On Sunday, a hacker gained access to the official website of Premint, an NFT whitelisting platform, and took $375,000 worth of NFTs.
The code was signed by a total of six people, granting the hacker complete authority to spend money.
The Premint team stated on Twitter that "Last night, a file was manipulated on PREMINT by an unknown third party that led to users being presented with a wallet connection that was malicious."
The hacker was able to take 314 distinct NFTs before the issue was identified. These NFTs came from collections like Goblintown, Otherside, Moonbirds Oddities, and Bored Ape Yacht Club.
Around 07:30 AM ET on Sunday, the stolen goods were sold for 270 ETH ($375,000). The hacker sent the funds to an address and then mixed them with other transactions on the Ethereum network using Tornado Cash.
The attack is yet another example of how hackers are increasingly using security flaws in traditional web infrastructure to attack web3 initiatives.
Hackers carried out phishing attacks last month using websites run by the decentralized finance (DeFi) projects Ribbon Finance and Convex Finance.
In other cases, Twitter, Instagram, and Discord servers have been used to spread phishing URLs intended to steal cryptocurrencies and NFTs.
According to a CertiK spokeswoman, "It's evident from this that the web3 ecosystem needs to consider the interconnects with web2 technologies, particularly at places where its reliance on them becomes a risk."