Non-fungible tokens (NFTs) are currently in vogue as crypto investors scramble to put money into the new novel investment instrument. Because NFTs are underpinned by blockchain, which utilizes sophisticated encryption technology, there is a common belief that these assets are “unhackable.”

So, can an NFT be hacked? The simple answer is Yes. 

Any blockchain asset that is accessible online can be hacked. In this article, we’ll explore the most common ways hackers steal NFTs and how you can protect your NFTs against hack attacks.

A Rise in Blockchain Hack Attacks

There has been a rise in blockchain network attacks over the past decade. According to the 2021 Crystal Blockchain report, approximately $12 billion worth of blockchain assets have been stolen since 2011. The published statistics indicate a consistent increase in attacks over the years.

In 2021, assets valued at approximately $7.1 billion were stolen. This was a substantial jump from the $4.8 billion recorded in 2020.

How Hackers Steal NFTs

Crypto Hackers leverage myriad techniques to pilfer NFT assets. The following is a breakdown of some common methods.

Exploiting Webhooks

Webhooks are customized API functions that allow monitoring of online properties and can be set up to deploy once certain conditions are met. Webbooks in online crypto and blockchain communities are commonly used to push live notifications and are regularly targeted by malicious actors looking to deceive gullible users.

Attackers hijack them to send deceptive notifications that are designed to trick users into revealing their NFT wallet keys or transferring their assets.

In December 2021, the Fractal marketplace Discord channel was targeted by hackers who exploited the channel’s webbook interface. The attackers were able to dupe members into giving away their Solana coins by posting a fake NFT mint announcement. The plot was successful due to the channel’s weak anti-spoofing protocols.

While the hack only lasted about 10 minutes, over 800 Solana coins valued at approximately $150,000 were stolen.

Monkey Kingdom, another Solana-based NFT project, also fell victim to a similar Discord webhook scheme in the same period. The perpetrators reportedly got away with approximately $1.3 million worth of Solana coins.  

Failure to Activate 2FA

Hackers are increasingly targeting NFT users without strong wallet security safeguards, especially users who store their assets on marketplace hot wallets. Going by recent analytic reports, a significant number of NFT investors neglect to activate standard security features such as two-factor authentication (2FA).

Without this additional security layer, hackers can easily break into NFT marketplace accounts using scraped login credentials and brute-force techniques.

One NFT platform that has had some of its user accounts breached concomitantly as a result of this oversight is Nifty.  The attack, which took place in March 2021, affected users who had failed to activate their account 2FA security feature. Investigations into the attack revealed that the hackers used valid login credentials to log into the accounts.

Most NFT marketplace accounts have the 2FA feature. The verification procedure requires users to enter a code that is sent to their linked phone number or email address. Each 2FA code is unique and for one-time use only.

Phishing Schemes

Cybercriminals sometimes use phishing schemes to purloin NFTs. The latest phishing methods not only target user credentials but also automate account access by modifying smart contract permissions.

Delving into the details of how phishing attacks work, hackers utilizing this method create a website resembling one that is regularly used by a target. Victims are usually hoodwinked into clicking a link to the website and entering their login credentials. This information is recorded using scripts embedded on the fake website and then used by hackers to access victims’ accounts on the real website.

Phishing schemes targeting NFT wallets also use a more advanced technique called ice-phishing. Instead of entering credentials on the fake website, users are simply beguiled into connecting their wallet to a customized app – usually to “receive a reward.” The app, however, modifies wallet permissions to allow a transfer of all assets from the wallet to an address controlled by the hacker.

Among the most uncanny aspects regarding this category of attacks is that the hacker can decide to wait until a wallet has enough funds before executing a transfer. This makes it difficult for inexperienced users to discern when and how an attack took place as no login details are given away. However, an analysis of signed permission logs will reveal these details.

The infamous February 2022 OpenSea hack is an example of an elaborate ice-phishing scheme. It led to hundreds of NFTs being stolen from dozens of platform users. Over 250 NFTs valued at approximately $1.7 million were looted. The hacker reportedly tricked victims into signing a smart contract approving a private sale of their assets to him at 0 ETH.

Centralized Keys

Some NFT networks are centralized. This means that an administrator handles network keys. Whoever has access to them can transfer assets from the system with minimal problems.

While a significant number of NFT projects claim to be decentralized, many of them are not, and this is a risk to investors because the keys are a central point of failure that could lead to significant losses if compromised.

In an NFT marketplace situation, hackers can target network keys to breach connected NFT wallets en masse.

How to Protect Your NFTs Against Hack Attacks

The following is an outline of some tried and tested ways to safeguard NFT assets.

Use a Hardware Wallet

NFT marketplaces provide clients with a hot wallet to hold and trade assets. Hot wallets are convenient for trading NFTs as most complex transactional procedures are automated.  

However, hot wallets are riskier to use compared to cold wallets because they are always online. This makes them more open to cyberattacks. As such, using a hardware wallet is ideal, especially for users with high-value assets.

Hardware wallets keep NFT wallet keys offline. This strategy prevents online interception of private keys by threat actors. Hardware wallets make use of advanced encryption technology reinforced with secure chip architecture for enhanced security.

That said, top-rated hardware wallets such as Ledger and Trezor are compatible with trusted third-party software wallet providers such as MetaMask and MyEtherWallet. The hardware wallets keep the private keys secure even when connected to these applications and unsecured devices.

In instances where software-based wallets are synced to hardware wallets, users can initiate trades via the software-based wallets, but approval using the hardware wallet is required.  

Use a Reliable NFT Marketplace

When dealing with NFTs, it is best to use marketplaces that are reliable and have a high trust score. Looking at background audits by certified third-party cybersecurity firms will reveal their weaknesses. Established NFT platforms typically have a high trust score.

This due diligence is crucial because NFT platforms rely heavily on code. Selling an NFT, for example, entails running several smart contracts to authenticate an ownership transfer. Badly coded smart contracts can lead to asset losses because they are susceptive to exploits.

Generally, marketplaces managed by verified teams are considered safer because they uphold accountability in the event of a hack attack and usually compensate users if funds are lost due to a systemic attack. They are also less predisposed to rug pulls.

Avoiding Phishing Attacks

Hackers usually use phishing attacks to obtain NFT account credentials. Among the most basic steps to take in preventing these types of attacks is installing antivirus software that has anti-phishing features. Anti-phishing systems are designed to discern and block phishing web domains using a variety of techniques.

Some anti-phishing tools are able to scan web content for malicious data collection scripts to determine if a website is safe.

It is also advisable not to click on links sent via email, social media, or instant messaging, especially if they are from an unknown source.

Additionally, websites using HTTP (Hypertext Transfer Protocol) should be avoided. This is because they are unencrypted, and malicious entities can intercept data entered on such websites.

Sites utilizing Hypertext Transfer Protocol Secure (HTTPS) protocol are the standard for safeguarding online information. They are able to thwart common data interception ploys such as man-in-the-middle (MitM) attacks.

Lastly, NFT users should get into the habit of rotating their account passwords. This prevents hackers from successfully using reused passwords to break into accounts.

Conclusion

Hackers are leveraging numerous attack vectors to hack NFTs. Fortunately, NFT marketplaces are starting to develop more secure trading environments and upgrading their systems to curb intrusions.However, experts predict that the number of blockchain attacks, including NFTs, will continue to go up in subsequent years in lockstep with increased adoption. If you’re an NFT marketplace and you want to know more about how to keep your platform safe from hacks, reach out to our NFT security experts at halborn@protonmail.com.

Rob Behnke
04.06.2022