The non-fungible token (NFT) industry is often described as the “Wild West” due to the prevalence of hacks and scams. NFTs are an experimental technology, and regulations are unclear, yet they can also be enormously valuable, making them a prime target for cybercriminals.
A case in point occurred last month when Ethereum co-founder Vitalik Buterin’s account on X (formerly known as Twitter) was taken over by malicious actors, who promptly leveraged it to steal a large number of NFTs from his followers.
The account posted a malicious link advertising a way to obtain a free “Proto-Danksharding” NFT offered in partnership with Consensys, creator of the popular MetaMask wallet. However, when users clicked on the link and connected their wallets to collect the NFT, it injected malware that promptly transferred the digital assets within to the hacker’s possession.
According to X user @ZachXBT, the scam lifted more than $690,000 worth of NFTs, including CryptoPunk #3983, valued at around $244,000 in ETH.
The incident underscores the dire need for users to properly secure their digital assets. What follows are some essential tools to ensure your NFTs never end up in the wrong hands:
A hardware wallet is the most secure wallet around. Commonly known as a “cold wallet,” it stores digital assets offline, providing an extra layer of protection.
With hardware wallets such as Ledger and Trezor, users must sign each transaction locally, on the device, using their private key. The private key is stored on the device too, and the device itself can be disconnected when not in use, ensuring it is rarely exposed to the internet. In this way, no transaction can be enabled without the user’s permission. Hardware wallets are much more difficult to hack than software wallets, so they make sense for anyone storing valuable assets. However, users should note that their hardware wallet won’t save their assets if they inadvertently approve a malicious transaction themselves.
In addition to using a hardware wallet, you can use a specialist tool known as a lockbox, such as Crypt Keeper or Cryptosteel, to secure your seed phrase.
The seed phrase acts as a password to gain access to your crypto wallet. Whenever you create a software wallet, it will generate a seed phrase for you and ask you to keep this safe. Depending on the wallet, the seed phrase will be a string of 12 or 24 random words. You can use this phrase to restore your wallet on any PC or smartphone. Crypt Keeper and Cryptosteel are flash drive-like devices that can be used to store any seed phrase. They’re made from extremely durable materials such as high-grade steel and deeply engraved tiles to ensure protection against data degradation, water and fire damage, and mechanical or electrical shock.
The takeover of Buterin’s X account was an example of a so-called “phishing” attack, where users are enticed to click on a malicious link. Hackers will tempt users with the promise of free tokens or access to NFT airdrops, but the moment they click the link and connect their wallet, a malicious smart contract will try to obtain permission to spend the assets inside it. If the user then grants permission, their NFTs will immediately be sent to the hacker’s address. Once this happens, they’re irretrievable.
You can prevent this with a browser extension like Blockfence, which serves as a critical last line of defense that alerts users any time they’re about to interact with a suspect URL or smart contract. It works by using AI and community-based knowledge to identify suspicious links and known scammers’ wallet addresses. Whenever it detects something risky, it will throw up a red alert to notify you of the danger.
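On Ethereum, permission to move someone's tokens is normally granted through the standard `setApprovalForAll` (ERC-721) or `approve` (ERC-20 and ERC-721) calls, so the grant described above is visible in the transaction data before it is signed. The following is an added example, not code from Blockfence or any wallet; the function names, risk labels and sample addresses are constructed for illustration.

```python
SET_APPROVAL_FOR_ALL = bytes.fromhex("a22cb465")  # setApprovalForAll(address,bool)
APPROVE = bytes.fromhex("095ea7b3")               # approve(address,uint256), ERC-20 and ERC-721
ZERO_ADDRESS = "0x" + "00" * 20
MAX_UINT256 = 2**256 - 1


def encode_call(selector: bytes, grantee: str, value: int) -> str:
    """Build constructed sample calldata: selector + two 32-byte ABI words."""
    return "0x" + (selector + bytes(12) + bytes.fromhex(grantee[2:])
                   + value.to_bytes(32, "big")).hex()


def inspect_calldata(data_hex: str, trusted=frozenset()) -> dict:
    """Classify calldata a site asks the wallet to sign, before signing it.

    `trusted` holds lowercase addresses the user has chosen to trust (assumption).
    """
    data = bytes.fromhex(data_hex[2:] if data_hex.startswith("0x") else data_hex)
    selector, args = data[:4], data[4:]
    if selector not in (SET_APPROVAL_FOR_ALL, APPROVE):
        return {"call": "other", "risk": "not-an-approval"}
    # Both functions take exactly two words; an address is left-padded with zeros.
    if len(args) != 64 or args[:12] != bytes(12):
        return {"call": "malformed", "risk": "high"}
    grantee = "0x" + args[12:32].hex()
    value = int.from_bytes(args[32:], "big")
    if selector == SET_APPROVAL_FOR_ALL:
        call, revokes = "setApprovalForAll", value == 0  # bool false = revoke
    else:
        # approve(x, 0) revokes on ERC-20 but approves token #0 on ERC-721, so
        # only the zero-address form is treated as a safe revocation here.
        call, revokes = "approve", grantee == ZERO_ADDRESS
    if revokes:
        risk = "low"
    elif grantee in trusted:
        risk = "review"
    else:
        risk = "high"
    return {"call": call, "grantee": grantee, "risk": risk,
            "unlimited": selector == APPROVE and value == MAX_UINT256}


if __name__ == "__main__":
    UNKNOWN = "0x" + "11" * 20   # constructed address, stands in for an unknown operator
    MARKET = "0x" + "22" * 20    # constructed address, stands in for a user-trusted contract
    for sample in (encode_call(SET_APPROVAL_FOR_ALL, UNKNOWN, 1),
                   encode_call(SET_APPROVAL_FOR_ALL, UNKNOWN, 0),
                   encode_call(APPROVE, MARKET, MAX_UINT256)):
        print(inspect_calldata(sample, trusted=frozenset({MARKET})))
```

A "high" result means the transaction would hand an unrecognised address control over tokens, which is the point at which the user should refuse to sign.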
FairSide, which recognizes that hacks and scams can always happen in the crypto space, is a decentralized wallet theft protection service that anyone can use to insure their digital assets.
FairSide offers its policies to any crypto user, covering any type of digital asset they hold within their wallet up to a maximum value of 100 ETH ($163,000 at the time of writing). Should your digital assets be stolen via a phishing attack, you can immediately request compensation. Third parties will verify the legitimacy of the claim, with most claims being paid out within just 72 hours.
The great thing about FairSide is that it’s relatively affordable. Policy holders are charged a flat rate of just 1.95% of the value of the assets held within the protected wallet. Those with assets worth more than 100 ETH can contact FairSide to obtain a bespoke policy.