In November 2021, a popular Twitter user and cryptocurrency enthusiast @Oxflim tweeted about a particularly nasty incident that happened to him. He lost his NFT collection, worth over 300 ETH, in the blink of an eye.
“My primary wallets were compromised last night — you never want to wake up to something like this. Down bad. I ended up losing somewhere between 300 – 500 ETH altogether. Mostly my prized collection of NFTs was taken and sold….. The perpetrator had access to 2 wallets.
I had both of them in metamask. I had these wallets on multiple machines, some of which I leave on 24/7; I didn’t use hardware wallets (I have used one in the past, got tired of it). ABSOLUTELY NOT GOOD security, and I feel that more than ever now. Never sacrifice convenience.”
He was not the first (and will certainly not the last) to be a victim of a new and emerging threat in the NFT industry: scammers.
NFT’s are the biggest and most hyped project to come out of the crypto space this 2021. But the expansion of this project has come with significant setbacks and critically underlooked security threats.
This article will discuss the dark side of NFT’s and how the fastest growing cryptocurrency industry has a very exposed underbelly, cyber security-wise.
But before we begin, let us define what the whole NFT concept is all about
Non FUNgible Tokens
What is the value of value? This simple question, confusing as it may sound, is the fundamental principle influencing the sudden upsurge of interest NFT’s have found amongst the wealthy public in recent times.
For most cryptocurrencies, their value is defined by their rarity.
In simple terms, their uniqueness is what makes them expensive.
For instance, the most famous cryptocurrency, Bitcoin, only has about 21 million Bitcoin available for mining.
NFTs, on the other hand, are even rarer than that.
NFTs are one-of-a-kind tokens whose possession belongs to a select few. It is these ownership rights that make NFT’s so valuable. Just like how ownership of classic artworks and paintings is a measure of your wealth and status.
This is the fundamental difference between NFT’s and other cryptocurrency assets. Unlike Bitcoin, for example, which purports to act as a medium of exchange, NFT’s are not divisible or directly exchangeable.
You can’t buy half of the Mona Lisa or 30% of the Sistine chapel.
The value of each NFT token lies in the importance the owner attaches to it. This individual value determination is what makes the concept radically different from other blockchain projects.
What does NFT ownership mean?
Although Non Fungible Tokens grant the individual buyer owner rights, the actual asset is located somewhere else.
You can think of the token as merely a digital representation of ownership. The Nonfungible asset itself is located on external blockchain-based web addresses.
From a cyber security standpoint, this means an NFT project has two possible vulnerabilities: the blockchain web address it is hosted on and the token itself.
Non Fungible assets are often hosted on Interplanetary File Systems (IPFS).
It is very possible for the blockchain web address on which an NFT is hosted to be subject to malicious ransomware attacks and lose operability. Even more worrying, some Non Fungible assets have been found to be non-operational or even temporarily missing.
NFT Scams and Hacks
While Non Fungible assets can possibly be a source of vulnerability in the future, the main focus of attacks by malicious scammers has been on the non fungible tokens themselves.
NFT hacks and scams come in varied types. Some are new and personalized to the NFT space, while others remain as old as time. For now, a large number of them rely heavily on social engineering attacks.
Some NFT scammers ply their trade through false impersonation. Often masquerading as helpful assistants or even platform employees, they convince unsuspecting victims to grant them access to their NFT wallets by sharing their private passwords.
NFT’s, like any blockchain project, are stored inside cryptocurrency wallets.
Thus, the ultimate target for all con men is the passwords and seed phrase private key to your NFT wallet.
The moment your private key is out of your hands, you might as well kiss your NFT goodbye.
This was what happened to Jeff Nicholas, an unsuspecting victim who lost over 150 ETH (480,000 dollars at the time) to Open sea employee impersonators. Masquerading as customer support staff, the scammers got Jeff to share his computer screen, which contained a snapshot of his QR code, to them for “troubleshooting,” and the heist began. By the time he realized something was up, it was far too late. The damage had already been done.
Another well-known method NFT scammers use is phishing attacks.
Defrauding people with fake websites that look like a perfect clone of the real project is a well-known fraudulent practice in the cryptocurrency space, and NFTs are not exempt.
NFT phishing attacks explore NFT drops and use ambiguous information from the founders of official NFT projects to perpetuate their scams. This was more or less what happened in the Aurory project phishing attacks. Over 1.1 million dollars was stolen by malicious hackers.
The hackers were able to pull off the heist through clever trickery, user impatience, and ambiguous information from the founders.
The scam took place during the NFT drop for Aurory, a popular game project on Solana. The scammer(s) made an exact replica of the website and promoted it aggressively on the project Discord’s server. Users, unaware of this and probably spurred by the founders’ mention of a backup website, proceeded to the cloned website to claim and purchase NFTs.
Once users visited the fake website and gave the cloned site permission to edit their wallets, their wallets became ransacked. Recovery of funds seems impossible.
Cryptocurrency projects and rug pulls are a tale as old as time. NFTs are not exempt. There have been several rug pull incidences where developers drain the project of funds and run. The most notorious example to date is the Evolved ape NFT project, where developers drained the project of 2.7 million dollars and vanished.
However, the difference between other projects and NFTs is that the non-fungible assets still exist, even after being dumped by the founder.
They can be resold to anyone who finds them valuable enough to be purchased. This is an essential distinction between NFT’s and other crypto tokens.
Because non Fungible Tokens are, by their very nature, merely ownership rights, scammers can sell counterfeit NFT’s that look just like the original to unsuspecting buyers.
A notorious example of this heist occurred during the NFT art auction for Banksy, a famous artist.
The website of the artist Banksy was purportedly compromised by a hacker, who was able to set up a phony nonfungible token, also known as an NFT, for sale on the site.
It led to one person losing $336,000, although the hacker ended up refunding the funds to the victim. Still, the flourishing nature of the heist indicates that just like in the traditional art industry, counterfeiting might become a significant threat to the NFT industry in the coming years.
Airdrop scams have long been a well-known problem bedeviling the crypto space.
You cannot be too surprised to see that creep into NFTs as well. These scams are pretty standard as about hundreds are noticed every day by cryptocurrency enthusiasts. These scam giveaways set their sights on the well-known cryptocurrencies and attempt to dupe their brands and personalities. The con artists target cryptocurrency enthusiasts with the scam and offer them free crypto or tokens or NFTs. It is a well-known tactic to clear out people’s wallets, and it does not come as much of a surprise to see that such vile tactics are creeping into the NFT spaces. As the NFT industry continues to explode, there will probably be more of these on various social media platforms in the coming days.
The NFT community has begun to construct a playbook for dealing with the repercussions of scams.
The most common example is community fundraising, in which generous individuals donate excess Ethereum or in-demand NFTs. At the same time, artists often contribute NFTs they’ve developed themselves.
Victims are frequently provided with zero-interest bitcoin loans, which they can utilize to invest in or start their own artistic ventures to get back on their feet again.
The NFT industry is fast growing and is projected to explode in years to come.
However, just as with anything that has to do with cryptocurrency, you need a reasonable modicum of common sense and security to protect your NFT assets from being stolen by unscrupulous individuals on the web.
The main target for most NFT scams is the seed phrase key for wallets containing NFT’s.
Thus, never expose your private keys or share them on any website, no matter how official or authentic it looks.
For over 30 years, Marin Ivezic has been protecting financial services and critical infrastructure against financial crime, cyber, and regulatory risks. He previously held multiple interim CRO, CISO and technology leadership roles in Global 2000 companies. Since 2013 he has been advising institutions and regulators around the world on safe, secure and compliant adoption of crypto assets and other decentralized technologies.