The non-fungible token (NFT) boom has also led to some serious security incidents. For example, the number of suspicious-looking domain registrations with names of NFT stores increased nearly 300% in March 2021.
To participate in an NFT marketplace, you must have an active cryptocurrency wallet. This exposes NFT holders to new risks as attackers can find ways into your crypto wallet through your marketplace account.
As we’ll see, threat actors have even infiltrated NFT marketplace OpenSea’s Discord server posing as support staff to trick targets into sharing account access. Some use old-fashioned phishing techniques to lure NFT holders into transferring funds or giving up credentials. Let’s dig deeper into the emerging threats that heighten NFT security risk.
The NFT Boom and Security
In 2021, the NFT market was worth at least $40 billion. In January 2022, 2.4 million NFTs were sold on OpenSea, the world’s largest NFT marketplace. This was an increase of a million sales compared to December 2020. NFT sales by value also shattered records in January, with over $4.8 billion sold on OpenSea alone. Even traditional auction houses like Christie’s and Sotheby’s are now holding their own token auctions. With that much financial activity going on, threat actors were bound to take notice.
Old Fashioned Phishing and NFT Fraud
In February 2022, scammers stole hundreds of NFTs from OpenSea users with 254 tokens stolen during the attack. The estimated value of the heist totaled more than $1.7 million, all happening in the span of about three hours.
OpenSea CEO Devin Finzer tweeted that victims were duped into signing an online contract to trade tokens, but the contract order details were left blank. With the authorization signature in place, attackers then filled in the contract details without the victim’s knowledge. This enabled transfer of NFT ownership to the attackers. It’s believed this attack occurred through some kind of phishing, perhaps an email with a false request for contract signatures.
Imitation NFT store sites also exist that try to trick targets into giving up their credentials through email and social media phishing campaigns.
Crypto Wallet Security Cracking
While many are careful not to fall for phishing scams, what if someone sends you a free NFT as a gift? Accepting it could unleash a series of events that ends up compromising your crypto wallet. Researchers recently discovered an OpenSea vulnerability that works this way. The sequence of events goes like this:
- The attacker creates and gifts a malicious NFT to a target victim.
- Upon viewing the malicious NFT, a pop-up triggers from the OpenSea storage domain. The pop-up requests connection to the victim’s cryptocurrency wallet, a common request.
- To receive the gifted NFT, the victim opens up a wallet connection enabling access to their wallet.
- Attackers can extract money from the wallet by triggering an additional malicious pop-up.
Since then, this vulnerability has reportedly been secured.
Fake NFT Support on Discord
Consider the social engineering ruse that took place on OpenSea’s Discord server. Attackers lurked on the instant messaging platform waiting for someone to ask a support question. They then invite the unsuspecting target to a secondary fake ‘support’ server.
After luring them to their server, attackers ask the target to enable screen sharing to solve the problem. The victim is then instructed to ‘resynchronize’ their MetaMask crypto wallet Chrome extension with their MetaMask app. Next, the victim is guided to perform the Configuration> Advanced> Sync with Mobile action chain which eventually generates a QR code.
Attackers can then take a screenshot of the QR code and use the image to sync the wallet with their own MetaMask app. After syncing, the attackers can freely steal crypto funds from the victim’s wallet.
NFT Theft and Digital Art Scams
What about digital works of art? How do people steal them? When an NFT is minted, the created token is linked to a unique physical or digital object, such as a URL. So when you buy an NFT, you essentially buy the URL for it. If you make a counterfeit work of art, you could then sell it linked to a unique URL.
When selling NFTs on many marketplaces, artist verification may not be required. Online art thieves can simply copy, paste, mint and sell the artwork as their own. An Information Security Newspaper report explains that NFT buyers might end up purchasing illegally copied art. The scam doesn’t stop there. Later, victims might get a call from a blackmailer threatening to report them for owning stolen digital assets.
Redline Malware Scam
Threat actors can also pose as artist patrons. Through social engineering, these fake patrons set up social media pages and act as if they collect digital art. The scammers then approach artists asking them to create something new. Once they get the artist to download malware (via fake contracts, art samples, etc.) attackers can deploy Redline malware.
This attack enables threat actors to steal usernames, passwords and art files saved on device hard drives. Redline can also steal crypto wallet information from browser extensions and wallet.dat files.
Among the wide range of existing NFT scams, this one is the easiest to execute. An automated NFT tweet mining bot can automatically convert tweets into NFTs.
Think tweets aren’t worth anything? Twitter founder Jack Dorsey’s first ever tweet sold for the equivalent of $2.9 million. If anyone posts their artwork in a tweet, attackers could steal it right from under their noses. This happened to artist RJ Palmer:
Cool new scam artists should be aware of. Any rando can now turn your tweet and by extension, your artwork into an NFT by tagging this account @/tokenizedtweets
Block this guy pic.twitter.com/JeHXwcoYFV
— RJ Palmer (@arvalis) March 9, 2021
How to Improve NFT Security
Some ways to boost NFT security include:
- Use multifactor authentication for all accounts
- Learn how to spot phishing attacks and never click or download anything from suspicious or unsolicited emails
- Beware of requests to create new art. Dig into the requester’s background, scour their social media site and get references if possible.
- Use a hardware wallet instead of a software wallet
- Note that you can use DMCA copyright infringement takedowns if someone steals your art.
The NFT universe is still in its infancy, and the opportunities are growing, as is the risk. For those who participate in NFT investments, it pays to remain up to date about security threats.