Even though Web3 evangelists have long touted blockchain’s native security features, the torrent of money flowing through the industry makes it a tempting prospect for hackers, scammers and thieves.
When bad actors succeed in breaching Web3 security, it is usually because users have been played through the oldest levers there are, greed, FOMO and ignorance, rather than because of flaws in the technology.
Many scams promise big payouts, investment returns or exclusive perks; the FTC groups these under investment scams.
Lots of money in scams
According to a June 2022 report from the Federal Trade Commission, more than $1 billion in cryptocurrency has been lost to scams since 2021. And scammers hunt where people congregate online.
“Almost half of people who said they lost crypto to a scam since 2021 said it started with an ad, post, or message on a social media platform,” the FTC said.
Although such offers sound too good to be true, potential victims suspend their disbelief amid the crypto market’s intense volatility; nobody wants to miss the next big thing.
Attackers targeting NFTs
Alongside cryptocurrencies, NFTs, or non-fungible tokens, have become an increasingly popular target for scammers; according to cybersecurity firm TRM Labs, in the two months following May 2022 the NFT community lost an estimated $22 million to scams and phishing attacks.
Blue chip collections such as Bored Ape Yacht Club (BAYC) are a particularly popular target. In April 2022, the BAYC Instagram account was hijacked by scammers who sent followers to a site that emptied their Ethereum wallets of crypto and NFTs. Some 91 NFTs, with a combined value of over $2.8 million, were stolen. Months later, a compromise of the BAYC Discord saw NFTs worth 200 ETH stolen from users.
High-profile BAYC holders have also been hit. On May 17, actor and producer Seth Green tweeted that he had fallen for a phishing scam that cost him four NFTs, including Bored Ape #8398. Beyond illustrating the threat posed by phishing, the theft could have derailed an NFT-themed TV/streaming show Green was planning, “White Horse Tavern”: BAYC NFTs come with license rights to use the ape commercially, as the Bored & Hungry fast food restaurant in Long Beach, California does.
I thought I was making clones of GutterCat – the phishing link looked clean
During a Twitter Spaces session on June 9, Green said he recovered the stolen JPEG after paying 165 ETH (over $295,000 at the time) to someone who purchased the NFT after it was stolen.
“Phishing is still the number one attack vector,” Luis Lubeck, security engineer at Web3 cybersecurity firm Halborn, told Decrypt.
Lubeck says users should be aware of fake websites that ask for wallet credentials, cloned links, and fake projects.
According to Lubeck, a phishing scam often starts with social engineering: a message announcing an early token launch, promising to multiply the user’s money by 100, warning of a weak API, or claiming that the account has been hacked and needs a password change. These messages usually come with a short deadline, which feeds the user’s fear of missing out, also known as FOMO.
In Green’s case, the phishing attack came via a cloned link.
Clone phishing is an attack in which a scammer takes a website, email or even a single link and creates a near-perfect copy that looks legitimate. Green believed he was minting “GutterCat” clones on what turned out to be a phishing website.
When Green connected his wallet to the phishing site and signed what he thought was a mint transaction, the attackers gained control of his Bored Apes. Signing a transaction does not reveal the private key itself, but a signature can authorize a contract to move the assets that key controls, and a malicious site can present such a request as a routine mint.
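The defence against a fake mint is to read what the wallet is actually being asked to sign rather than what the page says. The following is an added example, not code from the article or from Halborn: it decodes the calldata of a transaction request the way a wallet or a cautious user could, using the well-known four-byte function selectors of the ERC-20/ERC-721 calls that hand assets to a third party. The collection and attacker addresses and the sample requests are constructed for the demo.

```javascript
// Added example (not from the article or Halborn): decode the calldata a dApp
// asks a browser wallet to sign and report what the transaction really does.
// Selectors are the first four bytes of keccak256(function signature); the
// addresses and transactions below are constructed placeholders.

const SELECTORS = {
  "0xa22cb465": { name: "setApprovalForAll(address,bool)", risk: "critical" },
  "0x095ea7b3": { name: "approve(address,uint256)", risk: "high" },
  "0x23b872dd": { name: "transferFrom(address,address,uint256)", risk: "high" },
  "0x42842e0e": { name: "safeTransferFrom(address,address,uint256)", risk: "high" },
  "0xb88d4fde": { name: "safeTransferFrom(address,address,uint256,bytes)", risk: "high" },
  "0xa0712d68": { name: "mint(uint256)", risk: "low" },
};
const TRANSFER_SELECTORS = new Set(["0x23b872dd", "0x42842e0e", "0xb88d4fde"]);
const MAX_UINT256 = (1n << 256n) - 1n;

// i-th 32-byte ABI word after the 4-byte selector, as 64 hex characters.
function word(data, i) {
  const start = 10 + i * 64; // "0x" plus 8 selector hex chars
  const w = data.slice(start, start + 64);
  if (w.length !== 64) throw new Error(`calldata too short for ABI word ${i}`);
  return w;
}
const toAddress = (w) => "0x" + w.slice(24); // low 20 bytes of the word
const toBigInt = (w) => BigInt("0x" + w);

// Inspect one wallet request {to, value, data}; returns a verdict with warnings.
function inspectTransaction(tx) {
  const data = (tx.data || "0x").toLowerCase();
  const value = BigInt(tx.value || 0);
  const selector = data.slice(0, 10);
  const known = SELECTORS[selector];
  const verdict = {
    selector,
    name: known ? known.name : "unknown",
    risk: known ? known.risk : "unknown",
    warnings: [],
  };

  if (data === "0x") {
    // No function call at all: this cannot mint anything, it only moves ETH.
    verdict.name = "plain ETH transfer";
    verdict.risk = value > 0n ? "high" : "low";
    if (value > 0n) verdict.warnings.push(`sends ${value} wei to ${tx.to} with no contract call`);
  } else if (selector === "0xa22cb465") {
    verdict.operator = toAddress(word(data, 0));
    verdict.approved = toBigInt(word(data, 1)) !== 0n;
    if (verdict.approved) {
      verdict.warnings.push(`lets ${verdict.operator} move every token of this collection you own`);
    } else {
      verdict.risk = "low"; // revoking an operator is the safe direction
    }
  } else if (selector === "0x095ea7b3") {
    verdict.spender = toAddress(word(data, 0));
    verdict.amount = toBigInt(word(data, 1));
    verdict.warnings.push(
      verdict.amount === MAX_UINT256
        ? `unlimited allowance for ${verdict.spender}`
        : `allowance of ${verdict.amount} for ${verdict.spender}`
    );
  } else if (TRANSFER_SELECTORS.has(selector)) {
    verdict.warnings.push("transfers a token out of a wallet; a mint should create one");
  } else if (!known) {
    verdict.warnings.push(`unrecognised selector ${selector}: look it up before signing`);
  }
  return verdict;
}

// Constructed samples: a "mint" that is really setApprovalForAll, and a real mint.
const pad = (hex) => hex.replace(/^0x/, "").padStart(64, "0");
const COLLECTION = "0x1111111111111111111111111111111111111111"; // placeholder
const ATTACKER = "0x000000000000000000000000000000000000dead";   // placeholder
const FAKE_MINT = { to: COLLECTION, value: "0x0", data: "0xa22cb465" + pad(ATTACKER) + pad("0x1") };
const REAL_MINT = { to: COLLECTION, value: "0x16345785d8a0000", data: "0xa0712d68" + pad("0x1") };

console.log(inspectTransaction(FAKE_MINT));
console.log(inspectTransaction(REAL_MINT));
```

Wallets such as MetaMask already show the decoded function name, but the surrounding page text is controlled by the attacker, so the decoded call is the only part worth trusting. One caveat: off-chain signature requests (EIP-712 permits, marketplace listings) never produce a transaction and so never pass through a check like this; a site that asks for a signature instead of a transaction deserves the same scrutiny.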
Types of Cyber Attacks
Security breaches can affect both businesses and individuals. Although not a complete list, cyberattacks targeting Web3 generally fall into the following categories:
🎣 Phishing: One of the oldest yet most common forms of cyber attack, phishing usually arrives by email, but also as text messages and social media messages that appear to come from a trusted source. In Web3 it can also take the form of a compromised or maliciously coded website that drains crypto or NFTs from a browser-based wallet once the user connects it and approves what the site asks for.
🏴☠️ Malware: Short for malicious software, this generic term covers any program or code that is harmful to systems. Malware can enter a system through emails, text messages and phishing messages.
👾 Compromised websites: These legitimate websites are hacked by criminals and used to store malware that unsuspecting users download once they click on a link, image or file.
🪤 URL spoofing: Unlike compromised websites, spoofed websites are malicious sites built as clones of legitimate ones. Also known as URL phishing, these sites harvest usernames, passwords, credit card numbers, cryptocurrency and other personal information.
🤖 Fake browser extensions: As the name suggests, these exploits use fake browser extensions to trick crypto users into entering their credentials or keys into an extension that gives the cybercriminal access to data.
These attacks typically aim to access, steal, and destroy sensitive information or, in Green’s case, a Bored Ape NFT.
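Spoofed sites succeed because the address looks right at a glance. As an added example, not part of the article, the following checks a link's host against the sites the user actually uses before a wallet is connected to it, catching the usual tricks: a trusted brand buried in someone else's domain, digit-for-letter swaps, and internationalised (punycode) hosts. The allowlist, confusable table and sample links are constructed for the demo.

```javascript
// Added example (not from the article): screen a link's host against an
// allowlist before connecting a wallet. The allowlist, the confusable table
// and the sample URLs are constructed for this demo.

const TRUSTED_HOSTS = ["opensea.io", "app.uniswap.org", "metamask.io"];

// ASCII substitutions used in lookalike domains, mapped to the characters they
// imitate. Unicode lookalikes are caught separately via punycode below.
const CONFUSABLES = [["rn", "m"], ["vv", "w"], ["0", "o"], ["1", "l"], ["3", "e"], ["5", "s"], ["7", "t"]];

// Collapse a host to a "skeleton" so that 0pensea.io and opensea.io compare equal.
function skeleton(host) {
  let s = host.toLowerCase();
  for (const [from, to] of CONFUSABLES) s = s.split(from).join(to);
  return s.replace(/-/g, "");
}

// Last two labels of a host. Good enough for the demo; production code would
// consult the Public Suffix List so that names like example.co.uk work.
function registrableDomain(host) {
  return host.split(".").slice(-2).join(".");
}

// Returns {verdict, host, reason} with verdict allow, review, reject or unknown.
function checkLink(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return { verdict: "reject", host: null, reason: "not a valid URL" };
  }
  const host = url.hostname; // WHATWG URL lowercases and IDNA-encodes the host
  if (url.protocol !== "https:") return { verdict: "reject", host, reason: "not HTTPS" };
  if (TRUSTED_HOSTS.includes(host)) return { verdict: "allow", host, reason: "exact allowlist match" };
  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    return { verdict: "reject", host, reason: "internationalised (punycode) host; verify manually" };
  }
  const mine = registrableDomain(host);
  for (const trusted of TRUSTED_HOSTS) {
    const t = registrableDomain(trusted);
    if (mine === t) return { verdict: "review", host, reason: `unlisted subdomain of ${t}` };
    if (host.includes(t)) return { verdict: "reject", host, reason: `${t} embedded in an unrelated domain` };
    if (skeleton(mine) === skeleton(t)) return { verdict: "reject", host, reason: `lookalike of ${t}` };
  }
  return { verdict: "unknown", host, reason: "not on the allowlist" };
}

// Constructed links exercising each pattern (the fourth uses a Cyrillic "о").
const SAMPLE_LINKS = [
  "https://opensea.io/collection/example",
  "https://opensea.io.claim-mint.xyz/",
  "https://0pensea.io/",
  "https://\u043epensea.io/",
  "http://metamask.io/",
  "https://mint.uniswap.org/",
];
for (const link of SAMPLE_LINKS) console.log(link, checkLink(link));
```

The point of the allowlist is that it is the user's own list of sites, typed in once, rather than anything a message or a search result supplies; a link that lands on "unknown" or "review" is the moment to stop and type the address by hand instead.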
What can you do to protect yourself?
Lubeck says the best way to protect against phishing is to never respond to an email, text, Telegram, Discord or WhatsApp message from an unknown person, company or account. “I will go further than that,” added Lubeck. “Never enter credentials or personal information if the user has not started the communication.”
Lubeck recommends that you do not enter credentials or personal information when using public or shared networks or Wi-Fi. Moreover, Lubeck told Decrypt that people should not have a false sense of security because they are using a particular operating system or type of phone.
“When we’re talking about these types of scams: phishing, webpage impersonation, it doesn’t matter if you’re using an iPhone, Linux, Mac, iOS, Windows, or Chromebook,” he says. “Name the device; the problem is the site, not your device.”
Keep your crypto and NFTs safe
Let’s look at a more “Web3” action plan.
When possible, use a hardware wallet or other offline storage for digital assets. These devices, sometimes described as “cold storage”, keep your private keys off any internet-connected device until you are ready to sign something. Browser-based wallets such as MetaMask are common and convenient, but remember that anything connected to the internet can be hacked.
If you use a mobile, browser or desktop wallet, also known as a hot wallet, download it from an official platform such as the Google Play Store, the Apple App Store or the project’s verified website. Never download from links sent via SMS or email. Malicious apps do sometimes slip into official stores, but that is still safer than following links.
After completing your transaction, disconnect the wallet from the website. Note that disconnecting only removes the site’s ability to see your address and request signatures; it does not undo any token approval you already signed, which stays on chain until you revoke it.
Be sure to keep your private keys, seed phrases, and passwords private. If you are asked to share this information to participate in an investment or mint, it is a scam.
Only invest in projects you understand. If it’s unclear how the program works, stop and do more research.
Ignore high-pressure tactics and tight deadlines. Scammers use them to invoke FOMO and stop potential victims from thinking or researching what they are being told.
Finally, if it sounds too good to be true, it’s probably a scam.