The non-fungible token (NFT) boom has also led to some serious security incidents. For example, the number of suspicious-looking domain registrations with names of NFT stores increased nearly 300% in March 2021.

To participate in an NFT marketplace, you must have an active cryptocurrency wallet. This exposes NFT holders to new risks as attackers can find ways into your crypto wallet through your marketplace account.

As we’ll see, threat actors have even infiltrated NFT marketplace OpenSea’s Discord server posing as support staff to trick targets into sharing account access. Some use old-fashioned phishing techniques to lure NFT holders into transferring funds or giving up credentials. Let’s dig deeper into the emerging threats that heighten NFT security risk.

The NFT boom and security

In 2021, the NFT market was worth at least $40 billion. In January 2022, 2.4 million NFTs were sold on OpenSea, the world’s largest NFT marketplace. This was an increase of a million sales compared to December 2020. NFT sales by value also shattered records in January, with over $4.8 billion sold on OpenSea alone. Even traditional auction houses like Christie’s and Sotheby’s are now holding their own token auctions. With that much financial activity going on, threat actors were bound to take notice.

Old-fashioned phishing and NFT fraud

In February 2022, scammers stole hundreds of NFTs from OpenSea users, taking 254 tokens during the attack. The estimated value of the heist totaled more than $1.7 million, all within the span of about three hours.

OpenSea CEO Devin Finzer tweeted that victims were duped into signing an online contract to trade tokens, but the contract order details were left blank. With the authorization signature in place, attackers then filled in the contract details without the victim’s knowledge. This enabled transfer of NFT ownership to the attackers. It’s believed this attack occurred through some kind of phishing, perhaps an email with a false request for contract signatures.
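A wallet-side check for the blank-order trick described above, as an added example that is not from the original article or from OpenSea. The order layout, field names and the `optional` parameter are hypothetical; real marketplace orders use their own schemas.

```python
# Added example: the order layout below is hypothetical, not OpenSea's schema.
ZERO_ADDRESS = "0x" + "0" * 40

def is_blank(value):
    """True for values that commit the signer to nothing."""
    if value is None:
        return True
    if isinstance(value, bool):
        return False
    if isinstance(value, int):
        return value == 0
    if isinstance(value, str):
        v = value.strip().lower()
        if v in ("", "0x"):
            return True
        if v.startswith("0x"):
            return set(v[2:]) == {"0"}        # zero address or zero hash
        return v.isdecimal() and int(v) == 0  # amounts sent as decimal strings
    return False

def blank_fields(node, path=""):
    """Walk a signing request and list the path of every blank leaf."""
    if isinstance(node, (dict, list)):
        if not node:
            return [path]
        found = []
        pairs = node.items() if isinstance(node, dict) else enumerate(node)
        for key, child in pairs:
            if isinstance(node, list):
                sub = f"{path}[{key}]"
            else:
                sub = f"{path}.{key}" if path else str(key)
            found += blank_fields(child, sub)
        return found
    return [path] if is_blank(node) else []

def review_before_signing(request, optional=()):
    """Return (ok, problems); ok is False if any required field is blank."""
    problems = [p for p in blank_fields(request) if p not in optional]
    return (not problems, problems)

# Constructed sample requests (all values invented for illustration).
FILLED_ORDER = {"maker": "0x" + "ab" * 20, "taker": ZERO_ADDRESS,
                "token": {"contract": "0x" + "cd" * 20, "id": 4211},
                "price_wei": "1500000000000000000", "expiry": 1645400000}
BLANK_ORDER = {"maker": "0x" + "ab" * 20, "taker": ZERO_ADDRESS,
               "token": {"contract": ZERO_ADDRESS, "id": 0},
               "price_wei": "0", "expiry": 0, "calldata": "0x"}
```

Passing `optional=("taker",)` treats an unset counterparty as acceptable; every other blank field blocks the signature and is reported by path.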

Imitation NFT store sites also exist that try to trick targets into giving up their credentials through email and social media phishing campaigns.
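One way to triage newly registered domains for imitation store sites like those mentioned above (an added example, not from the original article). The brand list uses names that appear in this article, the official-domain allowlist is an assumption to adjust, and the sample domains are constructed on the reserved `.example` TLD.

```python
import re

BRANDS = ("opensea", "metamask")           # names mentioned in the article
OFFICIAL = {"opensea.io", "metamask.io"}   # assumed allowlist; extend as needed
HOMOGLYPHS = str.maketrans("013457", "oleast")  # digit-for-letter swaps

def edit_distance(a, b):
    """Levenshtein distance with a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain):
    """Return (brand, reason) for a lookalike domain, or None if it looks clean."""
    d = domain.lower().rstrip(".")
    if d in OFFICIAL or any(d.endswith("." + o) for o in OFFICIAL):
        return None
    name = d.rsplit(".", 1)[0]              # everything left of the TLD
    folded = name.translate(HOMOGLYPHS)
    for brand in BRANDS:
        if brand in name:
            return (brand, "brand name on a non-official domain")
        if brand in folded:
            return (brand, "homoglyph substitution")
        for token in re.split(r"[.\-_]", folded):
            if abs(len(token) - len(brand)) <= 1 and edit_distance(token, brand) == 1:
                return (brand, "one-character typo")
    return None

def scan(domains):
    """Map each flagged domain to its (brand, reason) finding."""
    return {d: hit for d in domains if (hit := classify(d)) is not None}

# Constructed sample feed of newly registered domains.
SAMPLE_DOMAINS = ["opensea.io", "support.opensea.io", "opensea-support.example",
                  "0pensea.example", "opensa.example", "metamsk-sync.example",
                  "opensea.io.login.example", "weather-news.example"]
```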

Crypto wallet security cracking

While many are careful not to fall for phishing scams, what if someone sends you a free NFT as a gift? Accepting it could unleash a series of events that ends up compromising your crypto wallet. Researchers recently discovered an OpenSea vulnerability that works this way. The sequence of events goes like this:

  1. The attacker creates and gifts a malicious NFT to a target victim.
  2. Upon viewing the malicious NFT, a pop-up triggers from the OpenSea storage domain. The pop-up requests connection to the victim’s cryptocurrency wallet, a common request.
  3. To receive the gifted NFT, the victim opens up a wallet connection enabling access to their wallet.
  4. Attackers can extract money from the wallet by triggering an additional malicious pop-up.

This vulnerability has reportedly since been fixed.

Fake NFT support on Discord

Consider the social engineering ruse that took place on OpenSea’s Discord server. Attackers lurk on the instant messaging platform, waiting for someone to ask a support question. They then invite the unsuspecting target to a secondary fake ‘support’ server.

After luring them to their server, attackers ask the target to enable screen sharing to solve the problem. The victim is then instructed to ‘resynchronize’ their MetaMask crypto wallet Chrome extension with their MetaMask app. Next, the victim is guided through the Configuration > Advanced > Sync with Mobile action chain, which eventually generates a QR code.

Attackers can then take a screenshot of the QR code and use the image to sync the wallet with their own MetaMask app. After syncing, the attackers can freely steal crypto funds from the victim’s wallet.

NFT theft and digital art scams

What about digital works of art? How do people steal them? When an NFT is minted, the created token is linked to a unique physical or digital object, such as a URL. So when you buy an NFT, you essentially buy the URL for it. A counterfeit work of art can be sold the same way, linked to its own unique URL.

When selling NFTs on many marketplaces, artist verification may not be required. Online art thieves can simply copy, paste, mint and sell the artwork as their own. An Information Security Newspaper report explains that NFT buyers might end up purchasing illegally copied art. The scam doesn’t stop there. Later, victims might get a call from a blackmailer threatening to report them for owning stolen digital assets.

Redline malware scam

Threat actors can also pose as artist patrons. Through social engineering, these fake patrons set up social media pages and act as if they collect digital art. The scammers then approach artists, asking them to create something new. Once they get the artist to download a malicious file (via fake contracts, art samples, etc.), attackers can deploy Redline malware.

This attack enables threat actors to steal usernames, passwords and art files saved on device hard drives. Redline can also steal crypto wallet information from browser extensions and wallet.dat files.

Tweet theft

Among the wide range of existing NFT scams, this one is the easiest to execute. An automated NFT tweet mining bot can automatically convert tweets into NFTs.

Think tweets aren’t worth anything? Twitter founder Jack Dorsey’s first ever tweet sold for the equivalent of $2.9 million. If anyone posts their artwork in a tweet, attackers could steal it right from under their noses. This happened to artist RJ Palmer:

“Cool new scam artists should be aware of. Any rando can now turn your tweet and by extension, your artwork into an NFT by tagging this account @/tokenizedtweets Block this guy” — RJ Palmer (@arvalis), March 9, 2021

How to improve NFT security

Some ways to boost NFT security include:

  • Use multifactor authentication for all accounts
  • Learn how to spot phishing attacks and never click or download anything from suspicious or unsolicited emails
  • Beware of requests to create new art. Dig into the requester’s background, scour their social media site and get references if possible.
  • Use a hardware wallet instead of a software wallet
  • Note that you can use DMCA copyright infringement takedowns if someone steals your art.

The NFT universe is still in its infancy, and the opportunities are growing, as is the risk. For those who participate in NFT investments, it pays to remain up to date about security threats.
