As crypto markets evolve, cybercriminals are exploiting them through a variety of schemes.
Just when you think you’ve begun to get the hang of cryptocurrency and the digital world, newer concepts such as non-fungible tokens (NFTs) and the metaverse start to dominate the conversation. If you grew up in an era of cassette tapes, drive-in movies and pay phones, these evolving frontiers may seem foreign—and a bit overwhelming.
But even though you may not dabble in NFTs or the metaverse at the moment, you might in the future. NFTs recently set a monthly sales record with $4 billion in trade activity.1 Meanwhile, Gartner, a leading research and consulting firm, predicts that 25% of the population will spend at least an hour a day in the metaverse for work, shopping, education, social media or entertainment by 2026.2
With that in mind, it’s important to at least have a basic understanding of NFTs and the metaverse, as well as an awareness of some cybersecurity threats associated with them.
Let’s start with the name.
An asset that’s fungible can easily be exchanged for another item of equal value in its same class. For example, a dollar bill can be exchanged for another dollar bill. Or, in the cryptocurrency world, one Bitcoin (BTC) can be swapped for another BTC. There’s nothing different about these items within their asset category in terms of appearance, identity or value.
Meanwhile, a non-fungible asset has unique properties or values that set it apart from other items in its class, and it can’t be directly replaced or exchanged. For example, you couldn’t trade your airline ticket for your next-door neighbor’s airline ticket. Each ticket contains different information (such as passenger name, flight number and arrival/departure times) and may be valued differently. Baseball cards are another example of non-fungible assets.
NFTs contain a unique signature (that’s typically digital) or identity which makes them a one-of-a-kind item of varying value that belongs exclusively to the owner. Some popular NFT categories include artwork, collectibles, sports memorabilia, music, videos, domain names, video game assets and even memes.
NFTs can exist on several different blockchains, but Ethereum (ETH) holds the majority of NFT projects. You can buy and sell NFTs on separate exchange platforms, which function more like an auction house than a brokerage application, or buy directly from the creator through an action known as minting.
Let’s think of the metaverse as a shared, interactive virtual space—almost like a 3D version of the internet. It’s a place that can be a stage for a wide range of activities, and you’ll be able to experience them through avatars, shared screens, remote meetings and more.
Similar to the internet, the metaverse as a whole won’t be owned by any organization. In terms of financial transactions, Gartner expects the metaverse will have a virtual economy that’s enabled by digital currencies and NFTs.3
While technology giants continue to invest heavily in the metaverse—and Bloomberg predicts that metaverse-related exchange-traded funds could accumulate $80 billion in assets by 2024—no one can say with certainty how things will unfold.4
And that brings us to cybersecurity concerns. Where there’s money to be made, cybercriminals will be looking for opportunities to exploit it.
Pump-and-dump schemes: The price of NFTs can be manipulated. With this scam, a group of fraudsters work in harmony to buy select NFTs to pump up the demand for them—which causes the price to rise. When the price reaches their target, the cybercriminals will cash out. Without the artificial demand from the fraudsters, the price of the NFTs plummets—leaving newer buyers with a sharply devalued or worthless asset.
If you’re interested in an NFT, review its transaction history and wallet records before buying. If you notice unusual activity—such as a large number of transactions within a short timeframe—it could be due to scammers trying to inflate the value of the NFT.
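The transaction-history check described above can be run over an exported sale history. This is an added example, not part of the original article: the record layout, the 24-hour window, the five-sale threshold and the "few buyers" rule are assumptions chosen for illustration, and the sample sales are constructed.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample: (timestamp, buyer wallet, price in ETH) for one NFT collection.
SALES = [
    ("2022-03-01T10:00:00", "0xA1", 0.50),
    ("2022-03-09T14:00:00", "0xB2", 0.52),
    ("2022-03-20T09:00:00", "0xC3", 0.55),
    ("2022-04-02T12:00:00", "0xF1", 0.60),
    ("2022-04-02T12:20:00", "0xF2", 0.90),
    ("2022-04-02T12:45:00", "0xF1", 1.40),
    ("2022-04-02T13:10:00", "0xF3", 2.10),
    ("2022-04-02T13:30:00", "0xF2", 3.00),
    ("2022-04-02T14:05:00", "0xF1", 4.20),
]

def find_bursts(sales, window=timedelta(hours=24), min_sales=5):
    """Return runs of at least `min_sales` sales that all fall inside `window`."""
    rows = sorted((datetime.fromisoformat(t), b, p) for t, b, p in sales)
    bursts, i = [], 0
    while i < len(rows):
        j = i
        # Extend the run while the next sale is still inside the window.
        while j < len(rows) and rows[j][0] - rows[i][0] <= window:
            j += 1
        if j - i < min_sales:
            i += 1
            continue
        chunk = rows[i:j]
        buyers = Counter(b for _, b, _ in chunk)
        bursts.append({
            "start": chunk[0][0],
            "end": chunk[-1][0],
            "sales": len(chunk),
            "distinct_buyers": len(buyers),
            # How far the price moved from the first to the last sale in the run.
            "price_multiple": round(chunk[-1][2] / chunk[0][2], 2),
            # Assumed rule: half as many wallets as sales suggests repeat buyers.
            "few_buyers": len(buyers) <= len(chunk) / 2,
        })
        i = j  # Continue after the run so it is reported once.
    return bursts

if __name__ == "__main__":
    for burst in find_bursts(SALES):
        print(burst)
```

A burst with a steep price multiple and only a few repeat buyers matches the pattern the article warns about; a burst alone can also be an ordinary launch, so treat it as a prompt to look closer.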
Phishing sites, ads and pop-ups: In a twist on typical phishing scams, fraudsters will create NFT sites that closely replicate authentic sites in appearance. As a result, it’s easy for eager buyers to end up purchasing worthless, counterfeit NFTs on these bogus sites.
Additionally, phony ads or pop-ups may lure you to fake login pages for legitimate NFT sites. And, if you enter your information, cybercriminals will capture it. So, make sure to verify the URL of any NFT site before logging in or making a purchase. For additional safety, type the URL directly into your browser instead of relying on a search engine result. Also, don’t click on any ads, pop-ups or links for NFT sites. Always go directly to the verified site instead.
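The URL check recommended above can be made mechanical by comparing a link against a personal list of sites you have already verified. This is an added example, not part of the original article: `nft-market.example` is a placeholder host, and the two-edit threshold and verdict names are assumptions.

```python
from urllib.parse import urlsplit

# Assumption: hosts the reader has verified themselves (placeholder value).
TRUSTED_HOSTS = {"nft-market.example"}

def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character swaps."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_url(url, trusted=TRUSTED_HOSTS):
    """Classify a link as 'trusted', 'lookalike' or 'unknown', with a reason."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    # Text before '@' is login data, not the site; the real host comes after it.
    if parts.username or parts.password:
        return "lookalike", "text before '@' hides the real host"
    if host in trusted:
        if parts.scheme != "https":
            return "unknown", "verified host but not HTTPS"
        return "trusted", "exact match with a verified host"
    # Punycode labels can render as letters that imitate a familiar name.
    if any(label.startswith("xn--") for label in host.split(".")):
        return "lookalike", "punycode label may imitate a familiar name"
    for good in trusted:
        if good in host:
            return "lookalike", f"'{good}' is embedded in a different host"
        if edit_distance(host, good) <= 2:
            return "lookalike", f"within two edits of '{good}'"
    return "unknown", "not on the verified list"

if __name__ == "__main__":
    for link in ("https://nft-market.example/item/1",
                 "https://nft-rnarket.example/login",
                 "https://nft-market.example.login-check.test/"):
        print(link, check_url(link))
```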
Fake social media profiles: Unfortunately, fraudsters are also adept at creating social media accounts that seem to represent legitimate NFT organizations. They use these platforms to hawk counterfeit NFT artwork, hype fake NFT endorsements from celebrities/influencers and promote phony NFT giveaways.
While it’s not foolproof, look for a blue verification tick on the profile to verify the authenticity of the account and check to see if reputable personalities follow the page.
Another rule of thumb is to not link your social media to any crypto or NFT exchange. Linking them provides a way for fraudsters to create tailored phishing messages based on your portfolio.
Phony NFTs: Cybercriminals can take an image, photo or other piece of artwork belonging to the owner, copy it to create a counterfeit NFT, open a fake account and sell the NFT to you. Even if you later discover it’s a counterfeit, it’s almost impossible to get your money back.
Some cyber fraudsters will also create their own NFT and claim that, although traditionally only holders of very expensive NFTs can mint it, they are making an exception to allow a small selection of regular collectors to participate. These announcements are typically sent via fake airdrop messages to create the illusion of exclusivity and urgency.
In the NFT world, being impulsive isn’t a good idea. If you find an NFT you’d like to purchase, do some research first.
Conduct an online search to find a social media account or website associated with the artist. Ask the artist if the NFT belongs to them, and if you’re buying from the correct user account. Check popular NFT forums to see if there are any reports of illegal activity from the seller’s account. Do a “reverse-image” search on the NFT; if it appears in multiple marketplaces, it could be a sign that it’s a counterfeit.
Malicious NFTs: Cybercriminals may create NFTs and send them to your account without your permission. This may seem harmless (and to your benefit), but if a user interacts with these NFTs, it may allow the criminal to drain funds from the account. If you see an NFT in your account that you did not purchase and you can’t validate the creator, do not interact with it.
It’s important to be especially mindful of protecting access to your crypto wallet (a device or program that allows you to transfer and store cryptocurrency). Never give away your seed phrase (i.e., the password to your crypto wallet). It’s also best to use two crypto wallets: one for buying and selling NFTs, and a second one for storage. The second wallet should only ever interact with the first. For your storage wallet, purchase a reputable hardware wallet. A hardware wallet is a physical, small plug-in device that serves as a key to access your crypto assets safely from anywhere. Hardware wallets come with two-factor authentication, so if your account is compromised, the attacker still needs physical access to the hardware wallet to steal anything.
As with any type of investment—especially in a nascent, unregulated marketplace—do your research and act prudently before purchasing NFTs. And keep in mind that while NFTs and the metaverse present exciting new possibilities for e-commerce, entertainment, work and other activities, there will always be some individuals looking to take advantage of unsuspecting participants.