Can NFTs Be Hacked? 8 Scams to Watch For

Can NFTs be hacked?

Can NFTs be hacked? If you’re also asking this question, read on as I explain NFT hacking in this NFT security awareness article.

An NFT usually can’t be hacked by itself as it’s simply a token that exists on the blockchain. However, scammers and hackers use nefarious methods to convince holders and collectors to hand over their NFTs or crypto wallet keys. They can also exploit the contract behind an NFT and convince holders to sign transactions through social engineering.

Someone with in-depth knowledge of NFT exchange security loopholes, wallet phishing tactics, and website programming can also hack digital assets if a holder doesn’t take steps to secure their assets.

[Image: Twitter status about Seth Green’s NFT phishing scam incident]

Even those who have been in the NFT space for a while can fall victim to hacking attacks. For instance, popular celebrity Seth Green was a victim of an NFT phishing scam and lost valuable NFTs like Doodles, Bored Ape Yacht Club, and Mutant Ape Yacht Club.

However, hacking an NFT by attacking the blockchain itself isn’t feasible. For that, a hacking group would need to own 51% of the nodes of the entire network that validates transactions. This is too costly and ineffective with robust NFT blockchains like Ethereum, Tezos, Solana, etc.

The Common Methods of NFT Hacks

A potent mix of NFT wallet users’ apathy to cybersecurity, project negligence, and even greed enables hackers to wreak havoc on an individual’s NFT wallet. Here are some popular NFT hacking attack approaches to watch out for:

1. NFT Marketplace’s Security Vulnerability

Hackers can inject malicious JavaScript or other code into an NFT website. Such code usually shows up as pop-ups and other notifications that lure users into revealing their private wallet keys to the scammers.

Bitdefender reported that the popular allowlist platform, PREMINT, got hacked, and its users suffered a combined asset loss of $375,000. It was a JavaScript code hack that exploited a security weakness in PREMINT’s online portal. 

2. Smart Contract Vulnerability

Some cheap, new or opportunistic NFT projects fail to secure the underlying smart contract code that mints NFTs. Hackers can exploit these contract vulnerabilities to steal NFTs from a wallet and also take ETH from collectors.

3. Webhook Attacks

NFT marketplaces and social media apps use webhooks to monitor online platforms for news or updates. Once a webhook notices a keyword or news of interest, it automatically instructs the beneficiary websites and apps to send notifications such as pop-ups, emails, and texts to users.

For example, a hacked centralized wallet could notify you that someone has offered a bid price on your NFT, but the bid is actually fake.

Hackers exploit this webhook feature of apps and websites to send users misleading notifications, and they do it at massive scale since webhooks work across many platforms. If you take any action based on such malicious updates, you might lose your entire NFT collection.

4. Social Media Channel Takeovers

For the NFT community, Twitter, Instagram, and Discord are the most popular meeting places. It has become an unofficial custom that all NFT projects must maintain a community server on Discord.

[Image: OpenSea Discord hack]

NFT hackers try to gain control over Discord servers of NFT projects and communities. If they gain access to the target Discord community as mods, they use automated bots to spread misleading pop-ups via direct messages and announcements. 

Similarly, hackers may hack the Twitter or Instagram account of an NFT project to roll out fake minting events and drops or to promote NFT scams. The goal is to get members to sign transactions that drain their wallets or ETH.

5. NFT Phishing Attack

Phishing to steal NFTs is a popular type of hack. Hackers send spam emails with OpenSea and other marketplace offers. Sometimes, these phishing emails may also tell you that your crypto wallet is in danger and needs fixing.

Click on the wrong link and approve a transaction, and you could inadvertently transfer the NFT or give hackers access to your digital wallet by handing over private keys or seed phrases.
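Added example (not part of the original article): what a wallet-side check could look for in the transaction data before you approve. It decodes the call and warns on the standard ERC-721/ERC-20 functions that give another address control of tokens; the helper name review_calldata, the addresses and the sample calldata are constructed for illustration.

```python
# Added example: decode transaction calldata and warn on standard token
# functions that hand control of NFTs to another address.
# Selector = first 4 bytes of keccak256 of the function signature.
SET_APPROVAL_FOR_ALL = "a22cb465"  # setApprovalForAll(address,bool)
APPROVE = "095ea7b3"               # approve(address,uint256)
TRANSFERS = {"23b872dd",           # transferFrom(address,address,uint256)
             "42842e0e"}           # safeTransferFrom(address,address,uint256)

def _pad(hex_value):
    """Left-pad a hex value to one 32-byte ABI word."""
    return hex_value.rjust(64, "0")

# Constructed placeholder addresses and calldata (not real accounts).
ME = "0x" + "22" * 20
STRANGER = "0x" + "11" * 20
SAMPLE_APPROVE_ALL = "0x" + SET_APPROVAL_FOR_ALL + _pad(STRANGER[2:]) + _pad("1")
SAMPLE_REVOKE_ALL = "0x" + SET_APPROVAL_FOR_ALL + _pad(STRANGER[2:]) + _pad("0")
SAMPLE_TRANSFER = "0x23b872dd" + _pad(ME[2:]) + _pad(STRANGER[2:]) + _pad("7")

def review_calldata(calldata, my_address, trusted=()):
    """Return warnings for a transaction the wallet is being asked to sign."""
    data = calldata.lower()
    data = data[2:] if data.startswith("0x") else data
    selector, body = data[:8], data[8:]
    if len(body) % 64 or set(body) - set("0123456789abcdef"):
        return ["malformed calldata: refuse to sign"]
    args = [body[i:i + 64] for i in range(0, len(body), 64)]
    addr = lambda word: "0x" + word[-40:]   # address = low 20 bytes of the word
    me = my_address.lower()
    known = {a.lower() for a in trusted}    # operators you have chosen to trust
    if selector == SET_APPROVAL_FOR_ALL and len(args) >= 2:
        # approved == true gives the operator every token in the collection.
        if int(args[1], 16) and addr(args[0]) not in known:
            return [f"lets {addr(args[0])} move every NFT you hold in this collection"]
    elif selector == APPROVE and len(args) >= 2:
        # ERC-721: second word is a token id; ERC-20: an amount.
        # Approving the zero address clears an approval, so it is not flagged.
        if int(args[0], 16) and addr(args[0]) not in known:
            return [f"lets {addr(args[0])} move token id/amount {int(args[1], 16)}"]
    elif selector in TRANSFERS and len(args) >= 3:
        if addr(args[0]) == me and addr(args[1]) != me:
            return [f"sends token {int(args[2], 16)} from you to {addr(args[1])}"]
    return []
```

An empty list only means none of these four functions was recognised; it does not mean the transaction is safe.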

6. NFT Wallet Hacks

Bad actors sometimes send malicious URLs to their target NFT collectors via emails, Discord messages, Telegram chats, etc. Such links take you to a clone of the actual NFT wallet login screen, NFT marketplace login screen, etc.  

When you enter credentials on these duplicate interfaces, you’re not logging in to your MetaMask or other wallet. Instead, you’re handing over signed transactions that hackers can use to steal ETH or transfer NFTs to their addresses.
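Added example (not part of the original article): a link check that compares a URL's host against the sites you actually use and flags hosts that only resemble them, which is how cloned login pages are usually reached. The TRUSTED list and the sample URLs in the comments are assumptions to adapt; taking the last two labels as the registered domain is a simplification that does not handle suffixes such as co.uk.

```python
from urllib.parse import urlsplit

# Assumption: the sites you really use; replace with your own bookmarks.
TRUSTED = ("opensea.io", "metamask.io", "discord.com")

def edit_distance(a, b):
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_link(url):
    """Classify a link as trusted, lookalike, unknown or invalid."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        return "invalid"  # no scheme or no host, e.g. "opensea.io/login"
    if any(host == t or host.endswith("." + t) for t in TRUSTED):
        return "trusted"
    # Punycode or raw non-ASCII names can imitate Latin letters.
    if host.startswith("xn--") or ".xn--" in host or not host.isascii():
        return "lookalike: internationalized name"
    labels = host.split(".")
    registered = ".".join(labels[-2:])  # simplification, see lead-in
    for t in TRUSTED:
        brand = t.split(".")[0]
        # Typo-squat, e.g. constructed sample "opensae.io".
        if edit_distance(registered, t) <= 2:
            return f"lookalike: close to {t}"
        # Brand used as a subdomain or inside another name, e.g. the
        # constructed sample "opensea.io.login-verify.example".
        if any(brand in label for label in labels):
            return f"lookalike: contains '{brand}'"
    return "unknown"
```

Treat "unknown" as untrusted too: the check only separates hosts you have listed from everything else and adds a reason when the resemblance is detectable.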

7. Hacking Centralized Private Keys

Custodian online wallets store your NFT wallet’s private keys on the wallet app or NFT marketplace server. For instance, Nifty Gateway stores all the users’ wallet private keys in a centralized database, as mentioned in an article published by Nifty Gateway.

Expert cyber hacking groups can target NFT marketplaces, hack databases, and steal wallet private keys to siphon NFTs off somewhere else.

According to this Yahoo! Finance report, a few Nifty Gateway users suffered from NFT theft. Hackers gained access to some usernames and passwords stored on Nifty Gateway servers.   

8. Lack of Strong Wallet Security

If you don’t activate two-factor authentication (2FA) for crypto marketplaces and exchanges, it becomes easier for hackers to gain access to your crypto wallet. From there, they could transfer any NFTs and crypto from your wallet to theirs.    

Can NFTs Be Hacked? The Trend So Far

According to ZebPay, NFT-related cyber crimes caused up to $52 million in losses to the NFT industry till April 2022, and there’s no indication that such hacking attacks will decline anytime soon. These are the high-profile hacks that hit the NFT industry hard:

  • PeckShield pointed out the OpenSea Discord server hacking attack on May 6, 2022. The hack promoted scam NFT mints to defraud the OpenSea Discord members.
  • According to a CoinDesk report, the Discord and Instagram accounts of the BAYC NFT project got hacked on Apr 25, 2022. BAYC officials claimed that the estimated losses of 6 Mutant Apes, 4 Bored Apes, and 3 Bored Ape Kennel Club (BAKC) NFTs are approximately $3 million in value.       

How to Prevent NFT Hacks

  • Use a cold wallet like Ledger Nano X, Trezor, etc.
  • Set up 2FA on all of your custodian NFT wallet addresses!
  • Choose NFT marketplaces that offer better security.
  • Don’t fall prey to phishing scams.
  • Never share crypto wallet private keys with anyone.
  • Ignore NFT minting and trading offers from unsolicited persons via Telegram, Discord, spam emails, etc.   

Every digital technology has loopholes, and NFTs are no different. Bad actors are there to exploit security vulnerabilities and steal your collectibles to earn easy money. For more safety tips, check out our guide to NFT rug pulls.

Author

  • Tamal is a freelance writer at TheNFTBrief. After gaining substantial experience in technology, finance, and business processes in his previous job in an IT consulting company, he adopted writing as a full-time profession 3 years ago. While not writing about the latest technology, he loves to play COD and binge-watch the Beluga YouTube channel.