The PREMINT website was compromised this weekend when hackers installed a popup that prompted site visitors to grant access to their crypto wallet.
Users unlucky enough to fall for the scam had their wallets drained of NFTs. The attackers then used NFT marketplaces to flip the stolen goods for crypto.
According to a security analysis report from Certik over 300 individual NFTs were stolen in the attack, with artworks from BAYC, Otherside, and Goblintown among the losses. One stolen Bored Ape fetched 91 ETH on OpenSea.
In the early hours of Sunday morning (UTC) Crypto Twitter user @SpiritAzuki rang the alarm on PREMINT. A screenshot shared by SpiritAzuki shows that the malicious script on the website presented itself to users as a security verification measure.
Within 10 minutes of SpiritAzuki’s warning, PREMINT made their own Twitter post saying “Please do not sign any transactions that say set approvals for all!”
It wasn’t until nearly 12 hours later, however, that PREMINT issued a full statement on the situation.
“Last night, a file was manipulated on PREMINT by an unknown third party that led to users being presented with a wallet connection that was malicious,” said PREMINT via their official Twitter account. “This issue only affected users who connected a wallet via this dialog after midnight Pacific time. Thanks to the incredible web3 community spreading warnings, a relatively small number of users fell for this. We took the site down early this morning to fix the issue.”
For users who had fallen foul of the exploit, the immediate reaction varied between the desperation and shock of one user who claimed to have ‘lost everything’, to more measured responses.
One user took the philosophical view that the situation could have been far worse.
“I used revoke when I saw the notices but I was evidently too late,” said @Dwayne420. “3 good NFTs I minted using premint were stolen. I only transfer crypto into that wallet when I buy…so glad and there wasn’t much of anything else in there NFT wise.”
Ultimately, what concerned users the most was the prospect of a refund. PREMINT have not yet been specific about their plans in this regard, but they have asked victims to contact them.
Report to PREMINT
PREMINT requests that anyone who fell victim to the scam should contact them via this form. To seek the return of a lost NFT users will need to provide the compromised wallet address, the OpenSea address and their Twitter account details.
BeInCrypto has reached out to company or individual involved in the story to get an official statement about the recent developments, but it has yet to hear back.