

As the number of NFT users, transactions and market capitalization continues to climb, phishers, hackers and other miscreants have begun to target the market, further threatening the security of the NFT ecosystem.
Figures compiled by blockchain security and data-analytics firm PeckShield show that 254 NFTs worth approximately $1.7 million were stolen in a single phishing attack; Jay Chou's BAYC #3738 was stolen on April Fool's Day, a textbook case of a phishing site luring the victim into a "mint" that actually handed over access to his NFTs; and a project called MoonManNFT stole nearly 400 NFTs under the banner of a free mint.
Typically, attackers target collectors through Discord and Telegram and steal their NFTs through bait mints, phishing pages and similar tricks. Because these methods evolve quickly, NFT investors and collectors need to keep up to date with the latest ways to protect their assets.
NFT Secure Storage Basics
Keep in mind:
The NFT itself lives on the blockchain, not on your computer or phone; the media it points to is usually kept in decentralized storage such as IPFS or Arweave.
Whoever holds the private key has full control of everything at that address.
Shamir secret sharing adds a second layer of protection to your recovery phrase (mnemonic).
Where are your NFTs stored?
An NFT is not stored in a cold wallet, on a PC or in a hot wallet: it is a token recorded on the Ethereum blockchain and replicated across more than 2,400 active nodes worldwide. When you transfer an NFT, what actually happens is that the token's contract updates its ownership record for that token ID to point at the new address.
Where are your images, videos and music?
The NFT's token URI (Uniform Resource Identifier) points to its metadata and media. That content is typically held in decentralized storage such as IPFS or Arweave, although some projects still use centralized Web2 hosting such as AWS; in that case the hosting provider, not the chain, decides whether your image keeps resolving.
Wallets
A wallet is software that stores private keys and signs transactions. There are two kinds: hot wallets (software wallets) and cold wallets (hardware wallets).
Hot wallets (software wallets): software that runs on a general-purpose device (a browser extension or a phone app), connects to Web3 sites, and can send and receive assets with a single click.
Cold wallets (hardware wallets): a dedicated hardware device that can also connect to Web3 and receive assets. The key difference from a hot wallet is that the private key and recovery phrase never leave the device or touch the internet, and every transaction must be approved physically on the device (for example on its touch screen).
Once you have chosen the right wallet, you need to understand how it works.
First, both hot and cold wallets ask you to set a password or PIN. It only unlocks the wallet on that particular device; it is not your key, and it does not protect you if the recovery phrase leaks.
You can share the wallet's public address freely; it is the Web3 equivalent of an e-mail address, and anyone who knows it can send you an NFT. That also opens a new attack vector: scammers airdrop NFTs to victims, and when the victim interacts with that NFT (for example by trying to sell it or move it to another wallet), the site or contract behind it tricks them into signing something that drains the wallet. So do not interact with NFTs you did not ask for. Likewise, malicious signature requests and token approvals are how attackers gain control over the assets in your wallet.
Phishing e-mails are another common scam. Their purpose is to lure you into connecting your wallet to a fake website so the attacker can steal your assets. Do not click unfamiliar links, and check the site's domain name every time. Knowing your public address or e-mail address alone gives an attacker nothing, so unsolicited airdrops and e-mails can simply be ignored.
You must keep the private key safe; it is what authorises actions from your public address. With it you can:
(1) Move NFTs out of the address.
(2) Sign messages and transactions to prove that you control that address.
The big difference between a public address and a private key is that you must never reveal the private key to anyone. Whoever has it can import it into their own wallet and take everything.
With private keys and public addresses clarified, let's look at mnemonics (recovery phrases). A mnemonic is usually 12, 18 or 24 words and is used to restore your wallet: the private key is derived from it, so if you lose the private key you can regenerate it from the phrase, and anyone who has the phrase has every key in the wallet. Like the private key, the mnemonic must never be known to anyone else and must never be stored on an electronic device or service (Google Drive, iCloud, photo albums, phone notes, the clipboard). Physical storage is the right choice, such as writing it on paper; some people stamp it into steel plates because they survive fire. Passphrases are another way to increase security. A passphrase is a string of symbols or words combined with the mnemonic to derive a new wallet from the original one. For example, to create a new wallet from an existing one, enter
mnemonic + "NFTGo"
mnemonic + any number
mnemonic + any letter
mnemonic + any phrase
Each of these produces a different wallet, with its own private key and public address. Note that the passphrase is part of the secret: it is not stored anywhere, a typo opens a different (empty) wallet rather than producing an error, and not every wallet exposes the feature (hardware wallets generally do; many browser wallets do not).
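To make the passphrase mechanics concrete, here is an added example (mine, not the article's or any wallet vendor's code) implementing the standard BIP39 seed derivation in Python: the mnemonic and passphrase go through PBKDF2-HMAC-SHA512 with 2048 rounds, and the resulting seed feeds the BIP32 master key. The mnemonic used is the published all-"abandon" BIP39 test vector, never a real wallet; the passphrases "NFTGo", "nftgo" and "NFTGo " are assumed sample values chosen to show that case and whitespace each produce a different wallet.

```python
import hashlib
import hmac
import unicodedata

# Added example (not from the original post): how a BIP39 wallet turns a
# mnemonic plus an optional passphrase into the seed that every key in the
# wallet is derived from. This is the standard BIP39 construction:
# PBKDF2-HMAC-SHA512, 2048 rounds, salt = "mnemonic" + passphrase.


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Return the 64-byte BIP39 seed for a mnemonic and passphrase.

    Both inputs are NFKD-normalised as the spec requires. The passphrase is
    the optional extra secret the article describes; an empty string is what
    every wallet uses when the feature is switched off.
    """
    words = unicodedata.normalize("NFKD", " ".join(mnemonic.split()))
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase)
    return hashlib.pbkdf2_hmac(
        "sha512", words.encode("utf-8"), salt.encode("utf-8"), 2048, dklen=64
    )


def master_key(seed: bytes) -> tuple[bytes, bytes]:
    """BIP32 master node: HMAC-SHA512 of the seed keyed with "Bitcoin seed".

    Returns (master private key, chain code). Every account and address in
    the wallet descends from this pair, so a different seed means a wholly
    different set of addresses.
    """
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


# Published BIP39 test vector (entropy all zeros). Used only to show that the
# function matches the spec; never reuse a published mnemonic for real funds.
TEST_MNEMONIC = ("abandon " * 11 + "about").strip()


def compare_passphrases(mnemonic: str, passphrases: list[str]) -> dict[str, str]:
    """Map each passphrase to the hex master private key it yields."""
    return {p: master_key(bip39_seed(mnemonic, p))[0].hex() for p in passphrases}


if __name__ == "__main__":
    # Assumed sample passphrases: same letters, different case/whitespace.
    for p, k in compare_passphrases(TEST_MNEMONIC, ["", "NFTGo", "nftgo", "NFTGo "]).items():
        print(f"passphrase={p!r:10} master key={k[:16]}...")
```

Because the passphrase is hashed in rather than stored, a wallet cannot tell you it is wrong: a mistyped passphrase simply opens a different, empty wallet. Keep the passphrase written down separately from the mnemonic, and test recovery on the device before moving assets in.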
Add a second layer of protection
Buying a cold wallet is an effective way to raise your security. Trezor, Ledger and Keystone are among the most popular hardware wallets, and each has its own trade-offs. Keystone, for example, exchanges data with the computer or phone only via QR codes, which removes the USB and Bluetooth channels through which malware could reach the device; it was the first hardware wallet to support ENS (Ethereum Name Service), so a human-readable name is shown alongside the raw address (you should still confirm the resolved address on the device); and users can display an NFT of their choice on its 4-inch screen.
Let's take Keystone as an example for setup.
(1) Purchase the Keystone wallet from the official website.
(2) Install the Keystone package.
(3) Launch Keystone.
(4) Set your wallet's PIN - a password that is unique to this device.
(5) For enterprise use, Shamir secret sharing of the recovery phrase is recommended: the secret is split into, for example, 3 shares of which any 2 recover it (2-of-3), or 5 shares of which any 3 recover it (3-of-5), and the shares are kept in different places. With a 3-of-5 split you can lose any 2 shares and still recover the wallet from the remaining 3, while fewer than 3 shares reveal nothing about the secret.
Let's look at how an NFT hardware wallet is used in practice, taking a BAYC transfer as the example. With the contract's ABI file loaded from the microSD card, Keystone decodes the transaction and shows the contract name ("Bored Ape Yacht Club", in blue) next to the address, so you can confirm which contract you are talking to and exactly what the call does before signing, instead of approving your NFT away to a scammer.
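As an added illustration of step (5), not Keystone's implementation, here is Shamir secret sharing over a prime field in Python. It splits a 32-byte seed (a constructed random value standing in for a real one) into 5 shares with threshold 3 and shows that any 3 recover it while 2 do not. Hardware wallets use the same mathematics with the SLIP-39 word encoding on top; that encoding and its checksums are not reproduced here.

```python
import secrets

# Added example, not Keystone's or Trezor's code: the Shamir secret-sharing
# maths behind the "2-of-3 / 3-of-5" backups described above. The secret is
# one element of the prime field GF(P); P = 2**521 - 1 is large enough to
# hold a 256-bit entropy value or a 512-bit BIP39 seed.

P = 2**521 - 1


def split(secret: int, threshold: int, shares: int) -> list[tuple[int, int]]:
    """Split `secret` into `shares` points on a random polynomial of degree
    threshold-1; any `threshold` points recover it, fewer reveal nothing."""
    if not 0 <= secret < P:
        raise ValueError("secret must be smaller than the field prime")
    if not 1 <= threshold <= shares < P:
        raise ValueError("need 1 <= threshold <= shares")
    # f(x) = secret + a1*x + ... + a_{t-1}*x^(t-1); coefficients come from a
    # CSPRNG and are non-zero so the degree really is threshold-1.
    coeffs = [secret] + [secrets.randbelow(P - 1) + 1 for _ in range(threshold - 1)]

    def f(x: int) -> int:
        acc = 0
        for c in reversed(coeffs):  # Horner evaluation mod P
            acc = (acc * x + c) % P
        return acc

    return [(x, f(x)) for x in range(1, shares + 1)]


def recover(points: list[tuple[int, int]]) -> int:
    """Lagrange interpolation at x = 0 over GF(P) from any threshold points."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


def split_seed(seed: bytes, threshold: int, shares: int) -> list[tuple[int, int]]:
    return split(int.from_bytes(seed, "big"), threshold, shares)


def recover_seed(points: list[tuple[int, int]], length: int) -> bytes:
    value = recover(points)
    if value.bit_length() > 8 * length:
        # With too few (or tampered) shares the interpolated value is
        # essentially random over GF(P) and almost never fits the seed size.
        raise ValueError("shares do not reconstruct a seed of that length")
    return value.to_bytes(length, "big")


if __name__ == "__main__":
    seed = secrets.token_bytes(32)          # constructed stand-in for a real seed
    shares = split_seed(seed, 3, 5)         # the 3-of-5 split from the article
    assert recover_seed(shares[:3], 32) == seed
    assert recover_seed([shares[0], shares[2], shares[4]], 32) == seed
    assert recover(shares[:2]) != int.from_bytes(seed, "big")  # two shares are useless
    print("3-of-5 split and recovery OK")
```

Two shares of a 3-of-5 split interpolate to secret minus a2*x1*x2, never the secret itself, which is the property that lets you store shares with people or institutions you only partly trust: each share on its own, and any pair, is worthless.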
Ways to avoid NFT scams
Always download the Web3 app or wallet from the official website
The main cause of crypto/NFT theft is users landing on unofficial websites. Most of these are built to scam and are near-perfect copies of the official site. Do not download Web3 apps from Google Play either; a listing there may not come from the original developer. Follow the download link from the official website instead. The following checks help you identify an official website.
(1) Look at the URL bar. Only use URLs that start with https:// (not http://). The "s" means the connection is encrypted, so the data cannot be read or altered in transit. It does not mean the site is legitimate: phishing sites have valid HTTPS certificates too, so this is a minimum requirement, not proof.
(2) Check the domain name. The attackers' favourite trick is to register a domain so similar to the genuine one that the difference is only visible when you read it letter by letter. For example, a clone of https://wobble.com might be https://w0oble.com. Always read every character of the domain name.
(3) Watch for spelling errors. Most fake sites are crudely made, with spelling, capitalization and grammar mistakes.
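The domain check in (2) can be automated. Here is an added Python example (not from the original post) that normalises a link's host, decoding punycode and mapping digits and Cyrillic homoglyphs to the Latin letters they imitate, and compares it with a constructed allowlist of the sites you actually use; wobble.com, opensea.io and revoke.cash are assumed entries. It catches the w0oble.com case from the text, a Cyrillic-o clone, a trusted name embedded in another domain, and plain http.

```python
import unicodedata
from difflib import SequenceMatcher
from typing import Optional
from urllib.parse import urlsplit

# Added example, not from the original post: an allowlist check to run on a
# link before connecting a wallet. TRUSTED is a constructed sample; use the
# hosts you bookmarked from each project's official site.
TRUSTED = {"wobble.com", "opensea.io", "revoke.cash"}

# Glyphs that pass for ASCII letters at a glance: digits, Latin lookalikes and
# Cyrillic homoglyphs. Multi-character pairs come first so "rn" becomes "m"
# before any single-character rule runs.
CONFUSABLES = [
    ("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"),
    ("\u0430", "a"), ("\u0435", "e"), ("\u043e", "o"), ("\u0440", "p"),
    ("\u0441", "c"), ("\u0445", "x"), ("\u0131", "i"), ("\u0142", "l"),
]


def normalise_host(host: str) -> str:
    """Reduce a host to the Latin string a human would read it as."""
    if "xn--" in host:  # punycode: decode to what the address bar shows
        try:
            host = host.encode("ascii").decode("idna")
        except UnicodeError:
            pass
    host = unicodedata.normalize("NFKD", host.lower())
    host = "".join(ch for ch in host if not unicodedata.combining(ch))  # drop accents
    for src, dst in CONFUSABLES:
        host = host.replace(src, dst)
    return host


def classify(url: str, trusted=TRUSTED) -> tuple[str, Optional[str]]:
    """Return (verdict, matching trusted host or None) for a link."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        return "insecure-scheme", host
    if host in trusted:
        return "trusted", host
    for t in trusted:
        if host.endswith("." + t):
            return "trusted-subdomain", t
    norm = normalise_host(host)
    for t in trusted:
        if norm == t:
            return "lookalike", t   # homoglyph or digit substitution
        if t in host or t in norm:
            return "embedded", t    # e.g. wobble.com.evil-mint.xyz
    best = max(trusted, key=lambda t: SequenceMatcher(None, norm, t).ratio())
    if SequenceMatcher(None, norm, best).ratio() >= 0.8:
        return "similar", best      # one or two characters off
    return "unknown", None


if __name__ == "__main__":
    # Constructed sample links, including the w0oble.com example from the text
    # and a clone that uses a Cyrillic "o".
    for link in ("https://wobble.com/mint", "https://w0oble.com",
                 "https://w\u043ebble.com", "https://wobble.com.evil-mint.xyz/claim",
                 "http://wobble.com", "https://docs.opensea.io", "https://example.org"):
        print(f"{link:45} -> {classify(link)}")
```

Anything other than "trusted" or "trusted-subdomain" should stop you from connecting a wallet; "similar" and "lookalike" are the two verdicts a human eye misses most often.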
Only browse official channels, official tweets and official links
As mentioned, trust only official websites, Twitter accounts and Discord servers. To verify an account:
(1) Check the account's activity.
(2) Check the number of followers.
(3) Check the account's history.
(4) Check comments and engagement.
Don't share login credentials or private keys with anyone
There is a saying in crypto circles: "Not your keys, not your coins." Once your private key or recovery phrase has been shared, the account no longer belongs to you. Best practice is simply never to let anyone else have the private key.
Verify an NFT before you buy
In the NFT ecosystem, due diligence is always important. Before buying or minting an NFT, be sure to check the reputation of the team involved in the project, the organic interactions in its community, and what people think of the project.
Use multiple wallets for minting NFTs
A burner wallet, for example, is a secondary wallet created specifically for minting. It is created and funded with just enough ETH for gas; once the mint completes, the new NFT is moved to a separate wallet that only holds NFTs. This keeps the primary wallet from ever interacting with a potentially malicious site. You can create many burner wallets and abandon one as soon as it has touched anything suspicious.
Be careful about clicking on links to unfamiliar accounts
A common scam is to send giveaway or whitelist links from unfamiliar Discord accounts or cold e-mails. Configure Telegram, Discord and e-mail to reject messages from accounts you do not know or from unofficial addresses, and be wary of anyone who DMs you claiming to be a server owner or official team member.
Check token approvals & revoke unused ones
People interact with different protocols and sites every day, and each interaction may grant a smart contract permission over your tokens (an ERC-20 allowance or an ERC-721 setApprovalForAll). Those permissions persist until revoked, so review and revoke them periodically. https://revoke.cash/ lists the active approvals for an address and lets you revoke them.
Read and verify the smart contract transaction carefully before confirming
Read every detail of the transaction before confirming it. Many attackers use smart contracts to obtain, under false pretences, permission to move the assets in your wallet at will. Check what the call actually does, which contract it targets and which address it grants rights to, and make sure none of it poses a threat.
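What "read every detail" means in practice is decoding the calldata, which is what Keystone's ABI-on-microSD feature described earlier does on the device. The following is an added Python example (mine, not Keystone's firmware or the article's code) that decodes the four ERC-721 calls most often abused in NFT phishing and raises a warning when a transaction would hand your tokens to an address you do not trust. The selectors are the standard keccak256-derived values; the collection, attacker and marketplace addresses are constructed placeholders.

```python
# Added example (not Keystone's firmware, not the article's code): the kind of
# pre-signing check a wallet can do once it knows the contract ABI. It decodes
# ERC-721 calldata and flags calls that give someone else control of your NFTs.

ZERO_ADDRESS = "0x" + "00" * 20

# ERC-721 function selectors: first 4 bytes of keccak256(signature).
# Hard-coded because hashlib has no keccak256; these are the standard values.
ERC721_SELECTORS = {
    "a22cb465": ("setApprovalForAll", ("address", "bool")),
    "095ea7b3": ("approve", ("address", "uint256")),
    "23b872dd": ("transferFrom", ("address", "address", "uint256")),
    "42842e0e": ("safeTransferFrom", ("address", "address", "uint256")),
}


def decode_call(data: str) -> tuple[str, tuple]:
    """Decode a 4-byte selector plus 32-byte ABI words for the calls above."""
    raw = bytes.fromhex(data[2:] if data.startswith("0x") else data)
    name, types = ERC721_SELECTORS.get(raw[:4].hex(), ("unknown", ()))
    if name == "unknown":
        return name, (raw[:4].hex(),)
    if len(raw) != 4 + 32 * len(types):
        raise ValueError("calldata length does not match the ABI")
    args = []
    for i, typ in enumerate(types):
        word = raw[4 + 32 * i: 36 + 32 * i]
        if typ == "address":
            args.append("0x" + word[12:].hex())  # address is the low 20 bytes
        elif typ == "bool":
            args.append(word[-1] == 1)
        else:
            args.append(int.from_bytes(word, "big"))
    return name, tuple(args)


def assess(tx_to: str, data: str, my_address: str, trusted: set[str]) -> list[str]:
    """Return the warnings a wallet should show before the user signs."""
    name, args = decode_call(data)
    ok = {a.lower() for a in trusted} | {my_address.lower()}
    warnings = []
    if name == "unknown":
        warnings.append(f"selector {args[0]} not in ABI: blind signing is unsafe")
    elif name == "setApprovalForAll" and args[1] and args[0].lower() not in ok:
        warnings.append(f"grants {args[0]} control of EVERY token you own in {tx_to}")
    elif name == "approve" and args[0].lower() not in (ok | {ZERO_ADDRESS}):
        warnings.append(f"grants {args[0]} the right to move token #{args[1]}")
    elif name in ("transferFrom", "safeTransferFrom") and args[1].lower() not in ok:
        warnings.append(f"sends token #{args[2]} to {args[1]}, which is not an address you trust")
    return warnings


def encode_set_approval_for_all(operator: str, approved: bool) -> str:
    """Build the calldata a dapp would submit (used for the constructed sample)."""
    word_addr = bytes(12) + bytes.fromhex(operator[2:])
    word_bool = bytes(31) + bytes([1 if approved else 0])
    return "0xa22cb465" + word_addr.hex() + word_bool.hex()


if __name__ == "__main__":
    # Constructed sample: a fake "free mint" page asks you to sign
    # setApprovalForAll(attacker, true) on the collection contract.
    COLLECTION = "0x" + "aa" * 20   # placeholder NFT contract
    ATTACKER = "0x" + "11" * 20     # placeholder operator address
    MARKET = "0x" + "22" * 20       # placeholder marketplace you trust
    ME = "0x" + "ee" * 20
    for op in (ATTACKER, MARKET):
        data = encode_set_approval_for_all(op, True)
        print(decode_call(data), assess(COLLECTION, data, ME, {MARKET}) or "looks fine")
```

setApprovalForAll(operator, true) is the signature to watch for: a single approval gives the operator every token you own in that collection, now and in the future, which is why a "free mint" page asking for it should be closed immediately.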
Keep up with the news and learn about new vulnerabilities
Conclusion
With growing interest in the NFT market, and unscrupulous individuals lurking in it using every trick to steal works and funds from collectors and investors, make sure your valuable assets, wallets and funds do not fall into the hands of hackers.