Published on June 24, 2022
NFT Security: How to Keep Crypto and Digital Assets Safe
Best practices for keeping your NFTs safe. Learn how to protect your digital assets and spot common NFT scams.
In this day and age, it's more important than ever to keep your digital assets safe. Whether you're holding cryptocurrencies, NFTs, or any other digital asset, you must take precautions to protect yourself from hackers and scammers. This guide will discuss some of the best ways to keep your digital assets safe and secure. We'll also review some of the more common phishing scams to help prevent your NFTs from being stolen.
What is an NFT?
An NFT, or Non-Fungible Token, is a digital asset tracked on a blockchain. NFTs serve as a certificate of authenticity around a digital asset. They are distinct and unreplicable, making them valuable to collectors and investors. There are many different types of NFTs, including art, collectibles, games, and more.
How to Purchase NFTs
NFT security risks largely stem from how we buy, sell, and store NFTs. NFTs are typically bought and sold on NFT marketplaces like OpenSea. OpenSea is the largest NFT marketplace (by volume) and home to trading activity for some of the biggest brands in the space, such as Bored Ape Yacht Club, Azuki, Doodles, and Cool Cats. Some projects, like CryptoPunks, have their own marketplace.
Purchasing an NFT begins with connecting your cryptocurrency wallet to a marketplace, browsing the NFTs for sale, and making a purchase. After making a purchase, the NFT is stored in your wallet. But to protect your digital assets from being stolen or hacked, it's essential to understand the fundamentals of a crypto wallet.
What is a Crypto Wallet (Hot Wallet vs. Cold Wallet)?
A cryptocurrency wallet is a digital wallet that allows you to store cryptocurrencies, NFTs, and other digital assets. Unlike a physical wallet, a crypto wallet is secured by storing your public and private keys, so that no one can gain access to your digital assets without your permission. There are two types of wallets for storing your digital assets: hot wallets and cold wallets.
Hot Wallet 🔥
Hot wallets are the most common type of crypto wallet because they are simple to set up and easy to use. A hot wallet is a digital wallet that is connected to the internet. They allow you to conveniently access your digital assets from a browser extension or mobile app. Some of the most popular hot wallets include MetaMask, Trust Wallet, and Coinbase Wallet.
Because hot wallets are so convenient, they're more vulnerable to hacking, NFT-related scams, and theft. It's not advisable to store tons of digital assets (like NFTs) in your hot wallet. Instead, it is better to use a hot wallet for day-to-day transactions and transfer any digital assets of value into a cold wallet for enhanced security.
Cold Wallet 🥶
A cold wallet is a digital wallet that is not connected to the internet. Cold wallets can be briefly connected to the internet when you want to make a transaction. Because cold wallets largely remain offline, they are much less prone to hacking or theft.
Cold wallets are physical hardware devices that typically come in the shape of a USB stick. They store your wallet's private keys, making it much more difficult for hackers and malicious parties to get ahold of your digital assets. Some of the most popular cold wallet devices include Ledger and Trezor.
What is a Private Key? 🔑
A private key is a piece of information that gives you control over the digital assets in your wallet. Private keys are like passwords, but they're much more secure. Anytime you create a blockchain address, a private key and public key are auto-generated for you.
What's The Difference Between a Public and Private Key?
Public and private keys work together in authenticating transactions to and from your wallet. Think of the public key as your home address, and your private key as the key to open your mailbox.
It is okay to share your public key openly. It serves as a public address so that others can send digital assets to your wallet. You should never share or reveal your private key. This is a smoke signal for hackers who want to steal your digital assets.
Private keys aren't very user-friendly for people just getting started with crypto wallets; that's why the same information is encoded in a more user-friendly format—a recovery phrase.
What is a Recovery Phrase (or Seed Phrase)?
A recovery phrase is a string of words that can be used to recover your digital assets if you:
Recovery phrases are typically 12, 18, or 24 words long and are generated by special software from the BIP-39 standard word list when you set up your wallet.
A recovery phrase is absolutely vital to the security of your wallet. It should be seen as the master key that backs up your crypto assets. We highly recommend keeping your recovery phrase offline and hidden, storing it somewhere only you know the whereabouts. Never take screenshots of your recovery phrase or save it to the cloud.
Never share your recovery phrase with anyone. A legitimate project or company will never ask for your seed phrase.
What Are The Most Common NFT Scams?
Although there are a variety of ways for scammers to weasel their way into your crypto wallet, there are several common tactics they frequently like to use.
One common scam is phishing, where scammers create a fake URL that looks similar to that of an official NFT project, marketplace, or tool. Often, scammers bid on the Google AdWords keyword for an NFT project so that they appear at the top of Google search results.
If clicked, the fake URL will lead you to a website that appears to be legitimate, but is actually part of the scammer's deception. This website could trigger a signature request in your hot wallet, and once it is signed, the scammer would immediately receive access to your digital assets.
As a best practice, always look for the official website link of a project, typically located in the bio of their verified social media account.
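The look-alike URL check described above can be partly automated. The following is an added example, not code from the original article: it compares a link's hostname with an allowlist of official domains and flags typo-squats, brand names embedded in other domains, and punycode labels. The allowlist contents and the sample links are assumptions constructed for illustration.

```javascript
// Added example. OFFICIAL is an assumed allowlist that you build yourself
// from links published on a project's verified accounts.
const OFFICIAL = ["opensea.io"];

// Levenshtein edit distance, used to catch typo-squatted domains.
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const up = row[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(up + 1, row[j - 1] + 1, diag + cost);
      diag = up;
    }
  }
  return row[b.length];
}

// Returns "official", "suspicious", "unknown" or "invalid" for a link.
function classifyLink(link) {
  let host;
  try {
    host = new URL(link).hostname.toLowerCase();
  } catch {
    return "invalid";
  }
  if (OFFICIAL.some((d) => host === d || host.endsWith("." + d))) return "official";
  const labels = host.split(".");
  // Punycode labels often hide look-alike Unicode letters.
  if (labels.some((l) => l.startsWith("xn--"))) return "suspicious";
  // Naive registrable domain: the last two labels (no public-suffix list).
  const registrable = labels.slice(-2).join(".");
  for (const d of OFFICIAL) {
    const brand = d.split(".")[0];
    if (editDistance(registrable, d) <= 2) return "suspicious"; // typo-squat
    if (host.includes(brand)) return "suspicious"; // brand inside a foreign domain
  }
  return "unknown";
}

// Constructed sample links, not taken from any real campaign.
for (const l of ["https://opensea.io/assets", "https://opensae.io/login",
  "https://opensea.io.claim-drop.example/"]) {
  console.log(classifyLink(l), l);
}
```

An "unknown" result is not a clean bill of health; it only means the link resembles nothing on the allowlist.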
Another common scam is impersonation, where scammers will pose as someone else in order to try to steal your NFTs. Impersonation often takes place within Discord and Twitter. For example, a scammer could pose as a support representative from OpenSea, direct message you, and ask for your recovery phrase to help retrieve your NFTs.
It's essential never to disclose your recovery phrase to anyone online, even if it is a support rep. Many crypto companies state that they will never ask you for your recovery phrase or private keys. Beware of impersonators!
Fake Social Media Accounts
Fake social media accounts frequently pop up to resemble a popular NFT project or a founder of a project. Fake social media accounts are especially prevalent on Twitter. In some cases, hackers will purchase a verified Twitter account and change the name to look similar to an NFT project. Before clicking a crypto-related link on Twitter, be sure to double-check that it is coming from the official source.
Discord is a communication platform for gamers that has quickly become popular in the NFT space. Many NFT projects have their own Discord server to communicate with holders and investors.
As with any online community, there are bad actors on Discord who will try to scam you out of your NFTs or digital assets. Be wary of any private message or link you receive on Discord. Do not click on any links from people you do not know, and do not give out your personal information to anyone online.
If a Discord server admin is DM'ing you out of the blue, this is typically a red flag that their account has been hacked and the scammer is on the prowl. As a rule of thumb, remain highly skeptical when interacting with others on Discord.
5 Tips for Keeping Your NFTs Safe
With millions of hot and cold wallets actively being used in the world, malicious actors have shrewdly thought up creative ways to steal your digital assets. The best way to protect yourself from NFT scams is to be aware of the most common scam tactics. Additionally, never share your private keys or recovery phrase with anyone. If someone asks you for your private keys or recovery phrase, it's a scam!
Stay Vigilant Online
Awareness of the most common NFT scams gives you a leg up in protecting your digital assets. It is a best practice to generally be skeptical when operating in the crypto space. URL links might be fake, social media accounts might be fake, and a support rep in your DMs could be an impersonator. Always keep that in the back of your mind when navigating online.
Purchase a Cold Wallet
Using a cold hardware wallet like a Ledger or Trezor will provide magnitudes more security around your digital assets. Because they exist off the internet, it is much more difficult for hackers to gain access to your digital assets. More often than not, scammers will go after someone's hot wallet, which is much more vulnerable. By moving most of your NFTs into a cold wallet, you can effectively mitigate a lot of the risk associated with losing digital assets to a hot wallet attack.
Use Two-Factor Authentication (2FA)
Single-password crypto wallets are the most vulnerable. Two-factor authentication adds an additional layer of security to the login procedure, typically involving an SMS text, email, or authentication app. One of the benefits of carrying a cold wallet, like a Ledger, is the ability to enable two-factor authentication.
Keep Your Wallet Safe in Discord
Scammers love Discord. It's one of their favorite vectors to deploy crypto scams. Why Discord? Most Discord servers have weak verification processes where virtually anyone can become a community member. Here are a few things you need to keep an eye out for on Discord:
Anyone DM'ing you with a link to an "exciting new project" or an "opportunity that cannot be missed"... avoid! If something seems too good to be true, it probably is. You should probably keep DMs turned off, since a message is far more likely to be a scam than to contain anything of value.
Community bot needs your recovery phrase/seed phrase
If you're looking for help with a question and see a DM come through from a bot or what appears to be a member of the dev team...keep an eye out 👀. No matter who is contacting you, never divulge your recovery phrase.
Signing a contract with your crypto wallet
Let's say you're engaging with the community and things seem to be going well. One day one of your new friends sends you a link to a new NFT project that is supposed to be amazing. You click the link and your hot wallet pops up, asking you to sign/verify to enter the site. Many crypto beginners will naively sign smart contracts without realizing they just granted a spam site access to their wallet. This is a more sophisticated attack from spammers, but always be careful of blindly signing smart contracts with your crypto wallet.
There have been many occurrences of official Discord accounts being hacked, so always stay vigilant and know how to spot suspicious behavior. If a project you have been following for a while has a surprise mint all of a sudden, and many communication channels are shut down, it's definitely a scam. Don't let FOMO get the better of you. If something seems too good to be true, it probably is. As unfortunate as it is, you must act as if everyone on Discord is a potential scammer.
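To make the "Signing a contract with your crypto wallet" warning concrete, the following added example (not code from the original article) inspects the data field of a transaction before it is signed and flags the standard token approval calls, which are how a site is granted rights over your tokens. The function name, risk labels, and the sample calldata with its placeholder address are assumptions constructed for illustration.

```javascript
// Added example. Selectors are the standard 4-byte identifiers of the
// ERC-20/ERC-721/ERC-1155 approval functions.
const APPROVAL_SELECTORS = {
  a22cb465: "setApprovalForAll(address,bool)",
  "095ea7b3": "approve(address,uint256)",
};

// Constructed calldata: setApprovalForAll(0x1111...1111, true).
const SAMPLE_OPERATOR = "11".repeat(20); // placeholder address, not a real one
const SAMPLE_DATA =
  "0xa22cb465" + "0".repeat(24) + SAMPLE_OPERATOR + "0".repeat(63) + "1";

// Inspect the `data` field of a transaction a site asks the wallet to sign.
function inspectCalldata(data) {
  const hex = String(data).toLowerCase().replace(/^0x/, "");
  if (!/^[0-9a-f]{8,}$/.test(hex)) {
    return { risk: "unknown", reason: "no function selector" };
  }
  const fn = APPROVAL_SELECTORS[hex.slice(0, 8)];
  if (!fn) return { risk: "unknown", reason: "not an approval call" };
  const args = hex.slice(8);
  if (args.length < 128) return { risk: "unknown", reason: "truncated arguments" };
  // Each argument is one 32-byte word; an address sits in the low 20 bytes.
  const grantee = "0x" + args.slice(24, 64);
  const second = BigInt("0x" + args.slice(64, 128));
  if (fn.startsWith("setApprovalForAll")) {
    return second === 0n
      ? { risk: "low", fn, grantee, reason: "revokes an operator" }
      : { risk: "high", fn, grantee,
          reason: "operator can move every token you hold in this collection" };
  }
  // approve(): the second word is a token id (ERC-721) or an amount (ERC-20).
  return { risk: "review", fn, grantee,
           reason: "grants rights over one token or an amount" };
}

console.log(inspectCalldata(SAMPLE_DATA));
```

This covers on-chain approval transactions only; off-chain signature requests need their own checks.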
Protect Your Recovery Phrase
Lastly, protect your recovery phrase at all costs. Here are some of the best methods to protect your recovery phrase:
Keep it offline
Do not store your recovery phrase in your Notes app, a Google Sheet, or anywhere on your computer. If your computer were ever hacked or infected by malware, the hacker could locate your recovery phrase.
Keep it free from damage
If you're going to write down your recovery phrase in a journal or on a sheet of paper, be sure it cannot be damaged by fire or water. If there is ever a fire or flood in your house and you lose your recovery phrase, there is no getting it back.
Luckily there are weather-proof products like the Crypto Steel Capsule that can withstand physical threats and keep your recovery phrase secure.
Keep it hidden
Remember to keep your recovery phrase in a place only you know about. Storing your phrase in something like a home safe is another great option to keep it from falling into the wrong hands.
Staying safe in Web3
Digital assets and NFTs are becoming more popular every day, and with that comes an increased risk of cybercrime. Hackers and scammers are constantly evolving and becoming more sophisticated as the NFT community becomes privy to their tactics.
The best way to protect yourself from losing your crypto, NFTs, and digital assets is to consider adding an additional layer of security with a hardware wallet, use two-factor authentication, keep your recovery phrase safe and hidden, and remain educated on common scams in the crypto space. By following these tips, you can feel confident that your digital assets will remain safe and sound.