLC – Dallas, TX
Continue »
90 minutes · Premium OnDemand 
Overview
From heightened risks to increased regulations, senior leaders at all levels are pressured to improve their organizations’ risk management capabilities. But no one is showing them how – until now.
Learn the fundamentals of developing a risk management program from the man who wrote the book on the topic: Ron Ross, computer scientist for the National Institute of Standards and Technology. In an exclusive presentation, Ross, lead author of NIST Special Publication 800-37 – the bible of risk assessment and management – will share his unique insights on how to:
Sr. Computer Scientist & Information S
ecurity Researcher, National Institute of Standards and Technology (NIST)

Was added to your briefcase
Hackers Steal $375K From Premint NFT Platform
Hackers Steal $375K From Premint NFT Platform
Sign in now
Need help registering?
Contact support
Complete your profile and stay up to date
Contact Support
Create an ISMG account now
Create an ISMG account now
Need help registering?
Contact support
Sign in now
Need help registering?
Contact support
Sign in now
Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.

source