Can NFTs Be Hacked?

20 Jul 2023

Learn to Neutralize the Risks of NFT Hacks and Scams

NFTs are minted using cryptography and blockchain networks. So, aren’t they a safe and secure way to store your tokenized assets? Unfortunately, in many cases, scammers and hackers can put a damper on security and your NFT assets become at risk. Let’s delve into the hackability of NFTs, starting with a little backstory. 

What is an NFT?

Non-Fungible Tokens (NFTs) use blockchain technology to offer digital representations of ownership and authenticity for unique items. Non-Fungible means that each NFT is its own distinct token, provable as an original on the transparent blockchain ledger.

A fungible token would be like most cryptocurrencies, including Bitcoin, Ethereum, or Doge. All units of each type of crypto asset are identical and interchangeable - the exact opposite of non-fungible.

the letters NFT inside a matrix of digital networks

But what about blockchain security?

The bedrock of cryptocurrencies and NFTs is blockchain—a decentralized, transparent technology famous for its robust security features. Blockchains like Ethereum, where most NFTs are minted, use cryptography to keep transactions secure. Once data is added to the blockchain, it's extremely difficult to alter without consensus from the network.

This foundation offers NFTs a high level of security. 

  • The decentralized nature of blockchains means there isn't a single point of failure. 
  • For a hacker to tamper with an NFT, they would need to overpower more than half of the blockchain's network, a feat that is, theoretically, extremely challenging and costly.

These unique digital assets have carved a niche for themselves in an expanding list of industries, including art, music, gaming, metaverse, and real estate. Many NFTs have also become extremely valuable, something that has drawn nefarious actors into the space. 

Which begs the question: When you buy, sell, or trade an NFT, how secure is that digital asset? Can NFTs be hacked?

NFTs: Impenetrable or Not?

In the purest sense, the NFTs themselves, thanks to their blockchain underpinnings, are secure. However, that doesn't mean they are entirely immune to all vulnerabilities.

A hacker who overtook a projectFake Discord account scamming NFT investors - Source: CoinTelegraph

  • Back in 2021, Amicoa Brands fell victim to an NFT scam through Discord. The Discord Server of one of its subsidiary’s games, PhantomGalaxies, lost control of the server to scammers who used malicious bots to compromise the Admin’s 2FA. Once in, they banned all the team members and moderators and began announcing their fake NFT minting event. They proceeded to charge all participants a minting fee of 0.1 ETH. And, you guessed it, they never got their highly anticipated PhantomGalaxies NFT. 
  • In 2022, investors bought $1.3 million in Frostie NFTs after being promised by the team that they’d receive staking rewards and other benefits. Imagine their shock when the team, after selling 8,888 Frosties NFTs, pulled the rug! Without a moment’s notice, they closed their website and socials and disappeared with the money (Update: later they got caught by the Justice Department!).
  • The next year in January of 2023, the founder of PROOF Collective, Kevin Rose, lost $1 million in high-value NFTs in a phishing scam. Rose was participating in an airdrop but was lured to a malicious website where he activated his hardware wallet, which got drained of his precious “Memes by 6529” NFTs.

How do NFTs get hacked?

The examples above are only the tip of the iceberg. NFT scams and hacks can take on many different forms:

Platform Vulnerabilities: While NFTs reside on a secure blockchain, they are often bought, sold, and displayed on online platforms or marketplaces. If these platforms have vulnerabilities, hackers can exploit them. For instance, if an NFT marketplace does not implement proper security measures, hackers might access users' accounts and transfer NFTs without their consent.

Phishing Attacks: The age-old trick of deceiving individuals into providing their sensitive data, like private keys or passwords, remains a threat. Once these details are obtained, unauthorized access to one's digital wallet or NFTs becomes possible.

Smart Contract Flaws: NFTs operate using smart contracts—self-executing contracts with the terms of agreement directly written into code. If there's a loophole or flaw in the contract, it could be exploited. Though smart contract auditing has become a norm, human error can sometimes overlook potential vulnerabilities.

There are multiple other ways that hackers can separate you from your NFT assets, such as with NFT spoofs (or fakes), or Man-in-the-Middle attacks, where communications between an investor and a website are compromised due to lack of encryption. 

Two major risk vectors you can solve for with Gridlock

Overall, most of the vulnerabilities that threaten your NFTs stem from two access points: your private keys and transaction signing. Scammers want to either gain access to your private keys so they can take control over the assets, or get you to sign a transaction that may lead to a malicious website where your assets get drained. 

A tweet warning of the danger of transaction signing during an NFT transaction

Source: @Ricerd on Twitter

How to protect your NFT investments so they don’t get hacked

While the risks associated with NFTs might seem daunting, there are steps you can take to ensure your digital assets remain safe:

  • Regular Updates: Ensure that all software, especially wallets and applications associated with NFTs, are updated. Developers frequently release patches to address vulnerabilities.
  • Be Ultra-Cautious: Don't click on suspicious links or share your private keys. Always triple-check the URLs of sites you are interacting with during NFT transactions to ensure you're not on a counterfeit website.
  • Distributed Key Storage: Use Gridlock Wallet, which empowers NFT users to eliminate the greatest access point for scams and hacks - your private keys. By distributing private keys into key shares (or shards) that have no knowledge of each other, Gridlock Wallet owners have peace of mind knowing their private keys cannot get hacked. 
  • Threshold Signatures: Again, Gridlock Wallet is the place for your NFTs when signing transactions. Threshold Signature technology empowers you to secure your assets by requiring multiple parties to sign for transactions.
  • Verify: Be on guard during every stage of an NFT minting or sale event. Cross-check announcements on 2-3 official sites, such as a project’s website, Twitter and Discord, to make sure the event is legit. 
  • Be on the Alert: It is relatively easy to mimic a browser application like MetaMask - but remember: MetaMask or any legitimate project or person WILL NEVER ASK FOR YOUR SEED PHRASE UNLESS YOU INITIATE WALLET RECOVERY.

Moral of the story? Play it safe with Gridlock’s hyper-secure NFT wallet, where distributed private keys and threshold signatures provide the highest level of security for your precious non-fungibles.  

Download Gridlock today and rest easy tonight, knowing your NFTs are safe.

- - -

Written by Reid Zedkongor

a6 (1).jpg

Reid Zedkongor is peeling away layers of confusion around blockchain and cybersecurity. With a computer engineering background, he can dive into the details of crypto complexities to make crypto adoption easy for everyone. In his free time, he often reads fiction or enjoys a good laugh over a beer.

Don't miss out on new features and special events