Unlike your favorite baseball card, a thief can’t snatch an NFT from your hand. But let’s talk about the very real security risks in the world of digital collectibles.
Spoiler alert: if you came here just to find out if an NFT can be stolen, the short answer is yes.
But what we mean when we say “steal” in the context of blockchain-backed collectibles is very, very different from stealing, say, a 1952 Mickey Mantle Topps card or a pair of Yeezy prototypes you can hold in your hands.
In most (not all!) cases, we can break non-fungible token theft into two broad categories (or a combination of both):
- Deceptions that trick users into transferring their assets or providing access to their entire cryptocurrency wallets.
- Exploitation of security vulnerabilities in an NFT platform or other online community.
It is essential to note that user error or negligence can contribute to the theft of crypto assets in both cases – and not just in the first – although the two cases are not identical.
There are a lot of things to sort out. Fortunately, you have questions and Boardroom has answers.
Can hackers steal my NFTs?
It all depends on your definition of the term “hacker”.
Due to the distributed and decentralized principles that are the basis of cryptographic technology, it is not possible to “hack” the entire blockchain network that your NFTs rely on in the same way as one hacks your email or your Amazon account. It would probably take a paradigm shift in how we understand information security and digital threats – and perhaps mind-boggling computing power – to internalize what this hypothetical Web3 hacker is and does.
For now, the most accurate term for the NFT thief is a colloquial term: scammer.
Specifically, one that tricks a user into opening their own wallet.
Tricking users into giving access to their cryptocurrency wallets
You don’t have to hack a Discord channel to grab an NFT that isn’t yours. Some users have been deceived by fake potential buyers in a much more blatant way.
Elsewhere, plenty of chat channels have inevitably sprung up posing as “OpenSea support” or other seemingly useful services for NFT owners of all kinds.
Why is Discord such a frequent target for this kind of deception? Because these tight-knit, insular communities may be the last place a cryptocurrency collectible enthusiast feels the need to be on their toes.
Many of these communities have realized these possibilities and have adapted rules, privileges and protections accordingly. But risks remain.
Can an NFT be stolen without trapping its owner first?
Overall, the majority of NFT “theft” cases you’re likely to see are the product of scams and deceptions that are much, much older than the world of blockchain technology – and in some cases, than the Internet itself. But that’s not the whole story.
SCENARIO 1: Cybersecurity issues on NFT platforms
Nifty Gateway, a popular digital marketplace owned by cryptocurrency exchange Gemini, suffered a full-scale hack in March 2021, in which several users had their accounts stolen, got locked out, and watched their NFT assets get looted in an old-fashioned robbery.
This is not the same as what happens on Discord, but at least one principle is the same: it is not a question of directly hacking into someone’s cryptocurrency wallet, but rather of exploiting a separate platform to which many cryptocurrency wallets are linked.
To this day, the idea that a malicious actor could hack an entire blockchain as if it were a government computer network or a power grid remains inconceivable.
But the bottom line is that he or she doesn’t have to.
Nifty’s cybersecurity issues that led to last year’s event have been resolved. But the fact that it happened is surprising and speaks to one of the major stumbling blocks in the transition from Web2 to Web3.
SCENARIO 2: The bad guys got your seed phrase
You need two things to access an e-wallet. Specifically, two cryptographic keys – a public key that encrypts data and a private key that decrypts it.
Each wallet also has a corresponding “Seed Phrase”, also known as a “Recovery Phrase”, a string of 12 or 24 words that allows a user to recover the crypto assets they own on a blockchain even if they lose access to their wallet. In other words, the seed phrase generates the cryptographic keys needed to confirm the identity of the “true” owner.
That’s why seed phrases aren’t supposed to be stored on your phone, in your email inbox, or anywhere else that isn’t totally secure (which is why many choose to write them down on a sheet of plain paper). But if someone got their hands on your seed phrase by hacking into your phone or email or simply taking a picture of the piece of paper you wrote it on…it’s over.
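To make the seed-phrase risk concrete, here is an added example (not part of the original article) that scans a note for something shaped like a recovery phrase and then derives the wallet seed from it with nothing else in hand. It assumes the wallet follows the BIP-39 standard, which the article does not name; the function names, the sample note and the passphrase are constructed for illustration.

```python
import hashlib
import re
import unicodedata

# BIP-39 English words are 3-8 lowercase letters; 12 and 24 are the phrase
# lengths the article mentions. Assumption: the wallet uses BIP-39.
_WORD_RUN = re.compile(r"\b[a-z]{3,8}(?:[ \t\r\n]+[a-z]{3,8})+\b")


def find_phrase_candidates(text: str) -> list[str]:
    """Heuristic: return runs of exactly 12 or 24 short lowercase words.

    No wordlist or checksum check is done, so hits are leads to review.
    """
    hits = []
    for match in _WORD_RUN.finditer(text):
        words = match.group(0).split()
        if len(words) in (12, 24):
            hits.append(" ".join(words))
    return hits


def bip39_seed(phrase: str, passphrase: str = "") -> bytes:
    """Derive the 64-byte seed the BIP-39 way: PBKDF2-HMAC-SHA512, 2048 rounds."""
    def nfkd(s: str) -> str:
        return unicodedata.normalize("NFKD", s)

    password = nfkd(" ".join(phrase.split())).encode("utf-8")
    salt = nfkd("mnemonic" + passphrase).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, 2048, dklen=64)


# Constructed sample: a note of the kind the article warns against keeping.
SAMPLE_NOTE = (
    "Wallet backup:\n"
    "abandon abandon abandon abandon abandon abandon\n"
    "abandon abandon abandon abandon abandon about\n"
    "Keep this safe!\n"
)

if __name__ == "__main__":
    for phrase in find_phrase_candidates(SAMPLE_NOTE):
        print("possible recovery phrase stored in plain text")
        # The phrase alone reproduces the seed: no device or login involved.
        print("seed from phrase only:", bip39_seed(phrase).hex()[:16], "...")
        # An optional BIP-39 passphrase changes the seed, so a leaked phrase
        # by itself no longer leads to the same keys.
        protected = bip39_seed(phrase, "constructed-passphrase")
        print("seed with passphrase: ", protected.hex()[:16], "...")
```

The scan is useful for auditing your own notes, mail drafts or cloud backups before someone else finds the phrase there.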