An Existential Threat to the Nascent Art Market for NFTs
What does the great art heist look like in 2022?
If you are following the dominant art news headlines, it is likely to involve a cyber-attack on an NFT marketplace or a hacked social media account resulting in stolen NFTs — and a whole fortune in cryptocurrency associated with it.
Recent research from Comparitech shows that NFT thefts are becoming more frequent than ever — and more profitable. The company has kept track of NFT thefts ever since the NFT standard was introduced and recorded the first stolen NFTs as early as 2020. Since then, over $86.6M of NFTs have been stolen, worth over $896.5M at today’s prices.
In fact, some of the biggest names in the NFT art industry have fallen prey to cybercrimes in 2022:
- Feb 2022: A phishing attack on the OpenSea marketplace resulted in NFT investors losing $1.7M
- Apr 2022: Bored Ape Yacht Club’s (BAYC) Instagram account was hacked, and dozens of NFTs were stolen from users. With $13.7M stolen, the BAYC hack ranks as the third-largest NFT hack ever.
- May 2022: Beeple’s followers lost $438K to a phishing scam after the NFT artist’s Twitter account was hacked.
The rapid expansion in the number of artists, collectors and companies dealing in NFTs in the last couple of years has been a boon to the overall size of the art trade and has attracted a whole new class of collectors. But it has also left many players exposed and vulnerable to cyber threats, as demonstrated by the growing frequency of NFT thefts this year.
One of the primary reasons for this disheartening trend is a lack of focus on security issues by those building the platforms and technology infrastructure for NFTs. One of the respected leaders in the crypto industry, Joe Lubin, the CEO of ConsenSys, alluded to this problem during a recent panel discussion at Christie’s annual Art + Tech summit.
When asked about protecting cryptocurrency exchanges, NFT marketplaces and Web3 platforms against bad actors, he acknowledged that, in the nascent phase of building these systems, security concerns typically take a back seat to functionality and feature development or monetization objectives with the following remark: “when you are building a system you are not thinking about how to break it. That’s the job of white hackers.”
As NFT-related cybercrime continues to grow in kind and number — encompassing NFT theft, phishing attacks and scams, sales of counterfeit NFTs, artificial wash trading on NFT marketplaces and hacked digital wallets — security concerns can no longer be overlooked. In this piece, we will zip through the most common cyber threats in the world of NFT art and scratch below the surface of the best strategies to confront them and make NFT platforms safer and more secure. So, if thwarting cyber-attacks is top of your agenda, I urge you to stick with me.
Types of Cybercrimes in the NFT Realm
Threats to Crypto Wallets
Perhaps the most “basic” threat here is stealing the details of a platform member’s cryptocurrency wallet, or their exchange credentials. This type of attack typically involves malware. Mars Stealer is an example of a powerful new malware family targeting cryptocurrency holdings. It can steal crypto stored in the user’s wallet by attacking the wallet’s browser extensions. As of February 2022, it had been found to target 40+ different browser-based digital wallets.
Another type of malware that targets the crypto wallet where both NFTs and cryptocurrency are stored is the “crypto clipper” — malware that replaces the wallet address receiving crypto funds at the last second by manipulating the clipboard service. It works by monitoring the Windows clipboard and acting when it identifies a cryptocurrency wallet address stored there. It then replaces the wallet address in the clipboard with one that the attacker controls, so the funds are diverted to that wallet.
Identity Theft
Another layer at which malicious actors can profit is identity fraud. Briefly, the process works as follows: once an NFT is minted or purchased, it is stored in a digital wallet that is accessed with a private key, the analogue of a traditional password.
Hackers can obtain access to this key — for instance, through an NFT platform breach and credential leakage — and effectively become the owners of a user’s NFTs. Once they transfer the NFT to a different marketplace, that transfer is recorded on the blockchain, making it all but impossible for the true owner to verify authenticity and ownership. This is what happened to the NFT marketplace Nifty Gateway in 2021.
Alternatively, fraudsters may steal an artist’s identity to sell NFTs of their artwork, like the scammer who stole 2,000 NFTs from an English artist and pre-sold them on Discord. As a result, the fake artist stole about $140K in assets from 2,000 people, sending them a bunch of ordinary emojis instead of the authentic NFTs.
Buggy Contracts
Along with cybersecurity issues involving fraudsters, NFT platforms may suffer from technical issues which can be used by fraudsters as a back door letting them sneak in. Specifically, there are several issues related to smart contracts.
In reference to NFTs, the term “smart contract” does not mean an offer, acceptance, and consideration, but a collection of code and data at a specific address on the blockchain. Smart contracts tied to NFTs are therefore inherently “programmable,” and their programmable nature comes with benefits as well as risks: they can be exploited, broken, and hacked.
As for the benefits, smart contracts allow NFTs to be authenticated as the original asset, allowing users to verify and track the asset’s ownership on the blockchain. Also, smart contracts typically allow the original creator of an NFT to be paid a portion of royalties on each future asset sale. For example, digital artist Beeple laid down such a condition with his NFT collection, Everydays: The First 5000 Days, which was sold via auction at Christie’s for over $69 million last year, allowing the artist 10% in royalties from each sale.
However, once NFTs are moved away from their original marketplace, they become practically impossible to track, giving a buyer an opportunity to circumvent the royalty provision associated with the NFT merely by moving the NFT to a secondary marketplace site after purchase. And since NFT smart contracts comprise code as well as data, any issues or bugs in how that code is written can be exploited.
This is what happened in 2017 with the NFT digital art collection CryptoPunks, when a bug in the code of the smart contract prevented the transfer of Ethereum cryptocurrency into sellers’ digital wallets (the bug was traced back to a critical line in the code being incorrectly overwritten). As a result, fraudsters bought CryptoPunk NFTs and retrieved their Ethereum used for the purchase from the integrated contract. After that case, CryptoPunks had to relaunch with an updated and entirely new smart contract.
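To make the CryptoPunks lesson concrete, here is an added illustration (not the CryptoPunks contract, and not code from the original article): a small Python model of a marketplace escrow in which buyers pay into a pull-payment ledger and sellers later withdraw. The `Market` class, its account names and the price of 10 are constructed for the example. One flag switches the single line that decides who is credited with the proceeds; with the wrong beneficiary, the buyer keeps the token and can withdraw the price they just paid, which is the kind of outcome the article describes. The `sale_pays_seller` function is the invariant a security code review would add to the project’s test suite so that this class of bug cannot ship again.

```python
"""Toy model of an NFT marketplace escrow, added here to show how a single wrong
line in a sale function lets a buyer recover the price paid. Constructed
simplification; not the CryptoPunks contract."""
from dataclasses import dataclass, field


@dataclass
class Market:
    owner_of: dict                      # token_id -> account
    price_of: dict                      # token_id -> asking price, 0 = not for sale
    pending: dict = field(default_factory=dict)   # account -> withdrawable balance
    credit_seller: bool = True          # False reproduces the wrong-beneficiary bug

    def buy(self, token_id: int, buyer: str, value: int) -> None:
        seller = self.owner_of[token_id]
        price = self.price_of[token_id]
        if price == 0 or value < price or buyer == seller:
            raise ValueError("not for sale, underpaid, or self-purchase")
        self.owner_of[token_id] = buyer
        self.price_of[token_id] = 0
        # The single line a review has to get right: who is credited with the proceeds.
        beneficiary = seller if self.credit_seller else buyer   # buggy path credits the buyer
        self.pending[beneficiary] = self.pending.get(beneficiary, 0) + value

    def withdraw(self, account: str) -> int:
        """Pull-payment withdrawal: returns what `account` can take out, then zeroes it."""
        return self.pending.pop(account, 0)


def simulate_sale(credit_seller: bool) -> dict:
    """Run one sale at price 10 and report who ends up with the token and the money."""
    m = Market(owner_of={1: "seller"}, price_of={1: 10}, credit_seller=credit_seller)
    m.buy(1, "buyer", 10)
    return {"owner": m.owner_of[1],
            "seller_withdraws": m.withdraw("seller"),
            "buyer_withdraws": m.withdraw("buyer")}


def sale_pays_seller(credit_seller: bool) -> bool:
    """Invariant a review's test suite should assert: proceeds reach the seller only."""
    r = simulate_sale(credit_seller)
    return r["owner"] == "buyer" and r["seller_withdraws"] == 10 and r["buyer_withdraws"] == 0


if __name__ == "__main__":
    print("correct:", simulate_sale(True))
    print("buggy:  ", simulate_sale(False))
```

Running the module prints both outcomes side by side; the point for a reviewer is that the contract’s ownership logic is identical in both runs, so a test that only checks who owns the token passes while the money goes to the wrong account. Assert on the flow of funds, not just on ownership.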
NFTs Storage Issues
Jason Bailey, the CEO of ClubNFT and a passionate NFT enthusiast, shared shocking stats in his recent piece: the artwork and metadata for roughly 90% of all art NFTs are not stored on the blockchain. According to the study by YourNFT, only ~10% of NFTs are stored on chain, ~40% are on private servers, while ~50% use a peer-to-peer protocol called the InterPlanetary File System (IPFS).
This raises fundamental questions that all NFT collectors should be asking but rarely do:
- Where does the artwork and metadata for an NFT live if it is not on the blockchain?
- Who is paying to store the artwork associated with an NFT asset?
- What would happen to the value of an NFT if the artwork and metadata permanently disappeared?
Obviously, this requires that a platform or marketplace either ensure secure NFT storage solely within the blockchain (which could be an expensive proposition) or bring in solutions and protocols allowing NFT collectors to back up their assets to a secure repository.
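The first of the three questions above can be answered mechanically for any token whose metadata URI you can read from its contract. The following Python is an added example, not code from the article or from ClubNFT or YourNFT: it classifies a token’s metadata URI and the image URI inside the metadata as on-chain (a `data:` URI), IPFS (an `ipfs://` URI or an `/ipfs/<cid>` gateway path) or a private server, and reports the weakest link of the two. Because the script runs offline, off-chain metadata is passed in by the caller as already-fetched JSON; all three sample tokens, their hostnames and the `QmPLACEHOLDERCID` content identifier are constructed for the example.

```python
"""Classify where an NFT's metadata and artwork actually live.
Added illustration; the URIs below are constructed samples, not real tokens."""
import base64
import json
from typing import Optional
from urllib.parse import unquote, urlparse

# Weakest-link ordering: on-chain bytes last as long as the chain does, IPFS
# content lasts while someone pins it, a private server lasts while its owner
# pays the bill, and a missing image is already gone.
RISK_RANK = {"on-chain": 0, "ipfs": 1, "private-server": 2, "missing": 3}


def classify_location(uri: str) -> str:
    """Return 'on-chain', 'ipfs', 'private-server' or 'missing' for a URI."""
    if not uri:
        return "missing"
    if uri.startswith("data:"):
        return "on-chain"
    if uri.startswith("ipfs://"):
        return "ipfs"
    parsed = urlparse(uri)
    if parsed.scheme in ("http", "https"):
        # An /ipfs/<cid> path on an HTTP gateway is still content-addressed;
        # the gateway is only a mirror, so treat it as IPFS.
        if parsed.path.startswith("/ipfs/"):
            return "ipfs"
        return "private-server"
    raise ValueError(f"unrecognised URI scheme: {uri!r}")


def decode_data_uri(uri: str) -> bytes:
    """Decode an RFC 2397 data: URI (base64 or percent-encoded) to bytes."""
    header, _, payload = uri[len("data:"):].partition(",")
    if header.endswith(";base64"):
        return base64.b64decode(payload)
    return unquote(payload).encode()


def assess_nft(token_uri: str, fetched_metadata: Optional[dict] = None) -> dict:
    """Report where metadata and image live, plus the weakest link of the two.
    On-chain metadata is decoded from the data: URI; for off-chain metadata the
    caller supplies the JSON it fetched (nothing here goes online)."""
    metadata_loc = classify_location(token_uri)
    if metadata_loc == "on-chain":
        metadata = json.loads(decode_data_uri(token_uri))
    elif fetched_metadata is not None:
        metadata = fetched_metadata
    else:
        raise ValueError("off-chain metadata must be supplied by the caller")
    image_loc = classify_location(metadata.get("image", ""))
    weakest = max(metadata_loc, image_loc, key=RISK_RANK.__getitem__)
    return {"metadata": metadata_loc, "image": image_loc, "weakest_link": weakest}


# Constructed sample 1: fully on-chain, an SVG embedded in base64 JSON.
_svg = "data:image/svg+xml;base64," + base64.b64encode(b"<svg/>").decode()
ONCHAIN_URI = "data:application/json;base64," + base64.b64encode(
    json.dumps({"name": "Sample #1", "image": _svg}).encode()).decode()

# Constructed sample 2: metadata on IPFS, image on IPFS through a gateway (placeholder CID).
IPFS_URI = "ipfs://QmPLACEHOLDERCID/2.json"
IPFS_META = {"name": "Sample #2", "image": "https://gateway.example.test/ipfs/QmPLACEHOLDERCID/2.png"}

# Constructed sample 3: everything behind one company's web server.
PRIVATE_URI = "https://api.example-nft.test/token/3"
PRIVATE_META = {"name": "Sample #3", "image": "https://cdn.example-nft.test/3.png"}

if __name__ == "__main__":
    for uri, meta in ((ONCHAIN_URI, None), (IPFS_URI, IPFS_META), (PRIVATE_URI, PRIVATE_META)):
        print(assess_nft(uri, meta))
```

The `weakest_link` field is the one to act on: a token whose JSON sits on IPFS but whose image points at a vendor’s CDN is, for valuation purposes, a private-server token, because the artwork disappears the moment that server does. Collectors can run this over their own holdings; a marketplace can run it at listing time and surface the result next to the price.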
On the topic of solutions and measures to ensure NFT marketplaces are safe and secure for collectors, artists, and all NFT enthusiasts, let’s review specific strategies that can protect them against some of the more common cyber-threats out there.
Strategies to Tackle Cyber-Threats
Security Code Reviews
This strategy is designed to identify potential weaknesses and flaws in the software code being used by NFT art platforms. While some industries mandate secure code reviews as a component of compliance requirements, every online platform would be wise to perform this assessment to ensure a secure environment. Some of the primary areas of the platform that a security code review focuses on include authentication, authorization, data validation, encryption, and error handling.
Moreover, security code reviews are crucial to eliminate risks in how smart contracts are implemented for NFTs. Understanding how the code is written and the quality of the code is of the utmost importance since a misstep, or an oversight can cause an unwanted action to occur and result in an NFT seller losing their assets. Additionally, smart contract security must be high quality because hackers can exploit even minor errors to steal assets, as with the CryptoPunk case mentioned in the previous section.
Combatting Social Engineering and Phishing Attacks
Humans are often the weak point in any system, and this type of threat exploits people rather than any specific technical flaw. Hence, to implement an effective strategy against social engineering attacks, a security team might need to simulate a phishing attack to evaluate the level of social engineering awareness among the platform’s users and customers.
The security team must think like a hacker to ensure an accurate simulation. A first attempt typically tries to get a malicious attachment past the platform’s configured defenses, so that opening it would release malware into the system. Phishing emails are often also intended to collect credentials from users to save for future attacks.
Using this strategy, a testing team might try a variety of phishing attacks, from simple and seemingly obvious messages to more complex and customized alternatives. Once the test is complete, the team analyzes vulnerabilities identified by the attacks to determine the most effective ways for the NFT marketplace owners to improve their security practices to protect their environment in the future.
Offensive Security Testing
Another vital practice to ensure effective protection from cyberattacks is “offensive security.” The aim of offensive security testing is to simulate a cyberattack to identify any exploitable vulnerabilities while determining the ability of a system and team to handle an attempted attack with minimal consequences.
This process allows the offensive security team to evaluate the state of a platform’s security before planning its strategy to eradicate the risks.
As part of the assessment, the security team gains an understanding of which data is sensitive and the potential consequences of it being compromised. Then comes the laborious stage, which involves analyzing the platform’s weak points and assessing a team’s knowledge of cybersecurity practices. It is also vital to examine the potential threats that could come from third parties.
But at the core of the offensive security testing is the simulation of the attack. Once the simulation has been planned, the next step is to analyze how a target application responds to various types of attempted intrusions. Once this has been completed, any vulnerabilities found are put through every conceivable hack to determine the level of potential damage that could be caused in a real attack.
Finally, the team will attempt to maintain access via the vulnerabilities to determine if a long-term presence from hackers is a possible outcome.
Compliance Management
Security compliance strategy aims to gain a complete understanding of both the current and future security standards and cyber regulations to ensure full compliance by the platform owners and users in every component of a system. This process includes cyber risk management, security and regulatory compliance, third-party risk assessment, and cyber insurance management.
As a result, those running NFT platforms get a gap analysis and a ready-to-implement plan allowing them to address the gaps and so ensure compliance with standard security requirements.
Security Consulting
Last but not least, by consulting with external security experts, an NFT marketplace owner can be certain that every detail of their platform has been effectively analyzed and secured against all potential vulnerabilities and cyberattacks.
And although there is an expense incurred, using an external company is often much cheaper in the long run, as it prevents the exploitation of platform vulnerabilities which can lead to devastating financial losses and damaged credibility, as the spate of NFT thefts since 2020 and especially this year convincingly demonstrates.
Final Thoughts
The accelerating frequency and scale of cybercrimes targeting NFTs threatens the vibrancy and growth of the market for digital NFT art and collectibles, through the financial losses incurred by holders of these assets, and by undermining confidence among NFT platform users, digital NFT art enthusiasts and anyone interested in NFTs as an asset class. In this climate, prioritizing cybersecurity risks and investing in proven strategies to combat them will play a critical role in the ability of NFT platforms to retain customers, demonstrate their trustworthiness, and grow their future userbase.
Author: Doron Fagelson,
Vice President of Media and Entertainment Practice at DataArt
Originally published on https://www.dataart.com/blog.