The non-fungible token (NFT) boom has also led to some serious security incidents. For example, the number of suspicious-looking domain registrations with names of NFT stores increased nearly 300% in March 2021.

To participate in an NFT marketplace, you must have an active cryptocurrency wallet. This exposes NFT holders to new risks as attackers can find ways into your crypto wallet through your marketplace account.

As we’ll see, threat actors have even infiltrated NFT marketplace OpenSea’s Discord server posing as support staff to trick targets into sharing account access. Some use old-fashioned phishing techniques to lure NFT holders into transferring funds or giving up credentials. Let’s dig deeper into the emerging threats that heighten NFT security risk.

The NFT Boom and Security

In 2021, the NFT market was worth at least $40 billion. In January 2022, 2.4 million NFTs were sold on OpenSea, the world’s largest NFT marketplace. This was an increase of a million sales compared to December 2020. NFT sales by value also shattered records in January, with over $4.8 billion sold on OpenSea alone. Even traditional auction houses like Christie’s and Sotheby’s are now holding their own token auctions. With that much financial activity going on, threat actors were bound to take notice.

Old-Fashioned Phishing and NFT Fraud

In February 2022, scammers stole hundreds of NFTs from OpenSea users: 254 tokens were taken during the attack. The estimated value of the heist totaled more than $1.7 million, and it all happened in the span of about three hours.

OpenSea CEO Devin Finzer tweeted that victims were duped into signing an online contract to trade tokens, but the contract order details were left blank. With the authorization signature in place, attackers then filled in the contract details without the victim’s knowledge. This enabled transfer of NFT ownership to the attackers. It’s believed this attack occurred through some kind of phishing, perhaps an email with a false request for contract signatures.
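
The safeguard that fits the incident described above is a check, before signing, that no order field is still empty. This is an added example, not OpenSea's or any wallet's code; it assumes the request arrives as EIP-712 typed data, and the `Order` type and its field names are hypothetical.

```javascript
// Added example, not OpenSea's or any wallet's code. The "Order" type and its
// field names are hypothetical; only the EIP-712 envelope shape is standard.
const ZERO_ADDRESS = "0x" + "0".repeat(40);

// True when a value of the given Solidity type is missing, empty or all zero.
function isBlank(type, value) {
  if (value === undefined || value === null) return true;
  if (type.endsWith("]")) return !Array.isArray(value) || value.length === 0;
  if (type === "address") return String(value).toLowerCase() === ZERO_ADDRESS;
  if (/^u?int\d*$/.test(type)) {
    try { return BigInt(value) === 0n; } catch { return true; }
  }
  if (type === "string") return String(value).trim() === "";
  if (/^bytes\d*$/.test(type)) return /^(0x)?0*$/i.test(String(value));
  return false; // bool and unrecognised types are not treated as blank
}

// Walk the message along its declared types and collect blank field paths.
function blankFields(td, typeName = td.primaryType, obj = td.message, path = "") {
  const found = [];
  for (const { name, type } of td.types[typeName] || []) {
    const here = path ? `${path}.${name}` : name;
    const value = obj == null ? undefined : obj[name];
    if (td.types[type] && value != null) found.push(...blankFields(td, type, value, here));
    else if (td.types[type] || isBlank(type, value)) found.push(here);
  }
  return found;
}

// Zero can be legitimate for some fields, so blanks are surfaced for explicit
// confirmation instead of being signed silently.
function reviewSignRequest(td) {
  const blanks = blankFields(td);
  return { allow: blanks.length === 0, blanks };
}

// Constructed sample requests: one fully specified, one left mostly blank.
const ORDER_TYPES = { Order: ["maker", "recipient", "tokenContract"]
  .map((name) => ({ name, type: "address" }))
  .concat(["tokenId", "price", "expiry"].map((name) => ({ name, type: "uint256" }))) };
const addr = (byte) => "0x" + byte.repeat(20);
const FILLED = { primaryType: "Order", types: ORDER_TYPES, message: {
  maker: addr("11"), recipient: addr("22"), tokenContract: addr("33"),
  tokenId: "7421", price: "2500000000000000000", expiry: "1700000000" } };
const BLANK = { primaryType: "Order", types: ORDER_TYPES, message: {
  maker: addr("11"), recipient: ZERO_ADDRESS, tokenContract: ZERO_ADDRESS,
  tokenId: "0", price: "0" } };
```

A wallet or signing proxy would show the `blanks` list to the user and require explicit confirmation of each entry before producing a signature.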

Imitation NFT store sites also exist that try to trick targets into giving up their credentials through email and social media phishing campaigns.

Crypto Wallet Security Cracking

While many are careful not to fall for phishing scams, what if someone sends you a free NFT as a gift? Accepting it could unleash a series of events that ends up compromising your crypto wallet. Researchers recently discovered an OpenSea vulnerability that works this way. The sequence of events goes like this:

  1. The attacker creates and gifts a malicious NFT to a target victim.
  2. Upon viewing the malicious NFT, a pop-up triggers from the OpenSea storage domain. The pop-up requests connection to the victim’s cryptocurrency wallet, a common request.
  3. To receive the gifted NFT, the victim opens up a wallet connection enabling access to their wallet.
  4. Attackers can extract money from the wallet by triggering an additional malicious pop-up.

This vulnerability has reportedly been fixed since then.

Fake NFT Support on Discord

Consider the social engineering ruse that took place on OpenSea’s Discord server. Attackers lurk on the instant messaging platform, waiting for someone to ask a support question. They then invite the unsuspecting target to a secondary, fake ‘support’ server.

After luring them to their server, attackers ask the target to enable screen sharing to solve the problem. The victim is then instructed to ‘resynchronize’ their MetaMask crypto wallet Chrome extension with their MetaMask app. Next, the victim is guided to perform the Configuration > Advanced > Sync with Mobile action chain, which eventually generates a QR code.

Attackers can then take a screenshot of the QR code and use the image to sync the wallet with their own MetaMask app. After syncing, the attackers can freely steal crypto funds from the victim’s wallet.

NFT Theft and Digital Art Scams

What about digital works of art? How do people steal them? When an NFT is minted, the created token is linked to a unique physical or digital object, such as a URL. So when you buy an NFT, you essentially buy the URL for it. If you make a counterfeit work of art, you could then sell it linked to a unique URL.

When selling NFTs on many marketplaces, artist verification may not be required. Online art thieves can simply copy, paste, mint and sell the artwork as their own. An Information Security Newspaper report explains that NFT buyers might end up purchasing illegally copied art. The scam doesn’t stop there. Later, victims might get a call from a blackmailer threatening to report them for owning stolen digital assets.

Redline Malware Scam

Threat actors can also pose as artist patrons. Through social engineering, these fake patrons set up social media pages and act as if they collect digital art. The scammers then approach artists, asking them to create something new. Once they get the artist to download a malicious file (via fake contracts, art samples, etc.), attackers can deploy Redline malware.

This attack enables threat actors to steal usernames, passwords and art files saved on device hard drives. Redline can also steal crypto wallet information from browser extensions and wallet.dat files.

Tweet Theft

Among the wide range of existing NFT scams, this one is the easiest to execute. An automated NFT tweet mining bot can convert tweets into NFTs.

Think tweets aren’t worth anything? Twitter founder Jack Dorsey’s first ever tweet sold for the equivalent of $2.9 million. If anyone posts their artwork in a tweet, attackers could steal it right from under their noses. This happened to artist RJ Palmer:

“Cool new scam artists should be aware of. Any rando can now turn your tweet and by extension, your artwork into an NFT by tagging this account @/tokenizedtweets Block this guy” — RJ Palmer (@arvalis), March 9, 2021

How to Improve NFT Security

Some ways to boost NFT security include:

  • Use multifactor authentication for all accounts
  • Learn how to spot phishing attacks and never click or download anything from suspicious or unsolicited emails
  • Beware of requests to create new art. Dig into the requester’s background, scour their social media site and get references if possible.
  • Use a hardware wallet instead of a software wallet
  • Note that you can use DMCA copyright infringement takedowns if someone steals your art.

The NFT universe is still in its infancy, and the opportunities are growing, as is the risk. For those who participate in NFT investments, it pays to remain up to date about security threats.
