Hackers Want Your NFTs

We're starting to see more security incidents around NFTs. Prepare accordingly!
Mar 15, 20213 min read

Dear Bankless Nation,

We’re starting to see an influx of really talented people around the NFT ecosystem as these digital assets become more popular.

Unfortunately, a small but growing number of these newcomers are hackers who have the means, knowledge, and incentives to profit around NFTs in whatever ways they can.

This is why it’s so important in the ongoing NFT boom to circle and highlight the security basics over and over again. What are the threats that NFT users face, and how can we fight them?

In this Metaversal write-up, then, we’ll be exploring some of the main ways hackers can approach the NFT ecosystem and the best measures you can undertake to defend your NFTs against them. 🔐


Hackers Want Your NFTs

Whenever the cryptoeconomy heats up, it attracts the attention of people from all walks of life. This includes blackhat hackers, who are starting to show up in greater numbers to capitalize on nefarious digital heists.

NFTs, which have been breaking into the mainstream lately, have increasingly become targets for blackhats accordingly. And unfortunately, these attackers have a range of techniques they can use to steal your NFTs if proper precautions aren’t taken. Attack vectors include:

  • Command & control attacks, which let hackers deploy files to computers in order to steal login info and beyond.
  • Keylogging incidents, which entails malware that records keystrokes to hunt for passwords.
  • Screenscrapings, where malware is used to record sensitive data visually scraped from device screens.
  • DNS compromises, where hackers take control of a website’s domain and then manipulate it, e.g. creating an interface that authoritatively asks for users’ wallet seed phrases.

Incidents on the Rise

In recent days, there have been a number of security incidents that have affected NFT-centric projects or have the ability to affect certain NFT users. Again, NFTs are increasingly valuable and more hackers are probing for illicit ways to capitalize on them.

Just within the last week we’ve seen:

  • Social token platform Roll’s hot wallet acutely compromised, which led to an attacker selling-off some of the supply of NFT-based social tokens like $WHALE and $SKULL.
  • Attackers targeting Nifty Gateway users who don’t have 2FA security enabled, with a handful of users having their accounts — and thus their NFTs — taken over so far via password compromises.
  • Some DeFi projects like C.R.E.A.M. Finance temporarily lost control of their DNS names, which allowed the culprits to surreptitiously request users’ wallet seed phrases directly from app.cream.finance for a time. More than a few NFTers also user DeFi apps like C.R.E.A.M., so if any followed through with the seed request, then any NFTs in their addresses would be jeopardized.

Defending Your Digital Assets

So what can we do in the face of these blackhat threats?

Fortunately, there’s a combo of defensive measures we can take to capably defend our crypto and NFTs from talented attackers. Justin Ouellette, an NFT creator and collector among other things, had a slam dunk tweet earlier today covering some of the basics of these measures.

The first point, on password reuse, is really key. I suspect some of the MetaMask and NiftyGateway compromises we’ve seen lately have been from previously breached passwords that are reused. So that’s a big no-no. Additionally, relying on 2FA is a must if you’re building up a considerable NFT collection on centralized platforms like Nifty Gateway. The importance of never giving out your seed phrase can also never be overstated!

I’d lastly just add a few things. One, a hardware wallet is one of the single best security investments you can make for your NFTs. These “cold wallets” put you in decisive control of your NFTs and are virtually impossible to attack in most conditions, so consider them the foundation for any safe NFT vault.

Other points to consider are spreading out your NFT activities across multiple wallets, so you never have all your digital eggs in one basket, and avoiding sketchy sites and files at all costs. We never want to make things any easier for hackers, right, especially if we sometimes move NFTs through more vulnerable hot wallets!

Action Steps

  • Set aside some time to review the security around your NFT activities. Make improvements wherever applicable!

Not financial or tax advice. This newsletter is strictly educational and is not investment advice or a solicitation to buy or sell any assets or to make any financial decisions. This newsletter is not tax advice. Talk to your accountant. Do your own research.

Disclosure. From time-to-time I may add links in this newsletter to products I use. I may receive commission if you make a purchase through one of these links. Additionally, the Bankless writers hold crypto assets. See our investment disclosures here.

Account Light mode Log Out