After injecting malicious code onto Premint’s website, a hacker took 314 NFTs. The NFTs stolen were purchased for approximately $375,000.
CertiK security firm claims that a hacker infected a malicious JavaScript code onto premint.xyz. This instructed users to sign a fraudulent transaction via a wallet popup. The code was signed by six people, giving the hacker complete control over the funds.
“Last night, PREMINT was manipulated by an unknown third-party that resulted in users being presented with malicious wallet connections,” Premint team reported.
The hacker was able smuggle 314 different NFTs before the exploit was discovered. These NFTs included those from collections such as Bored Ape Yacht Club and Otherside.
Around 07:30 AM, the stolen assets were purchased for 270 Ethereum ($375,000). ET on Sunday. The hacker transferred the funds to this address, and routed them through Tornado Cash. Tornado Cash is a popular transaction mixer on Ethereum.
This exploit is part of a growing trend where hackers exploit vulnerabilities in web infrastructure to exploit web3 projects.
Hackers used the Convex Finance websites to launch phishing attacks last month. In other cases, Discord servers, Twitter, and Instagram accounts were exploited to distribute phishing links that are aimed at stealing cryptocurrency or NFTs.
According to CertiK spokesperson, “It is clear that the web3 ecosystem must take into consideration the interconnects and web2 technologies, especially at points where their dependence becomes a vulnerability.”