The biggest security risk from buying NFTs comes from attempts by hackers to access your crypto wallet.
The most common type of wallet for buying NFTs is a non-custodial browser wallet like MetaMask. Non-custodial wallets put you in complete control of your crypto assets – including NFTs – but require you to protect a fail-safe called a recovery Seed.
Should you lose access to your wallet, the Recovery Seed – in the form of 12-24 unique words – is the only way to regain access. Think of it as a complex password. Hackers will use a range of techniques to steal it and drain all funds from your wallet, including your NFTs.
Social Engineering
There is no legitimate reason why any service would ever ask you to reveal your Seed but hackers will use complex social engineering techniques to convince inexperienced users to reveal it.
The most common tactic is listening on Social Media and Discord for users needing help buying, selling or transferring on an NFT marketplace or Metaverse games, then posing as a customer service representative eager to help. They will go to great lengths to appear genuine, even creating fake Discord servers.
Malware
Hackers will use malware to directly infect your wallet or to try and gain access to your devices and search for a digital record of your Seed, which is why you should never store it online.
Hackers will also try and install malware that tracks keystrokes, hoping you will enter your Seed at some point, or intercept information stored in your clipboard to change the destination of an NFT transfer to their own address.
The amount of money that can be made from NFTs has made them the number one target for hackers and scammers. In April 2022, the Instagram account of the Bored Ape Yacht Club (BAYC) was hacked allowing the scammers to post fake ads about an airdrop in a new metaverse project.
It encouraged users to click a link which took them to a fake version of the BAYC website and pointed them to a transfer process which then stole NFTs valued at several million dollars.
These kinds of incidents are becoming more sophisticated with an underground market for stolen credentials which can help hackers directly or indirectly engineer access to marketplace accounts, exchanges or wallets, which includes sim-swapping to circumvent text-based 2FA
Rug Pulls
One of the growing threats to buying NFTs is known as a Rug Pull. This refers to an NFT project that makes every effort to look legit. The art might look professional, there may be a website, social media, customer support and influencers, but all this is engineered to give the impression of an NFT project that is committed to creating value for investors.
In reality, it is a Rug Pull; a sophisticated scam to lure in buyers and then abandon the project when the time is right, selling all assets and disappearing, leaving buyers holding a worthless jpeg.
NFT security risk management
Given the significant security risks associated with buying NFTs it is essential to take your personal information security seriously and to be constantly vigilant assuming every interaction could pose a risk:
- Never ever share your Seed with anyone
- Don’t store your Seed online
- Automatically update your browser & operating system
- Always enable 2FA for account-based services using an App not text messages
- Use a unique email address just for crypto activities and nothing else
- Use strong passwords that are unique to each site
- Frequently review/revoke contract permissions in MetaMask
- Consider using a backup mobile just for crypto activity
- Don’t identify yourself as an NFT owner on social media
- Use a good anti-virus software; run regular scans & constantly update the virus library
- Bookmark the official websites on services you regularly use
Leave a Reply