Because it happens as an “invisible” digital interaction, theft of NFTs is more widespread than previously thought.
Non-fungible tokens (NFTs) are unique and irreplaceable digital assets that, by their nature, have an intrinsic value. They can be digital art, photography, GIFs, avatars, memes, 3D objects, domain names, trading cards, virtual land, music or other digitally tradable tokens. Each has a unique identifier that allows it to be sold or traded via the blockchain.
There is a concerning trend sweeping the blockchain community. NFT holders are regularly targeted by account takeover (ATO) fraud, including members of top-tier NFT collections such as Bored Ape Yacht Club, CryptoPunks, Decentraland and NBA Top Shots…passwords. These credentials are obtained by buying lists on the dark web, usually compiled from data breaches, social engineering or phishing attacks, and then submitted in bulk to website login forms (so-called “credential stuffing”) to gain fraudulent access to user accounts. Despite decades of advice from computer security experts, users still reuse passwords across multiple sites and don’t always change them when notified of a breach.
NFTs themselves are recorded on the blockchain, but they are bought and managed through a digital wallet and traded on marketplaces. These are sites like Rarible and OpenSea that settle in Ethereum (ETH) and charge a flat fee per transaction plus a gas fee (the amount of ETH a user of the Ethereum network must pay to have a transaction executed on the network). A digital wallet or cryptocurrency exchange is only as secure as the passwords and credentials that protect it. Because NFT ownership is verifiable on-chain, yet digital currency provides anonymity to the holder of an address, once an account is taken over and the NFT is transferred to another blockchain account, the new owner is virtually untraceable.
Even though the examples below grabbed the headlines and are not representative of the average value of an NFT in each collection, what we should remember is that this industry attracts more and more attackers. Attacks become more frequent as NFTs become more popular and easier to trade, entering the zeitgeist of the digital age.
After a phishing attack in June 2022, four NFTs were stolen from one collector’s crypto wallet. One of them, a unique Bored Ape icon, was the star of his next series, which was already in production. He was forced to appeal via Twitter to the new owner, who appeared to have bought it in good faith, and it cost him 165 ETH (around $297,000 at the time) to get it back. Todd Kramer, owner of Chelsea Art Gallery, had NFTs worth an estimated $2.3 million stolen by fraudsters in December 2021, who then listed them on a peer-to-peer NFT marketplace.
The OpenSea platform ran into further problems in February 2022, when an attacker used a phishing attack to steal 254 tokens worth more than $1.7 million in less than three hours. In March 2022, malicious actors used compromised accounts on the Nifty Gateway platform to buy and sell hundreds of thousands of dollars’ worth of NFTs, charging the gas and trading fees to the affected users’ credit cards.
There are also many cases of fraudsters opening fake accounts on NFT marketplaces such as OpenSea and selling artwork that does not belong to them. To avoid buying counterfeit artwork, check the official websites, Discord servers and verified marketplace profiles carefully before purchasing.
DappRadar’s latest NFT industry report shows smaller NFT marketplaces gaining market share and higher trading volume among new NFT ventures, perhaps a sign that buyers and traders worry about becoming a target for scams if they invest in more expensive NFTs. NFTHerder tweeted to his 44,000 followers that 22 NFT Discords were hacked in the first six days of June, mostly as a result of avoidable mistakes by NFT team members and investors who only dealt with security after the incident. Discord is valuable to the NFT community, but it needs clear rules and user education.
Preventing account takeover fraud requires multi-layered, intent-based detection that identifies malicious login attempts and produces clear, actionable insights. Context is essential for effective mitigation: being able to see clearly which user accounts and sites are under attack, what methods are used, and whether the credentials are already publicly available is key. Users demand more protection, and exchanges need to reassure their users when they make deals.
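As an added illustration of the credential-stuffing pattern described above and of the context a defender needs (which accounts, from which source, which logins succeeded), here is a small detector run over a constructed login log. It is example code, not from the original article or any marketplace; the log format (timestamp, source IP, account, result) and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login log (not from any real platform): time, source IP, account, result
SAMPLE_LOG = """\
2022-06-03T10:00:01Z 203.0.113.7 alice FAIL
2022-06-03T10:00:02Z 203.0.113.7 bob FAIL
2022-06-03T10:00:02Z 203.0.113.7 carol FAIL
2022-06-03T10:00:03Z 203.0.113.7 dave FAIL
2022-06-03T10:00:03Z 203.0.113.7 erin OK
2022-06-03T10:00:04Z 203.0.113.7 frank FAIL
2022-06-03T10:05:00Z 198.51.100.9 alice FAIL
2022-06-03T10:05:30Z 198.51.100.9 alice OK
"""


def parse_line(line):
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result


def detect_stuffing(log_text, window=timedelta(minutes=5), min_users=5):
    """Return {source_ip: [accounts tried]} for sources that attempt at least
    `min_users` distinct accounts inside one `window`. Many accounts from one
    source is the stuffing signature; one account failing repeatedly (a brute
    force or a forgetful user) is deliberately not flagged here."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    by_ip = defaultdict(list)
    for ts, ip, user, _ in events:
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, attempts in by_ip.items():  # attempts are already in time order
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1  # slide the window forward
            if len({u for _, u in attempts[start:end + 1]}) >= min_users:
                flagged[ip] = sorted({u for _, u in attempts})
                break
    return flagged


def takeovers(log_text, flagged):
    """Accounts that logged in successfully from a flagged source: the likely
    takeovers to lock and push through a forced password reset."""
    return sorted({user for _, ip, user, result in
                   (parse_line(l) for l in log_text.splitlines() if l.strip())
                   if ip in flagged and result == "OK"})
```

On the sample log the first source is flagged for trying six accounts within seconds, while the second source (one user failing once, then succeeding) is not, and `takeovers` singles out the one account that was actually entered.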
We also have a personal responsibility: we must stop reusing passwords! Use a password manager to store all your passwords and any other sensitive information you need at your fingertips. One thing is certain: whether on a platform or an exchange, transactions must be safe and reliable, and wallets and platforms should be secure and worry-free. Users must take responsibility for their digital assets, but any service that lets users buy, sell, auction or create NFTs on the blockchain must prove that it is doing its best to protect them.