Premint Hack: Over 300 NFTs Stolen, Resold for $400,000 Marking One of 2022’s Biggest Breach

Premint, an NFT registration platform has found itself in a vulnerable situation after its system was breached by hackers over the weekend. In total, 320 NFTs were stolen by the hacker(s), who then re-sold them on NFT marketplaces like OpenSea and churned a total of $400,000 (roughly Rs. 3.20 crore) in 275 Ether tokens. This breach of the Premint systems mark for one of the biggest attacks that the blockchain industry has witnessed so far in 2022.

As described on its website, Premint allows NFT artists around from the world to build access lists with randomly selected collectors and community members to use for presales and giveaways. The platform has been used by top NFT artists and collectors like Coldie, DeekayMotion, Cool Cats, Known Origin, Async Art, and Shaq among others.

The attacker(s) infested the Premint website with a malicious JavaScript code. Next, they created a pop-up to emerge on the site prompting users to verify their wallet ownership, under the pretence of offering them an additional security measure. Within minutes, several Premint users were already scammed via this pop-up, blockchain security firm CertiK said in its findings about this breach.

Many people realised this scam and also posted warning messages on Twitter, alerting other Premint users.

The hacker(s) managed to get hands on expensive NFTs from popular series of digital collectibles including Bored Ape Yacht Club (BAYC), Otherside, Moonbirds Oddities, and Goblintown, a Decrypt report said.

The 275 Ether tokens that the hacker(s) garnered by flipping these stolen NFTs were then wired into unknown wallets after having been passed from the TornadoCash crypto mixer. These are privacy tools that remove any digital signatures associated with a trade and allow complete anonymous crypto transactions between two wallets.

The percentage of funds passing through crypto mixers from the custody of cyber criminals touched $51.8 million (roughly Rs. 413 crore) in April 2022.

Premint has been updating people about this breach on Twitter.

So far in 2022, cyber criminals have stolen over $1.7 billion (roughly Rs. 13,210 crore) in digital assets with Decentralised Finance (DeFi) protocols accounting for 97 percent of the total, a report by Chainalysis had recently claimed.

The $600 million (roughly Rs. 4,660 crore) Ronin bridge breach in late March and the $320 million (roughly Rs. 2,486 crore) Wormhole attack in February were the main sources of the loot.

In February, OpenSea also suffered a phishing attack, losing $1.7 million (roughly Rs. 12.5 crore).

In a bid to mitigate risks from crypto hacking attempts, blockchain research firm Chainalysis has launched a hotline to accept reports of such events. If entities are approached with suspicious crypto payment requests from strangers, they can call up this hotline and register their alerts.