Old scams and new tricks
The non-fungible token (NFT) boom has also led to some serious security incidents. For example, the number of suspicious domain registrations with names of NFT stores increased by almost 300% in March 2021.
To participate in an NFT marketplace, you must have an active cryptocurrency wallet. This exposes NFT holders to new risks as attackers can find ways into your crypto wallet through your marketplace.
As we’ll see, threat actors have even infiltrated NFT marketplace OpenSea’s Discord server and impersonated support staff to trick targets into sharing account access. Some use old-fashioned phishing techniques to trick NFT holders into transferring funds or giving up credentials. Let’s dig deeper into the new threats that increase NFT security risk.
NFT boom and security
By 2021, the NFT market was worth at least $40 billion. In January 2022, 2.4 million NFTs were sold on OpenSea, the world’s largest NFT marketplace. This was an increase of one million sales compared to December 2020. NFT sales by value also broke records in January, with over $4.8 billion sold on OpenSea alone. Even traditional auction houses such as Christie’s and Sotheby’s now hold their own token auctions. With so much financial activity going on, threat actors were bound to take notice.
Old fashioned phishing and NFT scams
In February 2022, fraudsters stole hundreds of NFTs from OpenSea users, with 254 tokens taken during the attack. The estimated value of the theft was more than $1.7 million, and it all happened in about three hours.
OpenSea CEO Devin Finzer tweeted that victims were tricked into signing an online contract to trade tokens, but the contract order details were left blank. With the authorization signature in place, the attackers filled in the contract details without the victim’s knowledge. This enabled the transfer of NFT ownership to the attackers. It is believed that this attack occurred through some form of phishing, perhaps an email with a fake request for contract signatures.
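The blank-order problem described above can be caught before a signature is produced. The following is an added example, not code from OpenSea or any wallet: a pre-signing check that refuses an order whose fields are empty or zero. The order layout, field names and policy are hypothetical.

```javascript
// Added example: wallet-side check run before signing a trade order.
// The order layout and field names are hypothetical, not any marketplace's schema.
const ZERO_ADDRESS = "0x" + "0".repeat(40);

// What each field must contain before a signature is allowed (assumed policy).
const RULES = {
  maker: "address",
  tokenContract: "address",
  tokenId: "id", // 0 is a legitimate token id, so only "missing" counts as blank
  price: "amount",
  expiry: "amount",
};

function isMissing(v) {
  return v === undefined || v === null || (typeof v === "string" && v.trim() === "");
}

// Returns a reason string when the field carries no real commitment, else null.
function blankReason(kind, v) {
  if (isMissing(v)) return "missing";
  const s = String(v).trim().toLowerCase();
  if (kind === "address") {
    if (!/^0x[0-9a-f]{40}$/.test(s)) return "not an address";
    if (s === ZERO_ADDRESS) return "zero address";
  }
  if (kind === "amount") {
    if (!/^[0-9]+$/.test(s)) return "not a decimal integer";
    if (BigInt(s) === 0n) return "zero";
  }
  if (kind === "id" && !/^[0-9]+$/.test(s)) return "not a decimal integer";
  return null;
}

// Reviews an order and reports every field that was left open when signing.
function reviewOrder(order) {
  const problems = [];
  for (const [field, kind] of Object.entries(RULES)) {
    const reason = blankReason(kind, order[field]);
    if (reason) problems.push(`${field}: ${reason}`);
  }
  return { safeToSign: problems.length === 0, problems };
}

// Constructed sample inputs (addresses are made up).
const A = "0x" + "a1".repeat(20);
const B = "0x" + "b2".repeat(20);
const completeOrder = { maker: A, tokenContract: B, tokenId: "0", price: "1500000000000000000", expiry: "1700000000" };
const blankOrder = { maker: A, tokenContract: ZERO_ADDRESS, tokenId: "", price: "0" };
```

A wallet would call `reviewOrder` on the decoded signing request and show `problems` to the user instead of the signature prompt whenever `safeToSign` is false.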
Fake NFT store pages also exist that try to trick targets into giving up their login information through email and social media phishing campaigns.
Crypto Wallet Security Cracking
While many are careful not to fall for phishing scams, what if someone sends you a free NFT as a gift? Accepting it can trigger a series of events that end up compromising your crypto wallet. Researchers recently discovered an OpenSea vulnerability that works this way. The sequence of events looks like this:
- The attacker creates and delivers a malicious NFT to a target victim.
- Viewing the malicious NFT triggers a popup from the OpenSea storage domain. The popup asks to connect to the victim’s cryptocurrency wallet, a common request.
- To receive the gifted NFT, the victim opens a wallet connection that provides access to the wallet.
- Attackers can withdraw money from the wallet by triggering an additional malicious pop-up.
Since then, this vulnerability has reportedly been patched.
Fake NFT support on Discord
Consider the social engineering that took place on OpenSea’s Discord server. Attackers lurked on the instant messaging platform, waiting for someone to ask a support question. They then invited the unsuspecting target to a secondary fake “support” server.
After luring them to the server, attackers ask the target to enable screen sharing to solve the problem. The victim is then asked to “resync” the MetaMask crypto wallet Chrome extension with the MetaMask app. Then the victim is guided through the Configuration > Advanced > Sync with Mobile action chain, which finally generates a QR code.
Attackers can then take a screenshot of the QR code and use the image to sync the wallet with their own MetaMask app. After syncing, the attackers can freely steal crypto funds from the victim’s wallet.
NFT theft and digital art fraud
What about digital artwork? How do people steal them? When an NFT is minted, the token created is associated with a unique physical or digital object, such as a URL. So when you buy an NFT, you are essentially buying its URL. If you create a fake piece of art, you can sell it linked to a unique URL.
When selling NFTs on many marketplaces, artist verification may not be required. Online art thieves can simply copy, paste, emboss and sell the artwork as their own. A report from the Information Security Newspaper explains that NFT buyers can end up buying illegally copied art. The scam doesn’t stop there. Later, victims may receive a call from a blackmailer threatening to report them for possessing stolen digital assets.
Redline Malware scam
Threat actors can also pose as artists. Through social engineering, these fake patrons set up social media pages and behave as if they collect digital art. The scammers then approach artists and ask them to create something new. Once they get the artist to download malware (via fake contracts, art samples, etc.), attackers can distribute Redline malware.
This attack allows threat actors to steal usernames, passwords, and artwork files stored on device hard drives. Redline can also steal crypto wallet information from browser extensions and wallet.dat files.
Tweet Theft
Among the wide variety of existing NFT scams, this one is the easiest to pull off. An automated NFT tweet mining bot can automatically convert tweets into NFTs.
Think tweets are worthless? Twitter founder Jack Dorsey’s first ever tweet sold for the equivalent of $2.9 million. If someone posts their artwork in a tweet, attackers can steal it right from under their noses. This happened to artist RJ Palmer:
Cool new scammers to watch out for. Any rando can now turn your tweet and by extension your artwork into an NFT by tagging this account @/tokenizedtweets
Block this guy pic.twitter.com/JeHXwcoYFV
— RJ Palmer (@arvalis) March 9, 2021
How to improve NFT security
Some ways to increase NFT security include:
- Use multi-factor authentication for all accounts
- Learn how to spot phishing attacks and never click or download anything from suspicious or unwanted emails
- Beware of requests to create new art. Dig into the requester’s background, scour their social media and get references if possible.
- Use a hardware wallet instead of a software wallet
- Note that you can use DMCA copyright takedowns if someone steals your art.
The NFT universe is still in its infancy, and the opportunities are growing, as are the risks. For those who participate in NFT investments, it pays to stay up-to-date on security threats.