Unlike your favorite baseball card, a thief can’t snatch NFTs right out of your hand. But let’s talk about the very real security risks in the world of digital collectibles.
Spoiler alert: If you came here simply to learn whether an NFT can be stolen, the short answer is yes.
But what we mean when we say “steal” in the context of blockchain-backed collectibles is something very, very different than, say, a 1952 Topps Mickey Mantle or pair of Yeezy prototypes you can hold in your hands.
In most (not all!) cases, we can break down non-fungible token theft into two main buckets (or a combination of the two):
- Deceptions by which users are tricked into transferring their assets or providing access to their entire crypto wallets
- Exploitation of an NFT platform or other online community’s existing security vulnerabilities
Critically, a user’s own oversight or error can and does contribute to crypto asset theft in both cases — not just the former — though no two cases are created equal.
It’s a lot to sort through. Fortunately, you have questions and Boardroom has answers.
Can Hackers Steal My NFTs?
Well, that ultimately depends on your definition of what a “hacker” is.
Due to the distributed, decentralized principles fundamental to crypto technology, one cannot simply “hack” the whole damn blockchain network upon which your Bored Ape NFTs live in the same way they’d hack your email or your Amazon account. It would likely require a paradigm shift in the way we understand information security and digital threats — and possibly a mind-boggling amount of computing power — to internalize what this hypothetical Web3 hacker is and does.
For now, the more accurate term for the common NFT thief is a familiar one: scammer.
Specifically, one who deceives a user into opening up their own wallets.
SCENARIO 1: Hacking Digital Communities Like Discord via Webhooks
Let’s talk about what happened over at Fractal in December.
The short version: A number of NFT enthusiasts clicked a link from a convincing-but-fake Discord bot and were robbed of upwards of $150,000 in crypto assets.
Webhooks are an API feature that lets one program push a message to another program’s web address the moment a specified event occurs; the receiving side “listens” for those deliveries and reacts, most often by posting a notification. In Discord, a webhook posts into a channel under whatever name and avatar it was configured with, so anyone holding the webhook’s URL can post messages that look like they came from a server bot. That is how webhooks get hijacked for malicious purposes within communities that don’t take proper authentication safeguards.
In the case of the Fractal event, their Discord channel lacked the anti-spoofing measures that would have prevented a webhook from fraudulently impersonating a Discord bot post.
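One way a server moderation bot could catch the pattern described above, as an added example in Python that is not code from the Boardroom article or from Fractal: it scans channel messages and flags any that arrive through a webhook but wear a trusted bot’s name. It assumes Discord’s message payload shape (a `webhook_id` field only on webhook-sent messages, and an `author` object with `id`, `username` and `bot`); the bot names, ids and messages are constructed.

```python
# Added example (not from the Boardroom article): flag Discord messages that
# arrive via a webhook but carry the display name of a genuine bot. Assumes
# Discord's payload shape: "webhook_id" is present only on webhook-sent
# messages, and "author" has "id", "username" and "bot".
import re

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

def check_message(msg, trusted_bots, allowed_webhooks):
    """Return the reasons a message looks like bot impersonation (empty = ok).

    trusted_bots maps a genuine bot's display name to its Discord user id.
    allowed_webhooks holds the webhook ids the server admins created on purpose.
    """
    reasons = []
    author = msg.get("author", {})
    name = author.get("username", "")
    webhook_id = msg.get("webhook_id")
    if webhook_id is not None:
        # Webhooks have no real user account, so a trusted bot name is a red flag.
        if name in trusted_bots:
            reasons.append(f"webhook {webhook_id} posts as trusted bot '{name}'")
        if webhook_id not in allowed_webhooks:
            reasons.append(f"webhook {webhook_id} is not on the allowlist")
        if URL_RE.search(msg.get("content", "")):
            reasons.append("webhook message contains a link")
    elif name in trusted_bots and author.get("id") != trusted_bots[name]:
        # An ordinary account that copied a trusted bot's display name.
        reasons.append(f"user {author.get('id')} uses trusted bot name '{name}'")
    return reasons

def scan(messages, trusted_bots, allowed_webhooks):
    """Map message id -> reasons, keeping only messages with at least one reason."""
    return {m["id"]: r for m in messages
            if (r := check_message(m, trusted_bots, allowed_webhooks))}

# Constructed sample messages (ids, names and URL are made up), not real data.
TRUSTED_BOTS = {"MintBot": "1000"}
ALLOWED_WEBHOOKS = {"5000"}
SAMPLE = [
    {"id": "1", "author": {"id": "1000", "username": "MintBot", "bot": True},
     "content": "Mint opens Friday."},
    {"id": "2", "webhook_id": "9999",
     "author": {"id": "9999", "username": "MintBot", "bot": True},
     "content": "Surprise mint live now: https://example.invalid/mint"},
    {"id": "3", "webhook_id": "5000",
     "author": {"id": "5000", "username": "Announcements", "bot": True},
     "content": "Weekly AMA at 5pm."},
]

if __name__ == "__main__":
    for mid, reasons in scan(SAMPLE, TRUSTED_BOTS, ALLOWED_WEBHOOKS).items():
        print(mid, reasons)
```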
Something similar occurred on the Monkey Kingdom Discord around the same time:
Webhook deception is just one method for gaining access to an unsuspecting target’s blockchain-backed assets, however.
SCENARIO 2: Conning Users into Providing Access to Their Crypto Wallets
You don’t need to hack a Discord channel to abscond with an NFT that isn’t yours. Some users have been tricked by fake would-be buyers in much more blatant fashion:
Elsewhere, numerous chat channels have inevitably popped up impersonating “OpenSea Support” or other seemingly helpful services for NFT owners of all stripes.
Why is Discord such a frequent target for these sorts of deceptions? Because such insular, close-knit communities might just be the last place a crypto collectibles enthusiast would feel the need to keep their guard up.
Many of these communities have gotten wise to such possibilities and adjusted rules, privileges, and safeguards accordingly. But risks still remain.
Can an NFT Be Stolen Without Tricking its Owner First?
By and large, the majority of instances of NFT “theft” you’re likely to see are the product of scams and deceptions that are much, much older than the world of blockchain technology — and in some cases, the internet itself. But that’s not the whole story.
SCENARIO 1: Cybersecurity Issues on NFT Platforms
Nifty Gateway, a popular digital marketplace owned by cryptocurrency exchange Gemini, experienced a straight-up hack in March of 2021 in which several users had their accounts stolen, found themselves locked out, and watched as their NFT assets were pilfered in an old-fashioned smash-and-grab.
It’s not what we would go on to see at Discord, but at least one principle here is the same: it’s not about hacking someone’s crypto wallet directly, but rather exploiting a separate platform to which many crypto wallets are linked.
To this day, the idea that one malicious actor could hack an entire blockchain like it was a government computer network or a power grid remains inconceivable.
But the key is that he or she doesn’t have to.
Nifty’s cybersecurity issues that led to last year’s event have been resolved. But the fact that it happened at all was startling, and a signal of one of the key stumbling blocks as the world makes the grand transition from Web2 to Web3.
SCENARIO 2: The Bad Guys Got Your Seed Phrase
You need two things to access a crypto wallet. Specifically, two cryptographic keys: a public key that encrypts data and can be shared freely, and a private key that decrypts data and must stay secret, because the private key is what signs, and therefore authorizes, every transaction that moves your assets.
Each wallet also has a corresponding “seed phrase,” also known as a “recovery phrase”: a string of 12 or 24 words that allows a user to recover owned crypto assets on a blockchain even if they lose access to their wallet. In other words, the seed phrase is the secret from which the wallet’s cryptographic keys are generated, and those keys are what confirm the “true” owner’s identity, so anyone who holds the phrase can regenerate the keys.
For this reason, seed phrases are not meant to be, say, stored on your phone or in your email inbox or in any place under the sun that isn’t utterly secure (many choose to write them out on a piece of plain ol’ paper as a result). But if someone did get their hands on your seed phrase through hacking your phone or your email or simply snapping a photo of the piece of paper you wrote it on… game over, man.
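The derivation the two paragraphs above describe, as an added example in Python that is not part of the Boardroom article: it runs the standard BIP39 mnemonic-to-seed and BIP32 master-key steps (assumed here as the scheme most wallets use) on the published all-“abandon” BIP39 test phrase, using only the standard library, to show that the words alone determine the wallet’s root private key.

```python
# Added example (not from the Boardroom article): why a seed phrase is "game over".
# Standard BIP39 (mnemonic -> seed) and BIP32 (seed -> master key) steps, assumed
# to be what the wallet uses, implemented with only the standard library.
import hashlib
import hmac
import unicodedata

def mnemonic_to_seed(mnemonic, passphrase=""):
    """BIP39: PBKDF2-HMAC-SHA512, 2048 rounds, salt = "mnemonic" + passphrase."""
    words = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", words, salt, 2048, dklen=64)

def master_key(seed):
    """BIP32: HMAC-SHA512 keyed with b"Bitcoin seed" splits into
    (master private key, chain code); every account key descends from these."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]

def keys_from_phrase(mnemonic, passphrase=""):
    """Everything a thief needs, computed from nothing but the words."""
    seed = mnemonic_to_seed(mnemonic, passphrase)
    priv, chain = master_key(seed)
    return {"seed": seed.hex(), "master_priv": priv.hex(), "chain_code": chain.hex()}

# The published BIP39 test phrase (all-zero entropy), used here only as input.
TEST_PHRASE = ("abandon abandon abandon abandon abandon abandon "
               "abandon abandon abandon abandon abandon about")

if __name__ == "__main__":
    first = keys_from_phrase(TEST_PHRASE, "TREZOR")
    second = keys_from_phrase(TEST_PHRASE, "TREZOR")
    # Same twelve words, same passphrase: identical root key every time,
    # on any device, for anyone who types them in.
    print("deterministic:", first["master_priv"] == second["master_priv"])
    # An optional BIP39 passphrase (the "25th word") yields an unrelated wallet.
    print("passphrase changes key:",
          keys_from_phrase(TEST_PHRASE)["master_priv"] != first["master_priv"])
```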
SCENARIO 3: When Totally Unforced User Error Costs $297,000
This isn’t theft. But it did happen, and you need to know about it.
Sometimes, you want to list your Bored Ape for 75 ETH, which was about $300,000 at the time. And sometimes, you take your eye off the ball and list it for 0.75 ETH instead, or about $3,000.
We salute you, Bored Ape #3547.
Stay safe out there, crypto collectors.