Popular NFT whitelisting service, Premint, was recently compromised. This resulted in $400K of NFTs across several collections being stolen.
Web3 can be a risky frontier that requires a high-security mindset to survive, as users of the NFT whitelisting service, Premint, learned the hard way when a malicious (but suspicious) login link stole their NFTs. Because it is impossible to directly steal blockchain tokens from a crypto wallet, a clever hacker/scammer must use phishing attacks and user ignorance to steal tokens. Users can avoid phishing attacks by practicing Web3 operational security (or “opSec“), and by being skeptical and careful when requested to submit transactions.
Non-fungible token (NFT) collections are an effective way for a new project or influencer to raise capital from investors and fans while building a community. This often involves a “pre-mint” phase where people sign up for a raffle to be among the first wave of buyers/recipients, and bots are often created to unfairly increase the odds of winning one or more spots. Premint is an NFT “whitelisting” service where creators can set custom criteria to verify (“whitelist“) wallets that can participate in the pre-mint (i.e. requiring social media verification, holding a sufficient cryptocurrency balance, and/or owning another NFT), and collectors have a dashboard that reports which pre-mints they’ve won. However, unlike NFT marketplaces such as OpenSea, Premint never takes custody or facilitates transfer of NFTs, and does not require submitting transactions to use.
According to CryptoSlate, approximately $400,000 of users’ NFTs were stolen from their wallets by a malicious login link on Premint’s website on July 17. Premint’s official Twitter post claims an unknown third party manipulated the website’s file, which then presented a malicious wallet connection prompt. Authentication with a wallet is normal for Web3 logins, but the prompt initiated a suspicious transaction instead. While all victims had a chance to reject the transaction, those who confirmed it gave the attacker’s smart contract full permission to transfer all tokens across many NFT collections to the attacker’s wallets, resulting in over $400,000 of stolen NFTs.
Last night, a file was manipulated on PREMINT by an unknown third party that led to users being presented with a wallet connection that was malicious.
— PREMINT | NFT Access List Tool (@PREMINT_NFT) July 17, 2022
OpSec Is Critical For Web3
In the world of Web3, blockchain, and the decentralized Metaverse, users must practice some opSec along with healthy skepticism. Malicious transactions can be impossible to tell apart from benevolent ones, and the use of “burner wallets” is highly encouraged to mitigate damages if/when one such transaction is accidentally confirmed. In this dual-wallet system, the burner wallet acts as a disposable account that submits transactions, collects token airdrops, tests new Web3 apps for the first time, and transfers all nonessential tokens it receives to the main wallet. In return, the main wallet acts like a savings or safe deposit account, and rarely interacts with Web3 apps. This practice vastly reduces opportunities for phishing attacks to steal tokens.
What will happen to the stolen NFTs is yet to be seen, but unless they are returned to their owners they are now black market goods with damaged value, and having been reported as stolen can’t be sold on OpenSea for their full price until they have been returned. The hacker will have to rely on decentralized NFT marketplaces to sell the stolen tokens, hoping that whoever buys them doesn’t check the tokens’ ownership history first. Hopefully, the victims will receive compensation for their losses, other users and projects will take note for the future, and Premint can determine what happened and provide an explanation for how a third-party gained access to their production codebase.
Next: Why NFT Prices Crashing Is A Good Thing
90 Day Fiancé: Yve & Mohamed’s Story Ending Spoiler Discovered By Fan
About The Author