Here’s How the Dark Side of Web3 Gets Away With NFT Theft
How do NFT burglars pull off heists worth millions or even billions of dollars while remaining undetected? Since cryptographic transactions are written down on a public ledger, it should be easy to find out who did it. But this is more complicated than being familiar with the area, and finding out the whole tale could help us all better defend ourselves against future attacks. Despite this, NFT thieves are extremely difficult to apprehend. Part of the problem is that successful NFT thieves live on the cutting edge of the industry.
High art theft, celebrity victims, and NFT theft
Even though there are many more stolen NFTs than those belonging to famous people, very few are recovered. High-profile NFTs like Moonbirds, Mutant Ape Yacht Club, and Bored Ape Yacht Club were the targets of the priciest NFT thefts. Many people have lost a lot of money because these NFTs are expensive and used by many. The owner of an art gallery, Todd Kramer, lost almost $2.2 million on NFTs. Steven Galanis, a co-founder of Cameo, lost more than $200,000 in NFTs and cryptocurrencies. To gain the rights to utilize it in his upcoming TV series, White Horse Tavern, actor Seth Green lost four NFTs and paid $269,000 to get one back.
How NFT criminals escape detection
The procedures for carrying out a theft are relatively simple. A theft typically starts with a phishing attack and concludes with mixing cryptocurrency and making a withdrawal. The significant actions a thief is likely to do are as follows: gain control over or access to the victim’s online cryptocurrency wallet.
- Transferring cryptocurrency and NFTs from the victim’s wallet to your own
- Sell NFTs cheaply to ensure a quick exchange.
- Send cryptocurrency through a cryptocurrency mixer from the burglar’s wallet.
- Draw mixed cryptocurrency to a third wallet to obfuscate the trail (more on this below)
- Let’s examine the first stage of that process in more detail before exploring why Web3’s transparency is ineffective in identifying crooks.
How NFT criminals access your cryptocurrency wallets
Trusted NFT marketplaces put a lot of effort into maintaining a high degree of security and protecting their clients from fraud. They’ve been mainly successful in preventing hackers thus far. However, criminals and hackers have used fake websites, emails, and social media to carry out other tactics successfully. These NFT theft tactics are the most typical ones. Then we’ll open them up.
- Email phishing scams are common.
- Phishing assaults on forums and social media
- Ice phishing: Taking advantage of smart contracts
- Bugs in the market and security holes
- The typical email phishing attack
Most internet users know about phishing scams, especially those that employ email. They begin with an email that appears to be sent by a bank, the post office, or another service provider. The notice asks you to click a link immediately, finish a transaction, or reset your password. When you click the link, a fake website that asks for your username and password will redirect you there. NFT phishing campaigns have included everything from formal requests to change passwords to (obviously) limited-time offers of free tokens through privileged airdrops.
The phony website is frequently designed to resemble the marketplace as closely as feasible. This includes the tactic known as “typosquatting,” in which the URL is very similar to the URL of the targeted site. This makes it more likely that hackers will find more victims through natural traffic, who won’t notice the small mistakes. Like traditional phishing attempts, this method gives NFT thieves access to their victims’ wallets, which are then emptied by the process described above.
Phishing assaults on forums and social media
An extensive network is essential for traditional phishing emails, but for NFT thieves, the number of possible victims drops significantly. They use additional channels As a result of conducting phishing scams. This might be one of the reasons why major NFT heists frequently target celebrities. In one instance, hackers could log into the Discord server of the Bored Ape Yacht Club. From there, they disseminated malicious links to a group of very interested NFT holders. Thieves have stolen NFTs less dramatically by sending direct messages to known NFT holders while pretending to be support staff for wallet software on Twitter.
NFTs’ ice phishing
The numerous paths scammers can take are as complex as they are novel, as with most Web3-related things. Hackers have made “intelligent contracts” that let them empty their victims’ wallets instead of getting them to give them their passwords. Hackers can do this to get around security features like two-factor authentication (more on that below).
In an ice phishing assault, an intelligent contract interface is built up to look like it originated from a well-known platform. If the victims aren’t cautious and diligent, they can miss that hacked smart contracts have different addresses. For the media to work, users must sign intelligent agreements that give the media permission to make trades on their behalf. This could be for a fully automated liquidity mechanism, like the ones used by Uniswap and SushiSwap.
1/ Stolen items and scams are big issues in the NFT space. So, we’ve been hard at work on 2 new solutions to address both on OpenSea:
Introducing Malicious URL Detection and Removal 🚫 and Theft Detection and Disablement 🔐
— OpenSea (@opensea) November 2, 2022
Even the DeFi protocol Badger DAO was the target of an ice phishing assault in late 2021. Hackers could steal $121 million in just 10 hours by inserting a malicious script. This Microsoft Security page on ice phishing attacks provides a detailed strategy description.
Bugs in the market and security holes
The protocols used for NFT smart contracts feature flaws and flexibility that NFT thieves have taken advantage of. In one strategy, like ice phishing, the hackers left blank fields in intelligent contracts and filled them in after the targets had signed them. Another method attempted to take advantage of a flaw in the transfer history of OpenSea. Certain users had moved NFTs from one wallet to another. Users allegedly did this to avoid paying the gas fees required to validate transactions on the blockchain, as reported by The Verge. This had malicious intent, even if it wasn’t a hack.
Since these users hadn’t updated the smart contracts for their NFTs, they were vulnerable to an OpenSea flaw. Accordingly, the transaction history and gasoline surcharges were no longer visible. When these users sent their NFTs back to their old wallets for listing, the NFTs were automatically listed at the last price verified on the blockchain. However, the previous listing was still visible to everyone on the blockchain.
Popular NFTs were purchased at discounted prices and then sold for exorbitant prices. For one malicious OpenSea user, this led to a rapid profit of over $904,000 worth of ETH in a single day. This reignited discussions about the decentralized, ungoverned Web3’s accountability structures. We’ll discuss that again.
Why Web3’s transparency hasn’t prevented NFT theft
Any thief in the Web3 area requires a reliable exit strategy, regardless of the method. Since everyone can see every transaction on the blockchain, it is hard to steal NFTs. An NFT thief has various choices after selling a stolen NFT collection and earning cryptocurrency, primarily ETH:
- Sell cryptocurrency as quickly as you can for money on an exchange.
- Transfer ETH to co-conspirators’ wallets in return for fiat
- Attempt to disappear, then wait a while.
The trail becomes more challenging if the NFT crooks successfully convert their cryptographic treasure into fiat money. From there, they can employ money laundering, an antiquated criminal strategy. Put the illegal funds into a legitimate enterprise and combine them with legal funds. Many early Web3 adopters placed a high value on privacy because NFT burglars and other hackers are known to use these features to hide their tracks. However, by taking advantage of Web3 privacy improvements, criminals can combine cryptography to make their actions appear legal. As a result, there has recently been discussion about cryptocurrency mixers like Tornado Cash, UniJoin, and Blender.io.
Cryptocurrency mixers offer intelligent contracts that let users add pre-set amounts of ETH to pools with up to 60,000 transactions. After a certain amount of time, the deposited ETH can be moved to other wallets using a token from the smart contract. Transaction tracking is nearly impossible due to the pooling mechanism. A shocking amount of crypto-laundering has been connected to Tornado Cash. Because of this, the U.S. Treasury Department told people they couldn’t use Tornado Cash and shut down the Tornado Cash website.
Roman Semenov, a co-founder of Tornado Cash, was also expelled from GitHub. The open-source mixing protocol can still be used, and a cryptography professor even published it again on Github to gauge the site’s tolerance for free expression. Microsoft owns GitHub. So, it is unclear if laws will stop criminals from using cryptocurrency or if they will hurt the privacy of regular users.
Also read: NFTs Are Going To Be More Than Art Tokens In Coming Time.
How NFT theft undermines the core principles of Web3
The motto of Web3 up until this point has been “code is the law.” A transaction is a fact after it has been validated on a blockchain. The foundation of Bitcoin, the first peer-to-peer cryptocurrency, is this. And it was this strategy that allowed Web3 to be developed without the aid of regulators or centralized authorities. But Web3 might have trouble if many people who don’t know much about technology use it. When NFT theft and “unintended discounts” happened, the people who owned NFTs often made themselves easy targets.
This could be a red flag that a conviction in self-detention and accountability doesn’t drive those who possess NFTs and read up on the code as part of their research. If the NFT community isn’t flexible, regulators and markets working to stop NFT theft might have to change the core of Web3. There are already warning signs:
- The victims of celebrity NFT theft have pleaded for assistance.
- Authorities have deactivated websites and detained open-source developers.
- Markets like OpenSea’s stolen item policy advised victims to notify the police while freezing accounts and NFTs.
- MetaMask, a popular cryptocurrency wallet, now explicitly advises users to read the small print.
Numerous more user-friendly and regulated initiatives might emerge to serve less tech-savvy customers. This might signal the start of a Web3 fork as we now know it. Whether you think this is a good idea, let’s consider the best strategies to prevent NFT theft.
How to prevent NFT theft
After his cloud photo album was compromised, Danish IT journalist Nikolaj Sonne had his Bitcoin wallet emptied. Most of the time, the NFT holders’ actions (or lack of activities) made it more likely for them to be stolen. Here’s how to steer clear of being that person: Write down a copy of your recovery phrase. Yes, you may engrave it on a stone as well. However, create an analog, offline backup of your backup recovery phrase. Never post your crypto wallet’s recovery phrase online. Not even in the form of a picture of your handwritten paper backup.
Make two-factor authentication available (2FA)
It’s one thing to have your password stolen. However, protecting access to the device you use for the second authentication stage is a different type of theft. So use a hardware 2FA key like Google’s Titan Security Key or a 2FA program like Google Authenticator to protect your NFTs.
Keep your NFTs in cold wallets by themselves.
“Hot wallets” are digital currency online wallets. They can be hacked or disappear along with the firm that created them because they are online. Moving your NFTs and cryptocurrencies to an offline hardware wallet means they can no longer be stolen. Trezor, Ledger, and Ellipal are three well-known cold wallets.
Protect your neighborhood with Web3 authentication
The importance of content gating is growing as the NFT community develops. Only people who are allowed to should be able to see the information around your NFT. This can only be done with secure multi-tier access. We can easily protect this component of NFT ownership from would-be criminals over at SlashAuth.
Theft is likely to continue to go unpunished.
The unfortunate reality is that NFT theft is likely to continue to be a problem for a while. Some advancements raise the prospect of increased security, but there is a high possibility that the public will reject them or that thieves will find ways around them. There will probably be more rules and oversight in the future, but this is expected to hurt privacy. It might not be worth the cost for many people. Additionally, new programs like Verasity’s NFT authenticator are being developed. These could make a big difference in how safe users feel, but they could also encourage hackers to create new ways to take advantage of owners.
Asset protection ultimately depends on the individual. We all need to do our best to defend our belongings, and Web3 as a whole agrees with this view. You may do your best by remaining vigilant, informed, and up-to-date on the Web3 security procedures mentioned above.