Over the weekend, popular NFT platform Premint became the latest victim of a security breach, leading to the loss of over 300 NFTs, including collectibles from Bored Ape Yacht Club, Otherside, and Goblintown.
According to available information, the attacker was able to swindle unsuspecting users after adding a malicious JS file on Premint’s website. The affected users reportedly received a pop-up message prompting them to confirm the ownership of their wallets. The message also urged users to enable a “SetApprovalForAll” feature in their wallets, and those who clicked the said link unknowingly gave the hacker access to steal the NFTs in their wallets.
Blockchain security company Certik reportedthat the hacker(s) stole 314 NFTs, valued at around $400,000. Meanwhile, Premint confirmed the incident, noting that only a “relatively small number of users” were affected. The team goes on to state that it had identified four wallets linked to the attack from Etherscan data.
Surprisingly, the attack happened hours after Premint warned its customers not to “sign any transactions that say set approvals for all!”
As of press time, the company had since restored operations and had introduced an update that removes the wallet login option. Users can log in to the platform through their Twitter or Discord accounts, an option that Premint claims is “safer and more convenient, especially for those logging in on mobile.”
The Premint attack is the latest in a long string of hacks in the NFT space in the last few months. In May, American actor and comedian Seth Green lost four NFTs worth more than $300,000 to a phishing scam. A Footprint Analytics report claims that 5% of the total hacks in web3 during the second quarter of 2022 were NFT-related.