The NFT market exploded and grew to over $22 billion in 2021, attracting businesses and individuals who turned to NFTs to trade collectibles, generate income, or use them for promotions. However, the growing market has also drawn scammers who burn the midnight oil trying to trick individuals and organizations out of their crypto, NFTs, and other blockchain assets. The internet's transition to Web3 brings with it new security challenges that sophisticated hackers are taking advantage of, to the chagrin of Web3-related businesses.
Users can only continue to successfully implement Web3 programs if they can safely navigate these security challenges and make it difficult for hackers to steal funds and NFTs. With top collectors’ items like rare pieces from Bored Ape Yacht Club or Cool Cats attracting prices of over $30,000 apiece, it’s not difficult to see why reports like those of threat actors stealing over $600 million from the developers of NFT-based game Axie Infinity send chills through users.
Another example is a Twitter thread explaining how the founder of the decentralized autonomous organization (DAO) Arrow, who was working on an aircraft and air taxi protocol, lost almost all of his Ethereum (ETH) in a social engineering scam run by a Discord user. Let’s dive into exposing the most common NFT and crypto scams and how you can avoid user errors that can make you vulnerable.
Just like cryptocurrency transactions, NFTs are encrypted tokens stored in a digital blockchain. By nature, blockchains are secure since they use an unchangeable distributed ledger that anyone within the network can view, making it difficult for malicious players to tamper with it. After buying an NFT, you’re given a private key to store in a crypto wallet. The private key is required whenever you want to access or transfer your NFT.
Hackers have devised clever ways to exploit user error and reach the NFTs in digital wallets, using deceit to persuade you to give them what they want. So, unless you give a hacker access to your wallet via your private keys or willingly send your NFT to them, it would be difficult for anyone to steal your NFT.
Unfortunately, stories of everyday hacks becoming more sophisticated with new twists are increasing as fraudsters exploit gaping security holes. With leading companies reporting being targeted by Web2-style attacks, upcoming Web3 companies must do their best to avoid inheriting the security failures of the outgoing internet.
The greatest challenge has been Web3 companies focusing on getting filthy rich via digital assets without staying on the lookout for predatory scammers on the prowl.
Hackers will try to access your private key and seed phrase to steal your NFTs. Your private key helps verify any transaction you’re making, while the seed phrase gives access to the NFT wallet.
Some of the uncanny methods scammers can use to gain access to these two pieces of critical information include:
The first red flag that a scammer is using this old trick to dupe an unsuspecting user into transferring their NFTs or providing access to their wallets will be deals that are too good to pass up or unsolicited offers to help. Scammers also create fake profiles impersonating celebrities, influencers, or successful companies and then approach users offering to assist with real or imaginary problems.
Fraudsters are also keen to exploit any weak points in the contracts of NFT platforms, using them to their advantage to steal crypto or NFTs. For example, hackers have previously exploited weaknesses on the OpenSea and Treasure marketplaces to adjust the platform’s contracts and create orders that resulted in them buying NFTs for as little as $0.
Most NFT thefts could be avoided if users were careful about clicking “bad” links from scammers who use phishing tactics to access their seed phrases and private keys. The scam involves fake websites or emails designed to steal personal information and data. The fraudsters provide phony links where unsuspecting users willingly input their private keys and seed phrases, thus giving the scammers access.
The following are practical ways your company can stay safe as you dive into the developing world of Web3 applications.
Consider updating your security guidelines so all employees are aware of the steps needed to safely transact on the blockchain:
Web3 is a technology in its infancy, and developers are still struggling to figure out many issues. The first security measure when using Web3 is to avoid connecting your primary wallet to random decentralized applications. Only connect your wallet to trusted DApps to avoid losing your digital assets.
Discord and Telegram may be excellent tools to connect and chat with like-minded individuals, but you can’t tell everyone’s true motives on those networks or communities. Just as you’ve been warned to avoid clicking on random links shared online, the same applies to Telegram and Discord links unless they’re from a verified source. Only access links shared on a DApp’s original social media page.
Hackers can use your personal information to create personalized social engineering attacks. Avoid sharing your details online unless you’re sure who you’re dealing with, why the information is needed, and how the recipients will use it. Most importantly, don’t share sensitive information, such as transactional data relating to your digital wallet.
Scammers are known to impersonate individuals and companies and open accounts specifically to defraud unsuspecting users. If you thought it was difficult to control who can reach out to you online, knowing their motives for initiating contact is worse. You therefore need to verify the identity of the contact you’re transacting with. You may want to reach out to the people you’re talking to via other channels to confirm whether they’re the actual person or an impersonator.
Using one credential across different web and social media pages is a recipe for online disaster; having different passwords guarantees that the rest of your accounts remain safe in the unfortunate event that one of your accounts gets hacked. Consider investing in a good password manager to help create strong and unique passwords. While you can’t be 100% sure that you won’t lose your NFT or cryptocurrencies to fraudsters, you can take steps to ensure that your assets remain safe and secure.
It’s essential to do your research about creators, platforms, and online communities before engaging with them. The 50 hours of research recommended by most experts may look extreme, but considering the value of your digital assets, it’s worth it.