NFTs and cyberattacks: what are the links? What are the risks?

CyberNews

NFT, the new Cybercrime paradise

Searches for the keyword "NFT" have surpassed searches for cryptocurrencies: this is the latest announcement from Google, made in December 2021. Digital design is on a roll!

According to a report by DappRadar, NFTs reportedly generated $148 million more last October than in September. How can you not be greedy when you see so many dollars being generated?

It was obvious that cyberattackers were going to take a close interest in the subject and that the abuses related to this new concept would soon become known.

NFTs are “THE” new playground for attacks against various crypto-currencies, and groups like Lazarus Group are fond of them.

We won’t go into the intricacies of the crypto sphere, but we will try to unravel the mystery of NFTs, the acronym that we now see in all the media, and look at the new cyber threats that could arise from it.

NFTs: coveted by everyone, cyber attackers included.

NFT: What are we talking about?

Let’s start with the basics. What is an NFT? And what exactly does it mean? NFT stands for Non Fungible Token.

Very nice, but it doesn’t really shed any light on the situation…

First created in 2014, an NFT is a unique digital or physical asset whose value is specific to it, i.e. it cannot be exchanged for any other asset or property of the same value.

“Non-fungible” therefore means “unique and cannot be replaced by anything else.”

For example, a bitcoin is fungible: you can exchange it for another bitcoin, and you will get exactly the same thing.

However, a one-of-a-kind trading card is not fungible. If you exchange it for another card, you get something (completely) different.

And because it carries its own value, that value can only fluctuate depending on various phenomena.

How do NFTs work?

Most NFTs are part of the Ethereum blockchain. Ethereum is a crypto-currency, like bitcoin or dogecoin, but its blockchain also supports these NFTs, which store additional information.

An NFT is a unit of value representing an object, a title deed, or a virtual certificate attached to a work and registered on a blockchain.

It should be noted that other blockchains may implement their own versions of NFT.

What makes an NFT authentic is its digital certificate made up of “metadata” that will prove that it is indeed the author’s original work, that the author has indeed sold it, that the buyer is such and such a person, and that he bought it for such and such a price, on that day, etc.

We thus obtain a unique identifier. This identifier corresponds to a series of unique numbers specifically associated with an NFT.

Finally, the fact that it is attached to a blockchain guarantees the security of transactions, which are made on marketplaces, in cryptocurrency.

Thus, a five-euro bill is fungible, because it can easily be exchanged for another five-euro bill of the same value, which is not the case with an NFT.

On the other hand, this tweet from Jack Dorsey, founder and CEO of Twitter, is an NFT and is valued at $2.5 million.

Twitter creator Jack Dorsey’s first tweet became a $2.5 million NFT.

Concretely an NFT can be:

  1. songs
  2. domain names
  3. works of art
  4. movies
  5. photos
  6. tweets
  7. GIFs

This can concern all sectors:

  1. art
  2. video games
  3. events
  4. insurance
  5. music
  6. finance
  7. real estate

In summary, an NFT is:

  1. unique
  2. rare
  3. traceable
  4. indivisible
  5. programmable

NFT and Cybercrime?

The arrival of this new concept brings with it new types of crime. Fake websites, identity theft, phishing and luring are all techniques used by hackers.

Why is it so attractive? Because it remains a simple and quick way to make money, and above all, because this type of attack leaves few traces.

Account Takeover

Nifty Gateway (“an online digital art auction platform for non-fungible symbolic art”) was the first to report NFT theft. Over the course of a weekend, the hackers allegedly stole thousands of dollars’ worth of art. To do this, they hacked into users’ accounts, stole passwords, bank accounts and certificates of authenticity, and resold them.

Example of account usurpation

Another, more direct way is to sell fake NFTs: the criminal sells works that do not belong to him.

In October 2021, this was the case of a fake Banksy. The criminal inserted a link on Banksy’s official website to sell a fake NFT, and thus benefited from the fame of the artist’s website. The scam worked, as a buyer came forward and lost $380,000. The story has a happy ending, as the victim, named Pranksy, was reimbursed.

The artist was also a victim of domain theft: domains such as banksynft[.]com and banksynfts[.]com were registered.

The comic creator Derek Laufman and the animator Milos Rajkovic, alias Sholim, can be added to the long list of victims of these unscrupulous criminals pretending to be artists.

Fake Sites

A fairly common tactic is to create fake sites that look exactly like legitimate ones. Users log in and give their credentials or credit card number.

The Fractal website was the victim of an attack in December 2021. The criminals used a decoy, hacking the Discord server. They relied on an online NFT sales ad. The victims saw it as a bargain, clicked on the offer and were redirected to a fake Fractal account. This is how 373 people fell victim to this scam, with a loss of 150,000 dollars. While the number of victims is not huge, it proves that the threat is real.

Scammers can also create fake NFT stores and sell NFTs that do not exist. This type of attack, based on typosquatting, is becoming legion, as cyber criminals use domain names that impersonate popular platforms (artists are not the only victims, as seen above) to make their attacks more credible.


Example of crypto-currency asset theft
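
The lookalike-domain pattern described in this section can be checked mechanically before anyone logs in or pays. The Python sketch below is an added example, not code from the original article: the trusted domain `nft-gallery.example` is a constructed placeholder, the brand keyword is the artist name from the article, and the two-label "registrable domain" split is a simplifying assumption.

```python
from urllib.parse import urlsplit

# Constructed values for illustration: the trusted domain is a placeholder,
# the brand keyword is the artist name used in the article's example.
TRUSTED_DOMAINS = {"nft-gallery.example"}
BRAND_KEYWORDS = {"banksy"}


def hostname_of(link: str) -> str:
    """Return the lowercase hostname of a URL or bare domain (defanged input accepted)."""
    link = link.strip().replace("[.]", ".").replace("hxxp", "http")
    if "://" not in link:
        link = "//" + link  # let urlsplit treat a bare domain as a network location
    try:
        return (urlsplit(link).hostname or "").rstrip(".")
    except ValueError:
        return ""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using two rows of the dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(link: str) -> str:
    """Classify a link as trusted, a lookalike of a trusted name, unknown, or invalid."""
    host = hostname_of(link)
    if not host:
        return "invalid"
    if any(host == t or host.endswith("." + t) for t in TRUSTED_DOMAINS):
        return "trusted"
    # Naive registrable domain (last two labels); a real check needs the Public Suffix List.
    registrable = ".".join(host.split(".")[-2:])
    for t in TRUSTED_DOMAINS:
        if host.startswith(t + ".") or ("." + t + ".") in host:
            return f"lookalike: {t} used as a subdomain of {registrable}"
        if edit_distance(registrable, t) <= 2:
            return f"lookalike: {registrable} is close to {t}"
    for kw in BRAND_KEYWORDS:
        if kw in host:
            return f"lookalike: brand keyword '{kw}' in untrusted domain"
    return "unknown"
```

A result of "unknown" only means the host resembles nothing on the trusted list; it is not a verdict that the site is safe.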

Phishing Campaign

A phishing campaign (RedLine infostealer campaign) was also revealed in June 2021. Cybercriminals posed as companies, and then canvassed numerous artists to offer them partnerships. Once the relationship was established, a malicious link was injected and escaped the vigilance of antivirus software.

The artist FVCKRENDER was one of these victims and was robbed of 137 000 euros.

The artist FVCKRENDER was the victim of a 137 000 euro fraud.

Exploit

With all the buzz around non-fungible tokens (NFTs), another, darker side has emerged in recent months: the auctioning of cybersecurity exploits.

For example, a zero-day denial-of-service attack was sold, with all ownership rights transferred to the successful bidder.

While this may seem harmless, the idea of selling a cyber exploit obviously raises questions of ethics and identity when it gets into the wrong hands.

This makes NFTs an ideal way for hackers to buy and sell exploits and other hacking tools.

One of the most high-profile examples of an exploit attack was the one that hit Poly Network, a crypto-currency transfer company behind a decentralized finance (DeFi) platform, in August 2021. A seasoned hacker managed to exploit a vulnerability in the platform’s systems and steal nearly $600 million from it. The story has an exceptionally happy ending, as the hacker returned almost all the funds.

Other attacks

Other scams that could be mentioned include:

  • counterfeit NFTs
  • fake airdrops: these are fake tokens that are “parachuted” into cryptocurrency wallets; if approved by users, the repercussions can be irreversible and result in the theft of all the funds in their wallets
  • SIM swapping: this involves hackers taking control of your phones
  • social media accounts that pretend to be affiliates, or pretend to be members of a community, as in the example below
  • bots: scalpers, which we already talked about in our previous article, use bots to manipulate NFT prices, or to sell fake projects. These bots can spot both consumers and NFT artists.

Fake social media accounts posing as affiliates

The list is likely to grow with the growth of the phenomenon and the ingenuity of our attackers.

Because this new form of scam is recent, there is still too little protection available, so let’s be vigilant and look at some recommendations.

Recommendations

Buying NFTs requires basic security hygiene

Make sure you have proper security. For this, we advise you to:

  • use multi-factor authentication
  • tokenize your tweets
  • secure your wallets: buy a hardware wallet directly on the site
  • check the number of subscribers of the person you are talking to
  • check the links: make sure that the site where you buy the NFT is legitimate
  • pay attention to fake communities
  • be careful if your contact is strangely absent from social networks
  • be careful if the amount proposed for a possible partnership seems inconsistent
  • be wary if there is no contract

It is by doing these checks that a South Korean photographer, Jong Chan Han, was able to avoid the worst and immediately secure his accounts.

Of course, to this long list we can add education and awareness.

Finally, a solid regulatory framework will have to be put in place and adapted to NFTs; it is still in its infancy.

The future of NFTs

The Web 3 phenomenon will be NFT, or it won’t be!

The global NFT market reached 40 billion dollars last year. Even manufacturers are getting involved, such as Samsung, which announced that NFTs would be integrated into its new connected TVs.

The NFT market is a new Eldorado for cybercriminals who want to launder assets. An increase in attacks and, with them, extortion is highly probable.

Cybercriminals are inventive and creative; their approaches are diversifying and becoming more complex and sophisticated. Twitter, Facebook, Telegram, Discord and the like are the perfect channels for cybercriminals.

We need to get on board and, above all, anticipate these new threats. It is imperative to measure the stakes and the risks.

Let’s not wait any longer, let’s act!

[1] DappRadar Report, October 2021

[2] https://en.wikipedia.org/wiki/Nifty_Gateway