On Sunday, hackers infiltrated popular NFT registration platform Premint and made away with 320 stolen NFTs and more than $400,000 in profit in one of the biggest such hacks this year.
According to analysis by blockchain security firm CertiK, the hackers compromised the Premint website on Sunday with malicious JavaScript code. They then created a pop-up within the site that prompted users to verify their wallet ownership, ostensibly as an additional security measure.
Multiple users quickly realized the pop-up was illegitimate and immediately took to Twitter and Discord to warn others not to follow its instructions. Even so, within minutes, the hackers had already duped several Premint customers.
The pilfered NFTs included those from popular collections Bored Ape Yacht Club, Otherside, Moonbirds Oddities, and Goblintown. After securing these NFTs, the hackers immediately began flipping them on marketplaces like OpenSea; one stolen Bored Ape nabbed a price of 89 ETH, or around $132,000.
Over the course of Sunday, the hackers collected 275 ETH, or just over $400,000, through the sale of 302 stolen NFTs. The hackers have so far retained 18 unsold NFTs, according to CertiK.
The hackers then sent the funds to Tornado Cash, a service that pools together the cryptocurrency deposits of many users and mixes them, effectively wiping out the digital trail typically left by blockchain transactions. Mixing services like Tornado Cash are frequently used by cybercriminals to “clean” stolen cryptocurrency.
Yesterday, Premint took to Twitter to acknowledge the hack and assure users that the majority of accounts were unaffected. “Thanks to the incredible web3 community spreading warnings, a relatively small number of users fell for this,” the company tweeted.
Some Premint users noted, however, that the hacked site was left up for approximately 10 hours after hackers first infiltrated it early Sunday. Others bemoaned the loss of their digital assets and asked whether Premint would be refunding these accounts the value of the stolen NFTs.
Premint has since begun accumulating data on all NFTs stolen in the hack. The company declined to respond to Decrypt on the record.
This story comes out of PubDAO, a decentralized news wire.
Perhaps ironically, in the days leading up to the hack, the company had planned to announce a new security feature: the ability to log in to Premint via Twitter or Discord, a method that would allow users to access the site without entering wallet details directly. Any Premint customer using such a login method would have been protected from yesterday’s hack.
The feature had not been released yet, however. After Sunday’s events, Premint leadership decided to roll out the feature a few days earlier than anticipated:
The hack is only the latest scam to target the NFT market, which last year alone generated $25 billion in sales. In February, a phishing scam on OpenSea stole over $1.7 million worth of NFTs. In April, a hack of Bored Ape Yacht Club’s Instagram account led to a $2.8 million NFT theft. Last month, actor Seth Green paid almost $300,000 to recover a stolen Bored Ape NFT he was planning to make the centerpiece of an upcoming television series.
Despite the huge amount of capital flowing through the NFT space, the security of these assets—especially when connected to centralized firms like Premint—remains an enduring issue.
As one Premint user put it, “Security is the biggest thing not taken serious[ly] in the crypto space.”
Editor's note: This article was updated after publication to clarify that the hackers have retained 18 stolen NFTs and sold 302 so far, according to CertiK.