What would it take for you to quit crypto, NFTs, and blockchain entirely?
How much money would you need to lose before you got up from your computer and developed a new hobby? How about $2.2 million?
People are Losing Their NFTs
Without knowing it, he’d signed a fake contract purporting to come from a legitimate NFT dApp. The contract offered a hacker open access to his OpenSea wallet, and the hacker promptly sucked it for all it was worth. The collection comprised 16 NFTs: Eight Bored Apes, seven Mutant Apes, and a CloneX NFT — whose total valuation at the time was estimated at $2.2 million (593 ETH).
Unabridged digital ownership — the fundamental tenet of non-fungible tokens — is an attractive idea. And it’s dangerous. With unquestionable and unbreakable possession over your digital assets, you have the power to do whatever you want, without anyone else standing in your way. You also have the power to screw up massively, without anyone else to save you. So it was for Todd Kramer.
So it was two months later when, in the span of a few hours, 17 other investors signed over hundreds of their NFTs to cybercriminals.
When I covered the OpenSea phishing attack in February, I came across a number of different perspectives from the NFT community. Some blamed the victims. Some blamed the platform’s cybersecurity. Some simply basked in schadenfreude. But one side to the story was simply ignored.
Because February’s OpenSea heist was also a proof of concept, and a demonstration of just how cuttingly effective phishing is — and will continue to be — in stealing NFTs and cryptocurrency for years to come. Because the very nature of these assets make them incredibly vulnerable. Not even cybercriminals could have imagined an easier target. So it’s likely that the worst NFT phishing stories are still to be written.
If you don’t want to be the subject of such a news story, you’ll need to understand how phishing works, and how to protect yourself.
How Phishing Works
The first ever phishing campaign against a financial system took place many years ago, against a different kind of “digital gold.”
An unlikely inventor had crafted this digital gold — a payment network where anyone could anonymously invest, store, and transact coins with anyone they chose. All of it occurred outside of the typical fiat system, on an immutable online ledger.
This was, of course, e-gold.
E-gold was invented by a middling oncologist, run by a bank — Gold & Silver Reserve Inc. (G&SR) — and pseudonymous. And yet, it reached crypto levels of exponential growth. In the year 2000, for example, digital gold’s trading volume rose from 1,250 per month (about $350,000 in value) to over 450,000 (approximately $125 million). By 2006, it was worth $2 billion. By 2004, there were a million e-gold account holders. Five years on, there were five million.
The most enthusiastic adopters were criminals. Scammers ran rampant in e-gold-based auctions — lying, shilling, posting fake reviews — and created phony “escrow” services that disappeared as soon as you’d handed over your money. The most common approach, starting in June 2001, involved blasting emails to investors that claimed to come from e-gold.com. These emails all shared the same core characteristics:
Phishing is effective in all kinds of settings, from corporate IT to personal banking, but there were certain characteristics of e-gold that made it uniquely vulnerable:
E-gold died in 2009, the same year that another, even more popular form of digital gold, was invented. But our newer blockchain-based assets, Bitcoin included, share all the same characteristics that made e-gold vulnerable to phishing attacks. In fact, crypto and NFTs are even more anonymous and irreversible, not to mention unregulated, and consequently even more at risk.
How Phishing Works on the Blockchain
It was a Saturday evening in February when NFT owners started to panic.
Gradually, a few OpenSea users noticed items disappearing from their wallets without apparent explanation. Theories abounded. Maybe it had something to do with the recent token airdrop from a knockoff marketplace called X2Y2. Or maybe OpenSea had been hacked. Even users who hadn’t lost anything yet started to worry that their wallets were next.
Nobody knew what had happened because, when you realize you’ve been phished, it’s already too late. The attack, it turned out, wasn’t so sophisticated after all — mostly rehashing the same old tricks we’ve been seeing for decades:
What’s most remarkable, in retrospect, is the low-grade nature of the campaign: A copy-pasted email and a (mostly) copy-pasted landing page — all designed by a single hacker. The reason it worked so well is because the blockchain leaves users to fend for themselves:
17 investors ended up clicking on “Sign.” In total, they lost 254 tokens worth millions of dollars.
How to Protect Yourself
Whenever a major, newsworthy phishing campaign occurs, you’ll hear the same advice.
You’ll hear a lot about cybersecurity best practice. For example, “pay extra attention to where and when you sign a transaction,” Check Point wrote in their blog, adding “we don’t recommend clicking on links from emails no matter who is the sender, always try to find the same information on the website provider.”
You’ll also hear a lot about education. “When individuals get more educated, it prevents the likelihood of phishing attacks taking place,” Jake Fraser of Mogul Productions told me last month. “It is crucial that they know how to identify the red flags when a phishing attack is taking place.”
You’ll hear a lot about awareness. Like from the CTO of GameFi company Bluzelle who, in an interview with Cointelegraph, could only offer platitudes. “Users need to be super aware of the risks of responding to and acting upon emails they receive,” he said. “Emails can be faked very easily, and users need to be proactive about the safety of their crypto assets.”
Basic cybersecurity, education, and awareness are all good principles, but they don’t stick. The average person receives well over a hundred emails every day. How can you be “aware” for every single one of them, every day, for the rest of your life? How many of us are going to spot a small discrepancy in an otherwise perfectly copied email, especially when we’re tired or multitasking or listening to music?
Ultimately there’s only one reliable way to protect your NFTs against cyberattackers. It’s something Todd Kramer learned the hard way.
Luckily — and controversially — OpenSea was able to pause the sale of some of his assets before they were sold off. But after a still-seven-figure loss, he got the message. Five hours into the worst night of his life, he tweeted:
Update.. All Apes are frozen,,. Waiting for opensea team to get in,,,lessons learned. Use a hard wallet…
A hardware wallet — offline storage — won’t outright prevent you falling victim to a cyberattacker, but it might mitigate the impact if you do. The extra steps involved in transferring a token to your offline wallet will give your brain extra time to scrutinize any discrepancies in an email or landing page. More importantly, hackers can’t move laterally within an offline wallet. That is to say, they can’t use one entry point — one software vulnerability, one login, one stolen NFT — to get to everything you’ve got (unless that one entry point is your private key).
If Todd Kramer had stored his NFTs on a physical device, his hacker would’ve needed access to that device in order to sell off its contents. If the victims of February’s OpenSea attack used offline storage, there simply would’ve been no NFTs to steal from their accounts. And, while we’re at it, cold storage could’ve saved Waka Flocka Flame 19,000 dollars.
In the months and years to come there will be more stories of NFT phishing. Blockchain-based assets are just too juicy for cyberattackers to pass up. But will that deter collectors? Kramer is still an active member of the community even after his seven-figure loss. How much would it take for you to give up this hobby?
Hopefully, with the knowledge you have now, you’ll never have to reckon with that question.
Nate Nelson is a freelance writer for some of the world’s leading technology companies, dev teams and crypto YouTubers. He writes and produces “Malicious Life,” a Top Tech podcast on Apple and Spotify, and co-hosts “The Industrial Security Podcast,” the leading show in its field. You can find his work on Forbes, Medium, and publications around the web.