Cyber security in the Web3, How to protect Your NFTs

[TL;DR]

• NFTs are increasing in adoption, hitting 30 thousand new users in September and a $70 billion trading volume in 2022.

• The asset’s success has attracted good and bad attention, drawing malicious actors who scam unsuspecting users.

• Web3 users who wish to escape loss must engage in certain practices to protect their NFTs from scams and attacks.

• One of these practices includes developing web3 literacy in order to detect fake and harmful transactions and deals.

• Another is properly storing wallet keys and seed phrases safely in offline wallets.

Overview of Web3, and NFT growth this year.

As web3 finds its feet in the global marketplace, NFTs play a significant role in this adoption. At the time of writing, the unique digital assets record a total traded volume high of $68 billion. This is a whopping 75% increase from the $17 billion beginning of the year. And although macroeconomics dealt crypto and web3 a staggering blow this year, NFTs adoption continues to rise. According to crypto insights firm Intotheblock, as of September, 30 thousand new addresses used NFTs. Furthermore, above one thousand new NFT collections hit the market around the same time. Indeed, as Kevin O’Leary of shark Tank predicted, it seems the online asset will, in time, beat Bitcoin in market capitalization.

Source: Forbes

Why You Need To Learn How To Protect Your NFTs

Just as numerous creators, artists, collectors, and investors have gravitated toward Non-Fungible tokens, so have malicious actors. These entities employ all sorts of sophisticated antics to get platforms and users to release info that grants access to their hard-earned funds and assets. Consequently, even as people make profits in web3, some are losing significant funds due to security issues. Some of these exploits include rug pull scams, employee thefts, and, more often the case, phishing attacks, and hacking. Let us look briefly at the last two as they are more rampant in the NFT space.

Two Major Cyber Security Threats in Web3

Source: AAG - AAG Ventures

Phishing Attacks

In this form of a security breach, malicious entities create a fake website using a link similar to a legitimate one. Next, they would make a social engineering scenario encouraging unsuspecting NFT holders to click their phony link. These usually come in the form of too-good-to-be-true opportunities such as once-in-a-lifetime airdrops or an early or exclusive token launch. Sometimes they may even lie that their intended victim’s account has experienced a security breach and need to change their password etc.

Whatever form it takes, these offers are always time-bound, playing on users’ fear of missing out (FOMO.) They always require users to click on suspicious links, which leads to phishing websites. These, in turn, give the scammers access to wallet holders’ private keys and, by extension, any funds and digital assets contained therein.

A notable example of this happened in February this year to a prominent NFT platform, Opensea. Users lost over 1200 ETH ($3.4 million) worth of NFTs in a phishing attack on the NFT marketplace. Another similar attack took place in may involving Moonbird NFTs worth close to $1.5 million (750 ETH).

Hacking Attacks

This is when hackers break into legitimate and trusted platforms giving them access to users’ info, funds, and assets. It can happen on web3 and web2 platforms, including Twitter, Instagram, Discord, and even websites. Like phishing scams, hackers rely on speed to get, cash out, and get out before anyone suspects. There have been many such exploits since the beginning of this year. These scammers target prominent names like Bored Ape Yacht Club and Opensea, among others. An excellent example of such an attack was when Alethea Al’s Discord got hacked in March. Its users lost 840 ETH, approximately $1.8 million at the time. Also, the biggest this year was a hot wallet hack that impacted ten wallets on Lympo, a sports-based NFT brand. The victims lost a whopping $18.7 million in LMT tokens in that single hack that took place in January.

According to Comparitech data, The web3 space lost $36.5 million worth of NFTs in phishing and hacking attacks in Q1 2022. Although most platforms are working tirelessly to guard against possible security breaches, it is painfully evident that they are inevitable. Hence, you must learn to protect your assets by yourself or fall victim to the many scammers out there.

How Do I Protect My NFTs?

Now that you know why you need to pay attention to the security of your non-fungible tokens, the question is how? Below are the most important practices to adopt to keep your assets safe from exploiters:

Keep Your Keys Safe: If you are not constantly buying, selling, or exchanging your NFTs, Keep your keys offline in Cold wallets. Yes, hot wallets (online storage) make accessing your private keys and confirming transactions easy and faster. However, these keys that confer ownership are vulnerable to hacks as long as you store them online. The better option is to keep them safe in offline hardware wallets. This makes it impossible for hackers to get a hold of your keys. Remember, as long as it is online, no wallet is impregnable.

Watch Where You Click: As mentioned above, Malicious actors clone legitimate links to deceive unsuspecting users. But no matter how subtle it is, there will always be a sign that marks it as illegitimate. So, always double-check the links you click and ensure the URL is real.

Resist FOMO Deals: the greatest killer in investing will always be greed. As the saying goes, if something seems too good to be true, it’s usually. Therefore be careful of the deals you accept. This especially applies to ones that put pressure on you to act immediately. Verify from multiple sources. The legitimate page offering you a deal might be compromised; check their other platforms. If the offer is on Twitter, check the company’s Discord for extra verification. Resist the urge to take action out of fear of missing out (FOMO). It rarely ever ends well.

Don’t Sign Blindly: Don’t sign smart contracts based on trust. Do due diligence by using a wallet that reveals all the necessary details of the contracts you sign. Scammers will usually disguise their actions with innocuous prompts. If the wallet you use habitually restricts parts of smart contract details, it might be tempting to sign blindly, but don’t. You might be giving away your hard-earned money unknowingly. Make sure you know all the details of what you are signing.

Avoid DM deals: Protocols will typically announce any incentives, offers, or deals on their websites or social media platforms. It is uncommon, even impossible, that they approach their users individually. Hence, if a platform seems to offer you a deal in your DM, it is better to run. It is more than likely a malicious actor looking to fleece you of your NFTs. The sage thing to do is disregard any offer that does not come via the proper channels.

Understand Smart Contract Functions Before Signing: Many web3 users have difficulty understanding the elements of smart contracts they sign. It is one thing not to sign blindly, and it is another thing to comprehend what you are seeing. This is where understanding the functions of your smart contract is imperative to avoid being exploited by bad actors. Take the step of educating yourself on critical web3 elements such as smart contract functions. It will help you distinguish between a transaction and a confirmation, etc. And that makes it difficult for you to fall victim to disguised attacks.

Your Seed Phrase is Yours, Never Share It: Your seed phrase or recovery phrase is the only thing standing between you and losing your wallet should you lose your key. It is the backup information to access your tokens and funds. It is meant exclusively for your use. Therefore, It would be best to keep your seed phrase safe and offline, like your wallet keys.

To Wrap Things Up,

Since no system is utterly infallible, you can protect your Non-Fungible tokens and other digital assets reasonably safe by taking caution. As security breaches continue to rage through the world of web3, you can do something about the safety of your assets. These are the major precautions to see you through most hacking and phishing exploits. You will be among the few savvy web3 users with well-protected assets if you practice them.

Author: M. Olatunji, Gate.io Researcher

Disclaimer:

* This article represents only the views of the observers and does not constitute any investment suggestions.

*Gate.io reserves all rights to this article. Reposting of the article will be permitted provided Gate.io is referenced. In all other cases, legal action will be taken due to copyright infringement.