Even though Web3 evangelists have long touted the native security features of blockchain, the torrent of money flowing into the industry makes it a tempting prospect for hackers, scammers and thieves.
When bad actors succeed in breaching Web3 cybersecurity, it is usually because users fall for the oldest lures, greed, FOMO, and ignorance, rather than because of flaws in the technology.
Many scams promise big payoffs, investments, or exclusive perks; the FTC calls these money-making opportunities and investment scams.
Big money in scams
According to a June 2022 report by the Federal Trade Commission, over $1 billion in cryptocurrency has been stolen since 2021. And the hackers' hunting grounds are where people gather online.
"Nearly half the people who reported losing crypto to a scam since 2021 said it started with an ad, post, or message on a social media platform," the FTC said.
Although fraudulent come-ons sound too good to be true, potential victims may suspend disbelief given the intense volatility of the crypto market; people don't want to miss out on the next big thing.
Attackers targeting NFTs
Along with cryptocurrencies, NFTs, or non-fungible tokens, have become an increasingly popular target for scammers; according to Web3 cybersecurity firm TRM Labs, in the two months following May 2022, the NFT community lost an estimated $22 million to scams and phishing attacks.
"Blue-chip" collections such as Bored Ape Yacht Club (BAYC) are a particularly prized target. In April 2022, the BAYC Instagram account was hacked by scammers who diverted victims to a site that drained their Ethereum wallets of crypto and NFTs. Some 91 NFTs, with a combined value of over $2.8 million, were stolen. Months later, a Discord exploit saw NFTs worth 200 ETH stolen from users.
High-profile BAYC holders have fallen victim to scams, too. On May 17, actor and producer Seth Green tweeted that he was the victim of a phishing scam resulting in the theft of four NFTs, including Bored Ape #8398. As well as highlighting the threat posed by phishing attacks, it could have derailed an NFT-themed television/streaming show planned by Green, "White Horse Tavern." BAYC NFTs include licensing rights to use the NFT for commercial purposes, as in the case of the Bored & Hungry fast food restaurant in Long Beach, CA.
Thought I was minting GutterCat clones- phishing link looked clean
— Seth Green (@SethGreen) May 17, 2022
During a June 9 Twitter Spaces session, Green said that he had recovered the stolen JPEG after paying 165 ETH (more than $295,000 at the time) to a person who had bought the NFT after it was stolen.
"Phishing is still the first vector of attack," Luis Lubeck, a security engineer at Web3 cybersecurity firm, Halborn, told Decrypt.
Lubeck says that users should be aware of fake websites that ask for wallet credentials, cloned links, and fake projects.
According to Lubeck, a phishing scam may start with social engineering: a message about an early token launch, a promise to 100x the user's money, a yield (APY) offer, or a warning that the user's account has been breached and needs a password change. These messages usually come with a limited time to act, further driving the user's fear of missing out, also known as FOMO.
In Green's case, the phishing attack came via a cloned link.
Clone phishing is an attack where a scammer takes a website, email, or even a simple link and creates a near-perfect copy that looks legitimate. Green thought he was minting "GutterCat" clones using what turned out to be a phishing website.
When Green connected his wallet to the phishing website and signed what he believed was a mint transaction, he did not hand over his private keys; signing never reveals them. What he signed was a transaction the attackers had crafted, one that moved his Bored Apes or authorized the attackers to move them (a common pattern on drainer sites is an ERC-721 setApprovalForAll grant to the attacker's address). The wallet's signing prompt is the last chance to catch this: what matters is the contract being called and the function being signed, not how the website looks.
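The check a wallet, or a careful user with a transaction decoder, can make before signing, as an added example that is not code from the article, from Halborn, or from any wallet vendor: decode the calldata a dApp submits and flag the ERC-721 calls that hand control of NFTs to someone else. The selectors are the standard first four bytes of keccak256 of each function signature; the trusted-operator address and the sample "mint" calldata are constructed placeholders.

```javascript
// Added example: pre-signature inspection of ERC-721 calldata.
// Selectors are the first 4 bytes of keccak256(function signature).
const SELECTORS = {
  "a22cb465": "setApprovalForAll(address,bool)",
  "095ea7b3": "approve(address,uint256)",
  "23b872dd": "transferFrom(address,address,uint256)",
  "42842e0e": "safeTransferFrom(address,address,uint256)",
  "b88d4fde": "safeTransferFrom(address,address,uint256,bytes)",
};

// Hypothetical allowlist of operators the user has deliberately approved
// (for example one marketplace contract). The address is a placeholder.
const TRUSTED_OPERATORS = new Set(["0x1111111111111111111111111111111111111111"]);

// ABI-encoded arguments follow the 4-byte selector as 32-byte (64 hex char) words.
function word(hex, i) {
  const start = 8 + i * 64;
  if (hex.length < start + 64) throw new Error(`calldata truncated at argument ${i}`);
  return hex.slice(start, start + 64);
}
const asAddress = (w) => "0x" + w.slice(24); // last 20 bytes of the word
const asUint = (w) => BigInt("0x" + w);
const asBool = (w) => asUint(w) !== 0n;

function inspectCalldata(data, trusted = TRUSTED_OPERATORS) {
  const hex = String(data).replace(/^0x/i, "").toLowerCase();
  if (!/^[0-9a-f]*$/.test(hex)) throw new Error("calldata is not hex");
  if (hex.length === 0) return { risk: "low", reason: "no calldata: plain ETH transfer" };
  if (hex.length < 8) throw new Error("calldata shorter than a selector");
  const selector = hex.slice(0, 8);
  const signature = SELECTORS[selector];
  if (!signature) {
    return { risk: "unknown", selector, reason: "unrecognised function; do not assume it is a mint" };
  }
  try {
    if (signature.startsWith("setApprovalForAll")) {
      const operator = asAddress(word(hex, 0));
      const approved = asBool(word(hex, 1));
      if (approved && !trusted.has(operator)) {
        return { risk: "critical", signature, operator,
                 reason: "grants an unvetted operator the right to move every NFT in this collection" };
      }
      return { risk: approved ? "medium" : "low", signature, operator,
               reason: approved ? "approval to a trusted operator" : "revokes an operator" };
    }
    if (signature.startsWith("approve")) {
      const operator = asAddress(word(hex, 0));
      const tokenId = asUint(word(hex, 1)).toString();
      return { risk: trusted.has(operator) ? "medium" : "high", signature, operator, tokenId,
               reason: "approves transfer of one token" };
    }
    // The three transfer variants share the same first three arguments.
    const from = asAddress(word(hex, 0));
    const to = asAddress(word(hex, 1));
    const tokenId = asUint(word(hex, 2)).toString();
    return { risk: "high", signature, from, to, tokenId,
             reason: "moves a token you already hold; minting a new token never needs this" };
  } catch (e) {
    return { risk: "malformed", selector, reason: e.message };
  }
}

// Constructed sample: what a fake "mint" button might actually submit,
// i.e. setApprovalForAll(attacker, true) on the victim's collection.
const pad = (s) => s.replace(/^0x/i, "").padStart(64, "0");
const ATTACKER = "0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef";
const SAMPLE_DRAIN = "0xa22cb465" + pad(ATTACKER) + pad("1");

console.log(inspectCalldata(SAMPLE_DRAIN));
```

The point of the allowlist is that `setApprovalForAll(..., true)` is not malicious in itself; marketplaces ask for it routinely. It is the combination of a blanket approval and an operator you have never heard of, arriving from a page that claimed to be a mint, that should stop the signature.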
Types of Cyber Attacks
Security breaches can affect both companies and individuals. While not a complete list, cyberattacks targeting Web3 typically fall into the following categories:
- 🎣 Phishing: One of the oldest yet most common forms of cyberattack, phishing attacks commonly come in the form of email and include sending fraudulent communications like texts and messages on social media that appear to come from a reputable source. This cybercrime can also take the form of a compromised or maliciously coded website that can drain the crypto or NFT from an attached browser-based wallet once a crypto wallet is connected.
- 🏴☠️ Malware: Short for malicious software, this umbrella term covers any program or code harmful to systems. Malware can enter a system through phishing emails, texts, and messages.
- 👾 Compromised Websites: These legitimate websites are hijacked by criminals and used to store malware that unsuspecting users download once they click on a link, image, or file.
- 🪤 URL Spoofing: Unlike compromised websites, spoofed websites are malicious sites that are clones of legitimate websites. Also known as URL phishing, these sites can harvest usernames, passwords, credit card numbers, cryptocurrency, and other personal information.
- 🤖 Fake Browser Extensions: As the name suggests, these exploits use fake browser extensions to dupe crypto-users into entering their credentials or keys into an extension that gives the cybercriminal access to the data.
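The cloned link in Green's case "looked clean," and the URL spoofing entry above is about exactly that. Here is the kind of link check a wallet extension or a cautious user can run before connecting, as an added example that is not code from the article or from Halborn. It uses only the WHATWG URL parser that Node.js and browsers ship, and the allowlisted domains are constructed placeholders, not real projects.

```javascript
// Added example: flag the tricks that make a cloned site's URL look legitimate.
// Hypothetical allowlist of domains the user has verified out of band.
const KNOWN_HOSTS = ["mint.example", "wallet-app.example"];

// Single-row Levenshtein distance, used to catch one- or two-character
// substitutions such as "examp1e" for "example".
function levenshtein(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Approximation of the registrable domain (last two labels). A real deployment
// should consult the Public Suffix List so that suffixes like "co.uk" are handled.
function registrable(host) {
  return host.split(".").slice(-2).join(".");
}

function checkLink(input, known = KNOWN_HOSTS) {
  let url;
  try {
    url = new URL(input);
  } catch {
    return { verdict: "unparseable", reason: "not a valid URL" };
  }
  const host = url.hostname; // WHATWG parsing lower-cases and IDNA-encodes (xn--) the host
  if (url.protocol !== "https:") {
    return { verdict: "insecure-scheme", host, reason: `scheme is ${url.protocol}` };
  }
  // An internationalised label can contain glyphs that mimic ASCII letters.
  // (If an allowlisted domain is itself IDN, compare against its xn-- form instead.)
  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    return { verdict: "punycode", host, reason: "internationalised label; characters may mimic ASCII ones" };
  }
  for (const k of known) {
    if (host === k || host.endsWith("." + k)) {
      return { verdict: "trusted", host, match: k, reason: "on the allowlist" };
    }
  }
  // "mint.example.evil-site.test": the trusted name is only a subdomain of something else.
  for (const k of known) {
    if (("." + host).includes("." + k + ".")) {
      return { verdict: "brand-in-subdomain", host, match: k,
               reason: "a trusted name appears as a subdomain of a different domain" };
    }
  }
  const reg = registrable(host);
  for (const k of known) {
    const d = levenshtein(reg, k);
    if (d > 0 && d <= 2) {
      return { verdict: "lookalike", host, match: k, distance: d, reason: "within two edits of a trusted domain" };
    }
  }
  return { verdict: "unknown", host, reason: "not on the allowlist; verify out of band before connecting" };
}

console.log(checkLink("https://mint.examp1e/claim"));
```

The ordering is deliberate: scheme and punycode problems are reported before the allowlist is consulted, so a homoglyph domain can never be waved through by a suffix match, and "unknown" is the default rather than "safe."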
These attacks usually aim at accessing, stealing, and destroying sensitive information or, in Green's case, a Bored Ape NFT.
What can you do to protect yourself?
Lubeck says the best way to protect yourself from phishing is to never reply to an email, SMS text, Telegram, Discord, or WhatsApp message from an unknown person, company, or account. "I will go further than that," Lubeck added. "Never enter credentials or personal information if the user did not start the communication."
Lubeck recommends not entering your credentials or personal information when using public or shared WiFi or networks. In addition, Lubeck tells Decrypt that people should not have a false sense of security because they use a particular operating system or phone type.
"When we talk about these kinds of scams: phishing, webpage impersonation, it doesn't matter if you're using an iPhone, Linux, Mac, iOS, Windows, or Chromebook," he says. "Name the device; the problem is the site, not your device."
Keep your crypto and NFTs safe
Let's look at a more "Web3" action plan.
When possible, use hardware or air-gapped wallets to store digital assets. These devices, sometimes described as "cold storage," keep your private keys off the internet until you are ready to sign a transaction. While it's common and convenient to use browser-based wallets like MetaMask, remember that anything connected to the internet has the potential to be hacked. A hardware wallet does not read the transaction for you, though: a malicious approval confirmed on the device is just as binding as one confirmed in a browser, so check what the device shows before pressing the button.
If you use a mobile, browser, or desktop wallet, also known as a hot wallet, download them from official platforms like the Google Play Store, Apple's App Store, or verified websites. Never download from links sent via text or email. Even though malicious apps can find their way into official stores, it's more secure than using links.
After completing your transaction, disconnect the wallet from the website. Keep in mind that disconnecting only ends the site's session with your wallet; any token approval you signed stays in force on-chain until you revoke it with a separate transaction.
Be sure to keep your private keys, seed phrases, and passwords private. If you are asked to share this information to participate in an investment or minting, it's a scam.
Only invest in projects you understand. If it's unclear how the scheme works, stop and do more research.
Ignore high-pressure tactics and tight deadlines. Often, scammers will use this to try and invoke FOMO and get potential victims to not think about or do research into what they are being told.
Last but not least, if it sounds too good to be true, it probably is a scam.