Can NFTs be stolen?
Author: Mandee McFerren
Source: https://unsplash.com/photos/9SoCnyQmkzI Can NFTs be stolen?
Last week multiple news sources confirmed that a hacker had stolen NFTs worth £1.25 million from 32 users on the widely used crypto platform OpenSea. The perpetrator of the attack remains unknown, with estimates that at least 254 NFTs were stolen, causing widespread concern and fear across the crypto community over the safety of assets.
This may come as a surprise for many as cryptocurrency and NFTs are often touted for their safety due to the decentralized nature of the blockchain. However, the high earning potential for both crypto and NFTs has driven criminals to discover ways in which to steal these newer digital assets.
With millions of dollars on the line, how can owners of NFTs be sure they are protected? Are there ways to protect NFT and crypto investments from theft?
The answer is probably simpler than some may imagine. Crypto investments can be protected in a very similar way to physical assets – by being aware of threats and ensuring one is alert to how criminals can take control of someone else's crypto. Just as homeowners can protect their own homes with alarm systems and general safety awareness (most of the time), a comparable mindset can be put towards the digital space.
Before anything, it is important for buyers to know how criminals are able to “steal” crypto. One might assume due to the digital nature of the market that hackers are responsible for stealing NFTs, in the same way that people get their email or online accounts hacked. While
that can be a rare possibility, the sheer size of the blockchain and its decentralized structure make that method difficult. Instead, the overwhelming nature of NFT theft is through the age-old method of scamming.
Unlike the physical aggression needed to break into your house or rob you on the street, the required method for most NFT thefts involves multiple steps, with the criminal party taking advantage of the victims trust, either in themselves or in a false website or company. Through this, the criminal party can then uncover someone's crypto wallet information – namely passwords, or “keys.”
According to CoinBase, an American company that operates a cryptocurrency exchange platform, crypto wallets store your private keys, keeping your crypto safe and accessible. Keys, in the realm of crypto, are the passwords that give you access to your cryptocurrencies. Having a crypto wallet also allows you to send, receive, and spend cryptocurrencies like Bitcoin and Ethereum.
To enter a crypto wallet, you need two cryptographic keys — a public key that encrypts data and a private key that decrypts data. If the owner loses or forgets their keys, they can also use their “seed phrase”, which includes a string of 12-24 words that confirms the owners identity and allows a user to recover their crypto assets even if they lose access to their wallet.
The seed phrase is one of the most important elements to safeguard if one wants to keep their crypto wallet and assets secure. If someone can obtain someone's seed phrase, they can easily access the victim’s wallet, transferring the victim's assets to their own separate account. Many crypto security experts recommend keeping seed phrases extremely private, ideally not stored in any digital format or anywhere that people can easily find.
Scammers have also been successful in entering people’s wallets through false claims that they are interested in buying their assets (NFTs.) In these instances, the criminal party would deceive their victims into signing partial digital contracts regarding the sales or trades using a phishing email, which is an email that appears to be from a well-known or trusted source asking the consumer to provide personal identifying information. Once they obtain the victims information, they are able to access the victim’s keys and wallet, transferring the contents of the victim’s wallets to their own.
Webhooks can also be used by scammers to enter crypto wallets. Like phishing emails, criminals can also collect information via hacked webhooks – API features that power one-way data sharing on websites triggered by events and frequently take the shape of notifications. If hacked, webhooks can send convincing looking links to unsuspecting victims who assume that the link is coming from the trusted, notification-sending website, leading them to input their information.
Along with phishing and APIs, criminals can also hack support systems, impersonating support technicians of trusted websites in order to trick unsuspecting users into handing over their crypto keys or information.
Deception and scamming are by far the most common ways that NFTs and crypto are stolen, using false pretenses to convince victims that giving over their personal information is safe. While scamming is the most common, criminals can access victims' wallet information via hacking if cybersecurity on NFT platforms is not secure. This is why on top of personal responsibility, it is important to only attach your wallet to trusted platforms.
The sector of cryptocurrency and NFTs is still relatively new, meaning that the holes criminals use to take advantage of victims have not all been found and are not widely known. As with any market that makes money, there will surely be criminals trying to find ways to steal assets. While the digital world is continuously evolving, investors must consequently evolve in their awareness of threats and stay alert against anything that seems out of the ordinary.