Premint Hacked for $400K... Beware of the Pop-Ups

^(Source)

Evening

So we have got the biggest NFT hack of the year at our hands, as NFT platform Premint got exploited on Sunday with hackers managing get hold of 314 NFTs worth around $410K

How it went?

As per blockchain security firm CertiK, hackers managed to compromise the Premint website with a malicious Java Script injection. This allowed them to create a fake pop up, asking the Premint users to verify their ownership of wallet as an added security measure.

Despite the early warnings by many community members, it was too late and the damage was already been done, as multiple users fell prey to the fake pop up and got deceived into giving the hackers access to their wallets.

Hackers managed to get away with 314 NFTs including popular collection like Bored Ape Yacht Club. The hackers than start selling the stolen NFTs on marketplaces like OpenSea. By the end of the day they made 275 ETH by the sale of those stolen NFTs and moved the funds to coin mixer Tornado cash to obfuscate funds movement.

Premint Response and Obligation

Premint acknowledged the hack yesterday, saying that majority of user wallets were unaffected due to early warning by many platform users. They said that they are still investigating the incident and are in process of collecting the information about all user wallets that were compromised.

So far Premint haven't announced any reimbursement plan for the affected users. Instead they are sharing various general purpose security warnings to avoid any future incidents. Whereas, these warning messages are good but for now the affected users instead want a hear about a reimbursement plan.

I feel Premint owe the affected users an apology and need to compensate them their loss, as the vile pop-up was made possible in the first place because a vulnerability on their side. Yes the users should have been more careful, but ultimately the responsibility falls on the platform to provide their users with top notch security.

Take Away/Lessons Learnt

Premit pop up hack is sad and there are certain lessons from it that crypto community can essentially learn. One is never click pop-ups until you are 100% sure of their authenticity. Second, always be on watch for anything out of routine; like pop-ups, additional security verifications and wallet signatures etc.

Basically anything out of the routine despite coming from a trusted source can be malicious and should be properly investigated. Exploiters are indeed getting innovative with their plots and are always on look out any vulnerability they can exploit. So web 3 users also need to be on their toes. Better to be safe than sorry.

Regards:)