The NFT market exploded and grew to over $22 billion in 2021, attracting businesses and individuals who turned to NFTs to trade collectibles, generate income, or use them for promotions. However, the growing market has also widened the opportunity for scammers, who work hard to trick individuals and organizations out of their crypto, NFTs, and other blockchain assets.
The internet transition to Web3 brings with it new security challenges that sophisticated hackers are taking advantage of, to the chagrin of Web3-related businesses. Users can only continue to successfully implement Web3 programs if they can safely circumvent security challenges and make it difficult for hackers to steal funds and NFTs.
With top collectors’ items like rare pieces from Bored Ape Yacht Club or Cool Cats attracting prices of over $30,000 a piece, it’s not difficult to see why reports like those of threat actors stealing over $600 million from the developers of NFT-based game Axie Infinity send chills through users. Another pointer is a Twitter thread explaining how the founder of the decentralized autonomous organization (DAO) Arrow, who was working on an aircraft and air taxi protocol, lost almost all of his Ethereum (ETH) in a social engineering scam run by a Discord user.
Let’s dive into exposing the most common NFT and crypto scams and how you can avoid user errors that can make you vulnerable.
How to Store your Digital Asset
Just like cryptocurrency transactions, NFTs are encrypted tokens stored in a digital blockchain. By nature, blockchains are secure since they use an unchangeable distributed ledger that allows anyone within the network to view it, making it difficult for malicious players to tamper. After buying an NFT, you’re given a private key to store in a crypto wallet. The private key is required whenever you want to access or transfer your NFT.
Can an NFT get stolen?
Hackers have devised intelligent ways to exploit user error to access NFTs in digital wallets through deceit by persuading you to give them what they want. So, unless you provide a hacker access to your wallet via your private keys or send your NFT to them willingly, it would be difficult for anyone to steal your NFT.
Unfortunately, stories of everyday hacks becoming sophisticated with new twists are increasing as fraudsters use gaping security holes. With leading companies reporting being targeted by Web2-style attacks, upcoming Web3 companies must do their best to avoid inheriting the security failures of the outgoing internet. The greatest challenge has been Web3 companies focusing on getting filthy rich via digital assets without staying on the lookout for predatory scammers on the prowl.
Vulnerabilities that Cyber Criminals Exploit
Hackers will try to access your private key and seed phrase to steal your NFTs. Your private key helps verify any transaction you’re making, while the seed phrase gives access to the NFT wallet. Some of the uncanny methods scammers can use to gain access to these two pieces of critical information include:
The first red flag that a scammer is using this old trick to dupe an unsuspecting user into transferring their NFTs or providing access to their wallets will be deals that are too good to pass up or unsolicited offers to help. Scammers also create fake profiles impersonating celebrities, influencers, or successful companies and then approach users offering to assist with real or imaginary problems.
Fraudsters are also keen to exploit any weak points in the contracts of NFT platforms, using them to their advantage to steal crypto or NFTs. For example, hackers have previously exploited weaknesses on the OpenSea and Treasure marketplaces to adjust the platform’s contracts and create orders that resulted in them buying NFTs for as little as $0.
Most NFT thefts could be avoided if users were careful about clicking “bad” links from scammers who use phishing tactics to access their seed phrases and private keys. The scam involves fake websites or emails designed to steal personal information and data. The fraudsters provide phony links where unsuspecting users willingly input their private keys and seed phrases, thus giving the scammers access.
Tips for Staying Safe in the Growing World of Web3
The following are practical ways your company can stay safe as you dive into the developing world of Web3 applications. Consider updating your security guidelines so all employees are aware of the steps needed to safely transact on the blockchain:
Never Connect your Wallets to Unfamiliar DApps
Web3 is a technology in its infancy, and developers are still struggling to figure out many issues. The first security measure when using Web3 is to avoid connecting your primary wallet to random decentralized applications. Only connect your wallet to trusted DApps to avoid losing your digital assets.
Never Click on Links Shared on Discord or Telegram
Discord and Telegram may be excellent tools to connect and chat with like-minded individuals, but you can’t tell everyone’s true motives on those networks or communities. Just as you’ve been warned to avoid clicking on random links shared online, the same applies to Telegram and Discord links unless they’re from a verified source. Only access links shared on a DApp’s original social media page.
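As an added example (not part of the original article), a company enforcing this advice could screen links pasted into chat against an allowlist of vetted DApp domains and flag lookalikes. The domains, function names and the 0.8 similarity threshold are assumptions made for illustration.

```python
import re
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Constructed allowlist: placeholder domains standing in for the official
# sites of the DApps your organization has vetted.
OFFICIAL = {"market.example", "wallet.example"}

# Constructed chat message containing one lookalike link and one official link.
SAMPLE_MESSAGE = ("Free mint ends soon https://rnarket.example/claim "
                  "not https://market.example/drops")

def classify(url, official=OFFICIAL):
    """Return 'official', 'suspicious' or 'unknown' for one URL."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:
        return "suspicious"          # malformed URL
    if parts.scheme != "https" or not host:
        return "suspicious"          # plain http or no usable host
    if "@" in parts.netloc:
        return "suspicious"          # userinfo trick: https://real@fake/
    if not host.isascii() or "xn--" in host:
        return "suspicious"          # internationalized (homograph) host
    for domain in official:
        if host == domain or host.endswith("." + domain):
            return "official"        # exact domain or a true subdomain
    labels = host.split(".")
    for domain in official:
        if domain + "." in host:
            return "suspicious"      # official name used as a prefix label
        # Compare the same number of trailing labels as the official domain.
        tail = ".".join(labels[-domain.count(".") - 1:])
        if SequenceMatcher(None, tail, domain).ratio() >= 0.8:
            return "suspicious"      # near-miss spelling of an official name
    return "unknown"                 # not vetted: treat as untrusted

def vet_message(text, official=OFFICIAL):
    """Extract every link from a chat message and classify it."""
    urls = re.findall(r"https?://[^\s<>\"']+", text)
    return [(u, classify(u, official)) for u in urls]

if __name__ == "__main__":
    for url, verdict in vet_message(SAMPLE_MESSAGE):
        print(f"{verdict:10} {url}")
```

An "unknown" verdict is not a pass: it only means the link matched no vetted domain and should be checked through another channel before anyone connects a wallet.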
Don’t Share too Much Personal Information Online
Hackers can use your personal information to create personalized social-engineering attacks. Avoid sharing your details online unless you’re sure who you’re dealing with, why it’s needed, and how the recipients will use it. Most importantly, don’t share sensitive information such as transactional data relating to your digital wallet.
Verify that Your Online Contact Is Real
Scammers are known to impersonate individuals and companies and open accounts specifically to defraud unsuspecting users. If you thought it was difficult to control who can reach out to you online, knowing their motives for initiating contact is harder still. You, therefore, need to verify the identity of the contact you’re transacting with. You may want to reach out to the people you’re talking to via other channels to confirm whether they’re the actual person or an impersonator.
Never Use the Same Credentials on Different Sites
Using one credential across different web and social media pages is a recipe for online disaster; having different passwords guarantees that the rest of your accounts remain safe in the unfortunate event that one of your accounts gets hacked. Consider investing in a good password manager to help create strong and unique passwords.
While you can’t be 100% sure that you won’t lose your NFT or cryptocurrencies to fraudsters, you can take steps to ensure that your assets remain safe and secure. It’s essential to do your research about creators, platforms, and online communities before engaging them. The 50 hours of research recommended by most experts may look extreme, but considering the value of your digital assets, it’s worth it.