While securing a non-fungible token (NFT) might sound like a good idea, doing so comes with cybersecurity risks for buyers. Anyone getting into this alternative investment type should understand the cyberthreats they’re up against.

1. Reentrancy Attack

A reentrancy attack exploits a vulnerability to force smart contracts into infinite loops. Since these self-executing agreements execute imperatively — meaning each line of code must finish executing before moving on to the next one — they effectively unquestioningly hand over control when making external calls.

If the called contract is malicious, it can make recursive callbacks. Since the caller must pause its code execution until its call returns, it’s forced to execute the original line of code repeatedly without updating its balance. Bad actors can exploit this function to steal NFTs within moments, potentially allowing their attack to go unnoticed initially.

2. Technical Support Scam

Since NFTs are unregulated and decentralized, owners must rely on others in the community for help. Many who experience technical issues they can’t figure out go to Discord, Reddit, or Telegram for assistance. Unfortunately, some individuals on those platforms are there for the wrong reasons. They take advantage of people’s trust and lack of knowledge to steal their assets.

3. Marketplace Hack

Centralized platforms can be hacked like any other third-party marketplace, making them significant cybersecurity risks for NFT buyers. Although up to 95% of today’s NFTs are worthless, the ones that have retained their value are worth a lot — meaning those looking to buy one will inevitably become targets for bad actors.

Marketplace hacks have happened before and will likely happen again. For instance, a hacker stole thousands of dollars in NFTs from Nifty Gateway in 2021. Even popular sites like OpenSea have admitted to experiencing security breaches. People interested in owning NFTs must understand the risks of operating on such platforms.

4. Denial of Service

A denial of service attack is among the most significant cybersecurity risks for NFT buyers. It involves an attacker using recursive callbacks to block smart contracts from returning to the state they were in before the transaction began to execute. This results in unlimited resource usage and permanently blocks the function.

5. Rug-Pull Scam

In a rug-pull scam, a bad actor convinces others they’ll get a great return on investment if they buy into a certain stock, cryptocurrency, or NFT project. Once they get enough people to fund their idea, they disappear. This type of con has happened multiple times in this community because it’s unregulated.

In 2022, Ethan Nguyen and Andre Llacuna created Frosties, an ice-cream-themed NFT collection. Reportedly, they made roughly $1.1 million after their 8,888 items sold within one hour of their public launch. Shortly afterward, they transferred their funds into various digital wallets and disappeared.

Although the two men were later arrested for fraud and money laundering, the people who had bought into Frosties were still out their hard-earned money — and their NFTs were virtually worthless. Rug-pull scams are common, even if most aren’t as lucrative. If an investment sounds too good to be true, it probably is.

6. Oracle Manipulation

When smart contracts access or receive data from an outside source via an oracle — a third-party service that connects the blockchain to external systems — they become vulnerable to hacks. An attacker can forcibly trigger transactions to steal an NFT before the owner realizes something is wrong.

7. Counterfeit NFTs

Scammers can easily plagiarize or steal artwork. Their item’s URL and wallet address won’t align with the original, but it may still be convincing enough. People who think they’ll never fall for such a thing are mistaken — even the most widely used platforms are full of fakes. In 2022, OpenSea announced over 80% of the NFTs created with its free toolset were counterfeits.

8. Phishing Attack

In a two-part phishing attack, an attacker takes over a social media account by tricking a well-known figure in the industry to click on a malicious link or attachment. When they gain control, they post about a limited-time deal or a live drop alongside a second malicious link. A large percentage of followers will likely believe it’s legitimate.

As soon as they click on the link, the attacker can view their credit card information as they type it in, take over their social media account, or empty every NFT from their digital wallet. In the worst-case scenario, all three possibilities occur — meaning no one can comment on the post warning others that it’s a phishing attack.

9. Fraudulent Marketplace

Fraudulent marketplaces are either fake and made to look real or are convincing copies of legitimate platforms. Since there are zero regulations for NFT buyers or sellers, anyone with enough technical knowledge can set one up. They’re usually designed to inject malware into unsuspecting devices or trick visitors into giving up their credentials.

10. Pump-and-Dump Scam

A pump-and-dump scam is one of the biggest cybersecurity risks for NFT buyers. It involves a bad actor artificially inflating their collection’s value. They make it look like a great investment, prompting real people to buy into it. From there, the value increases exponentially — but only temporarily. Once it peaks, they suddenly sell everything, rendering the rest valueless.

11. Digital Wallet Vulnerabilities

Since NFT digital wallets are supposed to store assets, any vulnerabilities can put an owner’s entire collection at risk. Unfortunately, they’re not as secure as many people think. For instance, web-based versions connected to the internet are vulnerable to man-in-the-middle attacks. Those on mobile devices can also be hacked.

Whether a digital wallet stores tokens or holds a private key that gives the owner access to their items on the blockchain, it serves as their last line of defense. Unless they keep their app updated, stay off public Wi-Fi, and keep their device in their possession, hackers can exploit vulnerabilities and steal their collection.

NFT Buyers Must Remain Vigilant for Cyberthreats

There are tons of cybersecurity risks for NFT buyers — especially those who are new to the community and don’t know the common cyberthreats. They must remain vigilant and wary of anything they’ve never encountered to protect their digital wallet and personal data.