Cybersecurity always lags behind the digital innovations it’s designed to protect, and therein lies the problem. The faster technology innovation moves, the bigger the window of opportunity for cybercriminals to swoop in and exploit the vulnerabilities. Brands are destroyed, chief executive officers (CEOs) fired, customer identities swiped and sold on the dark web, bank accounts raided, and credit destroyed.
While many recent innovations serve to illustrate that point, few match the non-fungible token (NFT) for the breathtaking speed with which it went mainstream. The global market for NFTs grew by more than 500x, from $78 million to over $40 billion in 2021, and attracted stars like Jay-Z and Jimmy Fallon and big brands like Coca-Cola and Nike. Meanwhile, many consumers are still trying to figure out what NFTs are and why they exist in the first place.
With NFTs, we’re seeing seven primary ways cybercriminals are exploiting the situation.
1. Celebrity/Brand impersonation: A scammer sets up a social media group or website using the name of a brand or celebrity. They then sell fake or non-existent NFTs to people or use a fake NFT as a lure to swipe someone’s credentials.
2. Counterfeit NFTs: Just like counterfeit currencies, a brand’s NFTs can be reproduced without their knowledge or consent and then traded online. In some cases, artists and brands have discovered thousands of fake reproductions of their property in online marketplaces. Some marketplaces have developed tools to spot fakes, but it’s still a tangled mess of copyright issues given all the visuals, music and logos involved.
3. Unprotected marketplaces: Putting aside the irony of relying on centralized players like marketplaces to execute decentralized transactions, these third parties can also introduce significant risk. In the short span that NFTs have existed, more than 150 marketplaces have sprung up and many lack the security needed to handle the impressive ingenuity of the attackers. In one scam, attackers targeted marketplace users lacking two-factor authentication and used smart contracts to transfer ownership to their accounts.
4. Fake platforms: There are so many NFT marketplaces that it’s relatively easy for cybercriminals to build new ones, hide in plain sight, and sell fake NFTs. Another tactic in this category is to create identical replicas of existing NFT marketplaces and use social media or emails to lure people in.
5. Untraceable payments: Because of the nature of cryptocurrencies, payments are very difficult to follow. Beyond making it possible to circumvent tax, untraceable transactions can be used for illegal activities, a vulnerability that cybercriminals exploit. By the time a company, artist or celebrity realizes that something is amiss, the money is safely in the cybercriminal’s bank account. It’s nearly impossible to trace and even harder to reverse.
6. Cryptocurrency scams: Crypto coins, predominantly Ethereum, are the key currency used in NFT transactions, and cryptocurrency scams are incredibly common. This is especially the case around highly anticipated NFT releases that generate a lot of buzz. In the inevitable buying frenzy, scammers create scam-minting sites that request users’ private wallet keys. When customers, often the most fervently loyal and valuable, fall victim to these scams, they may sour on the brand.
7. Text or email scams: A cybercriminal sends a malicious email notifying a person of “suspicious behavior” on one of their accounts. As that person logs in and enters their credentials, they are asked for their private wallet keys or 12-word security seed phrases. The scammers then use those credentials to hack into the user’s digital wallet and deplete all of the crypto and NFTs stored therein.
NFTs represent a great opportunity for brands to build lasting loyalty with their customers. Some experts even predict they will become the central digital touchpoint between brands and their consumers. The possibilities are exciting and perhaps by then, NFTs will be mostly safe. But in this chaotic, early window where vulnerabilities are everywhere, they do pose serious risks.
Companies and executives would be wise to allocate resources to monitoring and mitigating these types of threats. Employees who handle digital assets should also be trained to avoid phishing attacks that target them specifically. But brands need a more comprehensive protection program that can monitor many marketplaces and platforms for keywords and images simultaneously, analyze potential threats, detect phishing, and discover online brand abuse, trademark infringements and counterfeit sales.
Someday it’ll be safer to play with NFTs, but until then, we’re living in the Wild West. Both brands and celebrities should be vigilant to ensure that sites and listings promoting NFTs for sale are legitimate and are not being used by fraudsters as an instrument to swindle fans out of money.