DataBreach.com reported an update from Sunday that “Hackers behind one of the year’s largest non-fungible token hacks stole at least 314 blockchain entries worth about $375,000 from users of Premint NFT platform. That amount climbed to more than $421,000 as of Tuesday morning….” The July 18, 2022 article entitled “Hackers Steal $421K From Premint NFT Platform (UPDATE)” included these comments:
The incident, which affected wallets containing NFTs including Bored Ape Yacht Club and Oddities, began with an injection of malicious JavaScript, crypto security firm CertiK tells Information Security Media Group. Affected users saw a pop-up asking them to verify their wallet ownership, Premint tweeted on Sunday afternoon. The website allows users to join a database of potential buyers of new NFT projects.
Users who fell for the prompt also agreed to a “SetApprovalForAll” setting in their wallet, letting hackers drain their wallets. Premint says a “relatively small number of users” fell for the prompt and that it is putting additional security in place.
SetApprovalForAll is designed to allow decentralized finance platform users to automatically approve the transfer of specific tokens designated by an underlying smart contract at a future time. The function is a boon for threat actors who exploit it to transfer all of another users’ tokens to their own wallets
Unfortunately I think we will see more NFT thefts!
Author
Administraroot
