WatchGuard Blog

Cyberattacks Targeting NFT Marketplaces and Cryptographic Aficionados

Everything technology touches gets a digital makeover, and the creative space is no exception. Non-fungible tokens (NFTs) are virtual assets that represent objects influenced by art, music, games, and videos. You can only buy them online, likely with cryptocurrency.

NFTs are generally encoded with the same underlying software as many cryptocurrencies. In fact, they are part of the Ethereum blockchain, a cryptocurrency, like bitcoin or dogecoin. Each cryptographic token is unique, so no two NFTs in the blockchain space are identical.

NFTs and their controversial value

The worth of NFTs is a highly controversial topic. Some see them as a collection of JPEGs and PNGs that are mostly publicly available on the Internet; others see them as highly regarded digital objects and are willing to pay hundreds, millions of “dollars,” only in the form of cryptocurrency. The argument here is that those who own NFTs don’t actually hold copyrights on them.

Security risks in NFT marketplaces

Smart contracts

As with cryptocurrency in general, this is a space that lacks governance and regulation. With smart contracts, which are used to process payments and manage token transfers, the risk of exposing sensitive information is high. The quality of the code used to develop smart contracts is critical to avoid phishing scam vulnerabilities. Experts in blockchain also recommend that security audits be performed to identify any coding errors.

Identity fraud

Similarly, identity fraud is a high risk in the NFT world. Cyberattackers can gain access to a user’s crypto wallet through malware or phishing and steal tokens by transferring them to other wallets or marketplaces. Given the ambiguity surrounding true ownership, once NFTs are stolen it’s practically impossible to verify authenticity. 

Recent attacks

OpenSea, one of the largest NFT marketplaces, and Bored Ape Yacht Club have both fallen victim to threat actors using a similar attack: a scammer compromises an account (YouTube, Instagram) and promotes a fake giveaway pretending to offer airdrops (a common initiative in the crypto space that distributes tokens to wallet addresses to promote the concept of virtual currency). This tricks users into clicking on a phishing link. The result?

  • OpenSea – May 2022: 13 artworks stolen that together have a value of $18,000
  • OpenSea – April 2022: 254 tokens stolen at an estimated value of more than $1.7 million
  • Bored Ape Yacht Club – April 2022: Four Bored Apes, as well as a host of other NFTs with an estimated total value of $3 million

Regardless of the controversy around it, the non-fungible token community is growing, and there is no doubt that there are users who believe in its value and are willing to claim ownership. Given the dynamics at play in this type of space, the discussion on improving cybersecurity belongs to both the platforms selling NFTs and the users.

Pro tips for NFT users

  • Choose a secure crypto wallet with reliable user privacy criteria and one that encrypts your data
  • Enable multi-factor authentication
  • Use strong passwords
  • Run wallet backups frequently
  • Use a private Internet connection
  • Assess the content and sources if you’re targeted with an airdrop offer
