Learn to store your NFT assets safely and avoid scams.
Original title: "NFT Anti-Theft Guide: How to Protect Assets?"
As the number of NFT users, transaction volume, and market value continue to rise, criminals such as phishers and hackers have also begun to target this market, further threatening the security of the NFT ecosystem.
A table compiled by PeckShield, a blockchain security and data analysis company, shows that in one phishing attack 254 NFTs with a total value of approximately US$1.7 million were stolen; Jay Chou's NFT BAYC#3738 was stolen on April Fool's Day, a typical case in which a phishing website induces the user to "mint" and thereby obtains operating rights over the user's NFTs; and a project called MoonManNFT stole nearly 400 NFTs under the guise of a free mint...
Generally speaking, hackers target collectors through Discord and Telegram and steal their NFT assets through induced mints and phishing attacks. Given current technological developments, it is imperative that NFT investors and collectors stay abreast of the latest methods of protecting their assets.
NFT safe storage basics
Please keep in mind:
Your NFT is not stored on your computer or mobile device, but in a decentralized space like IPFS or Arweave.
Owning the private key gives you full access to the blockchain/your assets.
Shamir's private key splitting scheme can provide secondary protection for mnemonic words.
1. Where is your NFT stored?
NFTs are not stored in cold wallets, PCs or hot wallets. An NFT is a token on the Ethereum blockchain, carried by more than 2,400 network nodes running around the world. The NFT is supported by a fully decentralized system that keeps the NFT ecosystem functioning and verifies on-chain transactions. When you transact an NFT, what actually happens is that the ledger records a change to the address that owns that NFT.
2. Where are your pictures, GIFs and music?
The URI (Uniform Resource Identifier) of the NFT points to the location of the image. NFT media are generally located in decentralized storage spaces like IPFS or Arweave; in Web2 there is also centralized storage like AWS.
3. Wallets
A wallet is a piece of software that stores private keys and supports transactional activities. There are two types of wallets: hot wallets (software wallets) and cold wallets (hardware wallets).
Hot wallet (software wallet): software that runs on general-purpose devices, connects to Web3, and can receive assets with just a click of the mouse.
Cold wallet (hardware wallet): a dedicated hardware device that can connect to Web3 and receive assets. The main difference from a hot wallet is that the mnemonic phrase of a cold wallet is never exposed to the Internet, and transactions must be approved by physical means (such as a touch screen).
After choosing the right wallet, you need to understand its features:
First, a hot or cold wallet will ask you to create a password, which is unique to a particular device. Access to the wallet is only possible if you know the password.
You are free to share your wallet's public address, which is no different from a Web3 email address: anyone who knows your address can send you an NFT. This has also given rise to new attack vectors. Hackers send people NFTs, and when the recipient interacts with the NFT (for example by sending it to another wallet or selling it), the hacker steals the assets in that person's wallet. Please remember: don't open unfamiliar NFTs! People can also use rogue signatures or approvals to get your IP address.
Phishing emails are also a common form of deception. The purpose of such an email is to lure you into connecting your wallet to a fake website so that hackers can steal your assets. So, don't click on unfamiliar links! Always check the website name. The current hacking methods are relatively simple and can only start from your public address or your email, so as long as such messages are ignored they lead nowhere.
You need to keep your private key safe. It is the password that gives access to your public address. The private key is used to:
(1) Move your NFTs out of the address.
(2) Sign a contract to prove that you own the private key of the address (similar to verifying that you own the public address).
The biggest difference between a public address and a private key is that you can never reveal your private key to anyone. Otherwise, they can import your private key into their wallet and steal all your assets.
Having clarified the concepts of private key and public address, let's look at the mnemonic. A mnemonic typically consists of 12, 18 or 24 words and is used to recover a wallet: if you lose your private key, you can use the mnemonic to create a new one. Like the private key, the mnemonic phrase must never be known to a second person, nor stored in electronic storage devices or service providers (such as Google Drive, iCloud, photo albums, mobile phone notes or copies). The ideal way is physical storage, such as writing it on paper. Steel plates are also used to store seed phrases, as they are more fire resistant.
Other methods, such as a password (passphrase), can also increase wallet security. A password is a string of symbols or words that is combined with the mnemonic to create a new wallet derived from the original one. For example, to create a new wallet based on an existing wallet, just enter:
mnemonic + "NFTGo"
mnemonic + any number
mnemonic + any letter
mnemonic + any phrase
Any of the above creates a new wallet with a different private key and public address, but the password function is only available on cold wallets.
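The "mnemonic + password" derivation described above is standardised in BIP39: the seed is PBKDF2-HMAC-SHA512 over the mnemonic, salted with the string "mnemonic" followed by the passphrase. The following example, added here and not taken from the article or from any wallet vendor's code, shows why every distinct passphrase yields a completely different wallet. The mnemonic used is the public BIP39 test vector (twelve words of "abandon" plus "about"); a real mnemonic must of course never be pasted into a script.

```python
import hashlib
import unicodedata

# Constructed demo input: the BIP39 English test-vector mnemonic, not a real wallet.
DEMO_MNEMONIC = ("abandon " * 11 + "about").strip()


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39 seed derivation:
    seed = PBKDF2-HMAC-SHA512(password=mnemonic, salt="mnemonic" + passphrase,
                              iterations=2048, dklen=64).
    Both strings are NFKD-normalised first, as the specification requires."""
    mnemonic_bytes = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", mnemonic_bytes, salt, 2048, dklen=64)


def seeds_for_passphrases(mnemonic: str, passphrases) -> dict:
    """Map each passphrase to its seed (hex). The mnemonic is the same every time,
    yet every passphrase produces an unrelated seed, i.e. an unrelated wallet."""
    return {p: mnemonic_to_seed(mnemonic, p).hex() for p in passphrases}


if __name__ == "__main__":
    # "" is the plain wallet; "NFTGo", "1234" and "nftgo" are the article's
    # "mnemonic + word/number" variants (note that case matters).
    for p, seed in seeds_for_passphrases(DEMO_MNEMONIC, ["", "NFTGo", "1234", "nftgo"]).items():
        print(f"passphrase={p!r:<8} seed={seed[:32]}...")
```

Two properties of this derivation matter for storage: the passphrase is case-sensitive, and there is no "wrong passphrase" error. Any passphrase produces a valid, empty-looking wallet, so a mistyped or forgotten passphrase looks exactly like a lost wallet. The passphrase therefore needs a backup as careful as the mnemonic itself, stored separately from it.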
4. Add a second layer of protection
Purchasing a cold wallet is an effective way to improve security. Trezor, Ledger and Keystone are some of the most popular hardware wallets, but each has its advantages and disadvantages and its own characteristics. For example, Keystone uses QR codes for data transmission, which avoids the risk of Trojans being transmitted to the hardware wallet through a USB interface or Bluetooth. It is also the first hardware wallet that supports ENS (Ethereum Name Service), eliminating the need to check the raw address. Additionally, users can customize its 4-inch screen with NFTs.
We take Keystone as an example for setup.
(1) Purchase a Keystone wallet from the official website.
(2) Install the Keystone package.
(3) Start Keystone.
(4) Set the PIN of your wallet - a password unique to this device.
(5) For enterprise use, the Shamir private-key splitting scheme is recommended: split the mnemonic into 3 shares of which any 2 recover it, or into 5 shares of which any 3 recover it, and keep the shares in different places. With a 3-of-5 Shamir backup, if you lose 2 of the 5 shares you can still restore the wallet from the remaining 3.
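To make the threshold behaviour of step (5) concrete, here is a textbook Shamir secret-sharing implementation over a prime field, added as an example and not the share format of Keystone or any other hardware wallet. It splits a byte-string secret (for instance the 32 bytes of entropy behind a 24-word mnemonic) into 5 shares, of which any 3 reconstruct it and any 2 reveal nothing useful; the secret bytes below are constructed for the demo.

```python
import secrets
from itertools import combinations

# Field prime: 2**521 - 1 is a Mersenne prime, large enough to hold any secret of
# up to 65 bytes (so a 32-byte mnemonic entropy fits) as one field element.
PRIME = 2**521 - 1


def _eval_poly(coeffs, x: int) -> int:
    """Evaluate coeffs[0] + coeffs[1]*x + ... + coeffs[k]*x**k mod PRIME (Horner)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret: bytes, threshold: int, share_count: int):
    """Return share_count points (x, y) on a random polynomial of degree
    threshold-1 whose constant term is the secret. Any `threshold` points
    determine the polynomial; fewer leave the constant term undetermined."""
    if not 1 < threshold <= share_count:
        raise ValueError("need 1 < threshold <= share_count")
    s = int.from_bytes(secret, "big")
    if s >= PRIME:
        raise ValueError("secret too large for the field")
    coeffs = [s] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, share_count + 1)]


def combine_shares(shares, secret_len: int) -> bytes:
    """Lagrange interpolation at x = 0. With fewer shares than the threshold this
    still returns *something*, just a random-looking value, never an error."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    total = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    # A wrong reconstruction may not even fit in secret_len bytes; widen so the
    # caller gets a value to compare rather than an OverflowError.
    return total.to_bytes(max(secret_len, (total.bit_length() + 7) // 8), "big")


def demo_three_of_five(secret: bytes) -> bool:
    """Every 3-subset of 5 shares recovers the secret; no 2-subset does."""
    shares = split_secret(secret, 3, 5)
    every_three_works = all(
        combine_shares(list(c), len(secret)) == secret for c in combinations(shares, 3))
    no_two_works = all(
        combine_shares(list(c), len(secret)) != secret for c in combinations(shares, 2))
    return every_three_works and no_two_works


if __name__ == "__main__":
    demo_secret = bytes(range(32))  # constructed stand-in for mnemonic entropy
    print("3-of-5 threshold holds:", demo_three_of_five(demo_secret))
```

The practical consequence for backups: because an insufficient set of shares yields a plausible-looking but wrong secret rather than an error, shares should be labelled with the scheme (3-of-5) and tested by a full recovery drill before the original mnemonic is relied upon being gone.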
Let's take the transfer of a BAYC as an example of using an NFT hardware wallet. In Keystone, users can use the ABI data file loaded from the microSD card to quickly confirm the authenticity of the address, and "Bored Ape Yacht Club" will appear in blue next to the address. It is also necessary to confirm that the transaction involves no malicious behavior, so as not to sign your NFT away to scammers or hackers.
Ways to Avoid NFT Scams
1. Be sure to download the Web3 app or wallet from the official website
The main cause of crypto/NFT hacks is users visiting unofficial websites. The vast majority of such sites are created to scam and look very similar to the official ones. Do not download Web3 apps from Google Play, as they may not come from the original source. You can refer to the following suggestions to identify the official website:
(1) Focus on the URL bar. Only click on URLs starting with https:// (do not click http://!). The "s" stands for "secure": the data exchanged with this website is encrypted in transit, which prevents it from being read or tampered with on the way. Note that phishing sites also use HTTPS, so this check is necessary but not sufficient.
(2) Check the domain name. A favorite tactic of hackers is to create fake websites with domain names so similar to the genuine ones that only a careful double-check can tell the difference. For example, a fake version of the website https://wobble.com could be https://w0oble.com. Remember to double-check every letter of the domain name, every time.
(3) Watch out for spelling mistakes. Most fake websites are crudely crafted, with errors in spelling, wording, capitalization and grammar.
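The three checks above can be turned into a small pre-flight test that runs before a wallet is connected. The following script is an added example, not part of the article: it keeps an allowlist of domains verified out of band (constructed here as wobble.com from the article and a placeholder example-marketplace.com), rejects plain http://, rejects internationalised or punycode hostnames that can look identical to Latin letters, catches the trusted name being used as a subdomain of another domain, and flags look-alikes such as w0oble.com by collapsing confusable characters and measuring edit distance.

```python
from urllib.parse import urlsplit

# Constructed allowlist: domains the user verified once, out of band (for example
# from the project's own printed material), never from a link received in a DM.
TRUSTED_DOMAINS = {"wobble.com", "example-marketplace.com"}

# Digit-for-letter and letter-pair substitutions common in look-alike domains.
SINGLE_CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
PAIR_CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d")]


def _skeleton(name: str) -> str:
    """Collapse confusable characters so that 'w0bble' compares equal to 'wobble'."""
    name = name.translate(SINGLE_CONFUSABLES)
    for pair, letter in PAIR_CONFUSABLES:
        name = name.replace(pair, letter)
    return name


def _levenshtein(a: str, b: str) -> int:
    """Edit distance; a small distance between two domains signals typosquatting."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _registrable(host: str) -> str:
    """Naive registrable domain: the last two labels (fine for .com/.io style TLDs)."""
    return ".".join(host.split(".")[-2:])


def classify_url(url: str) -> str:
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme != "https":
        return "reject: not https"
    if not host:
        return "reject: no host"
    # Non-ASCII or punycode (xn--) labels can render identically to Latin letters.
    if not host.isascii() or any(label.startswith("xn--") for label in host.split(".")):
        return "reject: internationalised domain name, compare the ASCII form by hand"
    domain = _registrable(host)
    if domain in TRUSTED_DOMAINS:
        return f"trusted: {domain}"
    for trusted in sorted(TRUSTED_DOMAINS):
        # e.g. wobble.com.evil.example: the trusted name is only a subdomain here.
        if host.startswith(trusted + "."):
            return f"reject: trusted name used as a subdomain of {domain}"
        if _levenshtein(_skeleton(domain), _skeleton(trusted)) <= 2:
            return f"reject: look-alike of {trusted}"
    return "unknown: verify out of band before connecting a wallet"


if __name__ == "__main__":
    for u in ["https://wobble.com/mint", "http://wobble.com/", "https://w0oble.com/",
              "https://wobble.com.evil.example/", "https://xn--wbble-1ra.com/"]:
        print(f"{u:<40} {classify_url(u)}")
```

The registrable-domain helper is deliberately naive (it does not know multi-label public suffixes such as co.uk); in a real tool replace it with a public-suffix list lookup. The point of the script is the order of checks: scheme first, then script, then exact allowlist match, and only then heuristics.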
2. Only browse official channels, official Twitter accounts and official links
As mentioned earlier, you can only trust official websites, Twitter accounts and Discord servers. You can refer to the following suggestions to verify them:
(1) Check account activity.
(2) Check the number of followers.
(3) Check account history.
(4) Check comments and engagement.
3. Do not share login credentials or private keys with anyone
There is a saying that is very popular in crypto circles: "Not your keys, not your coins" (the key and the coin are one and the same). Once your private key or mnemonic is shared, the account no longer belongs to you. The best defense is to make sure nobody else can ever obtain the private key.
4. Verify NFT before purchasing
Due diligence is always very important in the NFT ecosystem. Before buying or minting an NFT, it is important to check the reputation of the team involved in the project, organic interactions in its community, and what people think about the project.
5. Mint NFTs using multiple wallets
For example, a burner wallet is a secondary wallet created specifically for minting NFTs. Such wallets are created and funded with only the amount of gas required for the mint. After the mint is complete, the minted NFT is sent to another wallet, which is used to store NFTs. This reduces the risk of the main wallet interacting with vulnerable websites. You can create multiple burner wallets and discard them as soon as a problem is discovered.
6. Be wary of clicking on links from unfamiliar accounts
A common trick for hackers is to send giveaway or whitelist links through unfamiliar Discord accounts or cold emails. Be sure to set Telegram, Discord and email to not receive messages from unfamiliar accounts or unofficial addresses, and beware of users pretending to be the group owner or an official account when they DM you.
7. Check token approval & revoke unused tokens
People interact with different protocols and links every day, granting them access and permissions through smart-contract approvals. It is important to review these approvals and revoke the ones you no longer use from time to time. The https://revoke.cash/ website can help you revoke access.
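Why approvals need periodic review is easiest to see by replaying the approval events a wallet or explorer indexes. The example below is added here (not from the article or from revoke.cash) and uses a constructed history of ERC-721/ERC-1155 ApprovalForAll(owner, operator, approved) events with placeholder addresses. Approvals are stateful: the latest event per (collection, operator) pair is the live permission, it survives until an explicit setApprovalForAll(operator, false), and an operator approved once for a collection can move every token the owner holds in it.

```python
from collections import namedtuple

# One ApprovalForAll(owner, operator, approved) event, as indexed from a collection contract.
Event = namedtuple("Event", "block log_index contract owner operator approved")

# Constructed sample history; the 0x... names are placeholders, not real addresses.
SAMPLE_EVENTS = [
    Event(100, 0, "0xCOLLECTION_A", "0xME", "0xMARKETPLACE", True),
    Event(120, 3, "0xCOLLECTION_A", "0xME", "0xUNKNOWN_DAPP", True),   # signed on some site
    Event(150, 1, "0xCOLLECTION_B", "0xME", "0xUNKNOWN_DAPP", True),
    Event(160, 0, "0xCOLLECTION_A", "0xME", "0xMARKETPLACE", False),   # user revoked this one
    Event(170, 2, "0xCOLLECTION_B", "0xOTHER_USER", "0xUNKNOWN_DAPP", True),
    Event(180, 0, "0xCOLLECTION_B", "0xME", "0xMARKETPLACE", True),
]


def current_approvals(events, owner):
    """Replay events in chain order (block, then log index). The last event per
    (contract, operator) pair wins; return the pairs that are still approved."""
    state = {}
    for ev in sorted(events, key=lambda e: (e.block, e.log_index)):
        if ev.owner == owner:
            state[(ev.contract, ev.operator)] = ev.approved
    return sorted(pair for pair, approved in state.items() if approved)


def revoke_plan(events, owner, known_operators):
    """For every live approval, the call that clears it. Operators the user does
    not recognise are listed first; even recognised ones should go when idle."""
    plan = []
    for contract, operator in current_approvals(events, owner):
        urgency = "revoke now" if operator not in known_operators else "revoke when not in use"
        plan.append((urgency, contract, f"setApprovalForAll({operator}, false)"))
    return sorted(plan, key=lambda item: item[0] != "revoke now")


if __name__ == "__main__":
    for urgency, contract, call in revoke_plan(SAMPLE_EVENTS, "0xME", {"0xMARKETPLACE"}):
        print(f"{urgency:<23} on {contract}: {call}")
```

Note that the revocation in block 160 only cleared the marketplace approval on collection A; the approvals granted to the unknown dApp on both collections are still live, which is exactly the kind of leftover permission a periodic review is meant to find.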
8. Before proceeding to the next step, carefully read and verify the transaction terms of the smart contract
Before confirming a transaction, make sure you carefully read every detail of what the smart contract call does. Many hackers use smart contracts to trick you into granting permission to access the funds in your wallet at will. Read carefully to make sure that the details of the call pose no threat and contain no loopholes.
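What "reading the transaction" means in practice is decoding the calldata the dApp asks you to sign. The example below is added here, not from the article or any wallet: a minimal decoder for the standard ERC-20/ERC-721 function selectors (the public 4-byte values, first four bytes of keccak256 of each signature) that labels the risk of each call in plain language, the way a good hardware wallet screen should. The sample calldata strings are constructed, with placeholder addresses 0x1111... and 0x2222....

```python
# Standard ERC-20 / ERC-721 4-byte function selectors (public standard values).
SELECTORS = {
    "a22cb465": "setApprovalForAll(address,bool)",
    "095ea7b3": "approve(address,uint256)",
    "23b872dd": "transferFrom(address,address,uint256)",
    "42842e0e": "safeTransferFrom(address,address,uint256)",
}
UINT256_MAX = 2**256 - 1

# Constructed sample calldata (placeholder addresses, not real contracts):
# setApprovalForAll(0x1111...1111, true) and approve(0x2222...2222, 2**256-1).
SAMPLE_SET_APPROVAL = "0xa22cb465" + "00" * 12 + "11" * 20 + "00" * 31 + "01"
SAMPLE_APPROVE = "0x095ea7b3" + "00" * 12 + "22" * 20 + "ff" * 32


def _word(args: bytes, index: int) -> bytes:
    """ABI-encoded static arguments are packed as consecutive 32-byte words."""
    return args[index * 32:(index + 1) * 32]


def _address(word: bytes) -> str:
    return "0x" + word[-20:].hex()  # an address is right-aligned in its word


def _uint(word: bytes) -> int:
    return int.from_bytes(word, "big")


def decode_calldata(hexdata: str) -> dict:
    """Decode calldata into (function, args, risk). Unknown selectors are flagged,
    not guessed: a wallet that cannot explain a call should not sign it."""
    data = bytes.fromhex(hexdata[2:] if hexdata.startswith("0x") else hexdata)
    selector, args = data[:4].hex(), data[4:]
    signature = SELECTORS.get(selector)
    if signature is None:
        return {"selector": selector, "function": None, "args": {},
                "risk": "unknown function: do not sign what you cannot read"}
    name = signature.split("(")[0]
    if len(args) < 32 * (signature.count(",") + 1):
        return {"selector": selector, "function": name, "args": {},
                "risk": "malformed calldata: too few arguments"}
    if name == "setApprovalForAll":
        operator, approved = _address(_word(args, 0)), _uint(_word(args, 1)) != 0
        risk = (f"HIGH: {operator} may transfer EVERY token you hold in this collection"
                if approved else "revocation of an operator")
        return {"selector": selector, "function": name,
                "args": {"operator": operator, "approved": approved}, "risk": risk}
    if name == "approve":
        spender, value = _address(_word(args, 0)), _uint(_word(args, 1))
        risk = (f"HIGH: unlimited ERC-20 allowance for {spender}" if value == UINT256_MAX
                else f"grants {spender} control of token id / amount {value}")
        return {"selector": selector, "function": name,
                "args": {"spender": spender, "value": value}, "risk": risk}
    sender, recipient, token_id = (_address(_word(args, 0)), _address(_word(args, 1)),
                                   _uint(_word(args, 2)))
    return {"selector": selector, "function": name,
            "args": {"from": sender, "to": recipient, "tokenId": token_id},
            "risk": f"moves token {token_id} from {sender} to {recipient}"}


if __name__ == "__main__":
    for calldata in (SAMPLE_SET_APPROVAL, SAMPLE_APPROVE, "0xdeadbeef" + "00" * 32):
        print(decode_calldata(calldata))
```

The two constructed samples are the calls most often hidden behind a "claim" or "mint" button: setApprovalForAll(operator, true) hands an operator every token of a collection, and approve with the maximum uint256 hands a spender an unlimited token allowance. Neither moves anything by itself, which is why they look harmless on a signing prompt that shows only the raw hex.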
9. Keep up with the news and learn about new vulnerabilities
Epilogue
With the growing interest in the NFT market, criminals are lurking in it too, using tricks to steal works and funds from collectors and investors. Make sure your valuable assets, wallets and funds do not fall into the hands of hackers.