12/08/2022 NFT Heists: Are Recent Attacks the First of Many to Come?

NFT heists are hitting the news. Here's how you can protect yourself, says Indrė Viltrakytė, co-founder of The Rebels.

Phishing attacks are not new. Sometimes, they are easy to spot. Like when the prompts come with a request to send your banking information to a prince from a far-away foreign land. But sometimes, they are harder to spot. Like when a request to approve the release of your assets comes from a seemingly trustworthy source.

This is what happened recently in an NFT phishing theft case. Users trusted a scheme that involved the Premint platform. The users agreed to a prompt to approve an unknown entity to control their assets.

On July 17, 2022, a popular NFT platform, Premint NFT, was hacked. 314 NFTs worth $430,000 were stolen. Perpetrators were able to plant malicious code on Premint’s official website. The code instructed users to “set approvals for all” when connecting their digital wallets to the site. This allowed the attackers to access their crypto assets and steal their NFTs.

The new world of NFTs – digital art collection – may be in line for more phishing attacks.

NFT heists: What is being stolen?

Typically, when we hear the word NFT, we think of a digital image that is unique and connected to the blockchain. It is, however, more elaborate than that. When talking about NFTs, the ownership tracking and uniqueness are always emphasized. But nowhere in the NFT standard is it stated what the unique tokens represent. In essence, the tokens are only unique numbers. It’s the authors of the NFT collection who define what these tokens represent.

Furthermore, images are usually not “uploaded into the crypto wallet.” They are not part of the NFT contract. A hash of the image might be written into the contract to create a connection with the thing that the NFT represents. Also, NFT as a standard doesn’t concern itself with the value of NFTs or with buying and selling them. It only supplies standard methods to transfer NFT ownership. It’s the marketplaces and the community who build on top of that and treat the NFTs as merchandise.

As merchandise, NFTs are mostly purchased as collectibles, often used for investment purposes. They have developed practical use cases only recently. An example is digital fashion wearables in the Metaverse.

What can be done in the future?

Who’s to blame? Is it the user? Or the platform, which allowed an attacker to initiate a fraudulent transaction?

In this particular case, the attackers were able to display content to trick the user into signing the fraudulent transaction.

A vague, plausible-sounding reason for the transaction in combination with trust in the website was enough to fool many. That said, it is unreasonable to expect that the average Web3 user could skirt it. Most didn’t have a strong enough tech background to notice that the transaction was actually giving someone access to his or her NFTs.

It’s possible to trick users into signing transactions if they are initiated by a trusted website. The assets in the users’ wallets are only as safe as ALL the decentralized applications (dapps) that the user interacts with put together. Identical cases are likely to happen in the future.

The ways security can be improved:

1. Wallets could display more human-oriented information for known contract interaction types. For example, a huge red message saying, “Hey, you’re giving control for all of your NFTs to someone!” That would be much better than the current all-caps “SET APPROVAL FOR ALL” in gray in MetaMask’s transaction confirmation window.

2. Websites could list and publish the contract interactions that they might initiate. Providers like MetaMask could refuse any non-standard transactions.

NFT heists: How can users protect themselves

– Review the transaction details before signing. This won’t protect the user 100% of the time. But reviewing what method is being called on what contract is crucial.

– Separate NFTs (and other crypto assets) into multiple wallets. If the users are tricked into giving someone control of their assets in one wallet, at least the assets in other wallets are safe. This is as long as you don’t share your private key or the seed phrase.

– Use different wallets for different dapps. It’s not always practical to do so when the dapp is meant to interact with other assets in the wallet. However, it’s important to try keeping only what’s relevant.
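
The two wallet-side ideas above (a plain-language warning for known interaction types, and checking a request against a list the site publishes), together with the advice to review which method is called on which contract, can be sketched as follows. This is an added example, not code from the article, MetaMask or Premint; the manifest format, the function names and all addresses are assumptions made for illustration.

```javascript
// Well-known 4-byte selectors of the standard token methods (ERC-721/1155/20).
const KNOWN = {
  a22cb465: { sig: 'setApprovalForAll(address,bool)', args: ['address', 'bool'] },
  '095ea7b3': { sig: 'approve(address,uint256)', args: ['address', 'uint256'] },
  '23b872dd': { sig: 'transferFrom(address,address,uint256)', args: ['address', 'address', 'uint256'] },
};

// Split call data into a selector and 32-byte words. Returns null if malformed.
function decode(data) {
  const hex = String(data).replace(/^0x/i, '').toLowerCase();
  if (!/^[0-9a-f]{8}([0-9a-f]{64})*$/.test(hex)) return null;
  const selector = hex.slice(0, 8);
  const words = hex.slice(8).match(/.{64}/g) || [];
  const known = KNOWN[selector];
  if (!known || words.length !== known.args.length) return { selector, sig: null };
  const values = known.args.map((type, i) =>
    type === 'address' ? '0x' + words[i].slice(24)
      : type === 'bool' ? BigInt('0x' + words[i]) !== 0n
        : BigInt('0x' + words[i]));
  return { selector, sig: known.sig, values };
}

// manifest: hypothetical site-published map of contract address -> allowed signatures.
function reviewTransaction(tx, manifest) {
  const d = decode(tx.data);
  if (!d) return { level: 'block', text: 'Malformed call data. Do not sign.' };
  if (!d.sig) return { level: 'block', text: `Unrecognised method 0x${d.selector} on ${tx.to}.` };
  const declared = (manifest[tx.to.toLowerCase()] || []).includes(d.sig);
  // Blanket approval always gets the loud warning, even when the site declared it.
  if (d.sig.startsWith('setApprovalForAll') && d.values[1]) {
    return { level: 'danger', declared,
      text: `You are giving ${d.values[0]} control of ALL your NFTs in ${tx.to}.` };
  }
  if (!declared) return { level: 'block', text: `${d.sig} on ${tx.to} is not declared by this site.` };
  return { level: 'ok', declared, text: `${d.sig} on ${tx.to}` };
}

// Constructed sample: addresses are made up, not taken from the Premint incident.
const OPERATOR = '0x' + 'ab'.repeat(20);
const COLLECTION = '0x' + 'cd'.repeat(20);
const SAMPLE_TX = {
  to: COLLECTION,
  data: '0xa22cb465' + OPERATOR.slice(2).padStart(64, '0') + '1'.padStart(64, '0'),
};
console.log(reviewTransaction(SAMPLE_TX, {}).text);
```
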

About the Author

Indrė Viltrakytė is the co-founder of the Web3 fashion venture The Rebels. It has 10101 unique characters based on the controversial “Jesus, Maria” ad campaign. The campaign was banned but later found justice in the European Court of Human Rights, which ruled in favor of the brand. The case is now held as a precedent in cases related to freedom of expression in the EU. Indrė Viltrakytė has 10+ years of experience in the fashion industry.

https://beincrypto.com/nft-heists-attacks-many-to-come/
