As nonfungible tokens (NFTs) attract more users, they also catch the eye of scammers. Bad actors in Web3 have set their sights on digital collectibles, with millions being lost through scams and various attacks.
However, according to professionals working in the Web3 space, there are multiple ways and tools to avoid becoming a victim of NFT theft. In addition, users can take various actions after losing their digital collectibles to hacks.
Ronghui Gu, the co-founder and CEO of blockchain security firm CertiK, told Cointelegraph that the first and most important step is always due diligence. “Avoid clicking on suspicious links and be very careful when signing token approvals,” Gu shared.
Taking it a step further, the executive shared other best practices like periodically checking and revoking unneeded permissions and segregating NFTs into different wallets according to their purpose. He also explained that:
“Long-term holds should be kept in a secure wallet that interacts minimally, if at all, with applications. Hardware wallets have a somewhat steep learning curve, but the time investment is worth it.”
When asked about what can be done once the assets get lost, Gu shared that it’s unfortunate, but there’s “not a lot” that users can do to recover the assets. However, NFT marketplaces can blacklist the NFTs so that they cannot be traded anymore. “Raising awareness of common scams is an ongoing effort. Educating users about the safest ways to transact and how they can minimize their risk is the first step,” he added.
While hardware wallets may be a great solution, Michael Pierce, the CEO of Web3 security firm NotCommon, said there are still risks involved. He explained that:
“People should buy the hardware directly from the manufacturer to minimize any chance the wallet has been tampered with before the person receives it.”
Meanwhile, if the scam or attack has already occurred, Pierce recommended that victims report it to databases like NotCommon “to help keep others safe and identify the scammer.” If the potential losses are significant, the executive urged victims to take legal action if possible.
Mohamed Issa, a senior strategist at data firm Chainalysis, also shared some insights on the topic. According to Issa, as NFTs become one of the fastest-growing areas in crypto, they are becoming a “go-to target for hackers.” He explained that:
“NFT transactions are creating a new challenge for cryptocurrency investigation as decentralized protocols are more complex and very difficult to trace compared to traditional centralized services.”
Issa also told Cointelegraph about the importance of being proactive after falling victim to theft. While it’s very important to report scams and hacks to law enforcement, he believes NFT holders can protect their investment with tools like Storyline, analysis software created by his firm.
Issa believes that the tool can enable users to assist investigators after getting hacked and help them concentrate on the transactions and funds that matter most.
BNB Chain growth operations director Alvin Kan also shared that users can use tools like revoke.cash — a way to check wallet status and revoke approvals — and browser extensions that provide risk warnings before signing contracts.
Within the BNB Chain ecosystem, Kan told Cointelegraph that there are efforts from the community to provide more NFT-specific security tools. The executive talked about GoPlus, a tool that detects NFT authenticity, and other chain-wide initiatives like DappBay’s Red Alarm and AvengerDAO, which Kan believes help users stay one step ahead of scammers. He explained that:
“These tools, with the contribution of the ecosystem projects, assess project risk levels in real time and alert users of potentially risky DApps so that users do not interact with malicious DApps and contracts.”
For those who have already fallen victim to a hack or scam, Kan highlighted that it’s important to reach out to NFT marketplaces. When all else fails, the executive said that burning the token may be the last resort: reaching out to the NFT project and asking them to burn the affected or stolen token may be the final solution.