Blockchain and crypto technology is notoriously unforgiving for users who don’t know how to work it. This is doubly true if they also aren’t aware of the different risks in the space posed by hackers, scammers, and other malicious events. The novelty and complexity of NFTs are some of the main reasons why individuals open themselves up to the various risks posed by the nascent crypto-based technology. Individuals should remember that there are also outside threats that increase the risk of buying, selling, and owning NFTs.

This guide aims to help to minimize the risks by informing users what they could potentially be faced with when dealing with NFTs.

Simply put, non-fungible tokens (NFTs) are digital certificates of ownership that cannot be copied because of their cryptographic signature — even if they appear to look similar. They cannot be traded one for one or tokenized due to the ERC-721 cryptographic standard they are built on. NFTs gained popularity by becoming non-fungible art pieces and avatar icons — some of which are priced in the millions — and have since exploded in pop culture and trading volume.

Any type of data can be stored as an NFT, they can be associated with images, videos, audio, physical objects, memberships, and countless other use cases. NFTs typically give the holder ownership over the data or media the token is associated with, and are commonly bought and sold on a specialized marketplace. The rights to the item are stored on the blockchain but the data or file is most hosted somewhere else on a server or IPFS. The reason for this is that multimedia files would be too big to store on the blockchain and in most cases, multimedia items are larger than all the transaction data stored on a block.

The usual process to buy an NFT

Buying an NFT is easy:

• Set up a cryptocurrency wallet
• Purchase cryptocurrency
• Choose an NFT marketplace
• Create an account on there
• Link wallet to the marketplace
• Browse the available NFTs
• Purchase or bid on NFT
• Complete transaction

The risks come in navigating the buying process of the NFT and vetting collections to prevent poor investments.

Is it possible for NFT to act as a virus/malware?

Since an NFT is only an address to a location on the web or IPFS where the actual item is stored, just buying and owning an NFT won’t be able to give you a virus or expose a user to malware. Legitimate marketplaces have vetting processes that don’t allow a circumstance to occur even if it could. The most likely case is that a user connects their wallet to a phishing scam posing as an official NFT marketplace and gets their wallet private key compromised. Another similar scenario is a website posing as an NFT marketplace where a new user could be sold a virus disguised as an NFT or some sort of scam.

External risks

Avid investors in the space stay safe by following the best practices for investing in NFTs ie. vetting a project, understanding how marketplaces work, understanding how to realistically value an NFT etc. There are many things to keep in mind when one wants to trade and collect NFTs as safely and securely as possible. According to Chainalysis scams were once again the largest form of cryptocurrency-based crime by transaction volume, with over $7.7 billion worth of cryptocurrency taken from victims worldwide.

A rug pull typically involves a new project that markets an NFT collection, spends a lot of time on marketing and gets as many investors as possible. By the time the project is supposed to launch the owners of the projects stop all communication and run off with the investor funds. There are a few telltale signs of a rug pull that investors need to look out for, i.e the project seemingly appeared out of nowhere or the project team stays anonymous.

Wash trading is a sneaky trick to artificially increase the value of NFTs in the market to make an NFT look much more valuable than it actually is. This is done by executing a transaction in which the seller is on both sides of the trade in order to paint a misleading picture of an asset’s value and liquidity. This method is mostly used to close sales with unsuspecting buyers who believe the NFT they’re purchasing has been growing in value, sold from one distinct collector to another. Investors should be aware as to not buy an NFT that has an artificially inflated value.

Tips to avoid phishing scams and NFT stealing malware:

• Always check the URL of the site and make sure it says “HTTPS”, which means it is a secure website. Also, always ensure you are using the official site for the project.
• Do not follow links posted on Discord or Telegram groups from non-official users.
• Some phishing scams disguise themselves as an official website check spelling and grammar on the website as well as the URL
• Use a dedicated e-mail account or computer for crypto-related activities to ensure safety from malware and viruses.
• Do not download or frequent untrusted sites as browser wallets are targeted by malware and viruses.
• Be on the lookout for fake NFT marketplaces

At the end of the day, investors in the NFT space need to be vigilant and follow the best practices to secure their own wallets and ensure they are not caught out by malware or viruses by treading cautiously on official marketplaces.

Can a compromised NFT lead to a total wallet hack?

If a hacker gets into your wallet your NFT is compromised. To this extent, everything stored in the entire wallet will be compromised. Wallet security and safety is extremely important and it is up to the user to secure their crypto wallet as best they can.

How to check NFT is not compromised while purchasing on the secondary market?

• By design, every NFT is unique by its cryptographic hash; however, the same image could be listed on another blockchain’s marketplace. At a minimum, users should check if the NFT they’re interested in is being sold on other marketplaces. If it is — it’s usually a red flag and the safest bet is to move on because that means the seller is listing multiple copies.
• Use Google’s reverse image search to see if there are any other variations of the image on the web and possibly gain insight into how long it’s been available.
• Search the seller’s name and the NFTs name on social media like Twitter and Reddit to determine if anyone has flagged or complained about either. Typically burned buyers have little recourse and turn to social media to blow the whistle on bad actors and projects.
• Social media is a good tool to gauge the authenticity of a project. Investors looking to buy into a project can check out their socials and those of the team. If the team is anonymous it’s usually a bit of a black flag as they could simply attempt a rug pull.
• Social media can also be used to try and determine the “backstory” of the image to see if the seller is the actual artist.
• Follow the classic saying and do-your-own-research (DYOR)

Users can also use Twitter’s NFT verification service. It allows users of the platform to upload NFTs for verification and when approved it can be used as a profile image. The Twitter posting feature assures all viewers that the profile image was authenticated by the NFT solution. When potential investors see a seller or creator with the NFT they’re interested in featured as their Twitter profile, that’s a pretty good indicator it’s legitimate.

Another NFT authenticity tool comes from Adobe, which launched its content credentials feature last October. It enables collectors to confirm that the wallet used to create an asset was indeed the same one used to mint the NFT asset, indicating if it’s fake or not. Now digital artists can add their social media profiles and wallet addresses to the metadata of an NFT artwork before it’s completed and downloaded from Adobe photoshop, allowing creators to add mechanisms for verification into the asset upon minting.

This article has been provided by Hacken as part of the security campaign for the PAID Network community.

About Hacken

Hacken is a fully-fledged cybersecurity ecosystem founded in August 2017 by cybersecurity experts, Big Four professionals, and white hat hackers. Hacken provides B2C, B2B, and B2G cybersecurity services to clients belonging to the blockchain, DeFi, and NFT ecosystems from Europe, Asia, and North America.

Hacken in figures:

>800 clients, including THORSTARTER, ConstitutionDAO, XTblock, Paribus, to name a few

>80 partners including Avalanche, Polkastarter, CoinMarketCap, Weld Money, CoinGecko, Solana Foundation, Simplex, to name a few

23/50 top crypto exchanges are Hacken clients

>$10B in users’ assets saved from being stolen by hackers

Strategic goal: get a 20% share in the Web 3.0 cybersecurity market by 2024.

Discord: Hacken

Telegram: @HackenClub

Twitter: @HackenClub

About PAID

PAID Network seeks to redefine the current business contract, litigation, and settlement processes by providing a simple, attorney-free, and cost-friendly DApp for users and businesses to ensure they #GetPAID wherever they are in the world.

PAID technology leverages Plasm to operate on both Ethereum and Polkadot ecosystems. PAID makes businesses exponentially more efficient by building SMART Agreements through smart contracts to seamlessly execute DeFi transactions and business agreements.

For any questions for the PAID network, please feel free to reach out to us on:

• Website: PAIDNetwork.com
• Telegram: @PaidNetwork
• Twitter: @PAID_Network
• Medium: @PAIDNetwork