Following the injection of malicious code on Premint’s website, a hacker stole 314 NFTs.
CertiK reports that a black hat hacker installed malicious JavaScript code on premint.xyz, prompting users to sign a fraudulent transaction through a wallet pop-up. Six users collectively signed the code, giving the hacker complete spending authority.
“Last night, an unknown third party changed a file on PREMINT, leading to the presentation of a malicious wallet connection to users,” the Premint team claimed.
Before the vulnerability was found, the hacker stole 314 distinct NFTs. These featured NFTs from the Bored Ape Yacht Club, Otherside, Moonbirds Oddities, and Goblintown collections.
The stolen property was sold for 270 ETH ($375,000) on Sunday at 07:30 a.m. ET. The hacker sent the profits to this address and routed them via Tornado Cash, a prominent Ethereum network transaction mixer.
The attack follows the rising practice of hackers exploiting web3 projects using weaknesses in classic web infrastructure.
Hackers used the websites of decentralised financial projects Ribbon Finance and Convex Finance to conduct phishing attacks last month. In other occurrences, Discord servers, Twitter accounts, and Instagram accounts have been used to spread phishing URLs designed to steal cryptocurrencies and NFTs.
“It is evident from this that the web3 ecosystem must consider its interconnections with web2 technologies, especially when its dependence on them creates a risk,” a CertiK representative told The Block.
Also Read: India’s Finance Minister Discloses RBI Intends To Prohibit Crypto But Welcomes Global Collaboration
Wallets