- The NFT space has attracted many scammers and hackers as it has grown.
- Collectors should consider using hardware wallets to store valuable NFTs.
- Active NFT users should also exercise caution to avoid phishing attacks.
Crypto Briefing shares a list of operational security best practices for safeguarding your NFTs.
Security Tips For NFT Collectors
In 2021, NFTs exploded into the mainstream. The market for non-fungible tokens has seen huge growth, with trading volumes hitting record highs and top-tier pieces selling for millions of dollars. Last year, NFT sales hit $25 billion, while platforms like OpenSea continue to see huge interest from crypto natives and new adopters alike. The flurry of excitement surrounding tokenized collectibles has inspired celebrities like Jay-Z and Paris Hilton to buy into projects like CryptoPunks and Bored Ape Yacht Club, further fueling the demand.
Thanks to the rising prices of the most sought-after NFTs, the space has attracted many scammers and hackers. These opportunists use social media platforms like Discord and Telegram to target vulnerable collectors and attempt to steal their most prized pieces. As interest in the technology grows, NFT investors must stay up-to-date with best practices in operational security. In this feature, we explain all of the measures NFT owners can take to protect their collections.
Ensuring Wallet Security
NFT collectors can lose their holdings if hackers gain access to their wallet’s seed phrase, which is a private string of words that gives access to a cryptocurrency wallet.
NFT owners must therefore take precaution to ensure their seed phrase always stays secure. Hardware wallets such as Ledger and Trezor are widely considered one of the most secure ways to store crypto assets. Hardware wallets are a form of cold storage wallet as they are stored offline rather than hot wallets like MetaMask. Unlike hot wallets, hardware wallets store the private key within the device. To make a transaction with a hardware wallet, the user must have the device in-hand to confirm the transaction, making it much harder for hackers to gain access. For anyone with a collection of valuable NFTs, hardware wallets are undoubtedly one of the best storage options.
It is also vital to ensure that the seed phrase to any wallet that stores NFTs is secured offline in a safe place. Some users opt for splitting their seed phrase across multiple locations to add an extra layer of security. Durable materials like titanium and steel are also popularly used to store seed phrases.
It’s extremely risky to store seed phrases on digital, Internet-facing devices in case the device is compromised.
Verifying NFTs Before Minting or Buying
NFT collectors should always apply due diligence to find out whether an NFT is authentic before buying into a collection. This can help alleviate the risk of buying a counterfeit NFT. On OpenSea, official collections usually receive a “verified” checkmark once they surpass 100 ETH in trading volume.
During NFT minting, collectors should also check that they are connected to the correct website. Scammers frequently clone websites by making a slight amend to the original domain name with the goal of stealing crypto assets. When buying into newer NFT collections on secondary marketplaces like OpenSea or Rarible, it is important to verify if the project’s smart contract came from the official team.
In October 2021, an anonymous hacker memorably hacked into the CreatureToadz project’s Discord server. Posing as an admin, they announced a fake NFT mint, which was enough to trick community members into sending them over $340,000 in Ethereum. While the funds were later returned to the team, the incident highlighted the importance of verifying official smart contracts for prospective mints.
On several occasions, fraudsters have used the names of famous artists to mislead investors. One scammer went as far as hacking Banksy’s website to post a link to a piece; it sold for $336,000 in Ethereum.
Taking Caution Against Honeypot, Malware, and Phishing Attacks
One of the most common ways scammers target NFT collectors is through phishing attacks. Hackers frequently execute “honeypot” schemes to lure investors. In this type of attack, they send fake airdrops to NFT holders to trick them into claiming tokens. However, when the victim proceeds with the claim, they interact with a malicious smart contract that seeks permission to spend their assets. If they inadvertently grant permission to the contract, it can drain the assets in their wallet.
In December 2021, the New York-based NFT collector Todd Kramer lost $2.2 million worth of NFTs in a phishing attack. He interacted with a phishing contract disguised as a genuine application, leaving his wallet exposed to the hack. It was drained of several NFTs from the Bored Ape Yacht Club, Mutant Ape Yacht Club, and CloneX collections.
It is also possible for hackers to use malware to gain backdoor access to devices. Hackers often send malicious links that immediately deploy malware and can take over computers. Hackers can then extract the private key to hot wallets like MetaMask and withdraw all of the NFTs and other assets.
As hackers frequently prey on investors on social media apps like Discord, it’s important to be vigilant when interacting with anyone online. NFT collectors should always verify someone’s identity before they interact with them and avoid clicking on any suspicious links.
Protecting Personal Privacy
NFT collectors often show off their non-fungibles in their social media avatars (Twitter has just rolled out a feature that gives users a way to prove that they own their NFT avatar, and Meta is also set to release a similar feature soon). However, using NFT avatars or human-readable domain names like Ethereum Name Service can make it easier for hackers to identify investors they want to target.
As the blockchain makes all transactional and wallet data available, malicious entities can easily track collectors that own valuable NFTs if they share any details of their addresses on social media. This may lead to targeted phishing attacks or physical threats.
NFT investors also need to pay attention to vulnerabilities that may leak their private information. Recently, a cryptographer discovered a MetaMask bug that could give hackers access to a users’ IP addresses on mobile devices. MetaMask says it’s aware of the issue but is yet to fix it.
As NFTs have grown in popularity, so has the appetite of scammers looking to steal valuable pieces from collectors. Many of these attackers use sophisticated methods to target investors. It’s therefore vital for anyone active in the NFT space to always take the necessary precautions and due diligence to ensure that they protect their collections. As ever, investors should be aware that NFTs are a nascent technology in a risky space. As such, users should always take caution and follow operational security practices when investing.
Disclosure: At the time of writing this feature, the author owned ETH and other cryptocurrencies.
Bored Ape NFT Collector Loses $2.2M in Phishing Scam
An NFT collector has lost millions of dollars’ worth of NFTs in an apparent phishing attack. NFT Collector Targeted With a Phishing Attack A New York-based art curator and NFT…
$1.8M Lost to Fake MetaMask Token Honeypot Scam
A fake MetaMask token has conned traders out of over $1.8 million. Hackers injected code into the DEXTools application’s front end, convincing traders that the token was verified. The MetaMask…
Investing Survey: Win A $360 Subscription To Pro BTC Trader
We’re doing this because we want to be better at picking advertisers for Cryptobriefing.com and explaining to them, “Who are our visitors? What do they care about?” Answer our questions…
MetaMask Knows It Has a Critical Privacy Vulnerability, But Hasn’…
Alexandru Lupascu says that MetaMask users who access the app on mobile devices are at risk of exposing their IP address. MetaMask Mobile App Can Expose Users’ Privacy MetaMask users…