The explosion of interest in NFTs has brought a whole new cohort of users into the crypto space. That interest is often driven by FOMO, which, combined with inexperience, provides fertile ground for scammers and hackers. Given NGRAVE’s focus on crypto security, we’ve summarised the best ways to protect your NFTs.
Investing in NFTs is a risky business as the valuations aren’t really grounded in fundamentals. So even before you get to the point of worrying about how to safely store the NFTs you own, you should ensure you’ve done enough due diligence in the buying process.
Plagiarism, fake provenance, uncancelled listings and Rug Pulls are just a few of the risks posed during the buying process, which we’ve covered in a separate article in the NGRAVE Academy.
Understanding NFT Storage
Once you have negotiated the minefield of buying an NFT you cannot drop your guard, because how you store your newly purchased digital asset can expose it to the risk of loss and theft.
When we talk about the risks of how you store an NFT there are two distinct components:
The physical location of the asset itself, e.g. a JPEG, song or document
The token recorded within a blockchain that proves ownership of an asset
The asset itself is very rarely stored within the blockchain, because of the storage issues that would create by bloating the blockchain. Instead, the token points to the asset’s actual location on the web, so it is important to check how robust and decentralised that storage is. If it sits on a single server outside of your control, that NFT could simply be moved or deleted.
The most common decentralised approach is to use IPFS (InterPlanetary File System) but even this doesn’t guarantee that your NFT is hosted across a network of server nodes.
This Coindesk article does a good job of explaining why that is, but the bottom line is that before buying an NFT you should check how and where the file it references is actually stored.
From here on, when this article talks about safe NFT storage we are referring to the storage of the token: the digital record of ownership within a blockchain, protected by a Private Key.
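The check described above can be made mechanical. The following is an added example, not code from the article or from NGRAVE: a small Python classifier that takes a token’s metadata URI, follows it to the image URI inside the metadata, and rates each by where the bytes actually live (inline in the token, on IPFS by content identifier, on IPFS via an HTTP gateway, or on an ordinary web server). The overall rating is the weakest link, since an IPFS-hosted metadata file that points at a centralised image is only as durable as that server. All CIDs, hostnames and token names are constructed for the example, and the fetcher is an offline stand-in for calling tokenURI() and fetching the metadata.

```python
"""Classify where an NFT's metadata and underlying asset actually live."""
import base64
import json
from urllib.parse import urlparse

# Storage classes, from most to least robust. The token only *points* here.
ON_CHAIN = "on-chain"            # data: URI, the bytes sit inside the token itself
CONTENT_ADDRESSED = "ipfs"       # ipfs:// CID; tamper-evident, but someone must pin it
IPFS_GATEWAY = "ipfs-gateway"    # https://gateway/ipfs/<cid>; CID present, gateway trusted
CENTRALISED = "centralised"      # ordinary http(s) URL on a host someone else controls
UNKNOWN = "unknown"

RANK = {ON_CHAIN: 0, CONTENT_ADDRESSED: 1, IPFS_GATEWAY: 2, CENTRALISED: 3, UNKNOWN: 4}


def classify_uri(uri):
    """Return the storage class of a single URI found in a token or its metadata."""
    parsed = urlparse(uri)
    scheme = parsed.scheme.lower()
    if scheme == "data":
        return ON_CHAIN
    if scheme == "ipfs":
        return CONTENT_ADDRESSED
    if scheme in ("http", "https"):
        # Public gateways expose content-addressed files under /ipfs/<cid>
        if parsed.path.startswith("/ipfs/"):
            return IPFS_GATEWAY
        return CENTRALISED
    return UNKNOWN


def decode_data_uri(uri):
    """Decode a data: URI carrying JSON metadata (base64 or plain text)."""
    header, _, payload = uri.partition(",")
    if ";base64" in header:
        payload = base64.b64decode(payload).decode()
    return json.loads(payload)


def assess_token(token_uri, fetch):
    """Classify the token URI and the image it references.

    `fetch(uri)` returns the metadata dict for a non-data: URI; the caller
    supplies it so this runs offline. The overall rating is the weakest link.
    """
    meta_class = classify_uri(token_uri)
    metadata = decode_data_uri(token_uri) if meta_class == ON_CHAIN else fetch(token_uri)
    image_uri = metadata.get("image", "")
    image_class = classify_uri(image_uri) if image_uri else UNKNOWN
    overall = max((meta_class, image_class), key=RANK.__getitem__)
    return {"metadata": meta_class, "image": image_class, "overall": overall}


# Constructed sample data standing in for tokenURI() results and the metadata
# those URIs resolve to. The CID, hosts and names are made up for this example.
FAKE_CID = "bafybeihdwdcefgh4dqkjv67uzcmw7ojee6xedzdetojuzjevtenxquvyku"
CONSTRUCTED_METADATA = {
    f"ipfs://{FAKE_CID}/1.json": {"name": "Token 1", "image": f"ipfs://{FAKE_CID}/1.png"},
    "https://api.example-project.invalid/token/2": {
        "name": "Token 2",
        "image": "https://cdn.example-project.invalid/2.png",
    },
    f"https://ipfs.io/ipfs/{FAKE_CID}/3.json": {
        "name": "Token 3",
        # metadata on IPFS, but the image sits on a single web server
        "image": "https://cdn.example-project.invalid/3.png",
    },
}
ON_CHAIN_TOKEN = "data:application/json;base64," + base64.b64encode(
    json.dumps({"name": "Token 4", "image": "data:image/svg+xml;utf8,<svg/>"}).encode()
).decode()


def offline_fetch(uri):
    """Stand-in for an HTTP/IPFS fetch, resolving from the constructed table."""
    return CONSTRUCTED_METADATA[uri]


if __name__ == "__main__":
    for uri in list(CONSTRUCTED_METADATA) + [ON_CHAIN_TOKEN]:
        print(uri[:60], assess_token(uri, offline_fetch))
```

Token 3 is the case the text warns about: the metadata looks decentralised, but the image it points at can be moved or deleted by whoever runs the server, so the checker rates the token as centralised.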
Storing NFTs On Marketplaces & Exchanges
The most common way to acquire NFTs is through marketplaces like Opensea or Rarible. They facilitate the minting and exchange of NFTs, charging a fee for the service, and function like centralised crypto exchanges but with one key difference.
When you buy an NFT on a marketplace you are transacting directly with the underlying blockchain. The marketplace simply facilitates the transaction and never takes possession of the NFTs. Instead of creating an account directly with the marketplace, you connect to it using a crypto wallet like MetaMask.
This means that a hot wallet like MetaMask is the single point of failure once you’ve bought an NFT on a marketplace, because that is where the NFT will be stored after purchase.
Though you access MetaMask day to day through the normal security features of your browser or device, such as a password and/or biometrics, the ultimate failsafe against loss or theft is a single piece of information called a Seed.
Your MetaMask Recovery Seed is a collection of 12 mnemonics (memorable words) that, when recorded in a specific order, are a convenient way to represent the much longer random strings of numbers and letters, called Private Keys, that are associated with individual assets.
In the event of losing regular access to either the app or your device, your Seed is your only fallback. If your Seed ends up in the hands of thieves you can kiss everything in your wallet goodbye.
So if you store your NFTs on a hot wallet, you have to learn how to protect your Seed.
Given the explosion in interest in NFTs, exchanges like Coinbase, Binance and Crypto.com are increasingly offering marketplace functions, but their centralised model means they directly custody your assets. This means the risks to your NFTs on exchanges are twofold: you have to trust that the exchange won’t get hacked, which is unfortunately common, and you also have to protect your login credentials from hackers.
In both cases - protecting your Seed and protecting your login credentials - you are at risk simply by being online, and the safety of your NFTs is therefore only as good as your general OpSec - Operations Security.
The threat from poor OpSec
The subreddit dedicated to the subject of OpSec does a great job of defining what that means: “OPSEC is the process and practice of Operations Security…[it] is a mindset of critical thinking and safe habits.”
Critical thinking requires you to constantly consider how your information might be at risk, thinking from the perspective of a hacker, which is quite a steep learning curve. Safe habits are a bit easier to summarise:
Automatically update your browser & operating system
Browsers and operating systems aren’t foolproof. They are constantly being updated and patched to improve both user experience and security. Given that wallets like MetaMask work through your browser, an unpatched browser is a direct threat.
Make sure to set both to update automatically. Chrome announced three zero-day exploits in the first four months of 2022 alone. Zero-day means a vulnerability that hasn’t been disclosed, or that is public knowledge but has no fix yet.
Always enable 2FA for account-based services using an App or hardware device, not text messages
If you store your NFTs on a centralised service, be certain to use two-factor authentication, and don’t use text-message codes. Scammers have become unbelievably sophisticated in the ways in which they can replicate your SIM in order to intercept the verification code - known as SIM Swapping.
You can mitigate that risk by using app-based 2FA services like Google Authenticator or Authy, or better still, 2FA hardware devices like Google Titan or Yubico.
Use strong passwords that are unique to each site, and a specific email address just for crypto activities. Not only will this reduce the risk of unauthorised access, but it will also make SIM Swapping harder. Getting hold of a copy of your SIM is just one part of the process of gaining access to a centralised account storing your NFTs. The attackers also need your account and email credentials.
There is a huge underground market for login credentials that have been harvested from data hacks. You may not even be aware that your details were exposed - go check on https://haveibeenpwned.com/.
You might not care if some crummy forum you once used years ago got hacked, but hackers will take that information and assume it might also work elsewhere. They will also harvest anything the data tells them about you in order to impersonate you more successfully. As Reddit says, security is a mindset. You have to think like a hacker.
Consider using a second, wifi-only mobile just for crypto activity at home. This limits the risk if your phone is lost or stolen, and can minimise online threats because the only activity on it will be specific to crypto.
Don’t identify yourself as an NFT owner on social media. Flexing might be part of the attraction of owning NFTs but you are putting a target on your back.
Use reliable anti-virus software, schedule regular scans and make sure the virus library updates automatically. Most anti-virus software will guard against unsafe downloads, attachments and fake sites, as well as scan your wi-fi, but don’t assume that your anti-virus software makes you bulletproof.
Bookmark the official websites and services you regularly use to minimise the chance that you can be tricked into using a spoofed site, or downloading a fake app that will harvest your credentials or sweep your wallet.
Don’t click on random links or attachments. Assume that every click or tap you make could be opening the door to an online attack and exposing your NFTs to risk.
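The reason app-based 2FA survives a SIM swap is that the code is computed on your device from a secret shared once at enrolment (the QR code you scan); nothing is sent to your phone number, so controlling the number gains an attacker nothing. The following is an added example, not code from the article or from any authenticator app: a minimal Python implementation of the standard these apps use, TOTP (RFC 6238) on top of HOTP (RFC 4226), with a verifier that tolerates one 30-second step of clock drift. The secret is the RFC’s own published test secret; a real enrolment uses a random secret.

```python
"""Time-based one-time passwords (RFC 6238) computed locally from a shared secret."""
import hmac
import hashlib
import struct
import time

STEP_SECONDS = 30   # the interval authenticator apps use by default
DIGITS = 6          # the usual code length shown in an app


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of the last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, unix_time, digits=DIGITS, step=STEP_SECONDS):
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret, candidate, unix_time, window=1, digits=DIGITS, step=STEP_SECONDS):
    """Accept the code for the current step and `window` steps either side, to
    tolerate clock drift between phone and server. compare_digest keeps the
    comparison constant-time so a verifier doesn't leak which digits matched."""
    counter = int(unix_time) // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta, digits), candidate):
            return True
    return False


# RFC 6238 Appendix B test secret (ASCII "12345678901234567890"). A real
# authenticator enrolment uses a random secret shared once via the QR code.
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    now = time.time()
    code = totp(RFC_SECRET, now)
    print("current code:", code, "valid:", verify_totp(RFC_SECRET, code, now))
```

Both the phone and the service hold the same secret and compute the same function of the current time, which is the whole mechanism; an SMS code, by contrast, exists only because the service sends it to a number, and the number is what SIM swapping steals.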
Man In the Middle Attacks
By being online you are constantly exposed to malware with a wide range of intents but one that is of specific danger to NFT transactions is the Man In The Middle Attack.
In order to send or receive wallet transactions, you need to share address details, often using chat services and/or your device clipboard. The Man In The Middle attack relies on compromising the clipboard - on a laptop or smartphone - and using that access to intercept and replace the shared address details with an address of the attacker’s choosing. A Trojan called CryptoShuffler was doing the rounds in 2017 to achieve precisely this.
Mitigating the threat
Always double-check the recipient address to ensure it is correct by scanning the first/last few characters.
If your hot wallet allows it, use address Whitelisting, which puts a 24hr restriction on using newly added withdrawal addresses; note that MetaMask doesn’t offer this feature.
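The two mitigations above can be shown as code. The following is an added example, not code from the article or from any wallet: a Python sketch of a full recipient-address comparison next to the weaker glance at the first and last characters, and a simplified model of withdrawal whitelisting in which a newly added address cannot be used until a 24-hour hold has passed. The addresses are constructed for the example and are not real accounts; the lookalike is built to share the first four and last four hex characters with the intended address, which is why comparing the whole string matters, since vanity-address generators can match several leading and trailing characters.

```python
"""Recipient-address checks: full comparison plus a whitelisting hold."""
import time

WHITELIST_HOLD_SECONDS = 24 * 60 * 60  # the 24-hour restriction described in the text


def normalise(address):
    """Hex addresses are case-insensitive; strip whitespace the clipboard may add."""
    return address.strip().lower()


def addresses_match(intended, pasted):
    """Compare the whole address, not just the visible ends."""
    return normalise(intended) == normalise(pasted)


def ends_match(a, b, n=4):
    """The weaker glance-check: same first n and last n hex characters after 0x."""
    a, b = normalise(a)[2:], normalise(b)[2:]
    return a[:n] == b[:n] and a[-n:] == b[-n:]


class ManualClock:
    """Injectable clock so the hold can be demonstrated without waiting a day."""

    def __init__(self, now=0.0):
        self.now = now

    def __call__(self):
        return self.now


class AddressBook:
    """Withdrawal whitelist: an address added now cannot receive funds until the
    hold elapses, so a swapped-in address is noticed before anything moves."""

    def __init__(self, clock=time.time, hold=WHITELIST_HOLD_SECONDS):
        self._clock = clock
        self._hold = hold
        self._entries = {}  # normalised address -> (added_at, label)

    def add(self, address, label):
        self._entries[normalise(address)] = (self._clock(), label)

    def can_withdraw_to(self, address):
        """Return (allowed, reason). Unknown addresses are refused outright."""
        entry = self._entries.get(normalise(address))
        if entry is None:
            return False, "address is not whitelisted"
        added_at, label = entry
        remaining = self._hold - (self._clock() - added_at)
        if remaining > 0:
            return False, f"'{label}' is still on hold for {remaining / 3600:.1f}h"
        return True, f"'{label}' has cleared the hold"


# Constructed addresses (not real accounts). The lookalike shares the first
# four and last four hex characters with the intended one.
INTENDED = "0x7a3f" + "0123456789abcdef0123456789abcdef" + "b2c4"
LOOKALIKE = "0x7a3f" + "fedcba9876543210fedcba9876543210" + "b2c4"

if __name__ == "__main__":
    print("glance check passes:", ends_match(INTENDED, LOOKALIKE))     # True: the glance is fooled
    print("full check passes:", addresses_match(INTENDED, LOOKALIKE))  # False: caught
    clock = ManualClock(0.0)
    book = AddressBook(clock=clock)
    book.add(INTENDED, "my cold wallet")
    clock.now = 3600.0
    print(book.can_withdraw_to(INTENDED))    # refused, hold not yet elapsed
    clock.now = WHITELIST_HOLD_SECONDS
    print(book.can_withdraw_to(INTENDED))    # allowed
    print(book.can_withdraw_to(LOOKALIKE))   # refused, never whitelisted
```

The hold buys time: if malware swaps the address you are adding, the day-long delay before that address can receive funds is a window in which a second look at the address book catches the substitution.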
The risks of Social Engineering
Finding your way around the NFT space and understanding how to transact can be confusing for a beginner. It is frighteningly easy to expose your MetaMask Seed: it takes just three clicks, Settings > Security & Privacy > Reveal Secret Recovery Phrase, plus your password.
Scammers will try and exploit inexperienced users through what is known as Social Engineering: using psychological manipulation to trick you into revealing your Seed.
One of the most common approaches is listening for requests for help from NFT holders, whether within a Metaverse platform, an official Discord or external social media.
Scammers will pretend to be part of the official support team, and engineer a reason for you to expose your Seed under the pretence of fixing the issue.
They may go as far as creating fake Discord servers and using what look like official support accounts to coerce users into sharing their Seed, supposedly to help resolve their issue.
Social Engineering works because of well-rehearsed manipulation. Several scammers will work together, trying to disarm the target with friendliness, then suddenly change pace and create a sense of urgency designed to push users to act without thinking.
The scammers will try and convince you that sharing your screen will speed things up and within moments your NFTs will be gone.
Even experienced users can be convinced to act against their best instincts because making money from investing in NFTs can often come down to speed and scammers know this.
OpenSea, the largest NFT marketplace, had its Discord server hacked in May 2022, allowing the intruders to promote a fake YouTube partnership in a series of posts that ramped up the FOMO, claiming that 70% of the supply of the fake project had already gone.
OpenSea is just one of several high-profile NFT marketplaces and projects to have had their Discord or social media hacked, including Bored Ape Yacht Club, Doodles and KaijuKings.
With access to your Seed, a scammer can drain all the funds already in your wallet, but if there is little value there, they might instead try to use a malicious script to intercept future transactions.
If they can infect your wallet with the so-called Sweeper Script without you knowing, they will patiently wait and divert future transactions to their own address rather than to the genuine recipient.
Other forms of Social Engineering may try to convince you to transfer NFTs as part of some promised exchange before disappearing, or offer a wallet recovery service to anyone who has lost their Seed.
Mitigating the threat
There is no legitimate reason why any person, or service, should ever ask you to reveal your Seed. Knowing this should make it easy to detect scams, but here are some things to be aware of:
Only ever use official support channels - double-check account details
Be very suspicious of anyone approaching you out of the blue, especially via DM
Unprofessional language is another red flag
Scammers may create dApps that look harmless enough but will ask for your Seed
How to have convenience & offline security
If all the threats posed by storing your NFTs in hot wallets or exchange accounts leave you in a cold sweat, that is the unfortunate reality of the internet and, in particular, of the allure that crypto has for hackers.
You have to balance the convenience against the risks. Fortunately, there is a middle ground, because a crypto hardware wallet like the NGRAVE ZERO provides cutting-edge offline security AND the ability to store, send and receive NFTs without exposing your Seed.
The clever use of QR codes and a companion mobile app, LIQUID, gives you the best of both worlds: the convenience of online transactions with the security of offline storage.
Like MetaMask, hardware wallets are non-custodial, so one of the most important security steps to add to your list of best practices is to store your Seed offline somewhere safe. We have a whole separate article about how to safely store your Seed.
It might seem like a natural thing to do, but storing your Seed online ramps the security threat to your NFTs right up. If hackers get access to your devices through any of the methods listed above, they know where to look for Seeds and what file names and formats to look for.
Unfortunately, there is a steady flow of people who don’t store their Seed offline, lose access to their wallets and then become victims of the Social Engineering mentioned above. Scammers monitor social media for targets, use multiple stooge accounts to create an air of credibility, then request upfront payment and disappear without delivering any service.
No Hot Wallet or crypto exchange can ever be 100% safe because being online automatically means you are vulnerable. You can mitigate the risk through due diligence, security best practices and simply being vigilant, but the simple truth is that there is no better way to protect your NFTs than cold storage.