NFT Theft Prevention Guide: How to Protect Asset Security?

Summary: As the number of NFT users, transaction volume, and market value continue to rise, criminals such as phishers and hackers have also begun to target this market, further threatening the security of the NFT ecosystem.
NFTGo
2022-05-07 16:56:15

Author: NFTGo

As the number of NFT users, trading volume, and market value continue to rise, phishers, hackers, and other criminals have begun to target this market, further threatening the security of the NFT ecosystem.

A table compiled by the blockchain security and data analysis company PeckShield lists cases such as these: 254 NFTs worth roughly $1.7 million stolen in a single phishing attack; Jay Chou's BAYC #3738 stolen on April Fool's Day, a textbook case of a phishing site luring the victim into a "mint" that actually handed control of the NFT to the attacker; and a project calling itself MoonManNFT that took nearly 400 NFTs under the guise of a free mint.

Generally speaking, attackers approach collectors through Discord and Telegram and take their NFTs by luring them into malicious mints, phishing them, and similar tricks. As the tooling on both sides keeps evolving, NFT investors and collectors have to stay current on the latest methods to protect their assets.

Basic Knowledge of NFT Secure Storage

Please remember:

  • Your NFTs are not stored on your computer or phone. The token itself is a record in a smart contract on the blockchain; the image or media it points to usually lives in decentralized storage such as IPFS or Arweave.
  • Whoever holds the private key has complete control over the assets at that address; the chain cannot tell whether that person is you.
  • Shamir's secret sharing scheme can add a second layer of protection to the backup of your mnemonic phrase.

1. Where are your NFTs stored?

NFTs are not stored in cold wallets, PCs, or hot wallets. An NFT is a token recorded on the Ethereum blockchain, which is maintained by more than 2,400 operational nodes worldwide. Because that system is fully decentralized, no single party can switch the NFT ecosystem off or rewrite its transaction history. When you transfer an NFT, what actually happens is that the token contract's ownership record for that token id is updated from your address to the recipient's address.

2. Where are your images, GIFs, and music?

Each NFT carries a URI (Uniform Resource Identifier) that points to its metadata and image. That content is usually hosted in decentralized storage such as IPFS or Arweave, but some projects still host it on centralized Web2 infrastructure such as AWS, in which case the image can disappear or be changed if the host goes away.

3. Wallets

A wallet is software that stores private keys and uses them to sign transactions. Wallets come in two types: hot wallets (software wallets) and cold wallets (hardware wallets).

Hot Wallet (Software Wallet): Software that runs on an ordinary computer or phone, connects to Web3 sites directly, and lets you receive and send assets with a click. Its private keys live on the same internet-connected device as your browser.

Cold Wallet (Hardware Wallet): A purpose-built device that holds the private keys and signs transactions internally. The main difference from a hot wallet is that the mnemonic phrase and private keys never leave the device or touch the internet; every transaction must be confirmed physically on the device (for example on its touchscreen) after you have checked what it does.

After choosing the right wallet, you need to understand its functions:

First, both hot and cold wallets ask you to set a password or PIN. It is tied to that specific app or device and only unlocks the wallet there. It does not protect your assets if someone obtains the mnemonic phrase, because the phrase can be imported into any other wallet without it.

You can freely share the public address of the wallet; in Web3 it plays the role an email address plays elsewhere. Anyone who knows your address can send you NFTs, and this has created a new attack vector: scammers airdrop NFTs to people, and the NFT's image or description lures the recipient to a website to "claim", sell or transfer it, where they are asked to sign a message or grant an approval. Merely holding the airdropped NFT does nothing; the damage happens when you interact with it and sign. Do not click on unknown NFTs! Likewise, a single rogue signature or token approval is enough for an attacker to move your assets.

Phishing emails are another common scam. Their purpose is to lure you into connecting your wallet to a fake website and signing something so the attacker can drain your assets. Never click on unknown links, and always check the website name. Unsolicited NFTs and emails only work if you act on them: as long as you ignore them, you are safe.

You must keep your private key safe; it is the secret that authorizes actions from your public address. The private key is used:

(1) To move your NFTs out of the address.

(2) To sign messages and transactions that prove you control that address (this is how a site verifies that you own a public address).

The biggest difference between a public address and a private key is that you should never disclose your private key to anyone. Otherwise, they can import your private key into their wallet and steal all your assets.

With private keys and public addresses clear, let's look at mnemonic phrases. A mnemonic phrase typically consists of 12, 18, or 24 words and is used to recover a wallet: the same phrase always re-derives the same private keys, so if you lose a device you can restore the identical wallet on a new one. Like the private key, the mnemonic phrase must never be known by a second person and should not be stored on electronic devices or services (Google Drive, iCloud, photo albums, phone notes, the clipboard). The ideal method is physical storage, such as writing it down on paper. Some people stamp it into metal plates because they are more fire-resistant. A passphrase can further strengthen the backup. A passphrase is a string of symbols or words that, combined with the mnemonic phrase, derives a completely different wallet from the same words. For example, from one mnemonic phrase you can derive a separate wallet by entering:

  • Mnemonic phrase + "NFTGo"
  • Mnemonic phrase + any number
  • Mnemonic phrase + any letter
  • Mnemonic phrase + any phrase

Each of these produces a wallet with different private keys and public addresses. Two caveats: the passphrase is case-sensitive and is not checked anywhere, so mistyping it silently opens a different, empty wallet rather than producing an error; and it must be backed up as carefully as the phrase itself, since the words alone no longer reach the funds. Not every wallet supports a passphrase; it is mainly offered by hardware wallets, so check yours before relying on it.
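To make the passphrase mechanism concrete, here is an added worked example in Python (not code from the original article or from NFTGo) that derives the BIP39 seed from a mnemonic phrase with and without a passphrase, and then the BIP32 master key a wallet builds from that seed. It uses only the standard library. The phrase is the public all-"abandon" BIP39 test vector and is constructed for illustration; the passphrase "TREZOR" comes from the same published test vector.

```python
import hashlib
import hmac
import unicodedata
from typing import Tuple

# Constructed example phrase: the all-"abandon" BIP39 test vector. It is public
# and holds nothing; never use it for real funds.
EXAMPLE_MNEMONIC = "abandon " * 11 + "about"


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Derive the 64-byte BIP39 seed from a mnemonic and an optional passphrase.

    BIP39 NFKD-normalises both strings, uses "mnemonic" + passphrase as the
    PBKDF2 salt and runs PBKDF2-HMAC-SHA512 for 2048 rounds. Any passphrase is
    accepted: there is no checksum, so a typo yields a valid but different seed.
    """
    words = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", words, salt, 2048, dklen=64)


def bip32_master_key(seed: bytes) -> Tuple[bytes, bytes]:
    """BIP32 master private key and chain code: HMAC-SHA512 keyed with "Bitcoin seed".

    Ethereum wallets derive their account keys from this root along the
    path m/44'/60'/0'/0/i, so a different root means different addresses.
    """
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def wallets_differ(mnemonic: str, passphrase_a: str, passphrase_b: str) -> bool:
    """True when the two passphrases lead to different master keys."""
    key_a, _ = bip32_master_key(bip39_seed(mnemonic, passphrase_a))
    key_b, _ = bip32_master_key(bip39_seed(mnemonic, passphrase_b))
    return key_a != key_b


if __name__ == "__main__":
    # Same 12 words, three passphrases (empty, "NFTGo", and a mistyped "nftgo").
    for pp in ("", "NFTGo", "nftgo"):
        seed = bip39_seed(EXAMPLE_MNEMONIC, pp)
        key, _ = bip32_master_key(seed)
        print(f"passphrase={pp!r:8} seed={seed.hex()[:16]}... master key={key.hex()[:16]}...")
```

Run it and compare the master keys: the same 12 words with "", "NFTGo" and "nftgo" give three unrelated wallets, which is exactly why a mistyped passphrase shows an empty balance instead of an error, and why the passphrase has to be backed up together with the words.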

4. Adding a Second Layer of Protection

Buying a hardware (cold) wallet is an effective way to raise your security. Trezor, Ledger, and Keystone are among the most popular, each with its own strengths and weaknesses. For example, Keystone exchanges data with its companion app through QR codes instead of USB or Bluetooth, which removes the channel through which malware on the host computer could reach the device; it was also the first hardware wallet to support ENS (Ethereum Name Service), so a human-readable name can be shown in place of a raw address (you should still confirm that the name resolves to the address you expect). Users can also customize its 4-inch screen with their NFTs.

Let's take Keystone as an example for setup.

(1) Purchase the Keystone wallet from the official website.

(2) Install the Keystone suite.

(3) Start Keystone.

(4) Set your wallet's PIN, a code that unlocks this specific device. It is not the passphrase described above.

(5) For higher-value or business use, consider backing the mnemonic phrase up with Shamir's secret sharing: the secret is split into n shares of which any k reconstruct it, for example 2-of-3 or 3-of-5. Store the shares in different places. With a 3-of-5 split, losing any 2 shares still leaves 3, which is enough to recover the wallet, while any 2 shares on their own reveal nothing about the phrase.
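The arithmetic behind a 3-of-5 Shamir backup, as an added example in Python (not code from the article or from NFTGo; hardware wallets that offer Shamir backup typically encode the shares as SLIP-39 word lists rather than the raw integers shown here). The secret is a constructed 16-byte entropy value standing in for the entropy behind a 12-word phrase; the polynomial lives in the prime field modulo 2^521 - 1, chosen only because it is large enough for any seed size.

```python
import secrets
from itertools import combinations
from typing import List, Tuple

# Field modulus: the Mersenne prime 2^521 - 1, large enough to hold a 128-256
# bit mnemonic entropy value (or even a 512-bit seed) as one field element.
PRIME = (1 << 521) - 1

# Constructed 16-byte entropy standing in for a real 12-word phrase's entropy.
EXAMPLE_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff")


def _eval_poly(coeffs: List[int], x: int) -> int:
    """Horner evaluation of a0 + a1*x + a2*x^2 + ... mod PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret: bytes, threshold: int, shares: int) -> List[Tuple[int, int]]:
    """Split `secret` into `shares` points on a random polynomial of degree threshold-1.

    a0 is the secret; the other coefficients come from a CSPRNG, so any
    set of fewer than `threshold` shares is statistically independent of it.
    """
    if not 1 < threshold <= shares:
        raise ValueError("need 1 < threshold <= shares")
    s = int.from_bytes(secret, "big")
    if s >= PRIME:
        raise ValueError("secret does not fit in the field")
    coeffs = [s] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def recover_int(shares: List[Tuple[int, int]]) -> int:
    """Lagrange interpolation at x = 0. Only correct with at least `threshold` shares."""
    total = 0
    for j, (xj, yj) in enumerate(shares):
        num = den = 1
        for m, (xm, _) in enumerate(shares):
            if m != j:
                num = num * xm % PRIME
                den = den * (xm - xj) % PRIME
        total = (total + yj * num * pow(den, -1, PRIME)) % PRIME
    return total


def recover_secret(shares: List[Tuple[int, int]], length: int) -> bytes:
    """Recover the secret as `length` big-endian bytes."""
    return recover_int(shares).to_bytes(length, "big")


def all_subsets_recover(shares: List[Tuple[int, int]], k: int, secret: bytes) -> bool:
    """True if every k-subset of `shares` reconstructs `secret`."""
    return all(recover_secret(list(c), len(secret)) == secret for c in combinations(shares, k))


if __name__ == "__main__":
    shares = split_secret(EXAMPLE_SECRET, threshold=3, shares=5)
    # Shares 2 and 4 are "lost"; 1, 3 and 5 are enough.
    print("recovered:", recover_secret([shares[0], shares[2], shares[4]], 16).hex())
    print("two shares alone give the secret?",
          recover_int(shares[:2]) == int.from_bytes(EXAMPLE_SECRET, "big"))
```

The shares are integers; in practice each would be written down (or encoded as SLIP-39 words) and stored in a separate location. Note that the security of the scheme rests on the random coefficients coming from a cryptographic generator and on no single location ever holding `threshold` shares.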

Let's take transferring a BAYC as an example of how an NFT hardware wallet is used. If the contract's ABI file has been loaded onto Keystone via microSD card, the device can decode the transaction and display the collection name "Bored Ape Yacht Club" in blue next to the contract address, together with the decoded action. Before approving, confirm that the action is the transfer you intended and that the recipient address is yours, so that you do not sign your NFT over to a scammer or hacker.


Ways to Avoid NFT Scams

1. Always download Web3 apps or wallets from the official website

The main way crypto/NFT users get hacked is by visiting unofficial websites. The vast majority of such sites exist to scam and look very similar to the official ones. Do not install Web3 apps from a store search (Google Play included): follow the download link from the project's official website instead, since store listings can be impersonated. You can use the following suggestions to identify official websites:

(1) Pay attention to the URL bar. Only use sites served over https:// (never http://), where the "s" stands for "secure": the connection is encrypted, so nobody on the network can read or alter it in transit. But https says nothing about who runs the site; phishing sites obtain TLS certificates just as easily as legitimate ones, so the padlock is a minimum requirement, not proof of legitimacy.

(2) Check the domain name. A common trick is to register a domain that looks almost identical to the legitimate one, noticeable only on close inspection. For example, a counterfeit of https://wobble.com could be https://w0oble.com (a zero in place of the "o", and a changed letter). Double-check every letter of the domain name, and pay particular attention to the part just before the top-level domain: wobble.com.example.net belongs to example.net, not to wobble.com.

(3) Watch for spelling errors. Most fake websites are thrown together quickly and contain errors in spelling, capitalization, and grammar.
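A small added checker in Python that applies the tests above to a URL (example code, not from the article or from NFTGo): it requires https, flags punycode or non-ASCII hosts, and compares the registrable domain against an allowlist using a look-alike character map and an edit-distance threshold. The allowlist containing wobble.com and the candidate URLs are constructed for illustration, and the registrable-domain logic is simplified to the last two labels of the host.

```python
from typing import List, Set
from urllib.parse import urlsplit

# Constructed allowlist: the domains you have verified out-of-band (from the
# project's own channels), never from a link someone sent you.
ALLOWLIST: Set[str] = {"wobble.com"}

# Digits and symbols that attackers swap in for look-alike letters.
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                            "7": "t", "8": "b", "9": "g", "|": "l"})


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_url(url: str, allowlist: Set[str] = ALLOWLIST) -> List[str]:
    """Return a list of findings; an empty list means the URL passed every check."""
    findings: List[str] = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        findings.append("not https (note: https alone does not prove who runs the site)")
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return findings + ["no host in URL"]
    labels = host.split(".")
    # Simplification: treat the last two labels as the registrable domain.
    # A real check should consult the Public Suffix List (co.uk, com.au, ...).
    registrable = ".".join(labels[-2:])
    if registrable in allowlist:
        return findings
    if not host.isascii() or any(label.startswith("xn--") for label in labels):
        findings.append("internationalized/punycode host: possible homoglyph attack")
    skeleton = registrable.translate(LOOKALIKES)
    for good in allowlist:
        if good in host:
            findings.append(f"'{good}' appears inside the host, but the real domain is '{registrable}'")
        elif skeleton == good:
            findings.append(f"'{registrable}' is a look-alike of '{good}' (digit/letter swap)")
        elif edit_distance(skeleton, good) <= 2:
            findings.append(f"'{registrable}' is within 2 edits of '{good}' (typosquat?)")
    if not findings:
        findings.append(f"'{registrable}' is not on the allowlist")
    return findings


if __name__ == "__main__":
    # Constructed candidates: the article's own example plus common variants.
    for candidate in ("https://wobble.com/login", "http://wobble.com/",
                      "https://w0oble.com/", "https://w0bble.com/",
                      "https://wobble.com.verify-login.xyz/claim",
                      "https://xn--wbble-5qa.com/"):
        print(candidate, "->", check_url(candidate) or ["ok"])
```

The checker is deliberately conservative: anything not on the allowlist is reported, and the look-alike and edit-distance tests only explain why a domain that is not on the list resembles one that is. It is a pre-click aid, not a substitute for navigating from a bookmark you saved from the official channel.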

2. Only browse official channels, official Twitter accounts, and official links

As mentioned earlier, you can only trust official websites, Twitter accounts, and Discord. You can refer to the following suggestions to verify:

(1) Check account activity.

(2) Check follower count.

(3) Check account history.

(4) Check comments and engagement.

3. Do not share login credentials or private keys with anyone

A popular saying in the crypto circle is: "No key, no coin; the coin and key are one." Once your private key or mnemonic phrase is shared, that account no longer belongs to you. The best practice is to ensure no one else has access to your private key.

4. Verify NFTs before purchasing

Due diligence is always very important in the NFT ecosystem. Before buying or minting NFTs, make sure to check the reputation of the team involved in the project, the organic interactions within its community, and people's opinions on the project.

5. Use multiple wallets to mint NFTs

For example, burner wallets are secondary wallets created specifically for minting. Each one is created and funded with only the gas needed for the mint. Once the mint completes, the NFT is moved to a separate vault wallet that only holds assets and never connects to dApps. This way your main wallet never interacts with an untested site. You can create as many burners as you like and abandon one the moment it has touched anything suspicious.

6. Be cautious when clicking links from unknown accounts

A common tactic is to send giveaway or whitelist links from unknown Discord accounts or by cold email. Set Telegram, Discord, and email to refuse messages from unknown accounts or unofficial addresses, and be wary of users who impersonate group owners or DM you posing as the team; legitimate projects almost never DM first.

7. Check token approvals & revoke unused tokens

People interact with different protocols and sites daily, granting token approvals based on what a smart contract asks for. Reviewing and revoking those approvals regularly is important: an approval you granted to a marketplace or a mint site months ago still allows that contract to move your tokens today. The website https://revoke.cash/ lists the approvals attached to your address and lets you revoke them (each revocation is an on-chain transaction that costs gas). Revoking does not recover anything already transferred; it only closes the door for the future.

8. Carefully read and verify the terms of smart contract transactions before proceeding

Before confirming a transaction, read every detail of what you are about to sign. Many NFT thefts are not exploits of a contract at all: the victim signs a transaction or approval that grants the attacker permission over their tokens, and the attacker then moves the funds at will. Check what the transaction actually does (the function being called, the operator or spender address, the amount or token id) and refuse to sign anything your wallet cannot decode for you.
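The check described in this section, and in the Keystone transfer example earlier, can be done on the raw calldata a wallet asks you to sign. Here is an added Python example (not code from the article or from NFTGo) that decodes the four standard ERC-20/ERC-721 calls that hand control of assets to someone else and rates each one. The selectors are the standard ones from the ERC-20/ERC-721 ABIs; the operator addresses, the trusted-operator set, and the sample calldata are constructed for illustration.

```python
from typing import Any, Dict, FrozenSet

MAX_UINT256 = (1 << 256) - 1

# 4-byte selectors (first bytes of keccak256 of the signature) for the calls
# that give another party control of your tokens. Anything else decodes as unknown.
SELECTORS = {
    "a22cb465": ("setApprovalForAll", ("address", "bool")),
    "095ea7b3": ("approve", ("address", "uint256")),
    "23b872dd": ("transferFrom", ("address", "address", "uint256")),
    "42842e0e": ("safeTransferFrom", ("address", "address", "uint256")),
}

# Constructed placeholder: put the (lowercase) marketplace operator contracts you
# have verified yourself here. An empty set treats every operator as unknown.
TRUSTED_OPERATORS: FrozenSet[str] = frozenset()


def _word(kind: str, w: bytes) -> Any:
    """Decode one 32-byte ABI word of a static type."""
    if kind == "address":
        return "0x" + w[-20:].hex()
    if kind == "bool":
        return w[-1] != 0
    return int.from_bytes(w, "big")


def decode_calldata(calldata: str) -> Dict[str, Any]:
    """Split calldata into selector and ABI-decoded arguments."""
    data = bytes.fromhex(calldata[2:] if calldata.startswith("0x") else calldata)
    selector = data[:4].hex()
    if selector not in SELECTORS:
        return {"function": None, "selector": selector, "args": []}
    name, kinds = SELECTORS[selector]
    body = data[4:]
    if len(body) != 32 * len(kinds):
        raise ValueError("calldata length does not match the ABI for " + name)
    args = [_word(k, body[i * 32:(i + 1) * 32]) for i, k in enumerate(kinds)]
    return {"function": name, "selector": selector, "args": args}


def assess(decoded: Dict[str, Any], trusted: FrozenSet[str] = TRUSTED_OPERATORS) -> str:
    """One-line verdict on what signing this transaction would allow."""
    fn, args = decoded["function"], decoded["args"]
    if fn == "setApprovalForAll":
        operator, approved = args
        if not approved:
            return f"safe: revokes operator {operator}"
        if operator in trusted:
            return f"caution: gives known operator {operator} control of EVERY token in this collection"
        return f"DANGER: gives unknown operator {operator} control of EVERY token in this collection"
    if fn == "approve":
        spender, amount = args
        if amount == MAX_UINT256:
            return f"DANGER: unlimited ERC-20 allowance for {spender}"
        return f"caution: approves {spender} for token id / amount {amount}"
    if fn in ("transferFrom", "safeTransferFrom"):
        src, dst, token_id = args
        return f"DANGER: moves token {token_id} from {src} to {dst} as soon as it is mined"
    return "unknown function: do not sign what you cannot decode"


def encode_set_approval_for_all(operator: str, approved: bool) -> str:
    """ABI-encode setApprovalForAll(operator, approved); used to build sample calldata."""
    return ("0xa22cb465" + operator[2:].lower().rjust(64, "0")
            + ("1" if approved else "0").rjust(64, "0"))


if __name__ == "__main__":
    scammer = "0x" + "ba" * 20  # constructed address a fake "mint" site asks you to approve
    samples = (
        encode_set_approval_for_all(scammer, True),
        encode_set_approval_for_all(scammer, False),
        "0x095ea7b3" + ("cd" * 20).rjust(64, "0") + "f" * 64,  # approve(spender, 2**256-1)
    )
    for cd in samples:
        d = decode_calldata(cd)
        print(d["function"], d["args"], "->", assess(d))
```

A hardware wallet with the contract ABI loaded performs this same decoding on its screen; the point of doing it yourself is to know that a "free mint" whose calldata starts with a22cb465 is not a mint at all, but a request to hand an operator every token in the collection.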

9. Stay updated with news and be aware of new vulnerabilities

Conclusion

As people's interest in the NFT market continues to grow, criminals are lurking within, using tricks to steal works and funds from collectors and investors. Please ensure that your valuable assets, wallets, and funds do not fall into the hands of hackers.
