Rob Behnke
March 21st, 2023
Digital assets are assets that are hosted on a blockchain or similar distributed ledger technology. Digital assets include both fungible assets — such as Bitcoin and Ether — and non-fungible tokens (NFTs) that are unique and track ownership of a digital or real-world item. Digital assets can be extremely valuable, and the total market cap of digital assets is over $1 trillion.
However, theft of digital assets is a common problem. To date, approximately $30 billion in digital assets have been stolen via DeFi hacks alone. This number doesn’t include the direct theft of personal digital assets, such as when a consumer falls for a phishing attack that exposes their private key and results in the theft of the cryptocurrency and NFTs held in the compromised wallet.
Digital asset theft can occur in various ways and due to numerous potential factors. An error in personal cybersecurity could lead to the theft of a private key. Alternatively, a breach of a trusted DeFi project could cause the digital assets deposited there to be lost.
Eliminating risk in the digital asset space is impossible. However, implementing the following best practices can help to dramatically reduce your chances of losing a prized NFT or a trove of cryptocurrency.
Blockchain accounts are secured and managed via private keys. If an attacker has access to the private keys associated with a blockchain account, they can generate digital signatures and blockchain transactions on its behalf.
A compromised private key can be used to transfer cryptocurrency or NFTs out of a wallet or abuse the access and permissions granted to a blockchain account. For example, an attacker might use a compromised key to authorize a malicious transaction, as occurred in the Ronin Network hack.
Private key security is essential to digital asset security. Some best practices that can help to protect blockchain private keys include:
Multisignature Wallets: Multisignature wallets require digital signatures generated using multiple private keys to approve a transaction. This reduces the risk that an attacker could steal a private key and use it to perform malicious actions.
Cold Storage: Cold storage involves storing private keys on an offline device, such as a hardware wallet. If a device is not connected to the Internet, it is more difficult for an attacker or malware to access it and steal secret keys.
Secure Backups: If a private key is lost, then the digital assets it secures are lost forever. Making a secure backup of private keys provides the ability to recover from the loss of a primary copy.
Self-Custody: Third-party services for storing private keys can make them more accessible. However, this increases the risk of phishing, compromised passwords, and other attacks that could result in the keys being stolen.
Many people purchase digital assets with the intent of using them to interact with various DeFi projects. However, this can come with certain risks. For example, a crypto project may be a scam where the creators intend to steal any value deposited into the smart contract.
Before depositing tokens into a smart contract, do some research and look for the following warning signs:
Potential Rugpulls: Some DeFi projects intend to do great things, while others are rug pull scams designed to trick users into making deposits before the owners run away with the money. Before investing in a project, it’s important to research it for warning signs of common crypto scams.
Risky Investments: Even if a crypto project isn’t a scam, it might have a low probability of success or carry legal risks. When researching potential projects, consider the risk that your investment may be lost if the project collapses for some reason.
Poor Security: Some projects are able to make their users whole after a hack, but this isn’t always the case. Before depositing digital assets into a project, verify that it has undergone a security audit and has addressed all of the significant findings.
New projects commonly perform airdrops, where they hand out free tokens to build interest and engagement in a project. While these can be legitimate, they can also be a security risk. While airdrops may seem like free money, you could end up paying for them with the contents of your wallet.
Some best practices regarding managing airdrops include:
Project Research: Just like other DeFi projects, projects that airdrop tokens may actually be scams. Before signing up for an airdrop or accepting airdropped tokens, do some research into the project to see if it looks legitimate.
Don’t Provide Private Keys: An airdropped token may require connecting a wallet to a website to accept the token. Verify the legitimacy of the site before providing it with a private key or seed phrase.
Don’t View Random Airdrops: Airdropped NFTs may be designed to contain malicious code. Be careful when viewing the image associated with an unsolicited NFT in case it is designed to deploy malware or steal private keys.
Malicious phishing sites can be used for various purposes. A website may be designed to steal a private key or deploy malware on a user’s device that could steal private keys and other sensitive information.
Malicious websites are used in various ways in the Web3 space. Some of the main threats to look out for include:
Fake Online Wallets: Tools like MetaMask are commonly used to connect users to the blockchain. Phishing sites may provide fake downloads of MetaMask or other software that are designed to harvest wallet keys and seed phrases.
Fake NFT Sites: When buying or selling an NFT, it’s common to use a site such as OpenSea. Some attackers will insist on using a malicious site that steals the tokens stored in a blockchain wallet when the wallet is connected to buy or sell an NFT.
Malicious Google Ads: Recently, Web3 attackers have begun using Google ads to promote malicious pages at the top of Google results. Downloading files from the site could install malware on a user’s device, which is how NFT God lost assets after downloading what appeared to be OBS.
Phishing attacks are some of the biggest threats to wallet and digital asset security. Attackers masquerading as trusted organizations will use email, Telegram, Twitter, and other channels to connect to potential targets. These phishing attacks can be designed to deliver malware, steal tokens, or promote scam projects.
Some best practices to protect against phishing attacks include:
Check Links and URLs: Phishers commonly use lookalike URLs and links to masquerade as legitimate projects. Always check that a URL is correct before trusting it and, when possible, browse to the legitimate site directly rather than clicking on a link.
Do Your Research: Phishing is just another means of sending users to fake projects, websites, etc. Always do your own research to verify that something is legitimate before taking an action that places tokens at risk.
Use MFA: Multi-factor authentication (MFA) is not a perfect solution and can be bypassed by an attacker. However, it’s better than nothing, and implementing it decreases the risk that an attacker will gain access to a blockchain account.
While blockchains are decentralized, global networks, users interact with them via their personal devices. A user’s computer is what generates transactions, signs them (potentially with the aid of a hardware wallet), and submits them to the blockchain for inclusion in the digital ledger.
Users’ computers can be high-value targets and potential single points of failure for a user’s interactions with the blockchain.
Some security best practices to help protect digital assets against threats on their owners’ devices include:
Store Keys Securely: Storing private keys on an Internet-connected device (i.e. “hot storage”) makes them more convenient to use but also exposes them to attack. Using a hardware wallet can help to reduce the risk that private keys will be compromised if an attacker gains access to a user’s device.
Use an Antivirus: Malware can be used to steal private keys or mine cryptocurrency on a user’s device. An up-to-date antivirus can help to identify and remediate malware infections before they put digital assets at risk.
Digital assets are at risk from a variety of different threats. Protecting private keys is vitally important, and cybercriminals use various methods to try to steal them, including phishing, malware, and other scams. On the other hand, it’s also important to consider the risks posed by various DeFi projects whether due to the fact that they are scams or that their poor security places deposited tokens at risk.
Halborn can help you protect your digital assets against a range of potential threats. For more information about protecting your blockchain accounts’ private keys against exposure, check out this blog on private key security. Halborn has also audited numerous DeFi contracts and helped to identify and remediate the vulnerabilities that place digital assets at risk. For information about protecting your DeFi project, reach out to our digital asset security experts.