What are NFTs?
Non-fungible tokens (NFTs) are unique and irreplaceable digital assets that, by their nature, have an intrinsic value. These could be digital art, photography, GIFs, avatars, memes, 3D objects, domain names, trading cards, virtual land, music, or other digitally tradable tokens. Each contains a distinctive identifier that allows them to be sold or traded via blockchain.
NFTs and theft
If you ask a cyber extortionist what’s hotter than NFTs right now, they’ll probably say NFT theft. There’s a trend sweeping the blockchain community, and it’s a worrying one. NFTs are stolen by account takeover fraud and account hacking regularly – and blue-chip NFT collections, like Bored Ape Yacht Club, CryptoPunks, Decentraland, or NBA Top Shots, can easily sell for tens of thousands of USD per token.
Using account takeover (ATO) fraud, bad actors take ownership of online accounts using stolen usernames and passwords. These can be acquired through the purchases of lists of credentials on the dark web – typically from data breaches, social engineering, or from phishing attacks – then used to bulk submit these (known as ‘credential stuffing’) to website login forms to fraudulently gain access to user accounts. Despite decades of advice from IT security experts, users still reuse passwords across multiple sites and don’t always change them when they are notified of breaches. This is a recipe for disaster.
NFTs are stored on the blockchain, but NFTs are purchased and managed in a digital wallet and through marketplaces used for trading. These are sites such as Rarible, which is partnered with Adobe and uses the Ethereum (ETH) currency, charging a flat 2.5% fee on every transaction plus any gas fees (the amount of ETH needed for an ETH blockchain network user to perform a trade on the network). A digital wallet or cryptocurrency exchange is only as safe as the passwords and credentials protecting it. As NFTs allow for verifiable ownership, and with the anonymity that digital currency provides, once an account takeover has happened and an NFT has been transferred to another blockchain account, the new owners are virtually untraceable. One of the primary tenets of cryptocurrency is the elimination of possible centralized intervention – making this doubly hard to fix any ownership issues. Bear in mind that many individual NFTs have sold for over USD 1M each, with one single NFF reselling for nearly USD 70 million.
Being an ‘invisible’ and digital interaction, NFT theft is far more prevalent than one may believe. This is a clear call for better digital protection. After a phishing attack in June 2022, Robot Chicken co-creator and Family Guy/Austin Powers trilogy star Seth Green had four NFTs stolen from his crypto wallet. One of these NFTs, a unique Bored Ape token, was to be the star in his upcoming series which was already in production. He was forced to appeal via Twitter to the new owner, who appeared to have bought it in good faith, costing him 165 ETH (around USD 297,000 at the time) to recover it. In another case, Todd Kramer, a Chelsea art gallery owner, had around USD 2.3 million worth of NFTs stolen by scammers in December 2021, and listed on the peer-to-peer NFT marketplace OpenSea. The OpenSea platform had further issues in February 2022, when an attacker used a phishing attack to steal two hundred and fifty-four tokens in under three hours, totaling over USD 1.7 million in profits. In March 2022, bad actors used cracked accounts in the Nifty Gateway platform to buy and sell hundreds of thousands of dollars worth of NFTs, charging the affected users’ credit cards for gas and trading fees.
Attacks are more prevalent as NFTs become more popular, easier to trade, and enter the digital zeitgeist. So what can we do about it?
Preventing NFT theft
At the exchange
The cryptocurrency exchanges say that they are doing their best but that they are the middle man and can only do so much. OpenSea, for example, can’t return stolen NFTs as they are stored on the Ethereum blockchain. They can only stop them from being traded within OpenSea.
“OpenSea is a blockchain explorer, meaning our goal is to provide the most comprehensive view into NFTs across different blockchains. We do not have the power to freeze or delist NFTs that exist on these blockchains, however, we do disable the ability to use OpenSea to buy or sell stolen items. Since this issue emerged, we’ve built security tools and processes to combat theft on OpenSea. We are actively expanding our efforts across customer support, trust and safety, and site integrity so we can move faster to protect and empower our users.”
Cryptocurrency exchanges can, however, make use of professional account takeover protection without any loss from legitimate transactions or reduction in site performance. Preventing account takeover fraud requires multi-layered, intent-based detection to identify malicious access attempts – with low false positives and clear and actionable insights. Context is critical for effective mitigation, and it’s critical to be able to clearly see which user accounts and sites are under attack, what techniques were used, and whether the credentials are publicly available. Users are demanding more protection in the marketplace and these exchanges need to put their users’ minds at ease when conducting transactions. As such, it’s important to inform customers when an attempt to take over their account is detected and blocked, even if this is done so automatically, and to utilize this opportunity to recommend further ways the customer can avoid the risk and foster best practices.
Personal responsibility
It’s 2022. I don’t know who needs to hear this, but stop reusing passwords!
For as little as a couple of USD a month you can get an excellent password management tool where you can store software licenses, all your passwords, and any other sensitive information you might need at your fingertips – on your desktop, laptop, or on the move. All of this is sealed behind a single master password and complex password generator, meaning everything can be different and there’s only one localized key you need to know. Set up is easy, and they work across multiple platforms and devices. Asking around our team we personally use 1Password, Zoho, RoboForm, LastPass, LogMeOnce, Bitwarden, and Keeper.
When we do have to create a password we should avoid all the usual 7-letter clichés, and consider using a password system to avoid creating logins you can’t remember. You should also change them frequently. Many of the password management tools have random password generators, which is obviously the preferable approach.
Save the apes
In order to grow the NFT market, and any platform or exchange, transactions have to be safe and reliable. While investment in exchanges and platforms appears to be forthcoming the art world, and the investment world, have mixed feelings about NFTs. Wallets and platforms need to be secure and worry-free.
Users need to take responsibility for their digital assets, but any service allowing users to buy, sell, auction, or create NFTs on the blockchain where millions of US dollars could be changing hands must demonstrate they are doing their best to protect their users from account takeover and fraud. They must promote best practices and be seen as a reliable repository if they are to succeed – regardless of their other responsibilities. Good account takeover security is good PR, and NFT portfolio platforms will need that in the years to come if the medium is to be trusted beyond early adopters and further normalize investment in the crypto community.
Try Imperva for Free
Protect your business for 30 days on Imperva.