Threat actors performed one of the biggest non-fungible tokens (NFT) hacks this year. In the morning, on July 17, 2022, the hackers breached a website of Premint, a popular NFT platform that allows top NFT artists to build access lists and raffles for community members. 314 NFTs were stolen during the attack.
“Please do not sign any transactions that say set approvals for all! This is relevant for transactions signed over the last few hours. This is a precaution while we work on the reported problem,” tweeted the company.
According to blockchain security firm CertiK, the cybercriminals injected a malicious JavaScript code to premint.xyz. This code instructed future victims to “set approvals for all” during the process of connection their wallets to the compromised website. Thus, the threat actors could access victims’ crypto assets.
As explained by CertiK, in total, six externally owned accounts (EOAs) are directly associated with the attack, with approximately 275 ETH stolen (near $375k). Two of these EOAs have been spotted early, that’s why some lucky users were able to get their assets back using revoke.cash function.
“Web2 has been the predominant state of the internet with its emphasis on social networking and user-generated content. Users turn to Web2 for its ease of use when making investments in NFT and cryptocurrency. However, Web2 infrastructure often involves a single point of failure through centralization vulnerabilities. This shows how one compromise can lead to devastating losses for the NFT community,” warned CertiK.