Cybersecurity in Web3: Protecting Yourself (And Your Ape JPEG)

Profile picture
Decrypt
9w ago2022-08-02

Even though Web3 evangelists have long touted the native security features of blockchain, the torrent of money flowing into the industry makes it a tempting prospect for hackers, scammers and thieves.

When bad actors succeed in breaching Web3 cybersecurity, it's often down to users overlooking the most common threats of human greed, FOMO, and ignorance, rather than because of flaws in the technology.

Many scams promise big payoffs, investments, or exclusive perks; the FTC calls these money-making opportunities and investment scams.

Big money in scams

According to a June 2022 report by the Federal Trade Commission, over $1 billion in cryptocurrency has been stolen since 2021. And the hackers' hunting grounds are where people gather online.

"Nearly half the people who reported losing crypto to a scam since 2021 said it started with an ad, post, or message on a social media platform," the FTC said.

Although fraudulent come-ons sound too good to be true, potential victims may suspend disbelief given the intense volatility of the crypto market; people don't want to miss out on the next big thing.

Attackers targeting NFTs

Along with cryptocurrencies, NFTs, or non-fungible tokens, have become an increasingly popular target for scammers; according to Web3 cybersecurity firm TRM Labs, in the two months following May 2022, the NFT community lost an estimated $22 million to scams and phishing attacks.

"Blue-chip" collections such as Bored Ape Yacht Club (BAYC) are a particularly prized target. In April 2022, the BAYC Instagram account was hacked by scammers who diverted victims to a site that drained their Ethereum wallets of crypto and NFTs. Some 91 NFTs, with a combined value of over $2.8 million, were stolen. Months later, a Discord exploit saw NFTs worth 200 ETH stolen from users.

High-profile BAYC holders have fallen victim to scams, too. On May 17, actor and producer Seth Green tweeted that he was the victim of a phishing scam resulting in the theft of four NFTs, including Bored Ape #8398. As well as highlighting the threat posed by phishing attacks, it could have derailed an NFT-themed television/streaming show planned by Green, "White Horse Tavern." BAYC NFTs include licensing rights to use the NFT for commercial purposes, as in the case of the Bored & Hungry fast food restaurant in Long Beach, CA.

During a June 9 Twitter Spaces session, Green said that he had recovered the stolen JPEG after paying 165 ETH (more than $295,000 at the time) to a person who had bought the NFT after it was stolen.

"Phishing is still the first vector of attack," Luis Lubeck, a security engineer at Web3 cybersecurity firm, Halborn, told Decrypt.

Lubeck says that users should be aware of fake websites that ask for wallet credentials, cloned links, and fake projects.

According to Lubeck, a phishing scam may start with social engineering, telling the user about an early token launch or that they will 100x their money, a low API, or that their account has been breached and requires a password change. These messages usually come with a limited time to act, further driving a user's fear of missing out, also known as FOMO.

In Green's case, the phishing attack came via a cloned link.

Clone phishing is an attack where a scammer takes a website, email, or even a simple link and creates a near-perfect copy that looks legitimate. Green thought he was minting "GutterCat" clones using what turned out to be a phishing website.

When Green connected his wallet to the phishing website and signed the transaction to mint the NFT, he gave the hackers access to his private keys and, in turn, his Bored Apes.

Types of Cyber Attacks

Security breaches can affect both companies and individuals. While not a complete list, cyberattacks targeting Web3 typically fall into the following categories: