Web3 can be a risky frontier that requires a high-security mindset to survive, as users of the NFT whitelisting service, Premint, learned the hard way when a malicious (but suspicious) login link stole their NFTs. Because it is impossible to directly steal blockchain tokens from a crypto wallet, a clever hacker/scammer must use phishing attacks and user ignorance to steal tokens. Users can avoid phishing attacks by practicing Web3 operational security (or "opSec"), and by being skeptical and careful when requested to submit transactions.
Non-fungible token (NFT) collections are an effective way for a new project or influencer to raise capital from investors and fans while building a community. This often involves a "pre-mint" phase where people sign up for a raffle to be among the first wave of buyers/recipients, and bots are often created to unfairly increase the odds of winning one or more spots. Premint is an NFT "whitelisting" service where creators can set custom criteria to verify ("whitelist") wallets that can participate in the pre-mint (i.e. requiring social media verification, holding a sufficient cryptocurrency balance, and/or owning another NFT), and collectors have a dashboard that reports which pre-mints they've won. However, unlike NFT marketplaces such as OpenSea, Premint never takes custody or facilitates transfer of NFTs, and does not require submitting transactions to use.
Related: World's Largest NFT Marketplace Reveals Mind-Bending Stat About Free NFTs
According to CryptoSlate, approximately $400,000 of users' NFTs were stolen from their wallets by a malicious login link on Premint's website on July 17. Premint's official Twitter post claims an unknown third party manipulated the website's file,
Read more on screenrant.com