When MetaKovan purchased Beeple’s NFT art for more than $69 million, my first thought was that it put my CryptoKitties collection to shame. My second thought was that any asset category with this much hype and media attention is an absolute dream for cyber criminals.
With NFTs becoming mainstream, everyday scams are table stakes. For example, copycat domain names of sites like Nifty Gateway can lure victims to phishing pages where they either click a malicious link or enter their credit card info for an NFT that doesn’t really exist. Bolster found the number of suspicious-looking domain registrations with names of NFT stores increased nearly 300% in March of this year.
For everyday buyers, purchasing NFTs requires basic security hygiene, such as multifactor authentication, and an understanding that digital assets are real-world assets. However, if you’re a buyer of expensive or highlight sought-after NFT art, this requires a certain level of paranoia. The amount of fanfare around NFT artists and collectors means that hackers don’t have to do the legwork needed to create a highly targeted phishing email or social engineering attack. All the necessary information is spelled out on the internet for fraudsters to leverage.
The Risk of Being Your Own Bank
To be engaged in an NFT marketplace, you must have an active wallet. This leaves NFTs in a risky state of limbo because there are plenty of ways a hacker can pop open an Ether wallet through force attacks or compromise it through cross-site scripting. And if your wallet’s connected to your phone, an attacker could SIM swap or use the re-routing technique that Lucky255 recently demonstrated to VICE Motherboard.
Hackers know from their experience in stealing cryptocurrency that the greatest security weaknesses lie in the exchanges and storage of NFTs, particularly given the fact that buyers must “be their own bank.” This is even more true if you take these assets offline, onto a mobile or hardware wallet. While the security industry tends to focus on ransomware, cryptominers, and extortion, there are a myriad of other methods of targeting cryptocurrency holdings and NFTs that don’t get anywhere near the same coverage.
The hard truth is that there is no truly secure way to be an NFT art collector. You are beholden to the security of the exchange and your own security methods. And the fact that NFTs exist on the blockchain can mean that once your NFT is stolen, consider it gone for good.
New Favorite Tool for Hackers
If there’s a form of currency that doesn’t flow through a bank, bad guys are going to use it. Art has historically been an easy cover for hiding and shuffling around large sums of money. However, the digital form of NFT artwork provides an ideal means to cyber criminals for laundering assets. It’s the perfect cover, in that you are indeed “selling” a “good” as opposed to transferring a currency. Laundering money using NFTs is turning out to be easier than leveraging cryptocurrency by itself.
I’ve also seen some speculation around whether NFTs could potentially become a way in which hackers buy and sell exploits and other hacking tools. My take is that there are currently better options, and I don’t foresee NFT zero-days catching on unless an official marketplace comes online. The existing market for illicit options for selling zero-days is growing rapidly as it pays significantly more than legitimate exchanges and is increasingly accessible.
While the NFT hype may be short-lived, whenever a hot new asset that has value appears, it becomes the goal of cyber criminals to obtain that asset through any means necessary. Whether hackers target NFT exchanges, extort buyers of headline-grabbing NFT artwork, or simply use NFTs to move money digitally and pay for illicit services, I can only expect that we’ll see creative NFT-related attacks from hackers in the coming months. And given the media scrutiny of this space, cybercrime groups have likely started to diversify their approach to remain one step ahead.