Hackers Want Your NFTs
We're starting to see more security incidents around NFTs. Prepare accordingly!
Metaversal is a Bankless newsletter for weekly level-ups on NFTs, virtual worlds, & collectibles
Dear Bankless Nation,
We’re starting to see an influx of really talented people around the NFT ecosystem as these digital assets become more popular.
Unfortunately, a small but growing number of these newcomers are hackers who have the means, knowledge, and incentives to profit around NFTs in whatever ways they can.
This is why it’s so important in the ongoing NFT boom to circle and highlight the security basics over and over again. What are the threats that NFT users face, and how can we fight them?
In this Metaversal write-up, then, we’ll be exploring some of the main ways hackers can approach the NFT ecosystem and the best measures you can undertake to defend your NFTs against them. 🔐
-WMP
🙏 Sponsor: Unstoppable—get a .crypto NFT domain to make payments simpler!
Enter to win an NFT-friendly domain name!
Unstoppable is giving away a .crypto domain name each week to Metaversal readers! Enter your email here every week for a chance to win. ✌️
Congratulations to subscriber Larry Ketchersid for winning the previous domain giveaway! Enjoy your new .crypto NFT! 🎉
Hackers Want Your NFTs
Whenever the cryptoeconomy heats up, it attracts the attention of people from all walks of life. This includes blackhat hackers, who are starting to show up in greater numbers to capitalize on nefarious digital heists.
NFTs, which have been breaking into the mainstream lately, have increasingly become targets for blackhats accordingly. And unfortunately, these attackers have a range of techniques they can use to steal your NFTs if proper precautions aren’t taken. Attack vectors include:
Command & control attacks, which let hackers deploy files to computers in order to steal login info and beyond.
Keylogging incidents, which entails malware that records keystrokes to hunt for passwords.
Screenscrapings, where malware is used to record sensitive data visually scraped from device screens.
DNS compromises, where hackers take control of a website’s domain and then manipulate it, e.g. creating an interface that authoritatively asks for users’ wallet seed phrases.
Incidents on the Rise
In recent days, there have been a number of security incidents that have affected NFT-centric projects or have the ability to affect certain NFT users. Again, NFTs are increasingly valuable and more hackers are probing for illicit ways to capitalize on them.
Just within the last week we’ve seen:
Social token platform Roll’s hot wallet acutely compromised, which led to an attacker selling-off some of the supply of NFT-based social tokens like $WHALE and $SKULL.
Attackers targeting Nifty Gateway users who don’t have 2FA security enabled, with a handful of users having their accounts — and thus their NFTs — taken over so far via password compromises.
Some DeFi projects like C.R.E.A.M. Finance temporarily lost control of their DNS names, which allowed the culprits to surreptitiously request users’ wallet seed phrases directly from app.cream.finance for a time. More than a few NFTers also user DeFi apps like C.R.E.A.M., so if any followed through with the seed request, then any NFTs in their addresses would be jeopardized.
Defending Your Digital Assets
So what can we do in the face of these blackhat threats?
Fortunately, there’s a combo of defensive measures we can take to capably defend our crypto and NFTs from talented attackers. Justin Ouellette, an NFT creator and collector among other things, had a slam dunk tweet earlier today covering some of the basics of these measures.
The first point, on password reuse, is really key. I suspect some of the MetaMask and NiftyGateway compromises we’ve seen lately have been from previously breached passwords that are reused. So that’s a big no-no. Additionally, relying on 2FA is a must if you’re building up a considerable NFT collection on centralized platforms like Nifty Gateway. The importance of never giving out your seed phrase can also never be overstated!
I’d lastly just add a few things. One, a hardware wallet is one of the single best security investments you can make for your NFTs. These “cold wallets” put you in decisive control of your NFTs and are virtually impossible to attack in most conditions, so consider them the foundation for any safe NFT vault.
Other points to consider are spreading out your NFT activities across multiple wallets, so you never have all your digital eggs in one basket, and avoiding sketchy sites and files at all costs. We never want to make things any easier for hackers, right, especially if we sometimes move NFTs through more vulnerable hot wallets!
Action Steps
Set aside some time to review the security around your NFT activities. Make improvements wherever applicable!
Metaversal is a Bankless newsletter. Subscribe to the full Bankless program today!
🙏Thanks to our sponsor
Unstoppable Domains
Send & receive crypto with human-readable blockchain NFT domain names! No renewal fees. No more worrying about sending to the wrong address.
Your Bitcoin and Ethereum addresses deserve a domain name!
👉 Get your .crypto domain now!
👉 Enter weekly contest for a chance to win a free domain!
Not financial or tax advice. This newsletter is strictly educational and is not investment advice or a solicitation to buy or sell any assets or to make any financial decisions. This newsletter is not tax advice. Talk to your accountant. Do your own research.
Disclosure. From time-to-time I may add links in this newsletter to products I use. I may receive commission if you make a purchase through one of these links. I’ll always disclose when this is the case.
Thanks William. Btw I have been scouring the web for info regarding 2FA @ OpenSea, but no luck (haven’t had any problems but I am concerned, especially after the recent NGateway hack). Any word on this? Greatly appreciated.